
Null Pointer Dereference in gf_node_unregister () at scenegraph/base_scenegraph.c:682 #2023

Closed
3 tasks done
ZFeiXQ opened this issue Jan 3, 2022 · 0 comments

ZFeiXQ commented Jan 3, 2022

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

Version:

./MP4Box -version
MP4Box - GPAC version 1.1.0-DEV-rev1582-g94db9779c-master
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
	MINI build (encoders, decoders, audio and video output disabled)

Please cite our work in your research:
	GPAC Filters: https://doi.org/10.1145/3339825.3394929
	GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --static-mp4box --enable-debug --
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D 

command:

./bin/gcc/MP4Box -svg POC1

POC1.zip

Result

Segmentation fault

bt

Program received signal SIGSEGV, Segmentation fault.
gf_node_unregister (pNode=0x10f9b70, parentNode=0x10fa140) at scenegraph/base_scenegraph.c:682
682		pSG = pNode->sgprivate->scenegraph;
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
──────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]───────────────────────────────────────────────────────────────────────────────────────────────────
 RAX  0x0
 RBX  0x7
 RCX  0x1
 RDX  0x10fa140 —▸ 0x10fa290 ◂— 0x300000095
 RDI  0x10f9b70 ◂— 0x0
 RSI  0x10fa140 —▸ 0x10fa290 ◂— 0x300000095
 R8   0x0
 R9   0x0
 R10  0xfffffff9
 R11  0x246
 R12  0xd0a2b0 (__libc_csu_fini) ◂— endbr64 
 R13  0x0
 R14  0x10a6018 (_GLOBAL_OFFSET_TABLE_+24) —▸ 0xd80db0 (__memmove_avx_unaligned_erms) ◂— endbr64 
 R15  0x0
 RBP  0x7fffffff7690 —▸ 0x7fffffff76c0 —▸ 0x7fffffff76f0 —▸ 0x7fffffff7720 —▸ 0x7fffffff7740 ◂— ...
 RSP  0x7fffffff7650 —▸ 0x10fa140 —▸ 0x10fa290 ◂— 0x300000095
 RIP  0x479467 (gf_node_unregister+66) ◂— mov    rax, qword ptr [rax + 8]
────────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]────────────────────────────────────────────────────────────────────────────────────────────────────
 ► 0x479467 <gf_node_unregister+66>     mov    rax, qword ptr [rax + 8]
   0x47946b <gf_node_unregister+70>     mov    qword ptr [rbp - 0x28], rax
   0x47946f <gf_node_unregister+74>     cmp    qword ptr [rbp - 0x40], 0
   0x479474 <gf_node_unregister+79>     je     gf_node_unregister+284                      <gf_node_unregister+284>
    ↓
   0x479541 <gf_node_unregister+284>    cmp    qword ptr [rbp - 0x28], 0
   0x479546 <gf_node_unregister+289>    je     gf_node_unregister+320                      <gf_node_unregister+320>
    ↓
   0x479565 <gf_node_unregister+320>    mov    rax, qword ptr [rbp - 0x38]
   0x479569 <gf_node_unregister+324>    mov    rax, qword ptr [rax]
   0x47956c <gf_node_unregister+327>    movzx  eax, word ptr [rax + 2]
   0x479570 <gf_node_unregister+331>    test   ax, ax
   0x479573 <gf_node_unregister+334>    jne    gf_node_unregister+367                      <gf_node_unregister+367>
────────────────────────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]─────────────────────────────────────────────────────────────────────────────────────────────────
In file: /home/zxq/CVE_testing/source/gpac/src/scenegraph/base_scenegraph.c
   677 	Bool detach=0;
   678 #endif
   679 	GF_SceneGraph *pSG;
   680 
   681 	if (!pNode) return GF_OK;
 ► 682 	pSG = pNode->sgprivate->scenegraph;
   683 
   684 	if (parentNode) {
   685 		GF_ParentList *nlist = pNode->sgprivate->parents;
   686 		if (nlist) {
   687 			GF_ParentList *prev = NULL;
────────────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffff7650 —▸ 0x10fa140 —▸ 0x10fa290 ◂— 0x300000095
01:0008│     0x7fffffff7658 —▸ 0x10f9b70 ◂— 0x0
02:0010│     0x7fffffff7660 ◂— 0x0
03:0018│     0x7fffffff7668 —▸ 0x10a6018 (_GLOBAL_OFFSET_TABLE_+24) —▸ 0xd80db0 (__memmove_avx_unaligned_erms) ◂— endbr64 
04:0020│     0x7fffffff7670 ◂— 0x0
05:0028│     0x7fffffff7678 —▸ 0x450b75 (gf_free+28) ◂— nop    
06:0030│     0x7fffffff7680 ◂— 0x5
07:0038│     0x7fffffff7688 ◂— 0x5789c1222d7c1900
──────────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────────────────────────────────────────────────────
 ► f 0         0x479467 gf_node_unregister+66
   f 1         0x47ad0f gf_node_unregister_children+45
   f 2         0x4ea690 gf_sg_vrml_parent_destroy+70
   f 3         0x4c4593 SBBone_Del+318
   f 4         0x4dbb98 gf_sg_mpeg4_node_del+2586
   f 5         0x47bfe4 gf_node_del+461
   f 6         0x4797a6 gf_node_unregister+897
   f 7         0x566822 gf_bifs_dec_node+1888
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0  gf_node_unregister (pNode=0x10f9b70, parentNode=0x10fa140) at scenegraph/base_scenegraph.c:682
#1  0x000000000047ad0f in gf_node_unregister_children (container=0x10fa140, child=0x10fa320) at scenegraph/base_scenegraph.c:1369
#2  0x00000000004ea690 in gf_sg_vrml_parent_destroy (pNode=0x10fa140) at scenegraph/vrml_tools.c:162
#3  0x00000000004c4593 in SBBone_Del (node=0x10fa140) at scenegraph/mpeg4_nodes.c:27956
#4  0x00000000004dbb98 in gf_sg_mpeg4_node_del (node=0x10fa140) at scenegraph/mpeg4_nodes.c:37958
#5  0x000000000047bfe4 in gf_node_del (node=0x10fa140) at scenegraph/base_scenegraph.c:1902
#6  0x00000000004797a6 in gf_node_unregister (pNode=0x10fa140, parentNode=0x0) at scenegraph/base_scenegraph.c:761
#7  0x0000000000566822 in gf_bifs_dec_node (codec=0x10f70b0, bs=0x10e4c30, NDT_Tag=1) at bifs/field_decode.c:912
#8  0x000000000055c98c in gf_bifs_dec_proto_list (codec=0x10f70b0, bs=0x10e4c30, proto_list=0x0) at bifs/com_dec.c:1132
#9  0x000000000055c94f in gf_bifs_dec_proto_list (codec=0x10f70b0, bs=0x10e4c30, proto_list=0x10f9600) at bifs/com_dec.c:1125
#10 0x000000000055d37f in BD_DecSceneReplace (codec=0x10f70b0, bs=0x10e4c30, proto_list=0x10f9600) at bifs/com_dec.c:1332
#11 0x000000000056c8d2 in BM_SceneReplace (codec=0x10f70b0, bs=0x10e4c30, com_list=0x10f7430) at bifs/memory_decoder.c:860
#12 0x000000000056cb53 in BM_ParseCommand (codec=0x10f70b0, bs=0x10e4c30, com_list=0x10f7430) at bifs/memory_decoder.c:908
#13 0x000000000056cffd in gf_bifs_decode_command_list (codec=0x10f70b0, ESID=8, data=0x10f74b0 '\320' <repeats 191 times>, <incomplete sequence \372>, data_length=8208, com_list=0x10f7430) at bifs/memory_decoder.c:1009
#14 0x00000000006be1da in gf_sm_load_run_isom (load=0x7fffffff88a0) at scene_manager/loader_isom.c:303
#15 0x00000000006a214a in gf_sm_load_run (load=0x7fffffff88a0) at scene_manager/scene_manager.c:719
#16 0x000000000041786e in dump_isom_scene (file=0x7fffffffe60f "gf_node_unregister-gf_node_unregister_children/id:000515,sig:11,src:007933+012329,op:splice,rep:16", inName=0x10da460 <outfile> "gf_node_unregister-gf_node_unregister_children/id:000515,sig:11,src:007933+012329,op:splice,rep:16", is_final_name=GF_FALSE, dump_mode=GF_SM_DUMP_SVG, do_log=GF_FALSE, no_odf_conv=GF_FALSE) at filedump.c:199
#17 0x000000000041521f in mp4boxMain (argc=3, argv=0x7fffffffe328) at main.c:6044
#18 0x000000000041719b in main (argc=3, argv=0x7fffffffe328) at main.c:6496
#19 0x0000000000d09a40 in __libc_start_main ()
#20 0x000000000040211e in _start ()
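The register dump above is enough to locate the fault without the PoC: RDI (pNode) is 0x10f9b70 and its first qword is 0x0, and the faulting instruction is `mov rax, [rax+8]` with RAX=0, so `pNode` itself is non-NULL but `pNode->sgprivate` is NULL and the load of `scenegraph` at offset 8 faults. The check at line 681 only guards the first link of the chain. The following C model is an added illustration, not the reporter's code, not GPAC's real structures and not the fix that landed in 70c6f6f (which this page does not show); the struct names and the `GF_BAD_PARAM` return in the checked variant are assumptions chosen to mirror the dump.

```c
/* Added illustration, not GPAC code: models the dereference chain at
 * base_scenegraph.c:682 (pNode->sgprivate->scenegraph) and a variant
 * that validates both links.  Struct layouts are assumptions picked to
 * match the register dump (sgprivate at offset 0 of the node,
 * scenegraph at offset 8 of the private block). */
#include <stddef.h>
#include <stdio.h>

typedef struct { int id; } SceneGraph;

typedef struct {
    void       *parents;    /* offset 0, stand-in for the first private field */
    SceneGraph *scenegraph; /* offset 8: the "[rax + 8]" load in the dump */
} NodePriv;

typedef struct {
    NodePriv *sgprivate;    /* first field: "RDI ... <- 0x0" means this is NULL */
} Node;

enum { GF_OK = 0, GF_BAD_PARAM = -1 };

/* Shape of the crashing path: only pNode is checked before the chain
 * is walked.  Calling this with sgprivate == NULL segfaults. */
static int unregister_unchecked(Node *pNode, SceneGraph **out_sg) {
    if (!pNode) return GF_OK;
    *out_sg = pNode->sgprivate->scenegraph;   /* faults when sgprivate == NULL */
    return GF_OK;
}

/* Defensive variant (assumed, not GPAC's patch): refuse a half-built
 * node instead of dereferencing its missing private block. */
static int unregister_checked(Node *pNode, SceneGraph **out_sg) {
    if (!pNode) return GF_OK;
    if (!pNode->sgprivate) return GF_BAD_PARAM;
    *out_sg = pNode->sgprivate->scenegraph;
    return GF_OK;
}

/* Constructed node that mirrors pNode=0x10f9b70 in the dump. */
static int demo_null_sgprivate(void) {
    Node half_built = { .sgprivate = NULL };
    SceneGraph *sg = NULL;
    return unregister_checked(&half_built, &sg);   /* GF_BAD_PARAM, no fault */
}

/* Constructed fully-linked node: both variants agree and return GF_OK. */
static int demo_valid_node(void) {
    SceneGraph graph = { .id = 1 };
    NodePriv priv = { .parents = NULL, .scenegraph = &graph };
    Node ok = { .sgprivate = &priv };
    SceneGraph *a = NULL, *b = NULL;
    int rc1 = unregister_unchecked(&ok, &a);
    int rc2 = unregister_checked(&ok, &b);
    return (rc1 == GF_OK && rc2 == GF_OK && a == &graph && b == &graph) ? GF_OK : GF_BAD_PARAM;
}

/* Offset of the field loaded by "mov rax, [rax + 8]" in this model. */
static size_t scenegraph_offset(void) {
    return offsetof(NodePriv, scenegraph);
}

int main(void) {
    printf("half-built node: checked path returned %d\n", demo_null_sgprivate());
    printf("valid node: %s\n", demo_valid_node() == GF_OK ? "ok" : "mismatch");
    printf("scenegraph lives at offset %zu of the private block\n", scenegraph_offset());
    return 0;
}
```

Reading the dump this way also explains why the crash is reached only through the destructor chain (`gf_node_del` -> `SBBone_Del` -> `gf_sg_vrml_parent_destroy` -> `gf_node_unregister_children`): the parent being torn down at 0x10fa140 still lists a child whose private block was never attached, so the teardown walks into it.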

@jeanlf jeanlf closed this as completed in 70c6f6f Jan 4, 2022