Null Pointer Dereference in gf_sg_vrml_field_pointer_del () at scenegraph/vrml_tools.c:667 #2024

Closed
3 tasks done
ZFeiXQ opened this issue Jan 3, 2022 · 0 comments

Comments


ZFeiXQ commented Jan 3, 2022

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

Version:

./MP4Box -version
MP4Box - GPAC version 1.1.0-DEV-rev1582-g94db9779c-master
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
	MINI build (encoders, decoders, audio and video output disabled)

Please cite our work in your research:
	GPAC Filters: https://doi.org/10.1145/3339825.3394929
	GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --static-mp4box --enable-debug --
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D 

Command:

./bin/gcc/MP4Box -svg POC2

POC2.zip

Result:

Segmentation fault

Backtrace (pwndbg `bt` output):

Program received signal SIGSEGV, Segmentation fault.
0x00000000004eb82b in gf_sg_vrml_field_pointer_del (field=0x0, FieldType=50) at scenegraph/vrml_tools.c:667
667			gf_sg_mfdouble_del( * ((MFDouble *) field));
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
──────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]───────────────────────────────────────────────────────────────────────────────────────────────────
 RAX  0x0
 RBX  0x400788 ◂— 0x0
 RCX  0x0
 RDX  0xe03e5c ◂— 0xff6e7b77ff6e7b77
 RDI  0x0
 RSI  0x32
 R8   0x7
 R9   0x0
 R10  0xffffffd8
 R11  0x246
 R12  0xd0a2b0 (__libc_csu_fini) ◂— endbr64 
 R13  0x0
 R14  0x10a6018 (_GLOBAL_OFFSET_TABLE_+24) —▸ 0xd80db0 (__memmove_avx_unaligned_erms) ◂— endbr64 
 R15  0x0
 RBP  0x7fffffff8610 —▸ 0x7fffffff8660 —▸ 0x7fffffff86b0 —▸ 0x7fffffff8700 —▸ 0x7fffffff8740 ◂— ...
 RSP  0x7fffffff85f0 ◂— 0x3200000000
 RIP  0x4eb82b (gf_sg_vrml_field_pointer_del+254) ◂— mov    edx, dword ptr [rax]
────────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]────────────────────────────────────────────────────────────────────────────────────────────────────
 ► 0x4eb82b <gf_sg_vrml_field_pointer_del+254>    mov    edx, dword ptr [rax]
   0x4eb82d <gf_sg_vrml_field_pointer_del+256>    mov    rax, qword ptr [rax + 8]
   0x4eb831 <gf_sg_vrml_field_pointer_del+260>    mov    edi, edx
   0x4eb833 <gf_sg_vrml_field_pointer_del+262>    mov    rsi, rax
   0x4eb836 <gf_sg_vrml_field_pointer_del+265>    call   gf_sg_mfdouble_del                      <gf_sg_mfdouble_del>
 
   0x4eb83b <gf_sg_vrml_field_pointer_del+270>    jmp    gf_sg_vrml_field_pointer_del+682                      <gf_sg_vrml_field_pointer_del+682>
 
   0x4eb840 <gf_sg_vrml_field_pointer_del+275>    mov    rax, qword ptr [rbp - 0x18]
   0x4eb844 <gf_sg_vrml_field_pointer_del+279>    mov    edx, dword ptr [rax]
   0x4eb846 <gf_sg_vrml_field_pointer_del+281>    mov    rax, qword ptr [rax + 8]
   0x4eb84a <gf_sg_vrml_field_pointer_del+285>    mov    edi, edx
   0x4eb84c <gf_sg_vrml_field_pointer_del+287>    mov    rsi, rax
────────────────────────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]─────────────────────────────────────────────────────────────────────────────────────────────────
In file: /home/zxq/CVE_testing/source/gpac/src/scenegraph/vrml_tools.c
   662 		break;
   663 	case GF_SG_VRML_MFFLOAT:
   664 		gf_sg_mffloat_del( * ((MFFloat *) field));
   665 		break;
   666 	case GF_SG_VRML_MFDOUBLE:
 ► 667 		gf_sg_mfdouble_del( * ((MFDouble *) field));
   668 		break;
   669 	case GF_SG_VRML_MFTIME:
   670 		gf_sg_mftime_del( * ((MFTime *)field));
   671 		break;
   672 	case GF_SG_VRML_MFINT32:
────────────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffff85f0 ◂— 0x3200000000
01:0008│     0x7fffffff85f8 ◂— 0x0
02:0010│     0x7fffffff8600 —▸ 0x10ecd40 ◂— 0x0
03:0018│     0x7fffffff8608 —▸ 0x10fa7d0 —▸ 0x10fae00 ◂— 0x0
04:0020│ rbp 0x7fffffff8610 —▸ 0x7fffffff8660 —▸ 0x7fffffff86b0 —▸ 0x7fffffff8700 —▸ 0x7fffffff8740 ◂— ...
05:0028│     0x7fffffff8618 —▸ 0x4e6a10 (gf_sg_proto_del_instance+120) ◂— jmp    0x4e6a8f
06:0030│     0x7fffffff8620 ◂— 0x0
07:0038│     0x7fffffff8628 —▸ 0x10fa720 —▸ 0x10fa770 ◂— 0x100000001
──────────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────────────────────────────────────────────────────
 ► f 0         0x4eb82b gf_sg_vrml_field_pointer_del+254
   f 1         0x4e6a10 gf_sg_proto_del_instance+120
   f 2         0x47bfc6 gf_node_del+431
   f 3         0x4797a6 gf_node_unregister+897
   f 4         0x4e4916 gf_sg_proto_del+193
   f 5         0x47db5d gf_sg_command_del+675
   f 6         0x6a0b93 gf_sm_au_del+122
   f 7         0x6a0c24 gf_sm_reset_stream+73
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0  0x00000000004eb82b in gf_sg_vrml_field_pointer_del (field=0x0, FieldType=50) at scenegraph/vrml_tools.c:667
#1  0x00000000004e6a10 in gf_sg_proto_del_instance (inst=0x10fa720) at scenegraph/vrml_proto.c:846
#2  0x000000000047bfc6 in gf_node_del (node=0x10fa720) at scenegraph/base_scenegraph.c:1899
#3  0x00000000004797a6 in gf_node_unregister (pNode=0x10fa720, parentNode=0x0) at scenegraph/base_scenegraph.c:761
#4  0x00000000004e4916 in gf_sg_proto_del (proto=0x10f9d60) at scenegraph/vrml_proto.c:117
#5  0x000000000047db5d in gf_sg_command_del (com=0x10f9c80) at scenegraph/commands.c:113
#6  0x00000000006a0b93 in gf_sm_au_del (sc=0x10f7ac0, au=0x10f9bd0) at scene_manager/scene_manager.c:113
#7  0x00000000006a0c24 in gf_sm_reset_stream (sc=0x10f7ac0) at scene_manager/scene_manager.c:126
#8  0x00000000006a0c58 in gf_sm_delete_stream (sc=0x10f7ac0) at scene_manager/scene_manager.c:133
#9  0x00000000006a0d03 in gf_sm_del (ctx=0x10ed170) at scene_manager/scene_manager.c:147
#10 0x000000000041797b in dump_isom_scene (file=0x7fffffffe637 "gf_sg_vrml_field_pointer_del-gf_sg_proto_del_instance/POC2", inName=0x10da460 <outfile> "gf_sg_vrml_field_pointer_del-gf_sg_proto_del_instance/POC2", is_final_name=GF_FALSE, dump_mode=GF_SM_DUMP_SVG, do_log=GF_FALSE, no_odf_conv=GF_FALSE) at filedump.c:216
#11 0x000000000041521f in mp4boxMain (argc=3, argv=0x7fffffffe358) at main.c:6044
#12 0x000000000041719b in main (argc=3, argv=0x7fffffffe358) at main.c:6496
#13 0x0000000000d09a40 in __libc_start_main ()
#14 0x000000000040211e in _start ()
pwndbg> 



@jeanlf jeanlf closed this as completed in 6a5effb Jan 4, 2022