Untrusted Pointer Dereference in gf_list_count () #2001

Closed
ZFeiXQ opened this issue Dec 22, 2021 · 1 comment

ZFeiXQ commented Dec 22, 2021

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

Version:

./MP4Box -version

command:

./bin/gcc/MP4Box -hint POC3

POC3.zip

Result

segmentation fault

bt

0x00007ffff7773949 in gf_list_count () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────────────────────────────
 RAX  0x5555555e0010 ◂— 0x7374626c /* 'lbts' */
 RBX  0x15
 RCX  0x5555555e8230 ◂— 0x33483
 RDX  0x2315
 RDI  0x5569555e0124
 RSI  0x15
 R8   0x5555555e8230 ◂— 0x33483
 R9   0x7fffffff7f00 ◂— 0x158
 R10  0x7ffff76d927a ◂— 'gf_isom_box_size'
 R11  0x7ffff76a0be0 (main_arena+96) —▸ 0x5555555e8380 ◂— 0x14
 R12  0x5555555e29d0 ◂— 0x1473747378
 R13  0x5555555e0530 ◂— 0x73747363 /* 'csts' */
 R14  0x5555555e81f0 ◂— 0x636f3634 /* '46oc' */
 R15  0x1
 RBP  0x5555555dfc30 ◂— 0x6d646961 /* 'aidm' */
 RSP  0x7fffffff7f28 —▸ 0x7ffff79286ed (Media_IsSelfContained+61) ◂— cmp    ebx, eax
 RIP  0x7ffff7773949 (gf_list_count+9) ◂— mov    eax, dword ptr [rdi + 8]
───────────────────────────────────────────────────────────────────────[ DISASM ]─────────────────────────────────────────────────────────────────────────
 ► 0x7ffff7773949 <gf_list_count+9>     mov    eax, dword ptr [rdi + 8]
   0x7ffff777394c <gf_list_count+12>    ret    
 
   0x7ffff777394d <gf_list_count+13>    nop    dword ptr [rax]
   0x7ffff7773950 <gf_list_count+16>    xor    eax, eax
   0x7ffff7773952 <gf_list_count+18>    ret    
 
   0x7ffff7773953                       nop    word ptr cs:[rax + rax]
   0x7ffff777395e                       nop    
   0x7ffff7773960 <gf_list_get>         endbr64 
   0x7ffff7773964 <gf_list_get+4>       test   rdi, rdi
   0x7ffff7773967 <gf_list_get+7>       je     gf_list_get+32                <gf_list_get+32>
    ↓
   0x7ffff7773980 <gf_list_get+32>      xor    eax, eax
───────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffff7f28 —▸ 0x7ffff79286ed (Media_IsSelfContained+61) ◂— cmp    ebx, eax
01:0008│     0x7fffffff7f30 —▸ 0x5555555e2974 ◂— 0x140000232b /* '+#' */
02:0010│     0x7fffffff7f38 —▸ 0x5555555e81f0 ◂— 0x636f3634 /* '46oc' */
03:0018│     0x7fffffff7f40 ◂— 0x14
04:0020│     0x7fffffff7f48 —▸ 0x7ffff790ffcb (shift_chunk_offsets.part+75) ◂— test   eax, eax
05:0028│     0x7fffffff7f50 —▸ 0x5555555dfc30 ◂— 0x6d646961 /* 'aidm' */
06:0030│     0x7fffffff7f58 —▸ 0x5555555e0530 ◂— 0x73747363 /* 'csts' */
07:0038│     0x7fffffff7f60 ◂— 0x0
───────────────────────────────────────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────────────────────────────────────
 ► f 0   0x7ffff7773949 gf_list_count+9
   f 1   0x7ffff79286ed Media_IsSelfContained+61
   f 2   0x7ffff790ffcb shift_chunk_offsets.part+75
   f 3   0x7ffff79103a7 inplace_shift_moov_meta_offsets+231
   f 4   0x7ffff7910e3c inplace_shift_mdat+732
   f 5   0x7ffff7915009 WriteToFile+2713
   f 6   0x7ffff7906432 gf_isom_write+370
   f 7   0x7ffff79064b8 gf_isom_close+24
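A triage pass over the register dump in the report, added here as an example and not part of the report or of GPAC's code. It parses the pwndbg REGISTERS block (copied verbatim from the dump above), resolves the memory operand of the instruction at RIP (`mov eax, dword ptr [rdi + 8]`) against the register values, and classifies the address that was dereferenced. The interesting point it makes visible: RDI is 0x5569555e0124, so the load hits 0x5569555e012c, which is neither in the zero page nor anywhere near the heap pointers the other registers hold (0x5555555e...), i.e. a non-NULL, corrupted pointer rather than a missed NULL check (the `xor eax, eax; ret` path at gf_list_count+16, the same shape as gf_list_get's `test rdi, rdi`, suggests a NULL argument would have been handled). The page-size threshold, the 16 MiB "near a known pointer" heuristic and the function names are assumptions of this example, chosen because a pasted dump carries no memory map.

```python
import re

# Register block copied verbatim from the pwndbg output in the report above.
CRASH_DUMP = """\
 RAX  0x5555555e0010 ◂— 0x7374626c /* 'lbts' */
 RBX  0x15
 RCX  0x5555555e8230 ◂— 0x33483
 RDX  0x2315
 RDI  0x5569555e0124
 RSI  0x15
 R8   0x5555555e8230 ◂— 0x33483
 R9   0x7fffffff7f00 ◂— 0x158
 R10  0x7ffff76d927a ◂— 'gf_isom_box_size'
 R11  0x7ffff76a0be0 (main_arena+96) —▸ 0x5555555e8380 ◂— 0x14
 R12  0x5555555e29d0 ◂— 0x1473747378
 R13  0x5555555e0530 ◂— 0x73747363 /* 'csts' */
 R14  0x5555555e81f0 ◂— 0x636f3634 /* '46oc' */
 R15  0x1
 RBP  0x5555555dfc30 ◂— 0x6d646961 /* 'aidm' */
 RSP  0x7fffffff7f28 —▸ 0x7ffff79286ed (Media_IsSelfContained+61) ◂— cmp    ebx, eax
 RIP  0x7ffff7773949 (gf_list_count+9) ◂— mov    eax, dword ptr [rdi + 8]
"""

REG_RE = re.compile(r"^\s*(R[A-Z0-9]+)\s+(0x[0-9a-fA-F]+)", re.M)
# Intel-syntax memory operand with optional displacement: [rdi], [rdi + 8], [rdi - 0x10]
MEM_RE = re.compile(r"\[\s*([a-z0-9]+)\s*(?:([+-])\s*(0x[0-9a-fA-F]+|\d+))?\s*\]")

PAGE = 0x1000            # assumption: the zero page is unmapped, so addr < PAGE is a NULL-based access
NEAR = 16 * 1024 * 1024  # assumption: a fault this close to a pointer held in another register is
                         # treated as "inside a region we know is mapped" (stale or mis-indexed pointer)


def parse_registers(dump):
    """Map register name -> integer value from a pwndbg REGISTERS block."""
    return {name: int(val, 16) for name, val in REG_RE.findall(dump)}


def faulting_instruction(dump):
    """Return the disassembly text pwndbg prints after the RIP value."""
    for line in dump.splitlines():
        if line.strip().startswith("RIP"):
            return line.split("◂—", 1)[1].strip()
    raise ValueError("no RIP line in dump")


def resolve_operand(regs, insn):
    """Return (base register, effective address) of the instruction's memory operand."""
    m = MEM_RE.search(insn)
    if not m:
        raise ValueError("no memory operand in: " + insn)
    base = m.group(1).upper()
    addr = regs[base]
    if m.group(3):
        text = m.group(3)
        disp = int(text, 16) if text.lower().startswith("0x") else int(text)
        addr += -disp if m.group(2) == "-" else disp
    return base, addr & 0xFFFFFFFFFFFFFFFF


def classify(addr, regs, base):
    """Rough verdict on the kind of bad pointer that reached the faulting load."""
    if addr < PAGE:
        return "null-deref"
    # Without a memory map, the pointers in the other registers are the only evidence
    # of what is mapped; the base register itself is excluded because the fault
    # address is trivially "near" it.
    anchors = [v for k, v in regs.items() if k not in ("RIP", "RSP", base) and v >= PAGE]
    if any(abs(addr - a) <= NEAR for a in anchors):
        return "near-known-region"
    return "wild-pointer"


def triage(dump):
    """Parse a pwndbg register block and classify the faulting access."""
    regs = parse_registers(dump)
    insn = faulting_instruction(dump)
    base, addr = resolve_operand(regs, insn)
    return {"insn": insn, "base": base, "addr": addr, "verdict": classify(addr, regs, base)}


if __name__ == "__main__":
    r = triage(CRASH_DUMP)
    print(f"{r['insn']}: {r['base']} -> 0x{r['addr']:x} ({r['verdict']})")
```

Run on the dump above this prints the load as `RDI -> 0x5569555e012c (wild-pointer)`. With a live target, replace the register-proximity heuristic with pwndbg's `vmmap` or `/proc/<pid>/maps`, and rebuild with `-fsanitize=address` so the sanitizer reports the write that corrupted the pointer rather than the later read in gf_list_count.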



jeanlf (Contributor) commented Jan 3, 2022

fixed when fixing #1999, thanks for the report

jeanlf closed this as completed Jan 3, 2022