Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
When open a crafted mp4 file, The program could be Segmentation fault
mp4
Segmentation fault
lsl@yhk-RH2485-V2:~/workplace/untrunc-master$ ./untrunc ~/pocs/untrunc_null_ptr_ref_poc Reading: /home/lsl/pocs/untrunc_null_ptr_ref_poc [mov,mp4,m4a,3gp,3g2,mj2 @ 0x2ebf1c0] Could not find codec parameters (Audio: [0][0][0][0] / 0x0000 0 channels, 127 kb/s) Input #0, mov,mp4,m4a,3gp,3g2,mj2, from '/home/lsl/pocs/untrunc_null_ptr_ref_poc': Metadata: major_brand : isom minor_version : 512 compatible_brands: isomiso2mp41 encoder : Lavf56.40.101 Duration: 00:00:00.04, start: 0.000000, bitrate: 257 kb/s Stream #0:0(und): Audio: [0][0][0][0] / 0x0000 0 channels, 127 kb/s (default) Metadata: handler_name : SoundHandler Segmentation fault
Now let see in gdb
[----------------------------------registers-----------------------------------] RAX: 0x0 RBX: 0x1 RCX: 0x1562940 --> 0x1561be8 --> 0x0 RDX: 0x7ffff6f5c770 --> 0x1560e00 --> 0x0 RSI: 0xffffffff RDI: 0x7fffffffde7f --> 0x7fffffffdff000 RBP: 0x7fffffffdec0 --> 0x7fffffffdff0 --> 0x7fffffffe0e0 --> 0x7fffffffe180 --> 0x7fffffffe250 --> 0x0 RSP: 0x7fffffffde50 --> 0x1565a00 --> 0xa4aa90 --> 0x44b1ba (<_ZN4AtomD2Ev>: push rbp) RIP: 0x443a0a (<_ZN5Codec5parseEP4AtomRSt6vectorIiSaIiEES1_+126>: mov rax,QWORD PTR [rax]) R8 : 0x0 R9 : 0x1560e10 --> 0x1562940 --> 0x1561be8 --> 0x0 R10: 0x2 R11: 0x7ffff6d24150 --> 0xfffda660fffda38f R12: 0x0 R13: 0x0 R14: 0x1 R15: 0x0 EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow) [-------------------------------------code-------------------------------------] 0x4439fe <_ZN5Codec5parseEP4AtomRSt6vectorIiSaIiEES1_+114>: mov rdi,rax 0x443a01 <_ZN5Codec5parseEP4AtomRSt6vectorIiSaIiEES1_+117>: call 0x404500 <_ZNSaIcED1Ev@plt> 0x443a06 <_ZN5Codec5parseEP4AtomRSt6vectorIiSaIiEES1_+122>: mov rax,QWORD PTR [rbp-0x28] => 0x443a0a <_ZN5Codec5parseEP4AtomRSt6vectorIiSaIiEES1_+126>: mov rax,QWORD PTR [rax] 0x443a0d <_ZN5Codec5parseEP4AtomRSt6vectorIiSaIiEES1_+129>: add rax,0x28 0x443a11 <_ZN5Codec5parseEP4AtomRSt6vectorIiSaIiEES1_+133>: mov rax,QWORD PTR [rax] 0x443a14 <_ZN5Codec5parseEP4AtomRSt6vectorIiSaIiEES1_+136>: mov rdx,QWORD PTR [rbp-0x28] 0x443a18 <_ZN5Codec5parseEP4AtomRSt6vectorIiSaIiEES1_+140>: mov esi,0x4 [------------------------------------stack-------------------------------------] 0000| 0x7fffffffde50 --> 0x1565a00 --> 0xa4aa90 --> 0x44b1ba (<_ZN4AtomD2Ev>: push rbp) 0008| 0x7fffffffde58 --> 0x7fffffffe088 --> 0x1564110 --> 0x19f0000002c 0016| 0x7fffffffde60 --> 0x1565b50 --> 0xa4aa90 --> 0x44b1ba (<_ZN4AtomD2Ev>: push rbp) 0024| 0x7fffffffde68 --> 0x7fffffffe050 --> 0x7ffff7792878 --> 0x0 0032| 0x7fffffffde70 --> 0x7fffffffdea0 --> 0x0 0040| 0x7fffffffde78 --> 0x1 0048| 0x7fffffffde80 --> 0x7fffffffdff0 --> 0x7fffffffe0e0 --> 0x7fffffffe180 --> 0x7fffffffe250 --> 0x0 0056| 0x7fffffffde88 --> 0x0 [------------------------------------------------------------------------------] Legend: code, data, rodata, value Stopped reason: SIGSEGV 0x0000000000443a0a in Codec::parse(Atom*, std::vector<int, std::allocator<int> >&, Atom*) () gdb-peda$ bt #0 0x0000000000443a0a in Codec::parse(Atom*, std::vector<int, std::allocator<int> >&, Atom*) () #1 0x0000000000445565 in Track::parse(Atom*, Atom*) () #2 0x000000000045227e in Mp4::parseTracks() () #3 0x0000000000450a10 in Mp4::open(std::string) () #4 0x0000000000443512 in main () #5 0x00007ffff6bbbf45 in __libc_start_main (main=0x4432d3 <main>, argc=0x2, argv=0x7fffffffe338, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe328) at libc-start.c:287 #6 0x0000000000442400 in _start () gdb-peda$
Crash at 0x443a0a, the asm code are as below
0x443a0a
mov rax,QWORD PTR [rax]
and rax=0 , so null pointer reference
rax=0
The vulnerability is in track.cpp
void Codec::parse(Atom *trak, vector<int> &offsets, Atom *mdat) { Atom *stsd = trak->atomByName("stsd"); int entries = stsd->readInt(4); // crash at there if(entries != 1) throw string("Multiplexed stream! Not supported"); .......................... .......................... .......................... }
From the debug session , I find that the following line tigger the vulnerability
int entries = stsd->readInt(4); // crash at there
stsd obj is a null pointer , let's see in trak->atomByName
stsd
trak->atomByName
Atom *Atom::atomByName(std::string name) { for(unsigned int i = 0; i < children.size(); i++) { if(children[i]->name == name) return children[i]; Atom *a = children[i]->atomByName(name); if(a) return a; } return NULL; }
The function could return NULL, but Codec::parse don't consider it.
NULL
Codec::parse
To fix it , may be only need to check the Atom::atomByName 's return value
Atom::atomByName
The poc file
poc
https://gitee.com/hac425/fuzz_data/blob/master/untrunc_null_ptr_ref_poc
The text was updated successfully, but these errors were encountered:
There are several Maintenance: Pull Requests that address issues like this. Let me know, if you have bugs like this null-pointer dereference with these Maintenance: patches.
Maintenance:
Alternatively, you could use @anthwlock Untrunc repository.
Sorry, something went wrong.
No branches or pull requests
When open a crafted
mp4file, The program could beSegmentation faultNow let see in gdb
Crash at
0x443a0a, the asm code are as belowand
rax=0, so null pointer referenceThe vulnerability is in track.cpp
From the debug session , I find that the following line tigger the vulnerability
stsdobj is a null pointer , let's see intrak->atomByNameThe function could return
NULL, butCodec::parsedon't consider it.To fix it , may be only need to check the
Atom::atomByName's return valueThe
pocfileThe text was updated successfully, but these errors were encountered: