Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Untrusted pointer dereference in inplace_shift_moov_meta_offsets () #2003

Closed
ZFeiXQ opened this issue Dec 22, 2021 · 1 comment
Closed

Untrusted pointer dereference in inplace_shift_moov_meta_offsets () #2003

ZFeiXQ opened this issue Dec 22, 2021 · 1 comment

Comments

@ZFeiXQ
Copy link

ZFeiXQ commented Dec 22, 2021

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

Version:

./MP4Box -version
MP4Box - GPAC version 1.1.0-DEV-rev1574-g8b22f0912-master
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
	GPAC Filters: https://doi.org/10.1145/3339825.3394929
	GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: 
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB

command:

./bin/gcc/MP4Box -hint POC6

POC6.zip

Result

Segmentation fault

bt

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7910358 in inplace_shift_moov_meta_offsets () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────────────────────────────
 RAX  0x5569555e0d34
 RBX  0x5555555e0000 ◂— 0x7374626c /* 'lbts' */
 RCX  0x0
 RDX  0x14
 RDI  0x5555555db330 —▸ 0x5555555e0640 ◂— 0x5569555dfab4
 RSI  0x1
 R8   0x0
 R9   0x7fffffff7f00 —▸ 0x7ffff76a15c0 (_IO_2_1_stderr_) ◂— 0xfbad2887
 R10  0x7ffff76d927a ◂— 'gf_isom_box_size'
 R11  0x7ffff78fa0d0 (gf_isom_box_size) ◂— endbr64 
 R12  0x5555555da950 ◂— 0x0
 R13  0x14
 R14  0x2
 R15  0x7fffffff7fd0 ◂— 0x0
 RBP  0x1
 RSP  0x7fffffff7fd0 ◂— 0x0
 RIP  0x7ffff7910358 (inplace_shift_moov_meta_offsets+152) ◂— mov    rdi, qword ptr [rax + 0x50]
[ DISASM ]
 ► 0x7ffff7910358 <inplace_shift_moov_meta_offsets+152>    mov    rdi, qword ptr [rax + 0x50]
   0x7ffff791035c <inplace_shift_moov_meta_offsets+156>    mov    rbx, rax
   0x7ffff791035f <inplace_shift_moov_meta_offsets+159>    test   rdi, rdi
   0x7ffff7910362 <inplace_shift_moov_meta_offsets+162>    je     inplace_shift_moov_meta_offsets+176                <inplace_shift_moov_meta_offsets+176>
    ↓
   0x7ffff7910370 <inplace_shift_moov_meta_offsets+176>    mov    rsi, qword ptr [rbx + 0x38]
   0x7ffff7910374 <inplace_shift_moov_meta_offsets+180>    movzx  r8d, byte ptr [r12 + 0x37]
   0x7ffff791037a <inplace_shift_moov_meta_offsets+186>    mov    rax, qword ptr [rsi + 0x40]
   0x7ffff791037e <inplace_shift_moov_meta_offsets+190>    mov    rbx, qword ptr [rax + 0x30]
   0x7ffff7910382 <inplace_shift_moov_meta_offsets+194>    mov    rdi, qword ptr [rbx + 0x58]
   0x7ffff7910386 <inplace_shift_moov_meta_offsets+198>    mov    rdx, qword ptr [rbx + 0x60]
   0x7ffff791038a <inplace_shift_moov_meta_offsets+202>    test   rdi, rdi
[ STACK ]
00:0000│ r15 rsp 0x7fffffff7fd0 ◂— 0x0
01:0008│         0x7fffffff7fd8 ◂— 0x3fa7125e0eb52b00
02:0010│         0x7fffffff7fe0 ◂— 0x0
03:0018│         0x7fffffff7fe8 —▸ 0x5555555da950 ◂— 0x0
04:0020│         0x7fffffff7ff0 —▸ 0x5555555df7a0 —▸ 0x5555555e5720 ◂— 0xfbad2480
05:0028│         0x7fffffff7ff8 ◂— 0x0
06:0030│         0x7fffffff8000 —▸ 0x7fffffff84d8 ◂— 0x14
07:0038│         0x7fffffff8008 —▸ 0x7fffffff84e0 ◂— 0x0
[ BACKTRACE ]
 ► f 0   0x7ffff7910358 inplace_shift_moov_meta_offsets+152
   f 1   0x7ffff7910e3c inplace_shift_mdat+732
   f 2   0x7ffff7915009 WriteToFile+2713
   f 3   0x7ffff7906432 gf_isom_write+370
   f 4   0x7ffff79064b8 gf_isom_close+24
   f 5   0x55555557bd12 mp4boxMain+7410
   f 6   0x7ffff74dc0b3 __libc_start_main+243
─────────────────────────────────────────────────────
@jeanlf
Copy link
Contributor

jeanlf commented Jan 3, 2022

fixed when fixing #1999, thanks for the report

@jeanlf jeanlf closed this as completed Jan 3, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants