
Null Pointer Dereference in __strlen_avx2 () #1990

Closed
ZFeiXQ opened this issue Dec 14, 2021 · 3 comments

Comments

@ZFeiXQ

ZFeiXQ commented Dec 14, 2021

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

Version:

./MP4Box -version
MP4Box - GPAC version 1.1.0-DEV-rev1527-g6fcf9819e-master
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
 MINI build (encoders, decoders, audio and video output disabled)

Please cite our work in your research:
 GPAC Filters: https://doi.org/10.1145/3339825.3394929
 GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --static-mp4box --prefix=/home/zxq/CVE_testing/sourceproject/gpac/cmakebuild --enable-debug
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D 

System information
Ubuntu 20.04.1 LTS, gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)

command:

./bin/gcc/MP4Box -bt POC1

POC1.zip

Result

[5]    2204206 segmentation fault  ./sourceproject/momey/gpac/bin/gcc/MP4Box -bt 

Gdb information

Stopped reason: SIGSEGV
__strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:65
65      ../sysdeps/x86_64/multiarch/strlen-avx2.S: No such file or directory.
gdb-peda$ bt
#0  __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:65
#1  0x00007ffff755a503 in __GI___strdup (s=0x0) at strdup.c:41
#2  0x00007ffff7851545 in gf_svg_dump_attribute () from /home/zxq/CVE_testing/sourceproject/momey/gpac/bin/gcc/libgpac.so.10
#3  0x00007ffff7a497e2 in gf_dump_svg_element () from /home/zxq/CVE_testing/sourceproject/momey/gpac/bin/gcc/libgpac.so.10
#4  0x00007ffff7a4a9b0 in gf_sm_dump_command_list () from /home/zxq/CVE_testing/sourceproject/momey/gpac/bin/gcc/libgpac.so.10
#5  0x00007ffff7a5173d in gf_sm_dump () from /home/zxq/CVE_testing/sourceproject/momey/gpac/bin/gcc/libgpac.so.10
#6  0x0000555555585418 in dump_isom_scene ()
#7  0x000055555557c42c in mp4boxMain ()
#8  0x00007ffff74df0b3 in __libc_start_main (main=0x55555556d420 <main>, argc=0x3, argv=0x7fffffffe248, init=<optimized out>, 
    fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe238) at ../csu/libc-start.c:308
#9  0x000055555556d45e in _start ()


@jeanlf
Member

jeanlf commented Dec 14, 2021

I cannot reproduce with latest master; can you cross-check?

@ZFeiXQ
Author

ZFeiXQ commented Dec 15, 2021

I re-checked the software version and running information; it seems that the bug still exists.

Version

./MP4Box -version
MP4Box - GPAC version 1.1.0-DEV-rev1566-gaa906eefd-master
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
	GPAC Filters: https://doi.org/10.1145/3339825.3394929
	GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: 
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  

Result

[1]    1742533 segmentation fault  ./MP4Box -bt ~/POC1

GDB information

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x7ffff7851530 (<gf_svg_dump_attribute+688>:	lea    rdi,[rip+0x5a40bf]        # 0x7ffff7df55f6)
RBX: 0x7fffffff71e0 --> 0x450000004a ('J')
RCX: 0x0 
RDX: 0x0 
RSI: 0x7fffffff71e0 --> 0x450000004a ('J')
RDI: 0x0 
RBP: 0x0 
RSP: 0x7fffffff6908 --> 0x7ffff755a503 (<__GI___strdup+19>:	lea    r12,[rax+0x1])
RIP: 0x7ffff7643675 (<__strlen_avx2+21>:	vpcmpeqb ymm1,ymm0,YMMWORD PTR [rdi])
R8 : 0x1 
R9 : 0x15 
R10: 0x7ffff7e307db --> 0x253a73252f3c0022 ('"')
R11: 0x5555555f25c0 --> 0x5555555f25e0 --> 0x0 
R12: 0x5555555f4990 --> 0x1 
R13: 0x5555555f4990 --> 0x1 
R14: 0x5 
R15: 0x5555555f47e0 --> 0x5555555f4800 --> 0x300010430
EFLAGS: 0x10283 (CARRY parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff764366d <__strlen_avx2+13>:	and    ecx,0x3f
   0x7ffff7643670 <__strlen_avx2+16>:	cmp    ecx,0x20
   0x7ffff7643673 <__strlen_avx2+19>:	ja     0x7ffff76436a0 <__strlen_avx2+64>
=> 0x7ffff7643675 <__strlen_avx2+21>:	vpcmpeqb ymm1,ymm0,YMMWORD PTR [rdi]
   0x7ffff7643679 <__strlen_avx2+25>:	vpmovmskb eax,ymm1
   0x7ffff764367d <__strlen_avx2+29>:	test   eax,eax
   0x7ffff764367f <__strlen_avx2+31>:	jne    0x7ffff7643770 <__strlen_avx2+272>
   0x7ffff7643685 <__strlen_avx2+37>:	add    rdi,0x20
[------------------------------------stack-------------------------------------]
0000| 0x7fffffff6908 --> 0x7ffff755a503 (<__GI___strdup+19>:	lea    r12,[rax+0x1])
0008| 0x7fffffff6910 --> 0x0 
0016| 0x7fffffff6918 --> 0x5555555f47e0 --> 0x5555555f4800 --> 0x300010430 
0024| 0x7fffffff6920 --> 0x5555555f4990 --> 0x1 
0032| 0x7fffffff6928 --> 0x7ffff7851545 (<gf_svg_dump_attribute+709>:	mov    r13,rax)
0040| 0x7fffffff6930 --> 0x0 
0048| 0x7fffffff6938 --> 0x0 
0056| 0x7fffffff6940 --> 0x0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
__strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:65
65	../sysdeps/x86_64/multiarch/strlen-avx2.S: No such file or directory.
gdb-peda$ bt
#0  __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:65
#1  0x00007ffff755a503 in __GI___strdup (s=0x0) at strdup.c:41
#2  0x00007ffff7851545 in gf_svg_dump_attribute () from /home/zxq/CVE_testing/sourceproject/gpac2/gpac/bin/gcc/libgpac.so.10
#3  0x00007ffff7a497f2 in gf_dump_svg_element () from /home/zxq/CVE_testing/sourceproject/gpac2/gpac/bin/gcc/libgpac.so.10
#4  0x00007ffff7a4a9c0 in gf_sm_dump_command_list () from /home/zxq/CVE_testing/sourceproject/gpac2/gpac/bin/gcc/libgpac.so.10
#5  0x00007ffff7a5174d in gf_sm_dump () from /home/zxq/CVE_testing/sourceproject/gpac2/gpac/bin/gcc/libgpac.so.10
#6  0x0000555555585418 in dump_isom_scene ()
#7  0x000055555557c42c in mp4boxMain ()
#8  0x00007ffff74df0b3 in __libc_start_main (main=0x55555556d420 <main>, argc=0x3, argv=0x7fffffffe318, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, 
    stack_end=0x7fffffffe308) at ../csu/libc-start.c:308
#9  0x000055555556d45e in _start ()

@jeanlf jeanlf closed this as completed in 4613a35 Dec 15, 2021
@jeanlf
Member

jeanlf commented Dec 15, 2021

My bad, I was testing with gpac's memory tracker on... Thanks for the cross-check!
