Untrusted pointer dereference in Media_IsSelfContained () #2011

Status: Closed

ZFeiXQ opened this issue Dec 24, 2021 · 1 comment

ZFeiXQ commented Dec 24, 2021

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

Version:

./MP4Box -version
MP4Box - GPAC version 1.1.0-DEV-rev1574-g8b22f0912-master
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
 GPAC Filters: https://doi.org/10.1145/3339825.3394929
 GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: 
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB

command:

./bin/gcc/MP4Box -hint POC11

POC11.zip

Result

Segmentation fault

bt

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x5569555dfdc4 
RBX: 0x1 
RCX: 0x5555555e18c0 --> 0x3712 
RDX: 0x4015 
RSI: 0x1 
RDI: 0x5555555e2840 --> 0x146d646975 
RBP: 0x5555555e2840 --> 0x146d646975 
RSP: 0x7fffffff7f70 --> 0x5555555e0e14 --> 0x4017 
RIP: 0x7ffff79286ca (<Media_IsSelfContained+26>:	mov    rax,QWORD PTR [rax+0x30])
R8 : 0x5555555e18c0 --> 0x3712 
R9 : 0x7fffffff7f00 --> 0x2 
R10: 0x7ffff76d927a ("gf_isom_box_size")
R11: 0x7ffff76a0be0 --> 0x5555555e8770 --> 0x5555555e18d4 --> 0x640204c700000000 
R12: 0x14 
R13: 0x5555555e05c0 --> 0x73747363 ('csts')
R14: 0x5555555e8740 --> 0x636f3648 ('H6oc')
R15: 0x1
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff79286c3 <Media_IsSelfContained+19>:	push   rbx
   0x7ffff79286c4 <Media_IsSelfContained+20>:	mov    rax,QWORD PTR [rdi+0x40]
   0x7ffff79286c8 <Media_IsSelfContained+24>:	mov    ebx,esi
=> 0x7ffff79286ca <Media_IsSelfContained+26>:	mov    rax,QWORD PTR [rax+0x30]
   0x7ffff79286ce <Media_IsSelfContained+30>:	mov    r12,QWORD PTR [rax+0x48]
   0x7ffff79286d2 <Media_IsSelfContained+34>:	test   esi,esi
   0x7ffff79286d4 <Media_IsSelfContained+36>:	je     0x7ffff7928780 <Media_IsSelfContained+208>
   0x7ffff79286da <Media_IsSelfContained+42>:	test   r12,r12
[------------------------------------stack-------------------------------------]
0000| 0x7fffffff7f70 --> 0x5555555e0e14 --> 0x4017 
0008| 0x7fffffff7f78 --> 0x5555555e8740 --> 0x636f3648 ('H6oc')
0016| 0x7fffffff7f80 --> 0x14 
0024| 0x7fffffff7f88 --> 0x7ffff790ffcb (<shift_chunk_offsets.part.0+75>:	test   eax,eax)
0032| 0x7fffffff7f90 --> 0x5555555e2840 --> 0x146d646975 
0040| 0x7fffffff7f98 --> 0x5555555e05c0 --> 0x73747363 ('csts')
0048| 0x7fffffff7fa0 --> 0x0 
0056| 0x7fffffff7fa8 --> 0x7fffffff7ff0 --> 0x5555555e8740 --> 0x636f3648 ('H6oc')
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff79286ca in Media_IsSelfContained () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
gdb-peda$ bt
#0  0x00007ffff79286ca in Media_IsSelfContained () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#1  0x00007ffff790ffcb in shift_chunk_offsets.part () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#2  0x00007ffff79103a7 in inplace_shift_moov_meta_offsets () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#3  0x00007ffff7910e3c in inplace_shift_mdat () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#4  0x00007ffff7915009 in WriteToFile () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#5  0x00007ffff7906432 in gf_isom_write () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#6  0x00007ffff79064b8 in gf_isom_close () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#7  0x000055555557bd12 in mp4boxMain ()
#8  0x00007ffff74dc0b3 in __libc_start_main (main=0x55555556d420 <main>, argc=0x3, argv=0x7fffffffe388, init=<optimized out>, fini=<optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7fffffffe378) at ../csu/libc-start.c:308
#9  0x000055555556d45e in _start ()
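The faulting instruction sequence above is a two-level load: `mov rax,[rdi+0x40]` reads a pointer out of the structure passed as the first argument, and `mov rax,[rax+0x30]` then faults on it, so a pointer that was stored in a parsed structure was not valid when it was dereferenced. The report does not say which field it was or how the attached POC11 produced it. The following is an added example, not GPAC's code and not a reconstruction of the fix referenced in the reply below: a toy ISOBMFF box walker that contrasts taking a child box by position (and treating it as a given box kind) with requiring the child's 4CC before using it. The box layout, the sample bytes and the assumption that positional lookup is the relevant failure class are all mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not GPAC code: a toy ISOBMFF box walker that shows the
 * difference between taking a child box by position and requiring its 4CC
 * before treating it as a given box kind. */

#define FOURCC(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

typedef struct {
    uint32_t size;            /* whole box, including the 8-byte header */
    uint32_t type;            /* 4CC in host order */
    const uint8_t *payload;
    size_t payload_len;
} box_t;

static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Parse one box header at buf; refuse truncated or undersized boxes.
 * size 0 (to end of file) and size 1 (64-bit largesize) are rejected to keep the toy small. */
static int parse_box(const uint8_t *buf, size_t len, box_t *out) {
    if (len < 8) return 0;
    uint32_t size = rd32(buf);
    if (size < 8 || size > len) return 0;
    out->size = size;
    out->type = rd32(buf + 4);
    out->payload = buf + 8;
    out->payload_len = size - 8;
    return 1;
}

/* Positional lookup: "the second child of mdia is minf". Nothing checks that it is. */
static int child_at(const box_t *parent, size_t index, box_t *out) {
    const uint8_t *p = parent->payload;
    size_t rem = parent->payload_len;
    for (size_t i = 0;; i++) {
        if (!parse_box(p, rem, out)) return 0;
        if (i == index) return 1;
        p += out->size;     /* parse_box guarantees out->size <= rem */
        rem -= out->size;
    }
}

/* Type-checked lookup: only a child carrying the expected 4CC is returned. */
static int child_of_type(const box_t *parent, uint32_t want, box_t *out) {
    const uint8_t *p = parent->payload;
    size_t rem = parent->payload_len;
    while (parse_box(p, rem, out)) {
        if (out->type == want) return 1;
        p += out->size;
        rem -= out->size;
    }
    return 0;
}

/* Constructed sample (not the attached POC11): an mdia whose children are hdlr and free, no minf. */
static const uint8_t mdia_without_minf[] = {
    0x00,0x00,0x00,0x31, 'm','d','i','a',
      0x00,0x00,0x00,0x21, 'h','d','l','r',
        0,0,0,0,  0,0,0,0,  'v','i','d','e',
        0,0,0,0, 0,0,0,0, 0,0,0,0,  0,
      0x00,0x00,0x00,0x08, 'f','r','e','e',
};

/* Same layout, but the second child really is an (empty) minf. */
static const uint8_t mdia_with_minf[] = {
    0x00,0x00,0x00,0x31, 'm','d','i','a',
      0x00,0x00,0x00,0x21, 'h','d','l','r',
        0,0,0,0,  0,0,0,0,  'v','i','d','e',
        0,0,0,0, 0,0,0,0, 0,0,0,0,  0,
      0x00,0x00,0x00,0x08, 'm','i','n','f',
};

/* Returns the 4CC the positional path would hand to minf-specific code, or 0 if none. */
uint32_t naive_minf_type(const uint8_t *buf, size_t len) {
    box_t mdia, child;
    if (!parse_box(buf, len, &mdia) || mdia.type != FOURCC('m','d','i','a')) return 0;
    return child_at(&mdia, 1, &child) ? child.type : 0;
}

/* Returns 1 only when a real minf child exists; the caller should fail the operation otherwise. */
int checked_minf_present(const uint8_t *buf, size_t len) {
    box_t mdia, minf;
    if (!parse_box(buf, len, &mdia) || mdia.type != FOURCC('m','d','i','a')) return 0;
    return child_of_type(&mdia, FOURCC('m','i','n','f'), &minf);
}

int main(void) {
    uint32_t t = naive_minf_type(mdia_without_minf, sizeof mdia_without_minf);
    printf("positional lookup would treat '%c%c%c%c' as minf\n",
           (int)(t >> 24), (int)((t >> 16) & 0xff), (int)((t >> 8) & 0xff), (int)(t & 0xff));
    printf("checked lookup: minf present = %d (bad file), %d (good file)\n",
           checked_minf_present(mdia_without_minf, sizeof mdia_without_minf),
           checked_minf_present(mdia_with_minf, sizeof mdia_with_minf));
    return 0;
}
```

On the constructed file the positional lookup hands a `free` box to code expecting `minf`; any field read through that box (the equivalent of the `[rax+0x30]` load in the trace) is then attacker-shaped data, whereas the checked lookup reports the box missing and lets the caller abort the write.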
jeanlf (Member) commented Jan 3, 2022

fixed when fixing #1999, thanks for the report

jeanlf closed this as completed Jan 3, 2022