Segmentation fault in co64_box_new () #2004

Closed
ZFeiXQ opened this issue Dec 22, 2021 · 1 comment
ZFeiXQ commented Dec 22, 2021

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

Version:

./MP4Box -version
MP4Box - GPAC version 1.1.0-DEV-rev1574-g8b22f0912-master
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
 GPAC Filters: https://doi.org/10.1145/3339825.3394929
 GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: 
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB

command:

./bin/gcc/MP4Box -hint POC7

POC7.zip

Result

Segmentation fault

bt

Program received signal SIGSEGV, Segmentation fault.
_int_malloc (av=av@entry=0x7ffff76a0b80 <main_arena>, bytes=bytes@entry=56) at malloc.c:3643
3643	malloc.c: No such file or directory.
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
[ REGISTERS ]
 RAX  0x7ffff76a0c20 (main_arena+160) —▸ 0x5555555e0ba0 ◂— 0x1400000014
 RBX  0x7ffff76a0b80 (main_arena) ◂— 0x0
 RCX  0x7ffff76a0c10 (main_arena+144) —▸ 0x7ffff76a0c00 (main_arena+128) —▸ 0x5555555e0b00 ◂— 0x1400000014
 RDX  0x8013f76a0c24
 RDI  0x7ffff76a0b80 (main_arena) ◂— 0x0
 RSI  0x7ffff76a0b90 (main_arena+16) ◂— 0x0
 R8   0x5555555e0ba0 ◂— 0x1400000014
 R9   0x7fffffff7f00 ◂— 0x67 /* 'g' */
 R10  0x7ffff76d927a ◂— 'gf_isom_box_size'
 R11  0x7ffff78fa0d0 (gf_isom_box_size) ◂— endbr64 
 R12  0xffffffffffffffb0
 R13  0x40
 R14  0x4
 R15  0x5555555e2a00 ◂— 0x1473746383
 RBP  0x38
 RSP  0x7fffffff7e40 ◂— 0x0
 RIP  0x7ffff754fc5e (_int_malloc+110) ◂— cmp    qword ptr [rdx + 0x10], r8
[ DISASM ]
 ► 0x7ffff754fc5e <_int_malloc+110>     cmp    qword ptr [rdx + 0x10], r8
   0x7ffff754fc62 <_int_malloc+114>     jne    _int_malloc+2760                <_int_malloc+2760>
    ↓
   0x7ffff75506b8 <_int_malloc+2760>    lea    rdi, [rip + 0x121361]
   0x7ffff75506bf <_int_malloc+2767>    call   malloc_printerr                <malloc_printerr>
 
   0x7ffff75506c4 <_int_malloc+2772>    nop    dword ptr [rax]
   0x7ffff75506c8 <_int_malloc+2776>    mov    r9, qword ptr [rdx + 8]
   0x7ffff75506cc <_int_malloc+2780>    test   r9b, 4
   0x7ffff75506d0 <_int_malloc+2784>    jne    _int_malloc+3747                <_int_malloc+3747>
 
   0x7ffff75506d6 <_int_malloc+2790>    mov    rax, qword ptr [rsp + 0x78]
   0x7ffff75506db <_int_malloc+2795>    jmp    _int_malloc+2818                <_int_malloc+2818>
 
   0x7ffff75506dd <_int_malloc+2797>    nop    dword ptr [rax]
[ STACK ]
00:0000│ rsp 0x7fffffff7e40 ◂— 0x0
01:0008│     0x7fffffff7e48 —▸ 0x7ffff78fabec (gf_isom_box_array_read_ex+860) ◂— mov    r12d, eax
02:0010│     0x7fffffff7e50 ◂— 0x0
03:0018│     0x7fffffff7e58 —▸ 0x7ffff7e0cd89 ◂— 0x627473006c627473 /* 'stbl' */
04:0020│     0x7fffffff7e60 —▸ 0x5555555db530 ◂— 0x73747373 /* 'ssts' */
05:0028│     0x7fffffff7e68 ◂— 0x5101650c1f57a700
06:0030│     0x7fffffff7e70 ◂— 0x8
07:0038│     0x7fffffff7e78 —▸ 0x5555555e00d0 ◂— 0x7374626c /* 'lbts' */
[ BACKTRACE ]
 ► f 0   0x7ffff754fc5e _int_malloc+110
   f 1   0x7ffff75522d4 malloc+116
   f 2   0x7ffff78c17d2 co64_box_new+18
   f 3   0x7ffff78f8aa9 gf_isom_box_new+153
   f 4   0x7ffff791009c shift_chunk_offsets.part+284
   f 5   0x7ffff79103a7 inplace_shift_moov_meta_offsets+231
   f 6   0x7ffff7910e3c inplace_shift_mdat+732
   f 7   0x7ffff7915009 WriteToFile+2713

pwndbg> bt
#0  _int_malloc (av=av@entry=0x7ffff76a0b80 <main_arena>, bytes=bytes@entry=56) at malloc.c:3643
#1  0x00007ffff75522d4 in __GI___libc_malloc (bytes=56) at malloc.c:3058
#2  0x00007ffff78c17d2 in co64_box_new () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#3  0x00007ffff78f8aa9 in gf_isom_box_new () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#4  0x00007ffff791009c in shift_chunk_offsets.part () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#5  0x00007ffff79103a7 in inplace_shift_moov_meta_offsets () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#6  0x00007ffff7910e3c in inplace_shift_mdat () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#7  0x00007ffff7915009 in WriteToFile () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#8  0x00007ffff7906432 in gf_isom_write () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#9  0x00007ffff79064b8 in gf_isom_close () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#10 0x000055555557bd12 in mp4boxMain ()
#11 0x00007ffff74dc0b3 in __libc_start_main (main=0x55555556d420 <main>, argc=3, argv=0x7fffffffe348, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe338) at ../csu/libc-start.c:308
#12 0x000055555556d45e in _start ()
pwndbg> 


@ZFeiXQ ZFeiXQ changed the title Untrusted pointer dereference in co64_box_new () Invalid malloc in co64_box_new () Dec 22, 2021
@ZFeiXQ ZFeiXQ changed the title Invalid malloc in co64_box_new () Segmentation fault in co64_box_new () Dec 28, 2021
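The backtrace above faults inside glibc's _int_malloc while co64_box_new requests a 56-byte box, on the write-back path WriteToFile → inplace_shift_mdat → inplace_shift_moov_meta_offsets → shift_chunk_offsets. A fault at that point means heap metadata was already corrupted by an earlier out-of-bounds write; the allocation is merely where glibc trips over it, so the bug is upstream of co64_box_new and is best located with AddressSanitizer rather than from this frame. The C program below is an added example, not GPAC code, of the operation that path performs: parse an stco/co64 box with entry_count checked against the box size, shift the chunk offsets by a delta, and promote the box to co64 when a shifted offset no longer fits in 32 bits. The box layouts follow ISO/IEC 14496-12; the sample byte strings are constructed for the example and the function names are the example's own.

```c
/* Added example (not GPAC code): bounds-checked parsing of stco/co64 chunk
 * offset boxes and the stco -> co64 promotion needed when an mdat shift
 * pushes an offset past 32 bits. FullBox layout per ISO/IEC 14496-12:
 *   size(4) type(4) version(1) flags(3) entry_count(4) then u32 or u64 entries.
 * All sample boxes below are constructed for this example. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HDR 16 /* size + type + version/flags + entry_count */

typedef struct { uint32_t count; uint64_t *offsets; } chunk_offsets;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static uint64_t rd64(const uint8_t *p) { return (uint64_t)rd32(p) << 32 | rd32(p + 4); }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}
static void wr64(uint8_t *p, uint64_t v) { wr32(p, (uint32_t)(v >> 32)); wr32(p + 4, (uint32_t)v); }

/* Parse one stco/co64 box from buf[0..len). Returns 0 on success, -1 if the box
 * is truncated or entry_count claims more entries than its payload holds.
 * Trusting entry_count would read past the box; if that data is later copied
 * into a heap buffer sized from the same field, heap metadata gets trampled and
 * glibc only notices at a later malloc, which is how a SIGSEGV surfaces inside
 * _int_malloc far from the real bug. */
int parse_chunk_offsets(const uint8_t *buf, size_t len, chunk_offsets *out) {
    if (len < HDR) return -1;
    uint32_t size = rd32(buf);
    int is64 = memcmp(buf + 4, "co64", 4) == 0;
    if (!is64 && memcmp(buf + 4, "stco", 4) != 0) return -1;
    if (size < HDR || size > len) return -1;
    uint32_t count = rd32(buf + 12);
    size_t esz = is64 ? 8 : 4;
    if ((uint64_t)count * esz > (uint64_t)(size - HDR)) return -1; /* entry_count lies */
    uint64_t *offs = calloc(count ? count : 1, sizeof *offs);
    if (!offs) return -1;
    for (uint32_t i = 0; i < count; i++)
        offs[i] = is64 ? rd64(buf + HDR + 8 * (size_t)i) : rd32(buf + HDR + 4 * (size_t)i);
    out->count = count;
    out->offsets = offs;
    return 0;
}

/* Shift every offset by delta and serialise into dst: stco if every shifted
 * offset fits in 32 bits, co64 otherwise. Returns bytes written, 0 on error
 * (underflow, overflow, or dst too small). */
size_t shift_and_serialize(const chunk_offsets *in, int64_t delta, uint8_t *dst, size_t cap) {
    uint64_t neg = (uint64_t)0 - (uint64_t)delta; /* |delta| when delta < 0, no UB for INT64_MIN */
    int need64 = 0;
    for (uint32_t i = 0; i < in->count; i++) {
        uint64_t v = in->offsets[i];
        if (delta < 0 ? v < neg : v > UINT64_MAX - (uint64_t)delta) return 0;
        if (v + (uint64_t)delta > UINT32_MAX) need64 = 1;
    }
    size_t esz = need64 ? 8 : 4;
    uint64_t total = HDR + (uint64_t)in->count * esz;
    if (total > cap || total > UINT32_MAX) return 0;
    wr32(dst, (uint32_t)total);
    memcpy(dst + 4, need64 ? "co64" : "stco", 4);
    wr32(dst + 8, 0); /* version 0, flags 0 */
    wr32(dst + 12, in->count);
    for (uint32_t i = 0; i < in->count; i++) {
        uint64_t v = in->offsets[i] + (uint64_t)delta; /* unsigned wrap == signed add */
        if (need64) wr64(dst + HDR + 8 * (size_t)i, v);
        else wr32(dst + HDR + 4 * (size_t)i, (uint32_t)v);
    }
    return (size_t)total;
}

/* Constructed stco: two entries, 100 and 0xFFFFFF00. A +0x200 shift carries the
 * second past 32 bits, so the rewrite must emit co64. */
static const uint8_t SAMPLE_STCO[24] = {
    0,0,0,24, 's','t','c','o', 0,0,0,0, 0,0,0,2,
    0,0,0,100, 0xFF,0xFF,0xFF,0x00 };
/* Same bytes but entry_count = 1000: 4000 bytes of entries claimed, 8 present. */
static const uint8_t SAMPLE_OVERCLAIM[24] = {
    0,0,0,24, 's','t','c','o', 0,0,0,0, 0,0,0x03,0xE8,
    0,0,0,100, 0xFF,0xFF,0xFF,0x00 };

/* Size of the rewritten box after a +0x200 shift, verified by parsing it back:
 * 32 (co64 header + 2 x 8 bytes) if everything worked, -1 otherwise. */
int example_promotion(void) {
    chunk_offsets co = {0, NULL}, back = {0, NULL};
    uint8_t out[64];
    if (parse_chunk_offsets(SAMPLE_STCO, sizeof SAMPLE_STCO, &co)) return -1;
    size_t n = shift_and_serialize(&co, 0x200, out, sizeof out);
    free(co.offsets);
    if (!n || memcmp(out + 4, "co64", 4)) return -1;
    if (parse_chunk_offsets(out, n, &back)) return -1;
    int ok = back.count == 2 && back.offsets[0] == 100 + 0x200
             && back.offsets[1] == 0xFFFFFF00ULL + 0x200;
    free(back.offsets);
    return ok ? (int)n : -1;
}
/* Parse result for the over-claiming box: expected -1, not an out-of-bounds read. */
int example_overclaim(void) {
    chunk_offsets co; return parse_chunk_offsets(SAMPLE_OVERCLAIM, sizeof SAMPLE_OVERCLAIM, &co);
}
/* Parse result for a truncated buffer: size field says 24, only 20 bytes given. */
int example_truncated(void) { chunk_offsets co; return parse_chunk_offsets(SAMPLE_STCO, 20, &co); }

int main(void) {
    printf("promotion: %d  overclaim: %d  truncated: %d\n",
           example_promotion(), example_overclaim(), example_truncated());
    return 0;
}
```

The entry_count-versus-box-size check is the one that matters: a count taken from the file and used both to size a heap buffer and to drive a copy loop is the classic way a crafted MP4 writes past an allocation, and the damage then shows up, as here, as a fault in a later unrelated malloc. Building with -fsanitize=address moves the report to the offending write instead.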
jeanlf (Member) commented Jan 3, 2022

fixed when fixing #1999, thanks for the report

@jeanlf jeanlf closed this as completed Jan 3, 2022