Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

stack overflow in gf_node_get_name () at scenegraph/base_scenegraph.c:1293 #2027

Closed
3 tasks done
ZFeiXQ opened this issue Jan 3, 2022 · 0 comments
Closed
3 tasks done

Comments

@ZFeiXQ
Copy link

ZFeiXQ commented Jan 3, 2022

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

Version:

./MP4Box -version
MP4Box - GPAC version 1.1.0-DEV-rev1582-g94db9779c-master
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
	MINI build (encoders, decoders, audio and video output disabled)

Please cite our work in your research:
	GPAC Filters: https://doi.org/10.1145/3339825.3394929
	GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --static-mp4box --enable-debug --
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D 

command:

./bin/gcc/MP4Box -disox -ttxt -2 -dump-chap-ogg -dump-cover -drtp -bt -out /dev/null POC2

POC2.zip

Result

Segmentation fault.

bt

Program received signal SIGSEGV, Segmentation fault.
0x000000000047aa77 in gf_node_get_name (p=0x4747474747474747) at scenegraph/base_scenegraph.c:1293
1293		if (!p || !(p->sgprivate->flags & GF_NODE_IS_DEF)) return NULL;
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
──────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]───────────────────────────────────────────────────────────────────────────────────────────────────
 RAX  0x4747474747474747 ('GGGGGGGG')
 RBX  0x400788 ◂— 0x0
 RCX  0x474747 (gf_xml_parse_bit_sequence_bs+486) ◂— sti    
 RDX  0x7
 RDI  0x4747474747474747 ('GGGGGGGG')
 RSI  0x10fd740 ◂— 0x47474747474747 /* 'GGGGGGG' */
 R8   0x10fc550 —▸ 0x10fce00 —▸ 0x10eccb0 ◂— 0x0
 R9   0x2
 R10  0x0
 R11  0x0
 R12  0xd0a2b0 (__libc_csu_fini) ◂— endbr64 
 R13  0x0
 R14  0x10a6018 (_GLOBAL_OFFSET_TABLE_+24) —▸ 0xd80db0 (__memmove_avx_unaligned_erms) ◂— endbr64 
 R15  0x0
 RBP  0x7fffffff8100 —▸ 0x7fffffff85d0 ◂— 0x4747474747474747 ('GGGGGGGG')
 RSP  0x7fffffff8100 —▸ 0x7fffffff85d0 ◂— 0x4747474747474747 ('GGGGGGGG')
 RIP  0x47aa77 (gf_node_get_name+23) ◂— mov    rax, qword ptr [rax]
────────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]────────────────────────────────────────────────────────────────────────────────────────────────────
 ► 0x47aa77 <gf_node_get_name+23>    mov    rax, qword ptr [rax]
   0x47aa7a <gf_node_get_name+26>    mov    eax, dword ptr [rax + 4]
   0x47aa7d <gf_node_get_name+29>    test   eax, eax
   0x47aa7f <gf_node_get_name+31>    js     gf_node_get_name+40                      <gf_node_get_name+40>
    ↓
   0x47aa88 <gf_node_get_name+40>    mov    rax, qword ptr [rbp - 0x18]
   0x47aa8c <gf_node_get_name+44>    mov    rax, qword ptr [rax]
   0x47aa8f <gf_node_get_name+47>    mov    rax, qword ptr [rax + 8]
   0x47aa93 <gf_node_get_name+51>    mov    qword ptr [rbp - 0x10], rax
   0x47aa97 <gf_node_get_name+55>    mov    rax, qword ptr [rbp - 0x10]
   0x47aa9b <gf_node_get_name+59>    mov    rax, qword ptr [rax + 0xf0]
   0x47aaa2 <gf_node_get_name+66>    cmp    qword ptr [rbp - 0x18], rax
────────────────────────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]─────────────────────────────────────────────────────────────────────────────────────────────────
In file: /home/zxq/CVE_testing/source/gpac/src/scenegraph/base_scenegraph.c
   1288 GF_EXPORT
   1289 const char *gf_node_get_name(GF_Node*p)
   1290 {
   1291 	GF_SceneGraph *sg;
   1292 	NodeIDedItem *reg_node;
 ► 1293 	if (!p || !(p->sgprivate->flags & GF_NODE_IS_DEF)) return NULL;
   1294 
   1295 	sg = p->sgprivate->scenegraph;
   1296 #ifndef GPAC_DISABLE_VRML
   1297 	/*if this is a proto, look in parent graph*/
   1298 	if (p == (GF_Node*)sg->pOwningProto) sg = sg->parent_scene;
────────────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────────────────────────────────────────────────────
00:0000│ rbp rsp 0x7fffffff8100 —▸ 0x7fffffff85d0 ◂— 0x4747474747474747 ('GGGGGGGG')
01:0008│         0x7fffffff8108 —▸ 0x6e1eee (gf_dump_vrml_route+415) ◂— mov    qword ptr [rbp - 0x488], rax
02:0010│         0x7fffffff8110 —▸ 0x10f9bc0 ◂— 0x333
03:0018│         0x7fffffff8118 ◂— 0x10
04:0020│         0x7fffffff8120 —▸ 0x7fffffff8610 ◂— 0x4747474747474747 ('GGGGGGGG')
05:0028│         0x7fffffff8128 —▸ 0x10f75f0 —▸ 0x10eccb0 ◂— 0x0
06:0030│         0x7fffffff8130 —▸ 0xdba6f0 (funlockfile) ◂— endbr64 
07:0038│         0x7fffffff8138 ◂— 0x1
──────────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────────────────────────────────────────────────────
 ► f 0         0x47aa77 gf_node_get_name+23
   f 1         0x6e1eee gf_dump_vrml_route+415
   f 2 0x4747474747474747
   f 3 0x4747474747474747
   f 4 0x4747474747474747
   f 5 0x4747474747474747
   f 6 0x4747474747474747
   f 7 0x4747474747474747
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0  0x000000000047aa77 in gf_node_get_name (p=0x4747474747474747) at scenegraph/base_scenegraph.c:1293
#1  0x00000000006e1eee in gf_dump_vrml_route (sdump=0x10f75f0, r=0x7fffffff8610, dump_type=0) at scene_manager/scene_dump.c:2344
#2  0x4747474747474747 in ?? ()
#3  0x4747474747474747 in ?? ()
#4  0x4747474747474747 in ?? ()
#5  0x4747474747474747 in ?? ()
#6  0x4747474747474747 in ?? ()
#7  0x4747474747474747 in ?? ()
#8  0x4747474747474747 in ?? ()
#9  0x4747474747474747 in ?? ()
#10 0x4747474747474747 in ?? ()
#11 0x4747474747474747 in ?? ()
#12 0x4747474747474747 in ?? ()
#13 0x4747474747474747 in ?? ()
#14 0x4747474747474747 in ?? ()
#15 0x4747474747474747 in ?? ()
#16 0x4747474747474747 in ?? ()
#17 0x4747474747474747 in ?? ()
#18 0x4747474747474747 in ?? ()
#19 0x4747474747474747 in ?? ()
#20 0x4747474747474747 in ?? ()
#21 0x4747474747474747 in ?? ()
#22 0x4747474747474747 in ?? ()
#23 0x4747474747474747 in ?? ()
#24 0x4747474747474747 in ?? ()
#25 0x4747474747474747 in ?? ()
#26 0x4747474747474747 in ?? ()
#27 0x4747474747474747 in ?? ()
#28 0x4747474747474747 in ?? ()
#29 0x4747474747474747 in ?? ()
#30 0x4747474747474747 in ?? ()
#31 0x4747474747474747 in ?? ()
#32 0x4747474747474747 in ?? ()
#33 0x4747474747474747 in ?? ()
#34 0x4747474747474747 in ?? ()
#35 0x4747474747474747 in ?? ()
#36 0x4747474747474747 in ?? ()
#37 0x4747474747474747 in ?? ()
#38 0x4747474747474747 in ?? ()
#39 0x4747474747474747 in ?? ()
#40 0x4747474747474747 in ?? ()
#41 0x4747474747474747 in ?? ()
#42 0x4747474747474747 in ?? ()
#43 0x4747474747474747 in ?? ()
#44 0x4747474747474747 in ?? ()
#45 0x4747474747474747 in ?? ()
#46 0x4747474747474747 in ?? ()
#47 0x4747474747474747 in ?? ()
#48 0x4747474747474747 in ?? ()
#49 0x4747474747474747 in ?? ()
#50 0x4747474747474747 in ?? ()
#51 0x4747474747474747 in ?? ()
#52 0x4747474747474747 in ?? ()
#53 0x4747474747474747 in ?? ()
#54 0x4747474747474747 in ?? ()
#55 0x47474747ef474747 in ?? ()
#56 0x4747474747474747 in ?? ()
#57 0x4747474747474747 in ?? ()
#58 0x4747474747474747 in ?? ()
#59 0x0047474747474747 in ?? ()
#60 0x868bc44dfe5d4600 in ?? ()
#61 0x00007fffffff98b0 in ?? ()
#62 0x0000000000417966 in dump_isom_scene (file=<error reading variable: Cannot access memory at address 0x474747474747366f>, inName=<error reading variable: Cannot access memory at address 0x4747474747473667>, is_final_name=<error reading variable: Cannot access memory at address 0x4747474747473663>, dump_mode=<error reading variable: Cannot access memory at address 0x474747474747365f>, do_log=<error reading variable: Cannot access memory at address 0x474747474747365b>, no_odf_conv=<error reading variable: Cannot access memory at address 0x4747474747473657>) at filedump.c:213
Backtrace stopped: Cannot access memory at address 0x474747474747474f


@jeanlf jeanlf closed this as completed in 4b9736a Jan 4, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant