Invalid free in MP4Box #2026

Closed
3 tasks done
ZFeiXQ opened this issue Jan 3, 2022 · 0 comments

ZFeiXQ commented Jan 3, 2022

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

Version:

./MP4Box -version
MP4Box - GPAC version 1.1.0-DEV-rev1582-g94db9779c-master
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
	MINI build (encoders, decoders, audio and video output disabled)

Please cite our work in your research:
	GPAC Filters: https://doi.org/10.1145/3339825.3394929
	GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --static-mp4box --enable-debug --
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D 

Command:

./bin/gcc/MP4Box -disox -ttxt -2 -dump-chap-ogg -dump-cover -drtp -bt -out /dev/null POC1

POC1.zip

Result:

Segmentation fault.

Backtrace (pwndbg):

Program received signal SIGSEGV, Segmentation fault.
0x0000000000d43f7d in free ()
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
──────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]───────────────────────────────────────────────────────────────────────────────────────────────────
 RAX  0x0
 RBX  0x400788 ◂— 0x0
 RCX  0x110ac60 ◂— 0x0
 RDX  0xe0bfa8 ◂— 0xff71f347ff71f31e
 RDI  0x21
 RSI  0x110ac60 ◂— 0x0
 R8   0x7
 R9   0x0
 R10  0xffffffd8
 R11  0x246
 R12  0xd0a2b0 (__libc_csu_fini) ◂— endbr64 
 R13  0x0
 R14  0x10a6018 (_GLOBAL_OFFSET_TABLE_+24) —▸ 0xd80db0 (__memmove_avx_unaligned_erms) ◂— endbr64 
 R15  0x0
 RBP  0x7fffffff7600 —▸ 0x7fffffff7660 —▸ 0x7fffffff7690 —▸ 0x7fffffff76f0 —▸ 0x7fffffff7720 ◂— ...
 RSP  0x7fffffff75d0 —▸ 0x7fffffff7610 —▸ 0x7fffffff7630 —▸ 0x7fffffff7690 —▸ 0x7fffffff76f0 ◂— ...
 RIP  0xd43f7d (free+29) ◂— mov    rax, qword ptr [rdi - 8]
────────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]────────────────────────────────────────────────────────────────────────────────────────────────────
 ► 0xd43f7d <free+29>         mov    rax, qword ptr [rdi - 8]
   0xd43f81 <free+33>         lea    rsi, [rdi - 0x10]
   0xd43f85 <free+37>         test   al, 2
   0xd43f87 <free+39>         jne    free+96                      <free+96>
    ↓
   0xd43fc0 <free+96>         mov    edx, dword ptr [rip + 0x387f0e] <0x10cbed4>
   0xd43fc6 <free+102>        test   edx, edx
   0xd43fc8 <free+104>        jne    free+123                      <free+123>
    ↓
   0xd43fdb <free+123>        mov    rdi, rsi
   0xd43fde <free+126>        add    rsp, 0x18
   0xd43fe2 <free+130>        jmp    munmap_chunk                      <munmap_chunk>
    ↓
   0xd3ee70 <munmap_chunk>    sub    rsp, 8
────────────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffff75d0 —▸ 0x7fffffff7610 —▸ 0x7fffffff7630 —▸ 0x7fffffff7690 —▸ 0x7fffffff76f0 ◂— ...
01:0008│     0x7fffffff75d8 —▸ 0xd0a2b0 (__libc_csu_fini) ◂— endbr64 
02:0010│     0x7fffffff75e0 ◂— 0x0
03:0018│     0x7fffffff75e8 —▸ 0x450b75 (gf_free+28) ◂— nop    
04:0020│     0x7fffffff75f0 ◂— 0x0
05:0028│     0x7fffffff75f8 ◂— 0x21 /* '!' */
06:0030│ rbp 0x7fffffff7600 —▸ 0x7fffffff7660 —▸ 0x7fffffff7690 —▸ 0x7fffffff76f0 —▸ 0x7fffffff7720 ◂— ...
07:0038│     0x7fffffff7608 —▸ 0x52b08f (gf_svg_delete_attribute_value+324) ◂— mov    rax, qword ptr [rbp - 0x40]
──────────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────────────────────────────────────────────────────
 ► f 0         0xd43f7d free+29
   f 1         0x450b75 gf_free+28
   f 2         0x52b08f gf_svg_delete_attribute_value+324
   f 3         0x52aea9 svg_delete_one_anim_value+54
   f 4         0x52b1ae gf_svg_delete_attribute_value+611
   f 5         0x551ed6 gf_node_delete_attributes+70
   f 6         0x52aaa7 gf_svg_node_del+642
   f 7         0x47c020 gf_node_del+521
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0  0x0000000000d43f7d in free ()
#1  0x0000000000450b75 in gf_free (ptr=0x21) at utils/alloc.c:165
#2  0x000000000052b08f in gf_svg_delete_attribute_value (type=71, value=0x110ac60, sg=0x10ebe70) at scenegraph/svg_types.c:425
#3  0x000000000052aea9 in svg_delete_one_anim_value (anim_datatype=71 'G', anim_value=0x110ac60, sg=0x10ebe70) at scenegraph/svg_types.c:363
#4  0x000000000052b1ae in gf_svg_delete_attribute_value (type=52, value=0x110ac40, sg=0x10ebe70) at scenegraph/svg_types.c:462
#5  0x0000000000551ed6 in gf_node_delete_attributes (node=0x10fdea0) at scenegraph/xml_ns.c:722
#6  0x000000000052aaa7 in gf_svg_node_del (node=0x10fdea0) at scenegraph/svg_types.c:124
#7  0x000000000047c020 in gf_node_del (node=0x10fdea0) at scenegraph/base_scenegraph.c:1909
#8  0x00000000004797a6 in gf_node_unregister (pNode=0x10fdea0, parentNode=0x10fbce0) at scenegraph/base_scenegraph.c:761
#9  0x000000000047ad0f in gf_node_unregister_children (container=0x10fbce0, child=0x10fe340) at scenegraph/base_scenegraph.c:1369
#10 0x000000000047b27f in gf_sg_parent_reset (node=0x10fbce0) at scenegraph/base_scenegraph.c:1582
#11 0x000000000052aab3 in gf_svg_node_del (node=0x10fbce0) at scenegraph/svg_types.c:125
#12 0x000000000047c020 in gf_node_del (node=0x10fbce0) at scenegraph/base_scenegraph.c:1909
#13 0x00000000004797a6 in gf_node_unregister (pNode=0x10fbce0, parentNode=0x10fb7c0) at scenegraph/base_scenegraph.c:761
#14 0x000000000047ad0f in gf_node_unregister_children (container=0x10fb7c0, child=0x10fe300) at scenegraph/base_scenegraph.c:1369
#15 0x000000000047b27f in gf_sg_parent_reset (node=0x10fb7c0) at scenegraph/base_scenegraph.c:1582
#16 0x000000000052aab3 in gf_svg_node_del (node=0x10fb7c0) at scenegraph/svg_types.c:125
#17 0x000000000047c020 in gf_node_del (node=0x10fb7c0) at scenegraph/base_scenegraph.c:1909
#18 0x00000000004797a6 in gf_node_unregister (pNode=0x10fb7c0, parentNode=0x10fb2a0) at scenegraph/base_scenegraph.c:761
#19 0x000000000047ad0f in gf_node_unregister_children (container=0x10fb2a0, child=0x10fe2c0) at scenegraph/base_scenegraph.c:1369
#20 0x000000000047b27f in gf_sg_parent_reset (node=0x10fb2a0) at scenegraph/base_scenegraph.c:1582
#21 0x000000000052aab3 in gf_svg_node_del (node=0x10fb2a0) at scenegraph/svg_types.c:125
#22 0x000000000047c020 in gf_node_del (node=0x10fb2a0) at scenegraph/base_scenegraph.c:1909
#23 0x00000000004797a6 in gf_node_unregister (pNode=0x10fb2a0, parentNode=0x10fad80) at scenegraph/base_scenegraph.c:761
#24 0x000000000047ad0f in gf_node_unregister_children (container=0x10fad80, child=0x10fe200) at scenegraph/base_scenegraph.c:1369
#25 0x000000000047b27f in gf_sg_parent_reset (node=0x10fad80) at scenegraph/base_scenegraph.c:1582
#26 0x000000000052aab3 in gf_svg_node_del (node=0x10fad80) at scenegraph/svg_types.c:125
#27 0x000000000047c020 in gf_node_del (node=0x10fad80) at scenegraph/base_scenegraph.c:1909
#28 0x00000000004797a6 in gf_node_unregister (pNode=0x10fad80, parentNode=0x10fa860) at scenegraph/base_scenegraph.c:761
#29 0x000000000047ad0f in gf_node_unregister_children (container=0x10fa860, child=0x110aa40) at scenegraph/base_scenegraph.c:1369
#30 0x000000000047b27f in gf_sg_parent_reset (node=0x10fa860) at scenegraph/base_scenegraph.c:1582
#31 0x000000000052aab3 in gf_svg_node_del (node=0x10fa860) at scenegraph/svg_types.c:125
#32 0x000000000047c020 in gf_node_del (node=0x10fa860) at scenegraph/base_scenegraph.c:1909
#33 0x00000000004797a6 in gf_node_unregister (pNode=0x10fa860, parentNode=0x10fa340) at scenegraph/base_scenegraph.c:761
#34 0x000000000047ad0f in gf_node_unregister_children (container=0x10fa340, child=0x110aa80) at scenegraph/base_scenegraph.c:1369
#35 0x000000000047b27f in gf_sg_parent_reset (node=0x10fa340) at scenegraph/base_scenegraph.c:1582
#36 0x000000000052aab3 in gf_svg_node_del (node=0x10fa340) at scenegraph/svg_types.c:125
#37 0x000000000047c020 in gf_node_del (node=0x10fa340) at scenegraph/base_scenegraph.c:1909
#38 0x00000000004797a6 in gf_node_unregister (pNode=0x10fa340, parentNode=0x10f9e20) at scenegraph/base_scenegraph.c:761
#39 0x000000000047ad0f in gf_node_unregister_children (container=0x10f9e20, child=0x110aac0) at scenegraph/base_scenegraph.c:1369
#40 0x000000000047b27f in gf_sg_parent_reset (node=0x10f9e20) at scenegraph/base_scenegraph.c:1582
#41 0x000000000052aab3 in gf_svg_node_del (node=0x10f9e20) at scenegraph/svg_types.c:125
#42 0x000000000047c020 in gf_node_del (node=0x10f9e20) at scenegraph/base_scenegraph.c:1909
#43 0x00000000004797a6 in gf_node_unregister (pNode=0x10f9e20, parentNode=0x10f9900) at scenegraph/base_scenegraph.c:761
#44 0x000000000047ad0f in gf_node_unregister_children (container=0x10f9900, child=0x110aa00) at scenegraph/base_scenegraph.c:1369
#45 0x000000000047b27f in gf_sg_parent_reset (node=0x10f9900) at scenegraph/base_scenegraph.c:1582
#46 0x000000000052aab3 in gf_svg_node_del (node=0x10f9900) at scenegraph/svg_types.c:125
#47 0x000000000047c020 in gf_node_del (node=0x10f9900) at scenegraph/base_scenegraph.c:1909
#48 0x00000000004797a6 in gf_node_unregister (pNode=0x10f9900, parentNode=0x10f9320) at scenegraph/base_scenegraph.c:761
#49 0x000000000047ad0f in gf_node_unregister_children (container=0x10f9320, child=0x110a940) at scenegraph/base_scenegraph.c:1369
#50 0x000000000047b27f in gf_sg_parent_reset (node=0x10f9320) at scenegraph/base_scenegraph.c:1582
#51 0x000000000052aab3 in gf_svg_node_del (node=0x10f9320) at scenegraph/svg_types.c:125
#52 0x000000000047c020 in gf_node_del (node=0x10f9320) at scenegraph/base_scenegraph.c:1909
#53 0x00000000004797a6 in gf_node_unregister (pNode=0x10f9320, parentNode=0x10f9220) at scenegraph/base_scenegraph.c:761
#54 0x000000000047ad0f in gf_node_unregister_children (container=0x10f9220, child=0x110a980) at scenegraph/base_scenegraph.c:1369
#55 0x000000000047b27f in gf_sg_parent_reset (node=0x10f9220) at scenegraph/base_scenegraph.c:1582
#56 0x000000000052aab3 in gf_svg_node_del (node=0x10f9220) at scenegraph/svg_types.c:125
#57 0x000000000047c020 in gf_node_del (node=0x10f9220) at scenegraph/base_scenegraph.c:1909
#58 0x00000000004797a6 in gf_node_unregister (pNode=0x10f9220, parentNode=0x0) at scenegraph/base_scenegraph.c:761
#59 0x0000000000479423 in gf_node_try_destroy (sg=0x10ebe70, pNode=0x10f9220, parentNode=0x0) at scenegraph/base_scenegraph.c:667
#60 0x000000000047dac7 in gf_sg_command_del (com=0x10f8fd0) at scenegraph/commands.c:97
#61 0x00000000006a0b93 in gf_sm_au_del (sc=0x10f6470, au=0x10f85a0) at scene_manager/scene_manager.c:113
#62 0x00000000006a0c24 in gf_sm_reset_stream (sc=0x10f6470) at scene_manager/scene_manager.c:126
#63 0x00000000006a0c58 in gf_sm_delete_stream (sc=0x10f6470) at scene_manager/scene_manager.c:133
#64 0x00000000006a0d03 in gf_sm_del (ctx=0x10ec2a0) at scene_manager/scene_manager.c:147
#65 0x000000000041797b in dump_isom_scene (file=0x7fffffffe654 "free-gf_free/POC1", inName=0x7fffffffe64a "/dev/null", is_final_name=GF_TRUE, dump_mode=GF_SM_DUMP_BT, do_log=GF_FALSE, no_odf_conv=GF_FALSE) at filedump.c:216
#66 0x000000000041521f in mp4boxMain (argc=11, argv=0x7fffffffe2e8) at main.c:6044
#67 0x000000000041719b in main (argc=11, argv=0x7fffffffe2e8) at main.c:6496
#68 0x0000000000d09a40 in __libc_start_main ()
#69 0x000000000040211e in _start ()
pwndbg> 

jeanlf closed this as completed in 4e12157 on Jan 4, 2022
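What the backtrace actually shows is gf_free() being handed ptr=0x21 by gf_svg_delete_attribute_value() while tearing down a nested animation value: a small integer sitting in a pointer slot is passed to free(), and glibc's free+29 faults on `mov rax, [rdi - 8]` when it tries to read the chunk header at 0x19. The report does not show the root cause (the fix landed in 4e12157), so the following is an added illustration of that failure shape and is not GPAC code: a hypothetical tagged value whose payload is either a heap string or a scalar packed into the pointer slot, a destructor that frees the slot blindly beside one that dispatches on the tag, and a minimal tracking allocator that rejects an address it never handed out instead of letting libc dereference it. `anim_value`, `VT_STRING`, `VT_ENUM`, `tracked_alloc` and `tracked_free` are names made up for this example; the 0x21 payload is constructed to match the value in the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical tagged attribute value (a type tag plus one payload slot).
 * This models the shape of the bug, not GPAC's real SVG/SMIL structures. */
enum val_type {
    VT_STRING = 1,   /* payload is a heap-allocated string            */
    VT_ENUM   = 2    /* payload is a small integer packed in the slot */
};

struct anim_value {
    int   type;
    void *value;
};

/* Minimal tracking allocator: remembers every live allocation so that a
 * free() of an address it never handed out (such as 0x21) is rejected
 * before libc reads the chunk header at p - 8 and faults. */
#define MAX_LIVE 64
static void  *live[MAX_LIVE];
static size_t live_count;

void *tracked_alloc(size_t n)
{
    if (live_count == MAX_LIVE) return NULL;
    void *p = malloc(n);
    if (p) live[live_count++] = p;
    return p;
}

/* Returns 0 for NULL or a live pointer, -1 for anything it does not own. */
int tracked_free(void *p)
{
    if (!p) return 0;
    for (size_t i = 0; i < live_count; i++) {
        if (live[i] == p) {
            live[i] = live[--live_count];
            free(p);
            return 0;
        }
    }
    return -1;
}

/* Buggy destructor: frees the payload slot regardless of the tag, so a
 * packed scalar is handed to free() exactly like ptr=0x21 in the report. */
int delete_value_buggy(struct anim_value *v)
{
    int rc = tracked_free(v->value);
    v->value = NULL;
    return rc;
}

/* Hardened destructor: only tags whose payload is owned heap memory reach
 * free(); an unknown tag is refused rather than guessed at. */
int delete_value_fixed(struct anim_value *v)
{
    int rc;
    switch (v->type) {
    case VT_STRING: rc = tracked_free(v->value); break;
    case VT_ENUM:   rc = 0;  break;   /* scalar payload, nothing to release */
    default:        rc = -1; break;   /* unknown tag: do not touch the slot */
    }
    v->value = NULL;
    return rc;
}

/* Constructed input: one heap string and one packed enum, destroyed with
 * the given destructor. Returns the number of frees the tracker rejected. */
int run_demo(int (*destroy)(struct anim_value *))
{
    struct anim_value vals[2];
    vals[0].type  = VT_STRING;
    vals[0].value = tracked_alloc(8);
    if (!vals[0].value) return -1;
    strcpy((char *)vals[0].value, "anim");
    vals[1].type  = VT_ENUM;
    vals[1].value = (void *)(uintptr_t)0x21;   /* same bogus pointer as the report */

    int rejected = 0;
    for (size_t i = 0; i < 2; i++)
        if (destroy(&vals[i]) != 0) rejected++;
    return rejected;
}

int main(void)
{
    printf("buggy destructor: %d invalid free(s)\n", run_demo(delete_value_buggy));
    printf("fixed destructor: %d invalid free(s)\n", run_demo(delete_value_fixed));
    return 0;
}
```

The point of the tracker is triage, not mitigation: with plain glibc the first invalid free is a SIGSEGV inside free() with no hint of which caller passed the bad value, whereas a tracker reports the offending pointer and returns, which is what turns this crash into a one-line diagnosis. gf_free() itself lives in utils/alloc.c (frame #1), the same file that holds GPAC's optional allocation tracker, so re-running the command with MP4Box's -mem-track option is the natural first step before reaching for a debugger.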