untrusted pointer dereference in unlink_chunk.isra #2000

Closed
ZFeiXQ opened this issue Dec 22, 2021 · 1 comment

ZFeiXQ commented Dec 22, 2021

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

Version:

./MP4Box -version

command:

./bin/gcc/MP4Box -hint POC2

POC2.zip

Result

segmentation fault

bt

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff754da2f in unlink_chunk (p=p@entry=0x5555555e1480, av=0x7ffff76a0b80 <main_arena>) at malloc.c:1453
1453	malloc.c: No such file or directory.
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
[ REGISTERS ]
 RAX  0x14000007a0
 RBX  0x7ffff76a0b80 (main_arena) ◂— 0x0
 RCX  0x14000007a5
 RDX  0x7ffff76a10b0 (main_arena+1328) —▸ 0x7ffff76a10a0 (main_arena+1312) —▸ 0x7ffff76a1090 (main_arena+1296) —▸ 0x7ffff76a1080 (main_arena+1280) —▸ 0x7ffff76a1070 (main_arena+1264) ◂— ...
 RDI  0x5555555e1480 ◂— 0x8013f76a1f74
 RSI  0x4000
 R8   0x7ffff76a0c10 (main_arena+144) —▸ 0x7ffff76a0c00 (main_arena+128) —▸ 0x5555555e0f10 ◂— 0x1400000014
 R9   0x0
 R10  0x7ffff7e0e94e ◂— ' but no data reference entry found\n'
 R11  0x7ffff76a0be0 (main_arena+96) —▸ 0x5555555e69e0 ◂— 0x0
 R12  0x1400000760
 R13  0x40
 R14  0x14000007a0
 R15  0x2
 RBP  0x38
 RSP  0x7fffffff7e30 —▸ 0x5555555e2a00 ◂— 0x1473746383
 RIP  0x7ffff754da2f (unlink_chunk.isra+15) ◂— cmp    rax, qword ptr [rdi + rax]
[ DISASM ]
 ► 0x7ffff754da2f <unlink_chunk.isra+15>     cmp    rax, qword ptr [rdi + rax]
   0x7ffff754da33 <unlink_chunk.isra+19>     jne    unlink_chunk.isra+191                <unlink_chunk.isra+191>
    ↓
   0x7ffff754dadf <unlink_chunk.isra+191>    lea    rdi, [rip + 0x11f954]
   0x7ffff754dae6 <unlink_chunk.isra+198>    call   malloc_printerr                <malloc_printerr>
 
   0x7ffff754daeb <unlink_chunk.isra+203>    lea    rdi, [rip + 0x123756]
   0x7ffff754daf2 <unlink_chunk.isra+210>    call   malloc_printerr                <malloc_printerr>
 
   0x7ffff754daf7                            nop    word ptr [rax + rax]
   0x7ffff754db00 <malloc_consolidate>       push   r15
   0x7ffff754db02 <malloc_consolidate+2>     lea    rax, [rdi + 0x60]
   0x7ffff754db06 <malloc_consolidate+6>     mov    r15, rdi
   0x7ffff754db09 <malloc_consolidate+9>     push   r14
[ STACK ]
00:0000│ rsp 0x7fffffff7e30 —▸ 0x5555555e2a00 ◂— 0x1473746383
01:0008│     0x7fffffff7e38 —▸ 0x7ffff7550773 (_int_malloc+2947) ◂— cmp    r12, 0x1f
02:0010│     0x7fffffff7e40 —▸ 0x5555555e1480 ◂— 0x8013f76a1f74
03:0018│     0x7fffffff7e48 —▸ 0x7ffff76a0be0 (main_arena+96) —▸ 0x5555555e69e0 ◂— 0x0
04:0020│     0x7fffffff7e50 —▸ 0x7fffffff7e60 ◂— 0x38 /* '8' */
05:0028│     0x7fffffff7e58 ◂— 0xdab84f8dc31ec400
06:0030│     0x7fffffff7e60 ◂— 0x38 /* '8' */
07:0038│     0x7fffffff7e68 ◂— 0x4
[ BACKTRACE ]
 ► f 0   0x7ffff754da2f unlink_chunk.isra+15
   f 1   0x7ffff7550773 _int_malloc+2947
   f 2   0x7ffff75522d4 malloc+116
   f 3   0x7ffff78c17d2 co64_box_new+18
   f 4   0x7ffff78f8aa9 gf_isom_box_new+153
   f 5   0x7ffff791009c shift_chunk_offsets.part+284
   f 6   0x7ffff79103a7 inplace_shift_moov_meta_offsets+231
   f 7   0x7ffff7910e3c inplace_shift_mdat+732

@ZFeiXQ ZFeiXQ changed the title untrusted pointer dereference inunlink_chunk.isra untrusted pointer dereference in unlink_chunk.isra Dec 22, 2021
@jeanlf
Member

jeanlf commented Jan 3, 2022

fixed when fixing #1999, thanks for the report

@jeanlf jeanlf closed this as completed Jan 3, 2022