Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

null pointer reference in libav #131

Open
jinyu00 opened this issue Jul 19, 2018 · 1 comment
Open

null pointer reference in libav #131

jinyu00 opened this issue Jul 19, 2018 · 1 comment

Comments

@jinyu00
Copy link

jinyu00 commented Jul 19, 2018

When open a crafted mp4 file, The program could be Segmentation fault

lsl@yhk-RH2485-V2:~/workplace/untrunc-master$ ./untrunc ~/pocs/untrunc_null_ptr_ref_poc 
Reading: /home/lsl/pocs/untrunc_null_ptr_ref_poc
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x2ebf1c0] Could not find codec parameters (Audio: [0][0][0][0] / 0x0000
      0 channels, 127 kb/s)
Input #0, mov,mp4,m4a,3gp,3g2,mj2, from '/home/lsl/pocs/untrunc_null_ptr_ref_poc':
  Metadata:
    major_brand     : isom
    minor_version   : 512
    compatible_brands: isomiso2mp41
    encoder         : Lavf56.40.101
  Duration: 00:00:00.04, start: 0.000000, bitrate: 257 kb/s
    Stream #0:0(und): Audio: [0][0][0][0] / 0x0000
      0 channels, 127 kb/s (default)
    Metadata:
      handler_name    : SoundHandler
Segmentation fault

Now let see in gdb


[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x1 
RCX: 0x1562940 --> 0x1561be8 --> 0x0 
RDX: 0x7ffff6f5c770 --> 0x1560e00 --> 0x0 
RSI: 0xffffffff 
RDI: 0x7fffffffde7f --> 0x7fffffffdff000 
RBP: 0x7fffffffdec0 --> 0x7fffffffdff0 --> 0x7fffffffe0e0 --> 0x7fffffffe180 --> 0x7fffffffe250 --> 0x0 
RSP: 0x7fffffffde50 --> 0x1565a00 --> 0xa4aa90 --> 0x44b1ba (<_ZN4AtomD2Ev>:	push   rbp)
RIP: 0x443a0a (<_ZN5Codec5parseEP4AtomRSt6vectorIiSaIiEES1_+126>:	mov    rax,QWORD PTR [rax])
R8 : 0x0 
R9 : 0x1560e10 --> 0x1562940 --> 0x1561be8 --> 0x0 
R10: 0x2 
R11: 0x7ffff6d24150 --> 0xfffda660fffda38f 
R12: 0x0 
R13: 0x0 
R14: 0x1 
R15: 0x0
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x4439fe <_ZN5Codec5parseEP4AtomRSt6vectorIiSaIiEES1_+114>:	mov    rdi,rax
   0x443a01 <_ZN5Codec5parseEP4AtomRSt6vectorIiSaIiEES1_+117>:	call   0x404500 <_ZNSaIcED1Ev@plt>
   0x443a06 <_ZN5Codec5parseEP4AtomRSt6vectorIiSaIiEES1_+122>:	mov    rax,QWORD PTR [rbp-0x28]
=> 0x443a0a <_ZN5Codec5parseEP4AtomRSt6vectorIiSaIiEES1_+126>:	mov    rax,QWORD PTR [rax]
   0x443a0d <_ZN5Codec5parseEP4AtomRSt6vectorIiSaIiEES1_+129>:	add    rax,0x28
   0x443a11 <_ZN5Codec5parseEP4AtomRSt6vectorIiSaIiEES1_+133>:	mov    rax,QWORD PTR [rax]
   0x443a14 <_ZN5Codec5parseEP4AtomRSt6vectorIiSaIiEES1_+136>:	mov    rdx,QWORD PTR [rbp-0x28]
   0x443a18 <_ZN5Codec5parseEP4AtomRSt6vectorIiSaIiEES1_+140>:	mov    esi,0x4
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffde50 --> 0x1565a00 --> 0xa4aa90 --> 0x44b1ba (<_ZN4AtomD2Ev>:	push   rbp)
0008| 0x7fffffffde58 --> 0x7fffffffe088 --> 0x1564110 --> 0x19f0000002c 
0016| 0x7fffffffde60 --> 0x1565b50 --> 0xa4aa90 --> 0x44b1ba (<_ZN4AtomD2Ev>:	push   rbp)
0024| 0x7fffffffde68 --> 0x7fffffffe050 --> 0x7ffff7792878 --> 0x0 
0032| 0x7fffffffde70 --> 0x7fffffffdea0 --> 0x0 
0040| 0x7fffffffde78 --> 0x1 
0048| 0x7fffffffde80 --> 0x7fffffffdff0 --> 0x7fffffffe0e0 --> 0x7fffffffe180 --> 0x7fffffffe250 --> 0x0 
0056| 0x7fffffffde88 --> 0x0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000000000443a0a in Codec::parse(Atom*, std::vector<int, std::allocator<int> >&, Atom*) ()
gdb-peda$ bt
#0  0x0000000000443a0a in Codec::parse(Atom*, std::vector<int, std::allocator<int> >&, Atom*) ()
#1  0x0000000000445565 in Track::parse(Atom*, Atom*) ()
#2  0x000000000045227e in Mp4::parseTracks() ()
#3  0x0000000000450a10 in Mp4::open(std::string) ()
#4  0x0000000000443512 in main ()
#5  0x00007ffff6bbbf45 in __libc_start_main (main=0x4432d3 <main>, argc=0x2, argv=0x7fffffffe338, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe328) at libc-start.c:287
#6  0x0000000000442400 in _start ()
gdb-peda$ 

Crash at 0x443a0a, the asm code are as below

mov    rax,QWORD PTR [rax]

and rax=0 , so null pointer reference

The vulnerability is in track.cpp


void Codec::parse(Atom *trak, vector<int> &offsets, Atom *mdat) {
	Atom *stsd = trak->atomByName("stsd");
	int entries = stsd->readInt(4);  // crash at there
	if(entries != 1)
		throw string("Multiplexed stream! Not supported");
    ..........................
    ..........................
    ..........................
}

From the debug session , I find that the following line tigger the vulnerability

int entries = stsd->readInt(4);  // crash at there

stsd obj is a null pointer , let's see in trak->atomByName

Atom *Atom::atomByName(std::string name) {
    for(unsigned int i = 0; i < children.size(); i++) {
        if(children[i]->name == name)
            return children[i];
        Atom *a = children[i]->atomByName(name);
        if(a) return a;
    }
    return NULL;
}

The function could return NULL, but Codec::parse don't consider it.

To fix it , may be only need to check the Atom::atomByName 's return value

The poc file

https://gitee.com/hac425/fuzz_data/blob/master/untrunc_null_ptr_ref_poc
@Hacklin
Copy link
Contributor

Hacklin commented Aug 5, 2018

There are several Maintenance: Pull Requests that address issues like this.
Let me know, if you have bugs like this null-pointer dereference with these Maintenance: patches.

Alternatively, you could use @anthwlock Untrunc repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants