Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2021-46046: Untrusted pointer dereference in gf_isom_box_size () · Issue #2005 · gpac/gpac

A Pointer Derefernce Vulnerbility exists GPAC 1.0.1 the gf_isom_box_size function, which could cause a Denial of Service (context-dependent).

CVE
Open in Source
#linux#dos#js#git

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

  • [Yes ] I looked for a similar issue and couldn’t find any.
  • [ Yes] I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
  • [ Yes] I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line …). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

Version:

./MP4Box -version
MP4Box - GPAC version 1.1.0-DEV-rev1574-g8b22f0912-master
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
 GPAC Filters: https://doi.org/10.1145/3339825.3394929
 GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: 
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB

command:

./bin/gcc/MP4Box -hint POC8

POC8.zip

Result

bt

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff78fa0da in gf_isom_box_size () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
[ REGISTERS ]
 RAX  0x5b47555e0072
 RBX  0x5b47555e0072
 RCX  0x0
 RDX  0x0
 RDI  0x5b47555e0072
 RSI  0x2
 R8   0x0
 R9   0x7fffffff7f80 ◂— 0x2
 R10  0x7ffff76d4546 ◂— 'gf_list_insert'
 R11  0x7ffff7773a80 (gf_list_insert) ◂— endbr64 
 R12  0x5555555db580 —▸ 0x5555555e2740 —▸ 0x5555555db330 ◂— 0x6d766864 /* 'dhvm' */
 R13  0x5555555e2600 ◂— 0x6d6f6f76 /* 'voom' */
 R14  0x6
 R15  0x0
 RBP  0x2
 RSP  0x7fffffff7f80 ◂— 0x2
 RIP  0x7ffff78fa0da (gf_isom_box_size+10) ◂— mov    rax, qword ptr [rdi + 0x10]
[ DISASM ]
 ► 0x7ffff78fa0da <gf_isom_box_size+10>    mov    rax, qword ptr [rdi + 0x10]
   0x7ffff78fa0de <gf_isom_box_size+14>    mov    rbp, rdi
   0x7ffff78fa0e1 <gf_isom_box_size+17>    mov    edx, dword ptr [rax + 0x58]
   0x7ffff78fa0e4 <gf_isom_box_size+20>    test   edx, edx
   0x7ffff78fa0e6 <gf_isom_box_size+22>    je     gf_isom_box_size+40                <gf_isom_box_size+40>
    ↓
   0x7ffff78fa0f8 <gf_isom_box_size+40>    cmp    dword ptr [rdi], 0x75756964
   0x7ffff78fa0fe <gf_isom_box_size+46>    mov    qword ptr [rdi + 8], 8
   0x7ffff78fa106 <gf_isom_box_size+54>    mov    edx, 0xc
   0x7ffff78fa10b <gf_isom_box_size+59>    jne    gf_isom_box_size+74                <gf_isom_box_size+74>
    ↓
   0x7ffff78fa11a <gf_isom_box_size+74>    cmp    byte ptr [rax + 0x3c], 0
   0x7ffff78fa11e <gf_isom_box_size+78>    je     gf_isom_box_size+84                <gf_isom_box_size+84>
[ STACK ]
00:0000│ r9 rsp 0x7fffffff7f80 ◂— 0x2
01:0008│        0x7fffffff7f88 —▸ 0x7ffff78fa19a (gf_isom_box_array_size+74) ◂— mov    r15d, eax
02:0010│        0x7fffffff7f90 ◂— 0x400000000
03:0018│        0x7fffffff7f98 —▸ 0x5555555da950 ◂— 0x0
04:0020│        0x7fffffff7fa0 —▸ 0x5555555df7a0 —▸ 0x5555555e61c0 ◂— 0xfbad2480
05:0028│        0x7fffffff7fa8 ◂— 0x0
06:0030│        0x7fffffff7fb0 —▸ 0x7fffffff8480 ◂— 0x5f2
07:0038│        0x7fffffff7fb8 —▸ 0x7fffffff8490 ◂— 0x0
[ BACKTRACE ]
 ► f 0   0x7ffff78fa0da gf_isom_box_size+10
   f 1   0x7ffff78fa19a gf_isom_box_array_size+74
   f 2   0x7ffff7910e8d inplace_shift_mdat+813
   f 3   0x7ffff791549c WriteToFile+3884
   f 4   0x7ffff7906432 gf_isom_write+370
   f 5   0x7ffff79064b8 gf_isom_close+24
   f 6   0x55555557bd12 mp4boxMain+7410
   f 7   0x7ffff74dc0b3 __libc_start_main+243

pwndbg> bt
#0  0x00007ffff78fa0da in gf_isom_box_size () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#1  0x00007ffff78fa19a in gf_isom_box_array_size () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#2  0x00007ffff7910e8d in inplace_shift_mdat () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#3  0x00007ffff791549c in WriteToFile () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#4  0x00007ffff7906432 in gf_isom_write () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#5  0x00007ffff79064b8 in gf_isom_close () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#6  0x000055555557bd12 in mp4boxMain ()
#7  0x00007ffff74dc0b3 in __libc_start_main (main=0x55555556d420 <main>, argc=3, argv=0x7fffffffe318, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe308) at ../csu/libc-start.c:308
#8  0x000055555556d45e in _start ()

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE