Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Untrusted pointer dereference in gf_hinter_finalize () #2008

Closed
ZFeiXQ opened this issue Dec 22, 2021 · 0 comments
Closed

Untrusted pointer dereference in gf_hinter_finalize () #2008

ZFeiXQ opened this issue Dec 22, 2021 · 0 comments

Comments

@ZFeiXQ
Copy link

ZFeiXQ commented Dec 22, 2021

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

Version:

./MP4Box -version
MP4Box - GPAC version 1.1.0-DEV-rev1574-g8b22f0912-master
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
 GPAC Filters: https://doi.org/10.1145/3339825.3394929
 GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: 
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB


command:

./bin/gcc/MP4Box -hint POC5

POC5.zip

Result

Abort

bt

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x400001 
RBX: 0x0 
RCX: 0x0 
RDX: 0x5555555e8080 --> 0x7374737a ('zsts')
RSI: 0x0 
RDI: 0x5555555db330 --> 0x5555555e0620 --> 0x5555555dfa20 --> 0x7472616b ('kart')
RBP: 0x5555555da950 --> 0x0 
RSP: 0x7fffffff5c30 --> 0x7fffffff7040 --> 0xffffffff 
RIP: 0x7ffff7a107d0 (<gf_hinter_finalize+1040>:	movzx  eax,WORD PTR [r15+0x2])
R8 : 0x0 
R9 : 0x5555555eac20 --> 0x5555555eab70 --> 0x5555555ea8a0 --> 0x0 
R10: 0x5555555e3860 --> 0x7374626c ('lbts')
R11: 0x7ffff76a0be0 --> 0x5555555eacc0 --> 0x0 
R12: 0x5555555e82c0 --> 0x10002 
R13: 0x5 
R14: 0x7fffffff5cb0 ("a=x-copyright: MP4/3GP File hinted with GPAC 1.1.0-DEV-rev1574-g8b22f0912-master - (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io")
R15: 0x0
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7a107c4 <gf_hinter_finalize+1028>:	call   0x7ffff7768fd0 <gf_isom_sdp_add_line@plt>
   0x7ffff7a107c9 <gf_hinter_finalize+1033>:	jmp    0x7ffff7a1041e <gf_hinter_finalize+94>
   0x7ffff7a107ce <gf_hinter_finalize+1038>:	xchg   ax,ax
=> 0x7ffff7a107d0 <gf_hinter_finalize+1040>:	movzx  eax,WORD PTR [r15+0x2]
   0x7ffff7a107d5 <gf_hinter_finalize+1045>:	cmp    WORD PTR [r15+0x4],ax
   0x7ffff7a107da <gf_hinter_finalize+1050>:	jne    0x7ffff7a10657 <gf_hinter_finalize+663>
   0x7ffff7a107e0 <gf_hinter_finalize+1056>:	jmp    0x7ffff7a10650 <gf_hinter_finalize+656>
   0x7ffff7a107e5 <gf_hinter_finalize+1061>:	nop    DWORD PTR [rax]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffff5c30 --> 0x7fffffff7040 --> 0xffffffff 
0008| 0x7fffffff5c38 --> 0x100000000 
0016| 0x7fffffff5c40 --> 0x2 
0024| 0x7fffffff5c48 --> 0x7ffff76a15c0 --> 0xfbad2887 
0032| 0x7fffffff5c50 --> 0x1 
0040| 0x7fffffff5c58 --> 0x25 ('%')
0048| 0x7fffffff5c60 --> 0x25 ('%')
0056| 0x7fffffff5c68 --> 0x7ffff76a24a0 --> 0x0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff7a107d0 in gf_hinter_finalize () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
gdb-peda$ bt
#0  0x00007ffff7a107d0 in gf_hinter_finalize () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#1  0x000055555557967d in HintFile ()
#2  0x000055555557d257 in mp4boxMain ()
#3  0x00007ffff74dc0b3 in __libc_start_main (main=0x55555556d420 <main>, argc=0x3, argv=0x7fffffffe318, init=<optimized out>, fini=<optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7fffffffe308) at ../csu/libc-start.c:308
#4  0x000055555556d45e in _start ()
@jeanlf jeanlf closed this as completed in dd2e8b1 Jan 3, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant