
Untrusted pointer dereference in gf_isom_box_size () #2005

Closed
ZFeiXQ opened this issue Dec 22, 2021 · 1 comment
Comments


ZFeiXQ commented Dec 22, 2021

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

Version:

./MP4Box -version
MP4Box - GPAC version 1.1.0-DEV-rev1574-g8b22f0912-master
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
 GPAC Filters: https://doi.org/10.1145/3339825.3394929
 GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: 
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB

command:

./bin/gcc/MP4Box -hint POC8

POC8.zip

Result

Segmentation fault.

bt

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff78fa0da in gf_isom_box_size () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
[ REGISTERS ]
 RAX  0x5b47555e0072
 RBX  0x5b47555e0072
 RCX  0x0
 RDX  0x0
 RDI  0x5b47555e0072
 RSI  0x2
 R8   0x0
 R9   0x7fffffff7f80 ◂— 0x2
 R10  0x7ffff76d4546 ◂— 'gf_list_insert'
 R11  0x7ffff7773a80 (gf_list_insert) ◂— endbr64 
 R12  0x5555555db580 —▸ 0x5555555e2740 —▸ 0x5555555db330 ◂— 0x6d766864 /* 'dhvm' */
 R13  0x5555555e2600 ◂— 0x6d6f6f76 /* 'voom' */
 R14  0x6
 R15  0x0
 RBP  0x2
 RSP  0x7fffffff7f80 ◂— 0x2
 RIP  0x7ffff78fa0da (gf_isom_box_size+10) ◂— mov    rax, qword ptr [rdi + 0x10]
[ DISASM ]
 ► 0x7ffff78fa0da <gf_isom_box_size+10>    mov    rax, qword ptr [rdi + 0x10]
   0x7ffff78fa0de <gf_isom_box_size+14>    mov    rbp, rdi
   0x7ffff78fa0e1 <gf_isom_box_size+17>    mov    edx, dword ptr [rax + 0x58]
   0x7ffff78fa0e4 <gf_isom_box_size+20>    test   edx, edx
   0x7ffff78fa0e6 <gf_isom_box_size+22>    je     gf_isom_box_size+40                <gf_isom_box_size+40>
    ↓
   0x7ffff78fa0f8 <gf_isom_box_size+40>    cmp    dword ptr [rdi], 0x75756964
   0x7ffff78fa0fe <gf_isom_box_size+46>    mov    qword ptr [rdi + 8], 8
   0x7ffff78fa106 <gf_isom_box_size+54>    mov    edx, 0xc
   0x7ffff78fa10b <gf_isom_box_size+59>    jne    gf_isom_box_size+74                <gf_isom_box_size+74>
    ↓
   0x7ffff78fa11a <gf_isom_box_size+74>    cmp    byte ptr [rax + 0x3c], 0
   0x7ffff78fa11e <gf_isom_box_size+78>    je     gf_isom_box_size+84                <gf_isom_box_size+84>
[ STACK ]
00:0000│ r9 rsp 0x7fffffff7f80 ◂— 0x2
01:0008│        0x7fffffff7f88 —▸ 0x7ffff78fa19a (gf_isom_box_array_size+74) ◂— mov    r15d, eax
02:0010│        0x7fffffff7f90 ◂— 0x400000000
03:0018│        0x7fffffff7f98 —▸ 0x5555555da950 ◂— 0x0
04:0020│        0x7fffffff7fa0 —▸ 0x5555555df7a0 —▸ 0x5555555e61c0 ◂— 0xfbad2480
05:0028│        0x7fffffff7fa8 ◂— 0x0
06:0030│        0x7fffffff7fb0 —▸ 0x7fffffff8480 ◂— 0x5f2
07:0038│        0x7fffffff7fb8 —▸ 0x7fffffff8490 ◂— 0x0
[ BACKTRACE ]
 ► f 0   0x7ffff78fa0da gf_isom_box_size+10
   f 1   0x7ffff78fa19a gf_isom_box_array_size+74
   f 2   0x7ffff7910e8d inplace_shift_mdat+813
   f 3   0x7ffff791549c WriteToFile+3884
   f 4   0x7ffff7906432 gf_isom_write+370
   f 5   0x7ffff79064b8 gf_isom_close+24
   f 6   0x55555557bd12 mp4boxMain+7410
   f 7   0x7ffff74dc0b3 __libc_start_main+243

pwndbg> bt
#0  0x00007ffff78fa0da in gf_isom_box_size () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#1  0x00007ffff78fa19a in gf_isom_box_array_size () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#2  0x00007ffff7910e8d in inplace_shift_mdat () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#3  0x00007ffff791549c in WriteToFile () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#4  0x00007ffff7906432 in gf_isom_write () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#5  0x00007ffff79064b8 in gf_isom_close () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#6  0x000055555557bd12 in mp4boxMain ()
#7  0x00007ffff74dc0b3 in __libc_start_main (main=0x55555556d420 <main>, argc=3, argv=0x7fffffffe318, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe308) at ../csu/libc-start.c:308
#8  0x000055555556d45e in _start ()
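
The register dump above shows the faulting instruction `mov rax, qword ptr [rdi + 0x10]` with RDI = 0x5b47555e0072, a value that sits in no mapped region and whose low bytes are mostly printable, while nearby registers hold fourcc-like values ('dhvm', 'voom'). The following Python script is an added triage helper, not code from the reporter or from GPAC: it parses pwndbg-style register lines (the ones quoted here are copied from this report), decodes each value as little-endian ASCII the way pwndbg annotates fourccs, and classifies the faulting pointer against an address-space layout that is assumed from the addresses visible in the backtrace (PIE binary and heap near 0x5555..., shared libraries near 0x7ffff7..., stack near 0x7fffffff...). The ranges are illustrative; in a real triage they would come from `/proc/<pid>/maps` or `info proc mappings`.

```python
import re

# Register lines copied from the pwndbg output in this report (constructed input
# for the example; annotations after the value are ignored by the parser).
CRASH_DUMP = """\
 RAX  0x5b47555e0072
 RBX  0x5b47555e0072
 RCX  0x0
 RDX  0x0
 RDI  0x5b47555e0072
 RSI  0x2
 R12  0x5555555db580 —▸ 0x5555555e2740 —▸ 0x5555555db330 ◂— 0x6d766864 /* 'dhvm' */
 R13  0x5555555e2600 ◂— 0x6d6f6f76 /* 'voom' */
 RSP  0x7fffffff7f80 ◂— 0x2
 RIP  0x7ffff78fa0da (gf_isom_box_size+10) ◂— mov    rax, qword ptr [rdi + 0x10]
"""

# Assumed address-space layout, inferred from the addresses in the backtrace and
# stack dump. These are illustrative ranges, not a real memory map.
ASSUMED_MAPS = [
    ("binary/heap", 0x555555554000, 0x555555700000),
    ("libgpac/libc", 0x7ffff7400000, 0x7ffff7a00000),
    ("stack", 0x7ffffff00000, 0x7ffffffff000),
]

# Matches "<REG>  0x<hex>" at the start of a pwndbg register line.
REG_LINE = re.compile(r"^\s*([A-Z0-9]+)\s+(0x[0-9a-f]+)")


def parse_registers(dump):
    """Return {register_name: int_value} for every register line in the dump."""
    regs = {}
    for line in dump.splitlines():
        m = REG_LINE.match(line)
        if m:
            regs[m.group(1)] = int(m.group(2), 16)
    return regs


def classify(value):
    """Name the assumed region containing value, or 'unmapped'."""
    for name, lo, hi in ASSUMED_MAPS:
        if lo <= value < hi:
            return name
    return "unmapped"


def as_ascii(value, width=8):
    """Decode value as little-endian bytes, trailing NULs dropped,
    non-printable bytes shown as '.' (mirrors pwndbg's fourcc annotation)."""
    raw = value.to_bytes(width, "little").rstrip(b"\x00")
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in raw)


def looks_like_file_data(value):
    """True when nearly all bytes of the 'pointer' are printable: a strong hint
    that bytes parsed from the input file ended up being used as an address."""
    raw = value.to_bytes(8, "little").rstrip(b"\x00")
    printable = sum(0x20 <= b < 0x7F for b in raw)
    return len(raw) >= 4 and printable >= len(raw) - 1


def triage(dump, faulting_reg="RDI", disp=0x10):
    """Summarise the faulting access: the base register, the displacement from
    the instruction (here [rdi + 0x10]), and whether the base looks untrusted."""
    regs = parse_registers(dump)
    base = regs[faulting_reg]
    return {
        "register": faulting_reg,
        "base": hex(base),
        "fault_address": hex(base + disp),
        "region": classify(base),
        "ascii": as_ascii(base),
        "file_data_like": looks_like_file_data(base),
    }


if __name__ == "__main__":
    for k, v in triage(CRASH_DUMP).items():
        print(f"{k:15} {v}")
```

A result of `region == "unmapped"` together with `file_data_like == True` is the pattern to look for when deciding whether a crash is a plain NULL dereference (value 0, low fault address) or an attacker-influenced pointer, which is what distinguishes a nuisance crash from a memory-safety bug worth prioritising.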

jeanlf (Member) commented Jan 3, 2022

fixed when fixing #1999, thanks for the report

@jeanlf jeanlf closed this as completed Jan 3, 2022