
Untrusted pointer dereference in ShiftMetaOffset.isra.0 () #2006

Closed
@ZFeiXQ

Description


Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

Version:

./MP4Box -version
MP4Box - GPAC version 1.1.0-DEV-rev1574-g8b22f0912-master
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
 GPAC Filters: https://doi.org/10.1145/3339825.3394929
 GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: 
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB

command:

./bin/gcc/MP4Box -hint POC9

POC9.zip

Result

Segmentation fault

Backtrace (gdb-peda):

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x5555555e4cc0 --> 0x147472617f 
RBX: 0x5555555e4cc0 --> 0x147472617f 
RCX: 0x0 
RDX: 0x17 
RSI: 0x14 
RDI: 0x1400000054 
RBP: 0x3 
RSP: 0x7fffffff7f78 --> 0x7ffff7910370 (<inplace_shift_moov_meta_offsets+176>:	mov    rsi,QWORD PTR [rbx+0x38])
RIP: 0x7ffff790fe70 (<ShiftMetaOffset.isra.0>:	mov    rax,QWORD PTR [rdi])
R8 : 0x0 
R9 : 0x7fffffff7f00 --> 0x5555555e4c34 --> 0xe8 
R10: 0x7ffff76d927a ("gf_isom_box_size")
R11: 0x7ffff78fa0d0 (<gf_isom_box_size>:	endbr64)
R12: 0x5555555da950 --> 0xffffffec 
R13: 0x14 
R14: 0x7 
R15: 0x7fffffff7f80 --> 0x0
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff790fe60 <gf_isom_get_content_light_level_info+128>:	ret    
   0x7ffff790fe61:	nop    WORD PTR cs:[rax+rax*1+0x0]
   0x7ffff790fe6b:	nop    DWORD PTR [rax+rax*1+0x0]
=> 0x7ffff790fe70 <ShiftMetaOffset.isra.0>:	mov    rax,QWORD PTR [rdi]
   0x7ffff790fe73 <ShiftMetaOffset.isra.0+3>:	test   rax,rax
   0x7ffff790fe76 <ShiftMetaOffset.isra.0+6>:	je     0x7ffff790ff60 <ShiftMetaOffset.isra.0+240>
   0x7ffff790fe7c <ShiftMetaOffset.isra.0+12>:	push   r15
   0x7ffff790fe7e <ShiftMetaOffset.isra.0+14>:	push   r14
[------------------------------------stack-------------------------------------]
0000| 0x7fffffff7f78 --> 0x7ffff7910370 (<inplace_shift_moov_meta_offsets+176>:	mov    rsi,QWORD PTR [rbx+0x38])
0008| 0x7fffffff7f80 --> 0x0 
0016| 0x7fffffff7f88 --> 0x82af77da4fe8b600 
0024| 0x7fffffff7f90 --> 0x0 
0032| 0x7fffffff7f98 --> 0x5555555da950 --> 0xffffffec 
0040| 0x7fffffff7fa0 --> 0x5555555df7a0 --> 0x5555555f02f0 --> 0xfbad2480 
0048| 0x7fffffff7fa8 --> 0x0 
0056| 0x7fffffff7fb0 --> 0x7fffffff8488 --> 0x14 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff790fe70 in ShiftMetaOffset.isra.0 () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
gdb-peda$ bt
#0  0x00007ffff790fe70 in ShiftMetaOffset.isra.0 () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#1  0x00007ffff7910370 in inplace_shift_moov_meta_offsets () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#2  0x00007ffff7910e3c in inplace_shift_mdat () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#3  0x00007ffff7915009 in WriteToFile () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#4  0x00007ffff7906432 in gf_isom_write () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#5  0x00007ffff79064b8 in gf_isom_close () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#6  0x000055555557bd12 in mp4boxMain ()
#7  0x00007ffff74dc0b3 in __libc_start_main (main=0x55555556d420 <main>, argc=0x3, argv=0x7fffffffe318, init=<optimized out>, fini=<optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7fffffffe308) at ../csu/libc-start.c:308
#8  0x000055555556d45e in _start ()
