Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Null Pointer Dereference in gf_sg_destroy_routes()at scenegraph/vrml_route.c:126 #2038

Closed
3 tasks done
ZFeiXQ opened this issue Jan 9, 2022 · 0 comments
Closed
3 tasks done

Comments

@ZFeiXQ
Copy link

ZFeiXQ commented Jan 9, 2022

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

Version:

./MP4Box -version
MP4Box - GPAC version 1.1.0-DEV-rev1615-g9ce097b4a-master

command:

./bin/gcc/MP4Box -svg POC1

POC1.zip

Result

Segmentation fault

bt

Program received signal SIGSEGV, Segmentation fault.
0x00000000004e9a35 in gf_sg_destroy_routes (sg=0x10f0c30) at scenegraph/vrml_route.c:126
126                     if (r->name) gf_free(r->name);
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
──────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]──────────────────────────────────────────────────────────────────────────────────────────────────
 RAX  0x0
 RBX  0x400788 ◂— 0x0
 RCX  0x10febd8 —▸ 0x1102210 ◂— 0x100
 RDX  0x0
 RDI  0x10f0ec0 ◂— 0x0
 RSI  0x0
 R8   0xffffffffffffffe0
 R9   0x0
 R10  0x10febf8 ◂— 0x0
 R11  0x10fea60 —▸ 0x10e2210 ◂— 0x6000500040007
 R12  0xd0de10 (__libc_csu_fini) ◂— endbr64 
 R13  0x0
 R14  0x10aa018 (_GLOBAL_OFFSET_TABLE_+24) —▸ 0xd84910 (__memmove_avx_unaligned_erms) ◂— endbr64 
 R15  0x0
 RBP  0x7fffffff8710 —▸ 0x7fffffff87b0 —▸ 0x7fffffff87d0 —▸ 0x7fffffff98d0 —▸ 0x7fffffffe170 ◂— ...
 RSP  0x7fffffff86f0 —▸ 0x7fffffff8710 —▸ 0x7fffffff87b0 —▸ 0x7fffffff87d0 —▸ 0x7fffffff98d0 ◂— ...
 RIP  0x4e9a35 (gf_sg_destroy_routes+93) ◂— mov    rax, qword ptr [rax + 8]
───────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]────────────────────────────────────────────────────────────────────────────────────────────────────
 ► 0x4e9a35 <gf_sg_destroy_routes+93>     mov    rax, qword ptr [rax + 8]
   0x4e9a39 <gf_sg_destroy_routes+97>     test   rax, rax
   0x4e9a3c <gf_sg_destroy_routes+100>    je     gf_sg_destroy_routes+118                      <gf_sg_destroy_routes+118>
    ↓
   0x4e9a4e <gf_sg_destroy_routes+118>    mov    rax, qword ptr [rbp - 8]
   0x4e9a52 <gf_sg_destroy_routes+122>    mov    rdi, rax
   0x4e9a55 <gf_sg_destroy_routes+125>    call   gf_free                      <gf_free>
 
   0x4e9a5a <gf_sg_destroy_routes+130>    mov    rax, qword ptr [rbp - 0x18]
   0x4e9a5e <gf_sg_destroy_routes+134>    mov    rax, qword ptr [rax + 0x110]
   0x4e9a65 <gf_sg_destroy_routes+141>    mov    rdi, rax
   0x4e9a68 <gf_sg_destroy_routes+144>    call   gf_list_count                      <gf_list_count>
 
   0x4e9a6d <gf_sg_destroy_routes+149>    test   eax, eax
────────────────────────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]────────────────────────────────────────────────────────────────────────────────────────────────
In file: /home/zxq/CVE_testing/source/gpac/src/scenegraph/vrml_route.c
   121 {
   122  while (gf_list_count(sg->routes_to_destroy) ) {
   123          GF_Route *r = (GF_Route *)gf_list_get(sg->routes_to_destroy, 0);
   124          gf_list_rem(sg->routes_to_destroy, 0);
   125          gf_sg_route_unqueue(sg, r);
 ► 126          if (r->name) gf_free(r->name);
   127          gf_free(r);
   128  }
   129 }
   130 
   131 
────────────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]────────────────────────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffff86f0 —▸ 0x7fffffff8710 —▸ 0x7fffffff87b0 —▸ 0x7fffffff87d0 —▸ 0x7fffffff98d0 ◂— ...
01:0008│     0x7fffffff86f8 —▸ 0x10f0c30 ◂— 0x0
02:0010│     0x7fffffff8700 ◂— 0x0
03:0018│     0x7fffffff8708 ◂— 0x0
04:0020│ rbp 0x7fffffff8710 —▸ 0x7fffffff87b0 —▸ 0x7fffffff87d0 —▸ 0x7fffffff98d0 —▸ 0x7fffffffe170 ◂— ...
05:0028│     0x7fffffff8718 —▸ 0x47a183 (gf_sg_reset+1350) ◂— mov    rax, qword ptr [rbp - 0x88]
06:0030│     0x7fffffff8720 ◂— 0x0
07:0038│     0x7fffffff8728 —▸ 0x10f0c30 ◂— 0x0
──────────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────────────────────────────────────────────────────────────────
 ► f 0         0x4e9a35 gf_sg_destroy_routes+93
   f 1         0x47a183 gf_sg_reset+1350
   f 2         0x479aa5 gf_sg_del+94
   f 3         0x41827d dump_isom_scene+1265
   f 4         0x415b12 mp4boxMain+6395
   f 5         0x417a8e main+36
   f 6         0xd0d5a0 __libc_start_main+1168
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0  0x00000000004e9a35 in gf_sg_destroy_routes (sg=0x10f0c30) at scenegraph/vrml_route.c:126
#1  0x000000000047a183 in gf_sg_reset (sg=0x10f0c30) at scenegraph/base_scenegraph.c:502
#2  0x0000000000479aa5 in gf_sg_del (sg=0x10f0c30) at scenegraph/base_scenegraph.c:162
#3  0x000000000041827d in dump_isom_scene (file=0x7fffffffe5cc "gf_sg_destroy_routes-gf_sg_reset/id:000578,sig:11,src:008408+008855,op:splice,rep:8", inName=0x10de4a0 <outfile> "gf_sg_destroy_routes-gf_sg_reset/id:000578,sig:11,src:008408+008855,op:splice,rep:8", is_final_name=GF_FALSE, dump_mode=GF_SM_DUMP_SVG, do_log=GF_FALSE, no_odf_conv=GF_FALSE) at filedump.c:217
#4  0x0000000000415b12 in mp4boxMain (argc=3, argv=0x7fffffffe2c8) at main.c:6140
#5  0x0000000000417a8e in main (argc=3, argv=0x7fffffffe2c8) at main.c:6592
#6  0x0000000000d0d5a0 in __libc_start_main ()
#7  0x000000000040211e in _start ()
@jeanlf jeanlf closed this as completed in ad19e0c Jan 11, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant