
Segmentation fault in co64_box_new () #2004

Closed
@ZFeiXQ

Description

@ZFeiXQ

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

Version:

./MP4Box -version
MP4Box - GPAC version 1.1.0-DEV-rev1574-g8b22f0912-master
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
 GPAC Filters: https://doi.org/10.1145/3339825.3394929
 GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: 
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB

Command (reproducer; the input file is the attached POC7.zip, extracted to `POC7`):

./bin/gcc/MP4Box -hint POC7

POC7.zip

Result

Segmentation fault. Note that the SIGSEGV is raised inside glibc's `_int_malloc` (frame 0 below), at `cmp qword ptr [rdx + 0x10], r8` while walking a bin's linked list, with `rdx` holding the implausible value `0x8013f76a0c24` — its low bytes resemble a `main_arena` address, which looks like a partially overwritten chunk pointer; the `jne` right after it is the branch to `malloc_printerr`. The allocator's free-list metadata therefore already appears corrupted when `co64_box_new` calls `malloc(56)`, so `co64_box_new` is most likely only where the damage surfaces, not where it happens. The return address and `stbl`/`stts` strings left on the stack suggest the corruption occurred earlier, during box parsing (`gf_isom_box_array_read_ex`); rebuilding with AddressSanitizer (`-fsanitize=address`) and re-running the same command should report the actual out-of-bounds access and its location.

Backtrace (pwndbg; crash context followed by the `bt` output):

Program received signal SIGSEGV, Segmentation fault.
_int_malloc (av=av@entry=0x7ffff76a0b80 <main_arena>, bytes=bytes@entry=56) at malloc.c:3643
3643	malloc.c: No such file or directory.
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
[ REGISTERS ]
 RAX  0x7ffff76a0c20 (main_arena+160) —▸ 0x5555555e0ba0 ◂— 0x1400000014
 RBX  0x7ffff76a0b80 (main_arena) ◂— 0x0
 RCX  0x7ffff76a0c10 (main_arena+144) —▸ 0x7ffff76a0c00 (main_arena+128) —▸ 0x5555555e0b00 ◂— 0x1400000014
 RDX  0x8013f76a0c24
 RDI  0x7ffff76a0b80 (main_arena) ◂— 0x0
 RSI  0x7ffff76a0b90 (main_arena+16) ◂— 0x0
 R8   0x5555555e0ba0 ◂— 0x1400000014
 R9   0x7fffffff7f00 ◂— 0x67 /* 'g' */
 R10  0x7ffff76d927a ◂— 'gf_isom_box_size'
 R11  0x7ffff78fa0d0 (gf_isom_box_size) ◂— endbr64 
 R12  0xffffffffffffffb0
 R13  0x40
 R14  0x4
 R15  0x5555555e2a00 ◂— 0x1473746383
 RBP  0x38
 RSP  0x7fffffff7e40 ◂— 0x0
 RIP  0x7ffff754fc5e (_int_malloc+110) ◂— cmp    qword ptr [rdx + 0x10], r8
[ DISASM ]
 ► 0x7ffff754fc5e <_int_malloc+110>     cmp    qword ptr [rdx + 0x10], r8
   0x7ffff754fc62 <_int_malloc+114>     jne    _int_malloc+2760                <_int_malloc+2760>
    ↓
   0x7ffff75506b8 <_int_malloc+2760>    lea    rdi, [rip + 0x121361]
   0x7ffff75506bf <_int_malloc+2767>    call   malloc_printerr                <malloc_printerr>
 
   0x7ffff75506c4 <_int_malloc+2772>    nop    dword ptr [rax]
   0x7ffff75506c8 <_int_malloc+2776>    mov    r9, qword ptr [rdx + 8]
   0x7ffff75506cc <_int_malloc+2780>    test   r9b, 4
   0x7ffff75506d0 <_int_malloc+2784>    jne    _int_malloc+3747                <_int_malloc+3747>
 
   0x7ffff75506d6 <_int_malloc+2790>    mov    rax, qword ptr [rsp + 0x78]
   0x7ffff75506db <_int_malloc+2795>    jmp    _int_malloc+2818                <_int_malloc+2818>
 
   0x7ffff75506dd <_int_malloc+2797>    nop    dword ptr [rax]
[ STACK ]
00:0000│ rsp 0x7fffffff7e40 ◂— 0x0
01:0008│     0x7fffffff7e48 —▸ 0x7ffff78fabec (gf_isom_box_array_read_ex+860) ◂— mov    r12d, eax
02:0010│     0x7fffffff7e50 ◂— 0x0
03:0018│     0x7fffffff7e58 —▸ 0x7ffff7e0cd89 ◂— 0x627473006c627473 /* 'stbl' */
04:0020│     0x7fffffff7e60 —▸ 0x5555555db530 ◂— 0x73747373 /* 'ssts' */
05:0028│     0x7fffffff7e68 ◂— 0x5101650c1f57a700
06:0030│     0x7fffffff7e70 ◂— 0x8
07:0038│     0x7fffffff7e78 —▸ 0x5555555e00d0 ◂— 0x7374626c /* 'lbts' */
[ BACKTRACE ]
 ► f 0   0x7ffff754fc5e _int_malloc+110
   f 1   0x7ffff75522d4 malloc+116
   f 2   0x7ffff78c17d2 co64_box_new+18
   f 3   0x7ffff78f8aa9 gf_isom_box_new+153
   f 4   0x7ffff791009c shift_chunk_offsets.part+284
   f 5   0x7ffff79103a7 inplace_shift_moov_meta_offsets+231
   f 6   0x7ffff7910e3c inplace_shift_mdat+732
   f 7   0x7ffff7915009 WriteToFile+2713

pwndbg> bt
#0  _int_malloc (av=av@entry=0x7ffff76a0b80 <main_arena>, bytes=bytes@entry=56) at malloc.c:3643
#1  0x00007ffff75522d4 in __GI___libc_malloc (bytes=56) at malloc.c:3058
#2  0x00007ffff78c17d2 in co64_box_new () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#3  0x00007ffff78f8aa9 in gf_isom_box_new () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#4  0x00007ffff791009c in shift_chunk_offsets.part () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#5  0x00007ffff79103a7 in inplace_shift_moov_meta_offsets () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#6  0x00007ffff7910e3c in inplace_shift_mdat () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#7  0x00007ffff7915009 in WriteToFile () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#8  0x00007ffff7906432 in gf_isom_write () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#9  0x00007ffff79064b8 in gf_isom_close () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#10 0x000055555557bd12 in mp4boxMain ()
#11 0x00007ffff74dc0b3 in __libc_start_main (main=0x55555556d420 <main>, argc=3, argv=0x7fffffffe348, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe338) at ../csu/libc-start.c:308
#12 0x000055555556d45e in _start ()
pwndbg> 

