Untrusted pointer dereference in shift_chunk_offsets.part ()

[ZFeiXQ]

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

• [Yes ] I looked for a similar issue and couldn't find any.
• [ Yes] I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
• [ Yes] I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

Version:

./MP4Box -version
MP4Box - GPAC version 1.1.0-DEV-rev1574-g8b22f0912-master
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
	GPAC Filters: https://doi.org/10.1145/3339825.3394929
	GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: 
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB

command:

./bin/gcc/MP4Box -hint POC

POC.zip

Result

Segmentation fault.

bt

Program received signal SIGSEGV, Segmentation fault.
0x0000000000544b81 in shift_chunk_offsets.part ()
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA

 RAX  0x6054
 RBX  0x6054
 RCX  0x0
 RDX  0xf23eb0 ◂— 0xcc3900003712
 RDI  0xffffffff
 RSI  0xf3c000
 R8   0x0
 R9   0x7fffffff7f00 —▸ 0xf22fd0 ◂— 0x6d646961 /* 'aidm' */
 R10  0xdda2e0 (_nl_C_LC_CTYPE_toupper+512) ◂— 0x100000000
 R11  0x246
 R12  0x14
 R13  0xffff7f00
 R14  0xf9000016
 R15  0xf1e710 ◂— 0x7374636f /* 'octs' */
 RBP  0x0
 RSP  0x7fffffff7f00 —▸ 0xf22fd0 ◂— 0x6d646961 /* 'aidm' */
 RIP  0x544b81 (shift_chunk_offsets.part+257) ◂— mov    eax, dword ptr [rsi]

 ► 0x544b81 <shift_chunk_offsets.part+257>    mov    eax, dword ptr [rsi]
   0x544b83 <shift_chunk_offsets.part+259>    mov    rdx, rax
   0x544b86 <shift_chunk_offsets.part+262>    add    rax, r12
   0x544b89 <shift_chunk_offsets.part+265>    cmp    rax, rdi
   0x544b8c <shift_chunk_offsets.part+268>    jbe    shift_chunk_offsets.part+488                      <shift_chunk_offsets.part+488>
    ↓
   0x544c68 <shift_chunk_offsets.part+488>    add    edx, r12d
   0x544c6b <shift_chunk_offsets.part+491>    xor    ebp, ebp
   0x544c6d <shift_chunk_offsets.part+493>    mov    dword ptr [rsi], edx
   0x544c6f <shift_chunk_offsets.part+495>    jmp    shift_chunk_offsets.part+402                      <shift_chunk_offsets.part+402>
    ↓
   0x544c12 <shift_chunk_offsets.part+402>    add    ebx, 1
   0x544c15 <shift_chunk_offsets.part+405>    cmp    r14d, ebx

00:0000│ r9 rsp 0x7fffffff7f00 —▸ 0xf22fd0 ◂— 0x6d646961 /* 'aidm' */
01:0008│        0x7fffffff7f08 —▸ 0xf23e50 ◂— 0x73747363 /* 'csts' */
02:0010│        0x7fffffff7f10 ◂— 0x0
03:0018│        0x7fffffff7f18 —▸ 0x7fffffff7f60 ◂— 0x0
04:0020│        0x7fffffff7f20 ◂— 0x2
05:0028│        0x7fffffff7f28 —▸ 0xf233b0 ◂— 0x7374626c /* 'lbts' */
06:0030│        0x7fffffff7f30 ◂— 0x0
07:0038│        0x7fffffff7f38 —▸ 0xf1d6e0 ◂— 0x0

 ► f 0         0x544b81 shift_chunk_offsets.part+257
   f 1         0x544ea7 inplace_shift_moov_meta_offsets+231
   f 2         0x54593c inplace_shift_mdat+732
   f 3         0x549b09 WriteToFile+2713
   f 4         0x53af32 gf_isom_write+370
   f 5         0x53afb8 gf_isom_close+24
   f 6         0x4115b2 mp4boxMain+7410
   f 7         0xb57340 __libc_start_main+1168

pwndbg> bt
#0  0x0000000000544b81 in shift_chunk_offsets.part ()
#1  0x0000000000544ea7 in inplace_shift_moov_meta_offsets ()
#2  0x000000000054593c in inplace_shift_mdat ()
#3  0x0000000000549b09 in WriteToFile ()
#4  0x000000000053af32 in gf_isom_write ()
#5  0x000000000053afb8 in gf_isom_close ()
#6  0x00000000004115b2 in mp4boxMain ()
#7  0x0000000000b57340 in __libc_start_main ()
#8  0x0000000000402cbe in _start ()