In api.rb in Sidekiq before 5.2.10 and 6.4.0, there is no limit on the number of days when requesting stats for the graph. This overloads the system, affecting the Web UI, and makes it unavailable to users.

Hi @mperham

I have a question regarding this commit. Is it possible to backport it to 6.2/6.3 version branches as well?

Name: sidekiq  
Version: 6.2.2  
CVE: CVE-2022-23837  
GHSA: GHSA-jrfj-98qg-qjgv  
Criticality: High  
URL: 7785ac1  
Title: Denial of service in sidekiq  
Solution: upgrade to >= 6.4.0, ~> 5.2.10

2 major versions upgrade just to get the CVE patch makes it a bit inconvenient.

CVE-2022-23837: Validate `days` parameter to avoid possible DoS in Web UI · sidekiq/sidekiq@7785ac1

The binary MP4Box in GPAC v1.0.1 was discovered to contain a segmentation fault via the function __memmove_avx_unaligned_erms (). This vulnerability can lead to a Denial of Service (DoS).

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Version:**

    ./MP4Box -version
    MP4Box - GPAC version 1.1.0-DEV-rev1615-g9ce097b4a-master
    
    

**command:**

    ./bin/gcc/MP4Box -bt POC2
    

POC2.zip

**Result**

**bt**

    Program received signal SIGSEGV, Segmentation fault.
    0x0000000000d84a84 in __memmove_avx_unaligned_erms ()
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ───────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────────────────────────────────────────
     RAX  0x1100d60 ◂— 0x0
     RBX  0x400788 ◂— 0x0
     RCX  0x1100d68 ◂— 0x61 /* 'a' */
     RDX  0x8802ff8
     RDI  0x1100d60 ◂— 0x0
     RSI  0x1100d68 ◂— 0x61 /* 'a' */
     R8   0x4
     R9   0x1103bd0 ◂— 0x4e0
     R10  0x1104918 ◂— 0x0
     R11  0x11040e0 —▸ 0x11010c0 —▸ 0x1101010 —▸ 0x1100ec0 —▸ 0x1103180 ◂— ...
     R12  0xd0de10 (__libc_csu_fini) ◂— endbr64 
     R13  0x0
     R14  0x10aa018 (_GLOBAL_OFFSET_TABLE_+24) —▸ 0xd84910 (__memmove_avx_unaligned_erms) ◂— endbr64 
     R15  0x0
     RBP  0x7fffffff8620 —▸ 0x7fffffff8690 —▸ 0x7fffffff86e0 —▸ 0x7fffffff87b0 —▸ 0x7fffffff87d0 ◂— ...
     RSP  0x7fffffff85f8 —▸ 0x445aa6 (gf_list_rem+164) ◂— mov    rax, qword ptr [rbp - 0x18]
     RIP  0xd84a84 (__memmove_avx_unaligned_erms+372) ◂— vmovdqu ymm5, ymmword ptr [rsi + rdx - 0x20]
    ─────────────────────────────────────────────────────────────────────────────────────[ DISASM ]─────────────────────────────────────────────────────────────────────────────────────
     ► 0xd84a84 <__memmove_avx_unaligned_erms+372>    vmovdqu ymm5, ymmword ptr [rsi + rdx - 0x20]
       0xd84a8a <__memmove_avx_unaligned_erms+378>    vmovdqu ymm6, ymmword ptr [rsi + rdx - 0x40]
       0xd84a90 <__memmove_avx_unaligned_erms+384>    vmovdqu ymm7, ymmword ptr [rsi + rdx - 0x60]
       0xd84a96 <__memmove_avx_unaligned_erms+390>    vmovdqu ymm8, ymmword ptr [rsi + rdx - 0x80]
       0xd84a9c <__memmove_avx_unaligned_erms+396>    mov    r11, rdi
       0xd84a9f <__memmove_avx_unaligned_erms+399>    lea    rcx, [rdi + rdx - 0x20]
       0xd84aa4 <__memmove_avx_unaligned_erms+404>    mov    r8, rdi
       0xd84aa7 <__memmove_avx_unaligned_erms+407>    and    r8, 0x1f
       0xd84aab <__memmove_avx_unaligned_erms+411>    sub    r8, 0x20
       0xd84aaf <__memmove_avx_unaligned_erms+415>    sub    rsi, r8
       0xd84ab2 <__memmove_avx_unaligned_erms+418>    sub    rdi, r8
    ─────────────────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff85f8 —▸ 0x445aa6 (gf_list_rem+164) ◂— mov    rax, qword ptr [rbp - 0x18]
    01:0008│     0x7fffffff8600 ◂— 0xffff8620
    02:0010│     0x7fffffff8608 —▸ 0x1100710 —▸ 0x1100d60 ◂— 0x0
    03:0018│     0x7fffffff8610 —▸ 0x56df73 (BM_EndOfStream) ◂— endbr64 
    04:0020│     0x7fffffff8618 ◂— 0x11005ff01100710
    05:0028│ rbp 0x7fffffff8620 —▸ 0x7fffffff8690 —▸ 0x7fffffff86e0 —▸ 0x7fffffff87b0 —▸ 0x7fffffff87d0 ◂— ...
    06:0030│     0x7fffffff8628 —▸ 0x56e0ea (gf_bifs_flush_command_list+350) ◂— mov    rax, qword ptr [rbp - 0x18]
    07:0038│     0x7fffffff8630 —▸ 0x7fffffff8670 —▸ 0x10eef50 —▸ 0x1101320 —▸ 0x10ef5b0 ◂— ...
    ───────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────────────────
     ► f 0         0xd84a84 __memmove_avx_unaligned_erms+372
       f 1         0x445aa6 gf_list_rem+164
       f 2         0x56e0ea gf_bifs_flush_command_list+350
       f 3         0x56e3fb gf_bifs_decode_command_list+340
       f 4         0x6c0631 gf_sm_load_run_isom+1994
       f 5         0x6a45a1 gf_sm_load_run+46
       f 6         0x418161 dump_isom_scene+981
       f 7         0x415b12 mp4boxMain+6395
    ─────────────────────────────────────────────────────────

CVE-2021-46313: A segmentation fault in MP4Box · Issue #2039 · gpac/gpac

A NULL pointer dereference vulnerability exists in GPAC v1.1.0 via the function gf_sg_destroy_routes () at scenegraph/vrml_route.c. This vulnerability can lead to a Denial of Service (DoS).

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Version:**

    ./MP4Box -version
    MP4Box - GPAC version 1.1.0-DEV-rev1615-g9ce097b4a-master
    
    

**command:**

    ./bin/gcc/MP4Box -svg POC1
    

POC1.zip

**Result**

**bt**

    Program received signal SIGSEGV, Segmentation fault.
    0x00000000004e9a35 in gf_sg_destroy_routes (sg=0x10f0c30) at scenegraph/vrml_route.c:126
    126                     if (r->name) gf_free(r->name);
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ──────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]──────────────────────────────────────────────────────────────────────────────────────────────────
     RAX  0x0
     RBX  0x400788 ◂— 0x0
     RCX  0x10febd8 —▸ 0x1102210 ◂— 0x100
     RDX  0x0
     RDI  0x10f0ec0 ◂— 0x0
     RSI  0x0
     R8   0xffffffffffffffe0
     R9   0x0
     R10  0x10febf8 ◂— 0x0
     R11  0x10fea60 —▸ 0x10e2210 ◂— 0x6000500040007
     R12  0xd0de10 (__libc_csu_fini) ◂— endbr64 
     R13  0x0
     R14  0x10aa018 (_GLOBAL_OFFSET_TABLE_+24) —▸ 0xd84910 (__memmove_avx_unaligned_erms) ◂— endbr64 
     R15  0x0
     RBP  0x7fffffff8710 —▸ 0x7fffffff87b0 —▸ 0x7fffffff87d0 —▸ 0x7fffffff98d0 —▸ 0x7fffffffe170 ◂— ...
     RSP  0x7fffffff86f0 —▸ 0x7fffffff8710 —▸ 0x7fffffff87b0 —▸ 0x7fffffff87d0 —▸ 0x7fffffff98d0 ◂— ...
     RIP  0x4e9a35 (gf_sg_destroy_routes+93) ◂— mov    rax, qword ptr [rax + 8]
    ───────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]────────────────────────────────────────────────────────────────────────────────────────────────────
     ► 0x4e9a35 <gf_sg_destroy_routes+93>     mov    rax, qword ptr [rax + 8]
       0x4e9a39 <gf_sg_destroy_routes+97>     test   rax, rax
       0x4e9a3c <gf_sg_destroy_routes+100>    je     gf_sg_destroy_routes+118                      <gf_sg_destroy_routes+118>
        ↓
       0x4e9a4e <gf_sg_destroy_routes+118>    mov    rax, qword ptr [rbp - 8]
       0x4e9a52 <gf_sg_destroy_routes+122>    mov    rdi, rax
       0x4e9a55 <gf_sg_destroy_routes+125>    call   gf_free                      <gf_free>
     
       0x4e9a5a <gf_sg_destroy_routes+130>    mov    rax, qword ptr [rbp - 0x18]
       0x4e9a5e <gf_sg_destroy_routes+134>    mov    rax, qword ptr [rax + 0x110]
       0x4e9a65 <gf_sg_destroy_routes+141>    mov    rdi, rax
       0x4e9a68 <gf_sg_destroy_routes+144>    call   gf_list_count                      <gf_list_count>
     
       0x4e9a6d <gf_sg_destroy_routes+149>    test   eax, eax
    ────────────────────────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]────────────────────────────────────────────────────────────────────────────────────────────────
    In file: /home/zxq/CVE_testing/source/gpac/src/scenegraph/vrml_route.c
       121 {
       122  while (gf_list_count(sg->routes_to_destroy) ) {
       123          GF_Route *r = (GF_Route *)gf_list_get(sg->routes_to_destroy, 0);
       124          gf_list_rem(sg->routes_to_destroy, 0);
       125          gf_sg_route_unqueue(sg, r);
     ► 126          if (r->name) gf_free(r->name);
       127          gf_free(r);
       128  }
       129 }
       130 
       131 
    ────────────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]────────────────────────────────────────────────────────────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff86f0 —▸ 0x7fffffff8710 —▸ 0x7fffffff87b0 —▸ 0x7fffffff87d0 —▸ 0x7fffffff98d0 ◂— ...
    01:0008│     0x7fffffff86f8 —▸ 0x10f0c30 ◂— 0x0
    02:0010│     0x7fffffff8700 ◂— 0x0
    03:0018│     0x7fffffff8708 ◂— 0x0
    04:0020│ rbp 0x7fffffff8710 —▸ 0x7fffffff87b0 —▸ 0x7fffffff87d0 —▸ 0x7fffffff98d0 —▸ 0x7fffffffe170 ◂— ...
    05:0028│     0x7fffffff8718 —▸ 0x47a183 (gf_sg_reset+1350) ◂— mov    rax, qword ptr [rbp - 0x88]
    06:0030│     0x7fffffff8720 ◂— 0x0
    07:0038│     0x7fffffff8728 —▸ 0x10f0c30 ◂— 0x0
    ──────────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────────────────────────────────────────────────────────────────
     ► f 0         0x4e9a35 gf_sg_destroy_routes+93
       f 1         0x47a183 gf_sg_reset+1350
       f 2         0x479aa5 gf_sg_del+94
       f 3         0x41827d dump_isom_scene+1265
       f 4         0x415b12 mp4boxMain+6395
       f 5         0x417a8e main+36
       f 6         0xd0d5a0 __libc_start_main+1168
    ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  0x00000000004e9a35 in gf_sg_destroy_routes (sg=0x10f0c30) at scenegraph/vrml_route.c:126
    #1  0x000000000047a183 in gf_sg_reset (sg=0x10f0c30) at scenegraph/base_scenegraph.c:502
    #2  0x0000000000479aa5 in gf_sg_del (sg=0x10f0c30) at scenegraph/base_scenegraph.c:162
    #3  0x000000000041827d in dump_isom_scene (file=0x7fffffffe5cc "gf_sg_destroy_routes-gf_sg_reset/id:000578,sig:11,src:008408+008855,op:splice,rep:8", inName=0x10de4a0 <outfile> "gf_sg_destroy_routes-gf_sg_reset/id:000578,sig:11,src:008408+008855,op:splice,rep:8", is_final_name=GF_FALSE, dump_mode=GF_SM_DUMP_SVG, do_log=GF_FALSE, no_odf_conv=GF_FALSE) at filedump.c:217
    #4  0x0000000000415b12 in mp4boxMain (argc=3, argv=0x7fffffffe2c8) at main.c:6140
    #5  0x0000000000417a8e in main (argc=3, argv=0x7fffffffe2c8) at main.c:6592
    #6  0x0000000000d0d5a0 in __libc_start_main ()
    #7  0x000000000040211e in _start ()

CVE-2021-46311: Null Pointer Dereference in gf_sg_destroy_routes（）at scenegraph/vrml_route.c:126 · Issue #2038 · gpac/gpac

A Divide By Zero vulnerability exists in HDF5 v1.13.1-1 vis the function H5T__complete_copy () at /hdf5/src/H5T.c. This vulnerability causes an aritmetic exception, leading to a Denial of Service (DoS).

**Version:**

    h5format_convert: Version 1.13.1-1
    

**System information**

    Ubuntu 20.04.1 LTS, gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)
    

**command:**

POC.zip

**Result**

**bt**

    program received signal SIGFPE, Arithmetic exception.
    [----------------------------------registers-----------------------------------]
    RAX: 0x0 
    RBX: 0x555555949fa0 --> 0x55555594a230 --> 0x7ffff7e55b00 --> 0x0 
    RCX: 0x21000004 
    RDX: 0x0 
    RSI: 0x0 
    RDI: 0x55555594a230 --> 0x7ffff7e55b00 --> 0x0 
    RBP: 0x55555594a250 --> 0x0 
    RSP: 0x7fffffffd290 --> 0x21000004 
    RIP: 0x55555570bb5f (<H5T__complete_copy+543>:	div    rsi)
    R8 : 0x55555570ea80 (<H5T__copy_all>:	endbr64)
    R9 : 0x7ffff7e55c50 --> 0x7ffff7e55c40 --> 0x7ffff7e55c30 --> 0x7ffff7e55c20 --> 0x7ffff7e55c10 --> 0x7ffff7e55c00 (--> ...)
    R10: 0x5555558fc010 --> 0x2000000010000 
    R11: 0x7ffff7e55be0 --> 0x55555594ff50 --> 0x0 
    R12: 0x1 
    R13: 0x55555594e740 --> 0x555555949930 --> 0x0 
    R14: 0x55555594a230 --> 0x7ffff7e55b00 --> 0x0 
    R15: 0x0
    EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x55555570bb54 <H5T__complete_copy+532>:	imul   rax,rcx
       0x55555570bb58 <H5T__complete_copy+536>:	sub    rcx,rsi
       0x55555570bb5b <H5T__complete_copy+539>:	add    QWORD PTR [rsp],rcx
    => 0x55555570bb5f <H5T__complete_copy+543>:	div    rsi
       0x55555570bb62 <H5T__complete_copy+546>:	mov    QWORD PTR [rbx+0x10],rax
       0x55555570bb66 <H5T__complete_copy+550>:	mov    rax,QWORD PTR [rsp+0x28]
       0x55555570bb6b <H5T__complete_copy+555>:	add    r12d,0x1
       0x55555570bb6f <H5T__complete_copy+559>:	cmp    DWORD PTR [rax+0x34],r12d
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffffd290 --> 0x21000004 
    0008| 0x7fffffffd298 --> 0x55555570ea80 (<H5T__copy_all>:	endbr64)
    0016| 0x7fffffffd2a0 --> 0x555555949f80 --> 0x55555594a050 --> 0x7ffff7e55b00 --> 0x0 
    0024| 0x7fffffffd2a8 --> 0x55555593f2d0 --> 0x0 
    0032| 0x7fffffffd2b0 --> 0x555555922020 --> 0x0 
    0040| 0x7fffffffd2b8 --> 0x55555593f340 --> 0x0 
    0048| 0x7fffffffd2c0 --> 0x55555594e740 --> 0x555555949930 --> 0x0 
    0056| 0x7fffffffd2c8 --> 0x555555949fa0 --> 0x55555594a230 --> 0x7ffff7e55b00 --> 0x0 
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGFPE
    0x000055555570bb5f in H5T__complete_copy (new_dt=new_dt@entry=0x55555593f2d0, old_dt=old_dt@entry=0x555555922020, reopened_fo=reopened_fo@entry=0x0, set_memory_type=set_memory_type@entry=0x0, 
        copyfn=0x55555570ea80 <H5T__copy_all>) at /home/zxq/CVE_testing/source/hdf5/src/H5T.c:3613
    3613	                        new_dt->shared->u.compnd.memb[i].size =
    gdb-peda$ bt
    #0  0x000055555570bb5f in H5T__complete_copy (new_dt=new_dt@entry=0x55555593f2d0, old_dt=old_dt@entry=0x555555922020, reopened_fo=reopened_fo@entry=0x0, set_memory_type=set_memory_type@entry=0x0, 
        copyfn=0x55555570ea80 <H5T__copy_all>) at /home/zxq/CVE_testing/source/hdf5/src/H5T.c:3613
    #1  0x000055555570c1f6 in H5T_copy (old_dt=0x555555922020, method=method@entry=H5T_COPY_ALL) at /home/zxq/CVE_testing/source/hdf5/src/H5T.c:3774
    #2  0x0000555555680aa8 in H5O__dtype_copy (_src=<optimized out>, _dst=0x0) at /home/zxq/CVE_testing/source/hdf5/src/H5Odtype.c:1215
    #3  0x000055555568fe89 in H5O_msg_read_oh (f=0x555555941400, oh=oh@entry=0x55555594e470, type_id=type_id@entry=0x3, mesg=mesg@entry=0x0) at /home/zxq/CVE_testing/source/hdf5/src/H5Omessage.c:521
    #4  0x0000555555690129 in H5O_msg_read (loc=loc@entry=0x555555947d60, type_id=type_id@entry=0x3, mesg=mesg@entry=0x0) at /home/zxq/CVE_testing/source/hdf5/src/H5Omessage.c:455
    #5  0x00005555555cb237 in H5D__open_oid (dapl_id=0xb00000000000007, dataset=0x555555947d60) at /home/zxq/CVE_testing/source/hdf5/src/H5Dint.c:1707
    #6  H5D_open (loc=loc@entry=0x7fffffffd520, dapl_id=dapl_id@entry=0xb00000000000007) at /home/zxq/CVE_testing/source/hdf5/src/H5Dint.c:1512
    #7  0x00005555555cbfe8 in H5D__open_name (loc=loc@entry=0x7fffffffd5a0, name=name@entry=0x55555594e230 "/BAG_root/tracking_list", dapl_id=dapl_id@entry=0xb00000000000007)
        at /home/zxq/CVE_testing/source/hdf5/src/H5Dint.c:1447
    #8  0x00005555557a09e2 in H5VL__native_dataset_open (obj=<optimized out>, loc_params=<optimized out>, name=0x55555594e230 "/BAG_root/tracking_list", dapl_id=0xb00000000000007, dxpl_id=<optimized out>, 
        req=<optimized out>) at /home/zxq/CVE_testing/source/hdf5/src/H5VLnative_dataset.c:251
    #9  0x000055555578c488 in H5VL__dataset_open (cls=<optimized out>, req=0x0, dxpl_id=0xb00000000000008, dapl_id=0xb00000000000007, name=0x55555594e230 "/BAG_root/tracking_list", loc_params=0x7fffffffd630, 
        obj=<optimized out>) at /home/zxq/CVE_testing/source/hdf5/src/H5VLcallback.c:1944
    #10 H5VL_dataset_open (vol_obj=0x555555944740, loc_params=loc_params@entry=0x7fffffffd630, name=name@entry=0x55555594e230 "/BAG_root/tracking_list", dapl_id=0xb00000000000007, dxpl_id=0xb00000000000008, 
        req=req@entry=0x0) at /home/zxq/CVE_testing/source/hdf5/src/H5VLcallback.c:1976
    #11 0x00005555555bb5e2 in H5D__open_api_common (_vol_obj_ptr=0x0, token_ptr=0x0, dapl_id=<optimized out>, name=0x55555594e230 "/BAG_root/tracking_list", loc_id=0x100000000000000)
        at /home/zxq/CVE_testing/source/hdf5/src/H5D.c:356
    #12 H5Dopen2 (loc_id=0x100000000000000, name=0x55555594e230 "/BAG_root/tracking_list", dapl_id=<optimized out>) at /home/zxq/CVE_testing/source/hdf5/src/H5D.c:396
    #13 0x0000555555563784 in convert (fid=<optimized out>, dname=0x55555594e230 "/BAG_root/tracking_list") at /home/zxq/CVE_testing/source/hdf5/tools/src/h5format_convert/h5format_convert.c:213
    #14 0x0000555555563d88 in convert_dsets_cb (path=0x55555594e230 "/BAG_root/tracking_list", oi=<optimized out>, already_visited=<optimized out>, _fid=<optimized out>)
        at /home/zxq/CVE_testing/source/hdf5/tools/src/h5format_convert/h5format_convert.c:363
    #15 0x000055555557c8ca in traverse_cb (loc_id=<optimized out>, path=<optimized out>, linfo=<optimized out>, _udata=0x7fffffffe150) at /home/zxq/CVE_testing/source/hdf5/tools/lib/h5trav.c:218
    #16 0x00005555556296a6 in H5G__visit_cb (lnk=0x7fffffffd8f0, _udata=0x7fffffffdf40) at /home/zxq/CVE_testing/source/hdf5/src/H5Gint.c:1016
    #17 0x000055555563036e in H5G__node_iterate (f=f@entry=0x555555941400, _lt_key=<optimized out>, addr=0x8a0, _rt_key=<optimized out>, _udata=_udata@entry=0x7fffffffda30)
        at /home/zxq/CVE_testing/source/hdf5/src/H5Gnode.c:967
    #18 0x00005555557cfe40 in H5B__iterate_helper (f=0x555555941400, type=0x5555558f3f20 <H5B_SNODE>, addr=0x348, op=0x555555630280 <H5G__node_iterate>, udata=udata@entry=0x7fffffffda30)
        at /home/zxq/CVE_testing/source/hdf5/src/H5B.c:1152
    #19 0x00005555557d131b in H5B_iterate (f=<optimized out>, type=<optimized out>, addr=<optimized out>, op=<optimized out>, udata=udata@entry=0x7fffffffda30) at /home/zxq/CVE_testing/source/hdf5/src/H5B.c:1194
    #20 0x0000555555635146 in H5G__stab_iterate (oloc=oloc@entry=0x7fffffffdbb0, order=order@entry=H5_ITER_INC, skip=skip@entry=0x0, last_lnk=last_lnk@entry=0x0, op=op@entry=0x5555556295f0 <H5G__visit_cb>, 
        op_data=0x7fffffffdf40) at /home/zxq/CVE_testing/source/hdf5/src/H5Gstab.c:536
    #21 0x0000555555632cc5 in H5G__obj_iterate (grp_oloc=grp_oloc@entry=0x7fffffffdbb0, idx_type=H5_INDEX_NAME, order=H5_ITER_INC, skip=skip@entry=0x0, last_lnk=last_lnk@entry=0x0, 
        op=op@entry=0x5555556295f0 <H5G__visit_cb>, op_data=0x7fffffffdf40) at /home/zxq/CVE_testing/source/hdf5/src/H5Gobj.c:672
    #22 0x00005555556299e6 in H5G__visit_cb (lnk=<optimized out>, _udata=0x7fffffffdf40) at /home/zxq/CVE_testing/source/hdf5/src/H5Gint.c:1101
    #23 0x000055555563036e in H5G__node_iterate (f=f@entry=0x555555941400, _lt_key=<optimized out>, addr=0x5e0, _rt_key=<optimized out>, _udata=_udata@entry=0x7fffffffddc0)
        at /home/zxq/CVE_testing/source/hdf5/src/H5Gnode.c:967
    #24 0x00005555557cfe40 in H5B__iterate_helper (f=0x555555941400, type=0x5555558f3f20 <H5B_SNODE>, addr=0x88, op=0x555555630280 <H5G__node_iterate>, udata=udata@entry=0x7fffffffddc0)
        at /home/zxq/CVE_testing/source/hdf5/src/H5B.c:1152
    #25 0x00005555557d131b in H5B_iterate (f=<optimized out>, type=<optimized out>, addr=<optimized out>, op=<optimized out>, udata=udata@entry=0x7fffffffddc0) at /home/zxq/CVE_testing/source/hdf5/src/H5B.c:1194
    #26 0x0000555555635146 in H5G__stab_iterate (oloc=oloc@entry=0x555555944ac8, order=order@entry=H5_ITER_INC, skip=skip@entry=0x0, last_lnk=last_lnk@entry=0x0, op=op@entry=0x5555556295f0 <H5G__visit_cb>, 
        op_data=0x7fffffffdf40) at /home/zxq/CVE_testing/source/hdf5/src/H5Gstab.c:536
    #27 0x0000555555632cc5 in H5G__obj_iterate (grp_oloc=grp_oloc@entry=0x555555944ac8, idx_type=H5_INDEX_NAME, order=order@entry=H5_ITER_INC, skip=skip@entry=0x0, last_lnk=last_lnk@entry=0x0, 
        op=op@entry=0x5555556295f0 <H5G__visit_cb>, op_data=0x7fffffffdf40) at /home/zxq/CVE_testing/source/hdf5/src/H5Gobj.c:672
    #28 0x000055555562b044 in H5G_visit (loc=loc@entry=0x7fffffffdfd0, group_name=<optimized out>, idx_type=<optimized out>, order=H5_ITER_INC, op=<optimized out>, op_data=<optimized out>)
        at /home/zxq/CVE_testing/source/hdf5/src/H5Gint.c:1243
    #29 0x00005555557a53b5 in H5VL__native_link_specific (obj=<optimized out>, loc_params=0x7fffffffe050, args=0x7fffffffe080, dxpl_id=<optimized out>, req=<optimized out>)
        at /home/zxq/CVE_testing/source/hdf5/src/H5VLnative_link.c:374
    #30 0x00005555557943c0 in H5VL__link_specific (cls=<optimized out>, req=0x0, dxpl_id=0xb00000000000008, args=0x7fffffffe080, loc_params=0x7fffffffe050, obj=<optimized out>)
        at /home/zxq/CVE_testing/source/hdf5/src/H5VLcallback.c:5305
    #31 H5VL_link_specific (vol_obj=vol_obj@entry=0x555555944740, loc_params=loc_params@entry=0x7fffffffe050, args=args@entry=0x7fffffffe080, dxpl_id=0xb00000000000008, req=req@entry=0x0)
        at /home/zxq/CVE_testing/source/hdf5/src/H5VLcallback.c:5339
    #32 0x000055555565f021 in H5Lvisit_by_name2 (loc_id=loc_id@entry=0x100000000000000, group_name=group_name@entry=0x555555810903 "/", idx_type=H5_INDEX_NAME, order=H5_ITER_INC, 
        op=op@entry=0x55555557c710 <traverse_cb>, op_data=op_data@entry=0x7fffffffe150, lapl_id=<optimized out>) at /home/zxq/CVE_testing/source/hdf5/src/H5L.c:1984
    #33 0x000055555557dd7e in traverse (fields=0x1, visitor=0x7fffffffe110, recurse=0x1, visit_start=<optimized out>, grp_name=0x555555810903 "/", file_id=0x100000000000000)
        at /home/zxq/CVE_testing/source/hdf5/tools/lib/h5trav.c:288
    #34 h5trav_visit (fid=0x100000000000000, grp_name=0x555555810903 "/", visit_start=<optimized out>, recurse=<optimized out>, visit_obj=<optimized out>, visit_lnk=<optimized out>, udata=0x7fffffffe220, 
        fields=0x1) at /home/zxq/CVE_testing/source/hdf5/tools/lib/h5trav.c:1057
    #35 0x000055555556324d in main (argc=argc@entry=0x2, argv=argv@entry=0x7fffffffe338) at /home/zxq/CVE_testing/source/hdf5/tools/src/h5format_convert/h5format_convert.c:426
    #36 0x00007ffff7c910b3 in __libc_start_main (main=0x555555562f20 <main>, argc=0x2, argv=0x7fffffffe338, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe328)
        at ../csu/libc-start.c:308
    #37 0x00005555555633ee in _start () at /home/zxq/CVE_testing/source/hdf5/tools/src/h5format_convert/h5format_convert.c:166

CVE-2021-46244: Divide By Zero in H5T__complete_copy () at /hdf5/src/H5T.c:3613 · Issue #1327 · HDFGroup/hdf5

A NULL pointer dereference vulnerability exists in GPAC v1.1.0 via the function gf_node_unregister () at scenegraph/base_scenegraph.c. This vulnerability can lead to a Denial of Service (DoS).

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Version:**

    ./MP4Box -version
    MP4Box - GPAC version 1.1.0-DEV-rev1582-g94db9779c-master
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    	MINI build (encoders, decoders, audio and video output disabled)
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --static-mp4box --enable-debug --
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D 
    

**command:**

    ./bin/gcc/MP4Box -svg POC1
    

POC1.zip

**Result**

**bt**

    Program received signal SIGSEGV, Segmentation fault.
    gf_node_unregister (pNode=0x10f9b70, parentNode=0x10fa140) at scenegraph/base_scenegraph.c:682
    682		pSG = pNode->sgprivate->scenegraph;
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ──────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]───────────────────────────────────────────────────────────────────────────────────────────────────
     RAX  0x0
     RBX  0x7
     RCX  0x1
     RDX  0x10fa140 —▸ 0x10fa290 ◂— 0x300000095
     RDI  0x10f9b70 ◂— 0x0
     RSI  0x10fa140 —▸ 0x10fa290 ◂— 0x300000095
     R8   0x0
     R9   0x0
     R10  0xfffffff9
     R11  0x246
     R12  0xd0a2b0 (__libc_csu_fini) ◂— endbr64 
     R13  0x0
     R14  0x10a6018 (_GLOBAL_OFFSET_TABLE_+24) —▸ 0xd80db0 (__memmove_avx_unaligned_erms) ◂— endbr64 
     R15  0x0
     RBP  0x7fffffff7690 —▸ 0x7fffffff76c0 —▸ 0x7fffffff76f0 —▸ 0x7fffffff7720 —▸ 0x7fffffff7740 ◂— ...
     RSP  0x7fffffff7650 —▸ 0x10fa140 —▸ 0x10fa290 ◂— 0x300000095
     RIP  0x479467 (gf_node_unregister+66) ◂— mov    rax, qword ptr [rax + 8]
    ────────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]────────────────────────────────────────────────────────────────────────────────────────────────────
     ► 0x479467 <gf_node_unregister+66>     mov    rax, qword ptr [rax + 8]
       0x47946b <gf_node_unregister+70>     mov    qword ptr [rbp - 0x28], rax
       0x47946f <gf_node_unregister+74>     cmp    qword ptr [rbp - 0x40], 0
       0x479474 <gf_node_unregister+79>     je     gf_node_unregister+284                      <gf_node_unregister+284>
        ↓
       0x479541 <gf_node_unregister+284>    cmp    qword ptr [rbp - 0x28], 0
       0x479546 <gf_node_unregister+289>    je     gf_node_unregister+320                      <gf_node_unregister+320>
        ↓
       0x479565 <gf_node_unregister+320>    mov    rax, qword ptr [rbp - 0x38]
       0x479569 <gf_node_unregister+324>    mov    rax, qword ptr [rax]
       0x47956c <gf_node_unregister+327>    movzx  eax, word ptr [rax + 2]
       0x479570 <gf_node_unregister+331>    test   ax, ax
       0x479573 <gf_node_unregister+334>    jne    gf_node_unregister+367                      <gf_node_unregister+367>
    ────────────────────────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]─────────────────────────────────────────────────────────────────────────────────────────────────
    In file: /home/zxq/CVE_testing/source/gpac/src/scenegraph/base_scenegraph.c
       677 	Bool detach=0;
       678 #endif
       679 	GF_SceneGraph *pSG;
       680 
       681 	if (!pNode) return GF_OK;
     ► 682 	pSG = pNode->sgprivate->scenegraph;
       683 
       684 	if (parentNode) {
       685 		GF_ParentList *nlist = pNode->sgprivate->parents;
       686 		if (nlist) {
       687 			GF_ParentList *prev = NULL;
    ────────────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────────────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff7650 —▸ 0x10fa140 —▸ 0x10fa290 ◂— 0x300000095
    01:0008│     0x7fffffff7658 —▸ 0x10f9b70 ◂— 0x0
    02:0010│     0x7fffffff7660 ◂— 0x0
    03:0018│     0x7fffffff7668 —▸ 0x10a6018 (_GLOBAL_OFFSET_TABLE_+24) —▸ 0xd80db0 (__memmove_avx_unaligned_erms) ◂— endbr64 
    04:0020│     0x7fffffff7670 ◂— 0x0
    05:0028│     0x7fffffff7678 —▸ 0x450b75 (gf_free+28) ◂— nop    
    06:0030│     0x7fffffff7680 ◂— 0x5
    07:0038│     0x7fffffff7688 ◂— 0x5789c1222d7c1900
    ──────────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────────────────────────────────────────────────────
     ► f 0         0x479467 gf_node_unregister+66
       f 1         0x47ad0f gf_node_unregister_children+45
       f 2         0x4ea690 gf_sg_vrml_parent_destroy+70
       f 3         0x4c4593 SBBone_Del+318
       f 4         0x4dbb98 gf_sg_mpeg4_node_del+2586
       f 5         0x47bfe4 gf_node_del+461
       f 6         0x4797a6 gf_node_unregister+897
       f 7         0x566822 gf_bifs_dec_node+1888
    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  gf_node_unregister (pNode=0x10f9b70, parentNode=0x10fa140) at scenegraph/base_scenegraph.c:682
    #1  0x000000000047ad0f in gf_node_unregister_children (container=0x10fa140, child=0x10fa320) at scenegraph/base_scenegraph.c:1369
    #2  0x00000000004ea690 in gf_sg_vrml_parent_destroy (pNode=0x10fa140) at scenegraph/vrml_tools.c:162
    #3  0x00000000004c4593 in SBBone_Del (node=0x10fa140) at scenegraph/mpeg4_nodes.c:27956
    #4  0x00000000004dbb98 in gf_sg_mpeg4_node_del (node=0x10fa140) at scenegraph/mpeg4_nodes.c:37958
    #5  0x000000000047bfe4 in gf_node_del (node=0x10fa140) at scenegraph/base_scenegraph.c:1902
    #6  0x00000000004797a6 in gf_node_unregister (pNode=0x10fa140, parentNode=0x0) at scenegraph/base_scenegraph.c:761
    #7  0x0000000000566822 in gf_bifs_dec_node (codec=0x10f70b0, bs=0x10e4c30, NDT_Tag=1) at bifs/field_decode.c:912
    #8  0x000000000055c98c in gf_bifs_dec_proto_list (codec=0x10f70b0, bs=0x10e4c30, proto_list=0x0) at bifs/com_dec.c:1132
    #9  0x000000000055c94f in gf_bifs_dec_proto_list (codec=0x10f70b0, bs=0x10e4c30, proto_list=0x10f9600) at bifs/com_dec.c:1125
    #10 0x000000000055d37f in BD_DecSceneReplace (codec=0x10f70b0, bs=0x10e4c30, proto_list=0x10f9600) at bifs/com_dec.c:1332
    #11 0x000000000056c8d2 in BM_SceneReplace (codec=0x10f70b0, bs=0x10e4c30, com_list=0x10f7430) at bifs/memory_decoder.c:860
    #12 0x000000000056cb53 in BM_ParseCommand (codec=0x10f70b0, bs=0x10e4c30, com_list=0x10f7430) at bifs/memory_decoder.c:908
    #13 0x000000000056cffd in gf_bifs_decode_command_list (codec=0x10f70b0, ESID=8, data=0x10f74b0 '\320' <repeats 191 times>, <incomplete sequence \372>, data_length=8208, com_list=0x10f7430) at bifs/memory_decoder.c:1009
    #14 0x00000000006be1da in gf_sm_load_run_isom (load=0x7fffffff88a0) at scene_manager/loader_isom.c:303
    #15 0x00000000006a214a in gf_sm_load_run (load=0x7fffffff88a0) at scene_manager/scene_manager.c:719
    #16 0x000000000041786e in dump_isom_scene (file=0x7fffffffe60f "gf_node_unregister-gf_node_unregister_children/id:000515,sig:11,src:007933+012329,op:splice,rep:16", inName=0x10da460 <outfile> "gf_node_unregister-gf_node_unregister_children/id:000515,sig:11,src:007933+012329,op:splice,rep:16", is_final_name=GF_FALSE, dump_mode=GF_SM_DUMP_SVG, do_log=GF_FALSE, no_odf_conv=GF_FALSE) at filedump.c:199
    #17 0x000000000041521f in mp4boxMain (argc=3, argv=0x7fffffffe328) at main.c:6044
    #18 0x000000000041719b in main (argc=3, argv=0x7fffffffe328) at main.c:6496
    #19 0x0000000000d09a40 in __libc_start_main ()
    #20 0x000000000040211e in _start ()

CVE-2021-46234: Null Pointer Dereference in gf_node_unregister () at scenegraph/base_scenegraph.c:682 · Issue #2023 · gpac/gpac

The binary MP4Box in GPAC v1.1.0 was discovered to contain an invalid free vulnerability via the function gf_free () at utils/alloc.c. This vulnerability can lead to a Denial of Service (DoS).

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Version:**

    ./MP4Box -version
    MP4Box - GPAC version 1.1.0-DEV-rev1582-g94db9779c-master
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    	MINI build (encoders, decoders, audio and video output disabled)
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --static-mp4box --enable-debug --
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D 
    

**command:**

    ./bin/gcc/MP4Box -disox -ttxt -2 -dump-chap-ogg -dump-cover -drtp -bt -out /dev/null POC1
    

POC1.zip

**Result**

**bt**

    Program received signal SIGSEGV, Segmentation fault.
    0x0000000000d43f7d in free ()
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ──────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]───────────────────────────────────────────────────────────────────────────────────────────────────
     RAX  0x0
     RBX  0x400788 ◂— 0x0
     RCX  0x110ac60 ◂— 0x0
     RDX  0xe0bfa8 ◂— 0xff71f347ff71f31e
     RDI  0x21
     RSI  0x110ac60 ◂— 0x0
     R8   0x7
     R9   0x0
     R10  0xffffffd8
     R11  0x246
     R12  0xd0a2b0 (__libc_csu_fini) ◂— endbr64 
     R13  0x0
     R14  0x10a6018 (_GLOBAL_OFFSET_TABLE_+24) —▸ 0xd80db0 (__memmove_avx_unaligned_erms) ◂— endbr64 
     R15  0x0
     RBP  0x7fffffff7600 —▸ 0x7fffffff7660 —▸ 0x7fffffff7690 —▸ 0x7fffffff76f0 —▸ 0x7fffffff7720 ◂— ...
     RSP  0x7fffffff75d0 —▸ 0x7fffffff7610 —▸ 0x7fffffff7630 —▸ 0x7fffffff7690 —▸ 0x7fffffff76f0 ◂— ...
     RIP  0xd43f7d (free+29) ◂— mov    rax, qword ptr [rdi - 8]
    ────────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]────────────────────────────────────────────────────────────────────────────────────────────────────
     ► 0xd43f7d <free+29>         mov    rax, qword ptr [rdi - 8]
       0xd43f81 <free+33>         lea    rsi, [rdi - 0x10]
       0xd43f85 <free+37>         test   al, 2
       0xd43f87 <free+39>         jne    free+96                      <free+96>
        ↓
       0xd43fc0 <free+96>         mov    edx, dword ptr [rip + 0x387f0e] <0x10cbed4>
       0xd43fc6 <free+102>        test   edx, edx
       0xd43fc8 <free+104>        jne    free+123                      <free+123>
        ↓
       0xd43fdb <free+123>        mov    rdi, rsi
       0xd43fde <free+126>        add    rsp, 0x18
       0xd43fe2 <free+130>        jmp    munmap_chunk                      <munmap_chunk>
        ↓
       0xd3ee70 <munmap_chunk>    sub    rsp, 8
    ────────────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────────────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff75d0 —▸ 0x7fffffff7610 —▸ 0x7fffffff7630 —▸ 0x7fffffff7690 —▸ 0x7fffffff76f0 ◂— ...
    01:0008│     0x7fffffff75d8 —▸ 0xd0a2b0 (__libc_csu_fini) ◂— endbr64 
    02:0010│     0x7fffffff75e0 ◂— 0x0
    03:0018│     0x7fffffff75e8 —▸ 0x450b75 (gf_free+28) ◂— nop    
    04:0020│     0x7fffffff75f0 ◂— 0x0
    05:0028│     0x7fffffff75f8 ◂— 0x21 /* '!' */
    06:0030│ rbp 0x7fffffff7600 —▸ 0x7fffffff7660 —▸ 0x7fffffff7690 —▸ 0x7fffffff76f0 —▸ 0x7fffffff7720 ◂— ...
    07:0038│     0x7fffffff7608 —▸ 0x52b08f (gf_svg_delete_attribute_value+324) ◂— mov    rax, qword ptr [rbp - 0x40]
    ──────────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────────────────────────────────────────────────────
     ► f 0         0xd43f7d free+29
       f 1         0x450b75 gf_free+28
       f 2         0x52b08f gf_svg_delete_attribute_value+324
       f 3         0x52aea9 svg_delete_one_anim_value+54
       f 4         0x52b1ae gf_svg_delete_attribute_value+611
       f 5         0x551ed6 gf_node_delete_attributes+70
       f 6         0x52aaa7 gf_svg_node_del+642
       f 7         0x47c020 gf_node_del+521
    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  0x0000000000d43f7d in free ()
    #1  0x0000000000450b75 in gf_free (ptr=0x21) at utils/alloc.c:165
    #2  0x000000000052b08f in gf_svg_delete_attribute_value (type=71, value=0x110ac60, sg=0x10ebe70) at scenegraph/svg_types.c:425
    #3  0x000000000052aea9 in svg_delete_one_anim_value (anim_datatype=71 'G', anim_value=0x110ac60, sg=0x10ebe70) at scenegraph/svg_types.c:363
    #4  0x000000000052b1ae in gf_svg_delete_attribute_value (type=52, value=0x110ac40, sg=0x10ebe70) at scenegraph/svg_types.c:462
    #5  0x0000000000551ed6 in gf_node_delete_attributes (node=0x10fdea0) at scenegraph/xml_ns.c:722
    #6  0x000000000052aaa7 in gf_svg_node_del (node=0x10fdea0) at scenegraph/svg_types.c:124
    #7  0x000000000047c020 in gf_node_del (node=0x10fdea0) at scenegraph/base_scenegraph.c:1909
    #8  0x00000000004797a6 in gf_node_unregister (pNode=0x10fdea0, parentNode=0x10fbce0) at scenegraph/base_scenegraph.c:761
    #9  0x000000000047ad0f in gf_node_unregister_children (container=0x10fbce0, child=0x10fe340) at scenegraph/base_scenegraph.c:1369
    #10 0x000000000047b27f in gf_sg_parent_reset (node=0x10fbce0) at scenegraph/base_scenegraph.c:1582
    #11 0x000000000052aab3 in gf_svg_node_del (node=0x10fbce0) at scenegraph/svg_types.c:125
    #12 0x000000000047c020 in gf_node_del (node=0x10fbce0) at scenegraph/base_scenegraph.c:1909
    #13 0x00000000004797a6 in gf_node_unregister (pNode=0x10fbce0, parentNode=0x10fb7c0) at scenegraph/base_scenegraph.c:761
    #14 0x000000000047ad0f in gf_node_unregister_children (container=0x10fb7c0, child=0x10fe300) at scenegraph/base_scenegraph.c:1369
    #15 0x000000000047b27f in gf_sg_parent_reset (node=0x10fb7c0) at scenegraph/base_scenegraph.c:1582
    #16 0x000000000052aab3 in gf_svg_node_del (node=0x10fb7c0) at scenegraph/svg_types.c:125
    #17 0x000000000047c020 in gf_node_del (node=0x10fb7c0) at scenegraph/base_scenegraph.c:1909
    #18 0x00000000004797a6 in gf_node_unregister (pNode=0x10fb7c0, parentNode=0x10fb2a0) at scenegraph/base_scenegraph.c:761
    #19 0x000000000047ad0f in gf_node_unregister_children (container=0x10fb2a0, child=0x10fe2c0) at scenegraph/base_scenegraph.c:1369
    #20 0x000000000047b27f in gf_sg_parent_reset (node=0x10fb2a0) at scenegraph/base_scenegraph.c:1582
    #21 0x000000000052aab3 in gf_svg_node_del (node=0x10fb2a0) at scenegraph/svg_types.c:125
    #22 0x000000000047c020 in gf_node_del (node=0x10fb2a0) at scenegraph/base_scenegraph.c:1909
    #23 0x00000000004797a6 in gf_node_unregister (pNode=0x10fb2a0, parentNode=0x10fad80) at scenegraph/base_scenegraph.c:761
    #24 0x000000000047ad0f in gf_node_unregister_children (container=0x10fad80, child=0x10fe200) at scenegraph/base_scenegraph.c:1369
    #25 0x000000000047b27f in gf_sg_parent_reset (node=0x10fad80) at scenegraph/base_scenegraph.c:1582
    #26 0x000000000052aab3 in gf_svg_node_del (node=0x10fad80) at scenegraph/svg_types.c:125
    #27 0x000000000047c020 in gf_node_del (node=0x10fad80) at scenegraph/base_scenegraph.c:1909
    #28 0x00000000004797a6 in gf_node_unregister (pNode=0x10fad80, parentNode=0x10fa860) at scenegraph/base_scenegraph.c:761
    #29 0x000000000047ad0f in gf_node_unregister_children (container=0x10fa860, child=0x110aa40) at scenegraph/base_scenegraph.c:1369
    #30 0x000000000047b27f in gf_sg_parent_reset (node=0x10fa860) at scenegraph/base_scenegraph.c:1582
    #31 0x000000000052aab3 in gf_svg_node_del (node=0x10fa860) at scenegraph/svg_types.c:125
    #32 0x000000000047c020 in gf_node_del (node=0x10fa860) at scenegraph/base_scenegraph.c:1909
    #33 0x00000000004797a6 in gf_node_unregister (pNode=0x10fa860, parentNode=0x10fa340) at scenegraph/base_scenegraph.c:761
    #34 0x000000000047ad0f in gf_node_unregister_children (container=0x10fa340, child=0x110aa80) at scenegraph/base_scenegraph.c:1369
    #35 0x000000000047b27f in gf_sg_parent_reset (node=0x10fa340) at scenegraph/base_scenegraph.c:1582
    #36 0x000000000052aab3 in gf_svg_node_del (node=0x10fa340) at scenegraph/svg_types.c:125
    #37 0x000000000047c020 in gf_node_del (node=0x10fa340) at scenegraph/base_scenegraph.c:1909
    #38 0x00000000004797a6 in gf_node_unregister (pNode=0x10fa340, parentNode=0x10f9e20) at scenegraph/base_scenegraph.c:761
    #39 0x000000000047ad0f in gf_node_unregister_children (container=0x10f9e20, child=0x110aac0) at scenegraph/base_scenegraph.c:1369
    #40 0x000000000047b27f in gf_sg_parent_reset (node=0x10f9e20) at scenegraph/base_scenegraph.c:1582
    #41 0x000000000052aab3 in gf_svg_node_del (node=0x10f9e20) at scenegraph/svg_types.c:125
    #42 0x000000000047c020 in gf_node_del (node=0x10f9e20) at scenegraph/base_scenegraph.c:1909
    #43 0x00000000004797a6 in gf_node_unregister (pNode=0x10f9e20, parentNode=0x10f9900) at scenegraph/base_scenegraph.c:761
    #44 0x000000000047ad0f in gf_node_unregister_children (container=0x10f9900, child=0x110aa00) at scenegraph/base_scenegraph.c:1369
    #45 0x000000000047b27f in gf_sg_parent_reset (node=0x10f9900) at scenegraph/base_scenegraph.c:1582
    #46 0x000000000052aab3 in gf_svg_node_del (node=0x10f9900) at scenegraph/svg_types.c:125
    #47 0x000000000047c020 in gf_node_del (node=0x10f9900) at scenegraph/base_scenegraph.c:1909
    #48 0x00000000004797a6 in gf_node_unregister (pNode=0x10f9900, parentNode=0x10f9320) at scenegraph/base_scenegraph.c:761
    #49 0x000000000047ad0f in gf_node_unregister_children (container=0x10f9320, child=0x110a940) at scenegraph/base_scenegraph.c:1369
    #50 0x000000000047b27f in gf_sg_parent_reset (node=0x10f9320) at scenegraph/base_scenegraph.c:1582
    #51 0x000000000052aab3 in gf_svg_node_del (node=0x10f9320) at scenegraph/svg_types.c:125
    #52 0x000000000047c020 in gf_node_del (node=0x10f9320) at scenegraph/base_scenegraph.c:1909
    #53 0x00000000004797a6 in gf_node_unregister (pNode=0x10f9320, parentNode=0x10f9220) at scenegraph/base_scenegraph.c:761
    #54 0x000000000047ad0f in gf_node_unregister_children (container=0x10f9220, child=0x110a980) at scenegraph/base_scenegraph.c:1369
    #55 0x000000000047b27f in gf_sg_parent_reset (node=0x10f9220) at scenegraph/base_scenegraph.c:1582
    #56 0x000000000052aab3 in gf_svg_node_del (node=0x10f9220) at scenegraph/svg_types.c:125
    #57 0x000000000047c020 in gf_node_del (node=0x10f9220) at scenegraph/base_scenegraph.c:1909
    #58 0x00000000004797a6 in gf_node_unregister (pNode=0x10f9220, parentNode=0x0) at scenegraph/base_scenegraph.c:761
    #59 0x0000000000479423 in gf_node_try_destroy (sg=0x10ebe70, pNode=0x10f9220, parentNode=0x0) at scenegraph/base_scenegraph.c:667
    #60 0x000000000047dac7 in gf_sg_command_del (com=0x10f8fd0) at scenegraph/commands.c:97
    #61 0x00000000006a0b93 in gf_sm_au_del (sc=0x10f6470, au=0x10f85a0) at scene_manager/scene_manager.c:113
    #62 0x00000000006a0c24 in gf_sm_reset_stream (sc=0x10f6470) at scene_manager/scene_manager.c:126
    #63 0x00000000006a0c58 in gf_sm_delete_stream (sc=0x10f6470) at scene_manager/scene_manager.c:133
    #64 0x00000000006a0d03 in gf_sm_del (ctx=0x10ec2a0) at scene_manager/scene_manager.c:147
    #65 0x000000000041797b in dump_isom_scene (file=0x7fffffffe654 "free-gf_free/POC1", inName=0x7fffffffe64a "/dev/null", is_final_name=GF_TRUE, dump_mode=GF_SM_DUMP_BT, do_log=GF_FALSE, no_odf_conv=GF_FALSE) at filedump.c:216
    #66 0x000000000041521f in mp4boxMain (argc=11, argv=0x7fffffffe2e8) at main.c:6044
    #67 0x000000000041719b in main (argc=11, argv=0x7fffffffe2e8) at main.c:6496
    #68 0x0000000000d09a40 in __libc_start_main ()
    #69 0x000000000040211e in _start ()
    pwndbg>

CVE-2021-46239: Invalid free in MP4Box  · Issue #2026 · gpac/gpac

GPAC v1.1.0 was discovered to contain a stack overflow via the function gf_node_get_name () at scenegraph/base_scenegraph.c. This vulnerability can lead to a program crash, causing a Denial of Service (DoS).

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Version:**

    ./MP4Box -version
    MP4Box - GPAC version 1.1.0-DEV-rev1582-g94db9779c-master
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    	MINI build (encoders, decoders, audio and video output disabled)
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --static-mp4box --enable-debug --
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D 
    

**command:**

    ./bin/gcc/MP4Box -disox -ttxt -2 -dump-chap-ogg -dump-cover -drtp -bt -out /dev/null POC2
    

POC2.zip

**Result**

**bt**

    Program received signal SIGSEGV, Segmentation fault.
    0x000000000047aa77 in gf_node_get_name (p=0x4747474747474747) at scenegraph/base_scenegraph.c:1293
    1293		if (!p || !(p->sgprivate->flags & GF_NODE_IS_DEF)) return NULL;
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ──────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]───────────────────────────────────────────────────────────────────────────────────────────────────
     RAX  0x4747474747474747 ('GGGGGGGG')
     RBX  0x400788 ◂— 0x0
     RCX  0x474747 (gf_xml_parse_bit_sequence_bs+486) ◂— sti    
     RDX  0x7
     RDI  0x4747474747474747 ('GGGGGGGG')
     RSI  0x10fd740 ◂— 0x47474747474747 /* 'GGGGGGG' */
     R8   0x10fc550 —▸ 0x10fce00 —▸ 0x10eccb0 ◂— 0x0
     R9   0x2
     R10  0x0
     R11  0x0
     R12  0xd0a2b0 (__libc_csu_fini) ◂— endbr64 
     R13  0x0
     R14  0x10a6018 (_GLOBAL_OFFSET_TABLE_+24) —▸ 0xd80db0 (__memmove_avx_unaligned_erms) ◂— endbr64 
     R15  0x0
     RBP  0x7fffffff8100 —▸ 0x7fffffff85d0 ◂— 0x4747474747474747 ('GGGGGGGG')
     RSP  0x7fffffff8100 —▸ 0x7fffffff85d0 ◂— 0x4747474747474747 ('GGGGGGGG')
     RIP  0x47aa77 (gf_node_get_name+23) ◂— mov    rax, qword ptr [rax]
    ────────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]────────────────────────────────────────────────────────────────────────────────────────────────────
     ► 0x47aa77 <gf_node_get_name+23>    mov    rax, qword ptr [rax]
       0x47aa7a <gf_node_get_name+26>    mov    eax, dword ptr [rax + 4]
       0x47aa7d <gf_node_get_name+29>    test   eax, eax
       0x47aa7f <gf_node_get_name+31>    js     gf_node_get_name+40                      <gf_node_get_name+40>
        ↓
       0x47aa88 <gf_node_get_name+40>    mov    rax, qword ptr [rbp - 0x18]
       0x47aa8c <gf_node_get_name+44>    mov    rax, qword ptr [rax]
       0x47aa8f <gf_node_get_name+47>    mov    rax, qword ptr [rax + 8]
       0x47aa93 <gf_node_get_name+51>    mov    qword ptr [rbp - 0x10], rax
       0x47aa97 <gf_node_get_name+55>    mov    rax, qword ptr [rbp - 0x10]
       0x47aa9b <gf_node_get_name+59>    mov    rax, qword ptr [rax + 0xf0]
       0x47aaa2 <gf_node_get_name+66>    cmp    qword ptr [rbp - 0x18], rax
    ────────────────────────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]─────────────────────────────────────────────────────────────────────────────────────────────────
    In file: /home/zxq/CVE_testing/source/gpac/src/scenegraph/base_scenegraph.c
       1288 GF_EXPORT
       1289 const char *gf_node_get_name(GF_Node*p)
       1290 {
       1291 	GF_SceneGraph *sg;
       1292 	NodeIDedItem *reg_node;
     ► 1293 	if (!p || !(p->sgprivate->flags & GF_NODE_IS_DEF)) return NULL;
       1294 
       1295 	sg = p->sgprivate->scenegraph;
       1296 #ifndef GPAC_DISABLE_VRML
       1297 	/*if this is a proto, look in parent graph*/
       1298 	if (p == (GF_Node*)sg->pOwningProto) sg = sg->parent_scene;
    ────────────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────────────────────────────────────────────────────
    00:0000│ rbp rsp 0x7fffffff8100 —▸ 0x7fffffff85d0 ◂— 0x4747474747474747 ('GGGGGGGG')
    01:0008│         0x7fffffff8108 —▸ 0x6e1eee (gf_dump_vrml_route+415) ◂— mov    qword ptr [rbp - 0x488], rax
    02:0010│         0x7fffffff8110 —▸ 0x10f9bc0 ◂— 0x333
    03:0018│         0x7fffffff8118 ◂— 0x10
    04:0020│         0x7fffffff8120 —▸ 0x7fffffff8610 ◂— 0x4747474747474747 ('GGGGGGGG')
    05:0028│         0x7fffffff8128 —▸ 0x10f75f0 —▸ 0x10eccb0 ◂— 0x0
    06:0030│         0x7fffffff8130 —▸ 0xdba6f0 (funlockfile) ◂— endbr64 
    07:0038│         0x7fffffff8138 ◂— 0x1
    ──────────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────────────────────────────────────────────────────
     ► f 0         0x47aa77 gf_node_get_name+23
       f 1         0x6e1eee gf_dump_vrml_route+415
       f 2 0x4747474747474747
       f 3 0x4747474747474747
       f 4 0x4747474747474747
       f 5 0x4747474747474747
       f 6 0x4747474747474747
       f 7 0x4747474747474747
    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  0x000000000047aa77 in gf_node_get_name (p=0x4747474747474747) at scenegraph/base_scenegraph.c:1293
    #1  0x00000000006e1eee in gf_dump_vrml_route (sdump=0x10f75f0, r=0x7fffffff8610, dump_type=0) at scene_manager/scene_dump.c:2344
    #2  0x4747474747474747 in ?? ()
    #3  0x4747474747474747 in ?? ()
    #4  0x4747474747474747 in ?? ()
    #5  0x4747474747474747 in ?? ()
    #6  0x4747474747474747 in ?? ()
    #7  0x4747474747474747 in ?? ()
    #8  0x4747474747474747 in ?? ()
    #9  0x4747474747474747 in ?? ()
    #10 0x4747474747474747 in ?? ()
    #11 0x4747474747474747 in ?? ()
    #12 0x4747474747474747 in ?? ()
    #13 0x4747474747474747 in ?? ()
    #14 0x4747474747474747 in ?? ()
    #15 0x4747474747474747 in ?? ()
    #16 0x4747474747474747 in ?? ()
    #17 0x4747474747474747 in ?? ()
    #18 0x4747474747474747 in ?? ()
    #19 0x4747474747474747 in ?? ()
    #20 0x4747474747474747 in ?? ()
    #21 0x4747474747474747 in ?? ()
    #22 0x4747474747474747 in ?? ()
    #23 0x4747474747474747 in ?? ()
    #24 0x4747474747474747 in ?? ()
    #25 0x4747474747474747 in ?? ()
    #26 0x4747474747474747 in ?? ()
    #27 0x4747474747474747 in ?? ()
    #28 0x4747474747474747 in ?? ()
    #29 0x4747474747474747 in ?? ()
    #30 0x4747474747474747 in ?? ()
    #31 0x4747474747474747 in ?? ()
    #32 0x4747474747474747 in ?? ()
    #33 0x4747474747474747 in ?? ()
    #34 0x4747474747474747 in ?? ()
    #35 0x4747474747474747 in ?? ()
    #36 0x4747474747474747 in ?? ()
    #37 0x4747474747474747 in ?? ()
    #38 0x4747474747474747 in ?? ()
    #39 0x4747474747474747 in ?? ()
    #40 0x4747474747474747 in ?? ()
    #41 0x4747474747474747 in ?? ()
    #42 0x4747474747474747 in ?? ()
    #43 0x4747474747474747 in ?? ()
    #44 0x4747474747474747 in ?? ()
    #45 0x4747474747474747 in ?? ()
    #46 0x4747474747474747 in ?? ()
    #47 0x4747474747474747 in ?? ()
    #48 0x4747474747474747 in ?? ()
    #49 0x4747474747474747 in ?? ()
    #50 0x4747474747474747 in ?? ()
    #51 0x4747474747474747 in ?? ()
    #52 0x4747474747474747 in ?? ()
    #53 0x4747474747474747 in ?? ()
    #54 0x4747474747474747 in ?? ()
    #55 0x47474747ef474747 in ?? ()
    #56 0x4747474747474747 in ?? ()
    #57 0x4747474747474747 in ?? ()
    #58 0x4747474747474747 in ?? ()
    #59 0x0047474747474747 in ?? ()
    #60 0x868bc44dfe5d4600 in ?? ()
    #61 0x00007fffffff98b0 in ?? ()
    #62 0x0000000000417966 in dump_isom_scene (file=<error reading variable: Cannot access memory at address 0x474747474747366f>, inName=<error reading variable: Cannot access memory at address 0x4747474747473667>, is_final_name=<error reading variable: Cannot access memory at address 0x4747474747473663>, dump_mode=<error reading variable: Cannot access memory at address 0x474747474747365f>, do_log=<error reading variable: Cannot access memory at address 0x474747474747365b>, no_odf_conv=<error reading variable: Cannot access memory at address 0x4747474747473657>) at filedump.c:213
    Backtrace stopped: Cannot access memory at address 0x474747474747474f

CVE-2021-46238: stack overflow in gf_node_get_name () at scenegraph/base_scenegraph.c:1293 · Issue #2027 · gpac/gpac

An untrusted pointer dereference vulnerability exists in HDF5 v1.13.1-1 via the function H5O__dtype_decode_helper () at hdf5/src/H5Odtype.c. This vulnerability can lead to a Denial of Service (DoS).

Untrusted Pointer Dereference in H5O\_\_dtype\_decode\_helper () at hdf5/src/H5Odtype.c:499  
**Version**

**command:**

POC.zip

**Result**

**bt**

    Program received signal SIGSEGV, Segmentation fault.
    [----------------------------------registers-----------------------------------]
    RAX: 0x7ffec4695010 --> 0x0 
    RBX: 0x2 
    RCX: 0x5555559305d0 --> 0x0 
    RDX: 0x133350000 
    RSI: 0x5555559552ce --> 0x0 
    RDI: 0x7ffec4695010 --> 0x0 
    RBP: 0x555555930560 --> 0x0 
    RSP: 0x7fffffffc378 --> 0x55555568861f (<H5O__dtype_decode_helper+3375>:	mov    rax,QWORD PTR [rbp+0x28])
    RIP: 0x7ffff7df8898 (<__memmove_avx_unaligned_erms+552>:	vmovdqu ymm8,YMMWORD PTR [rsi+rdx*1-0x20])
    R8 : 0x55555595abd0 --> 0x0 
    R9 : 0x7ffec4695010 --> 0x0 
    R10: 0x22 ('"')
    R11: 0x7ffff7e55be0 --> 0x55555595abe0 --> 0x0 
    R12: 0xf5 
    R13: 0x5555559552c6 --> 0x0 
    R14: 0x7fffffffc680 --> 0x5555559552ce --> 0x0 
    R15: 0x0
    EFLAGS: 0x10216 (carry PARITY ADJUST zero sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x7ffff7df8889 <__memmove_avx_unaligned_erms+537>:	vmovdqu ymm5,YMMWORD PTR [rsi+0x20]
       0x7ffff7df888e <__memmove_avx_unaligned_erms+542>:	vmovdqu ymm6,YMMWORD PTR [rsi+0x40]
       0x7ffff7df8893 <__memmove_avx_unaligned_erms+547>:	vmovdqu ymm7,YMMWORD PTR [rsi+0x60]
    => 0x7ffff7df8898 <__memmove_avx_unaligned_erms+552>:	vmovdqu ymm8,YMMWORD PTR [rsi+rdx*1-0x20]
       0x7ffff7df889e <__memmove_avx_unaligned_erms+558>:	lea    r11,[rdi+rdx*1-0x20]
       0x7ffff7df88a3 <__memmove_avx_unaligned_erms+563>:	lea    rcx,[rsi+rdx*1-0x20]
       0x7ffff7df88a8 <__memmove_avx_unaligned_erms+568>:	mov    r9,r11
       0x7ffff7df88ab <__memmove_avx_unaligned_erms+571>:	mov    r8,r11
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffffc378 --> 0x55555568861f (<H5O__dtype_decode_helper+3375>:	mov    rax,QWORD PTR [rbp+0x28])
    0008| 0x7fffffffc380 --> 0x1ffff0 
    0016| 0x7fffffffc388 --> 0x7ffff7d04af9 (<sysmalloc+1913>:	cmp    rax,0xffffffffffffffff)
    0024| 0x7fffffffc390 --> 0x0 
    0032| 0x7fffffffc398 --> 0x0 
    0040| 0x7fffffffc3a0 --> 0x0 
    0048| 0x7fffffffc3a8 --> 0x0 
    0056| 0x7fffffffc3b0 --> 0x0 
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGSEGV
    __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:440
    440	../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S: No such file or directory.
    gdb-peda$ bt
    #0  __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:440
    #1  0x000055555568861f in H5O__dtype_decode_helper (ioflags=ioflags@entry=0x7fffffffc6c4, pp=pp@entry=0x7fffffffc680, dt=dt@entry=0x555555930560) at /home/zxq/CVE_testing/source/hdf5/src/H5Odtype.c:499
    #2  0x00005555556881a4 in H5O__dtype_decode_helper (ioflags=ioflags@entry=0x7fffffffc6c4, pp=pp@entry=0x7fffffffc680, dt=dt@entry=0x5555559303a0) at /home/zxq/CVE_testing/source/hdf5/src/H5Odtype.c:330
    #3  0x0000555555689497 in H5O__dtype_decode (f=<optimized out>, open_oh=<optimized out>, mesg_flags=<optimized out>, p_size=<optimized out>, p=<optimized out>, ioflags=0x7fffffffc6c4)
        at /home/zxq/CVE_testing/source/hdf5/src/H5Odtype.c:1137
    #4  H5O__dtype_shared_decode (f=<optimized out>, open_oh=<optimized out>, mesg_flags=<optimized out>, ioflags=0x7fffffffc6c4, p_size=<optimized out>, p=<optimized out>)
        at /home/zxq/CVE_testing/source/hdf5/src/H5Oshared.h:81
    #5  0x00005555556987bb in H5O_msg_read_oh (f=0x55555594f480, oh=oh@entry=0x555555954880, type_id=type_id@entry=0x3, mesg=mesg@entry=0x0) at /home/zxq/CVE_testing/source/hdf5/src/H5Omessage.c:514
    #6  0x00005555556989d9 in H5O_msg_read (loc=loc@entry=0x555555955e70, type_id=type_id@entry=0x3, mesg=mesg@entry=0x0) at /home/zxq/CVE_testing/source/hdf5/src/H5Omessage.c:455
    #7  0x00005555555d0657 in H5D__open_oid (dapl_id=0xb00000000000007, dataset=0x555555955e70) at /home/zxq/CVE_testing/source/hdf5/src/H5Dint.c:1707
    #8  H5D_open (loc=loc@entry=0x7fffffffc8b0, dapl_id=dapl_id@entry=0xb00000000000007) at /home/zxq/CVE_testing/source/hdf5/src/H5Dint.c:1512
    #9  0x00005555557f84fa in H5O__dset_open (obj_loc=0x7fffffffc8b0, opened_type=<optimized out>) at /home/zxq/CVE_testing/source/hdf5/src/H5Doh.c:246
    #10 0x0000555555690728 in H5O_open_by_loc (obj_loc=0x7fffffffc8b0, opened_type=0x7fffffffc9b4) at /home/zxq/CVE_testing/source/hdf5/src/H5Oint.c:758
    #11 0x0000555555690823 in H5O_open_name (loc=loc@entry=0x7fffffffc940, name=0x555555954390 "/dset1", opened_type=opened_type@entry=0x7fffffffc9b4) at /home/zxq/CVE_testing/source/hdf5/src/H5Oint.c:625
    #12 0x00005555557afd3f in H5VL__native_object_open (obj=<optimized out>, loc_params=0x7fffffffc9c0, opened_type=0x7fffffffc9b4, dxpl_id=<optimized out>, req=<optimized out>)
        at /home/zxq/CVE_testing/source/hdf5/src/H5VLnative_object.c:88
    #13 0x000055555579f0cc in H5VL__object_open (cls=<optimized out>, req=0x0, dxpl_id=0xb00000000000008, opened_type=0x7fffffffc9b4, params=0x7fffffffc9c0, obj=<optimized out>)
        at /home/zxq/CVE_testing/source/hdf5/src/H5VLcallback.c:5569
    #14 H5VL_object_open (vol_obj=0x555555951b40, params=params@entry=0x7fffffffc9c0, opened_type=opened_type@entry=0x7fffffffc9b4, dxpl_id=0xb00000000000008, req=req@entry=0x0)
        at /home/zxq/CVE_testing/source/hdf5/src/H5VLcallback.c:5601
    #15 0x0000555555673145 in H5O__open_api_common (_vol_obj_ptr=0x0, token_ptr=0x0, lapl_id=0x0, name=0x555555954390 "/dset1", loc_id=0x100000000000000) at /home/zxq/CVE_testing/source/hdf5/src/H5O.c:119
    #16 H5Oopen (loc_id=0x100000000000000, name=0x555555954390 "/dset1", lapl_id=0x0) at /home/zxq/CVE_testing/source/hdf5/src/H5O.c:163
    #17 0x0000555555567295 in list_obj (name=0x555555954390 "/dset1", oinfo=0x7fffffffd060, first_seen=0x0, _iter=0x7fffffffdd00) at /home/zxq/CVE_testing/source/hdf5/tools/src/h5ls/h5ls.c:2226
    #18 0x000055555558262a in traverse_cb (loc_id=<optimized out>, path=<optimized out>, linfo=<optimized out>, _udata=0x7fffffffd610) at /home/zxq/CVE_testing/source/hdf5/tools/lib/h5trav.c:218
    #19 0x000055555563244d in H5G__iterate_cb (_udata=0x7fffffffd3c0, lnk=0x7fffffffd150) at /home/zxq/CVE_testing/source/hdf5/src/H5Gint.c:866
    #20 H5G__iterate_cb (lnk=0x7fffffffd150, _udata=0x7fffffffd3c0) at /home/zxq/CVE_testing/source/hdf5/src/H5Gint.c:839
    #21 0x0000555555638c1e in H5G__node_iterate (f=f@entry=0x55555594f480, _lt_key=<optimized out>, addr=0x430, _rt_key=<optimized out>, _udata=_udata@entry=0x7fffffffd290)
        at /home/zxq/CVE_testing/source/hdf5/src/H5Gnode.c:967
    #22 0x00005555557daac0 in H5B__iterate_helper (f=0x55555594f480, type=0x555555902060 <H5B_SNODE>, addr=0x88, op=0x555555638b30 <H5G__node_iterate>, udata=udata@entry=0x7fffffffd290)
        at /home/zxq/CVE_testing/source/hdf5/src/H5B.c:1152
    #23 0x00005555557dbf9b in H5B_iterate (f=<optimized out>, type=<optimized out>, addr=<optimized out>, op=<optimized out>, udata=udata@entry=0x7fffffffd290) at /home/zxq/CVE_testing/source/hdf5/src/H5B.c:1194
    #24 0x000055555563d9f6 in H5G__stab_iterate (oloc=oloc@entry=0x5555559532b8, order=order@entry=H5_ITER_INC, skip=skip@entry=0x0, last_lnk=last_lnk@entry=0x7fffffffd448, 
        op=op@entry=0x5555556323f0 <H5G__iterate_cb>, op_data=0x7fffffffd3c0) at /home/zxq/CVE_testing/source/hdf5/src/H5Gstab.c:536
    #25 0x000055555563b575 in H5G__obj_iterate (grp_oloc=grp_oloc@entry=0x5555559532b8, idx_type=idx_type@entry=H5_INDEX_NAME, order=order@entry=H5_ITER_INC, skip=skip@entry=0x0, 
        last_lnk=last_lnk@entry=0x7fffffffd448, op=op@entry=0x5555556323f0 <H5G__iterate_cb>, op_data=0x7fffffffd3c0) at /home/zxq/CVE_testing/source/hdf5/src/H5Gobj.c:672
    #26 0x0000555555633558 in H5G_iterate (loc=<optimized out>, group_name=<optimized out>, idx_type=H5_INDEX_NAME, order=H5_ITER_INC, skip=skip@entry=0x0, last_lnk=last_lnk@entry=0x7fffffffd448, 
        lnk_op=0x7fffffffd450, op_data=0x7fffffffd610) at /home/zxq/CVE_testing/source/hdf5/src/H5Gint.c:921
    #27 0x000055555566b93a in H5L_iterate (loc=loc@entry=0x7fffffffd490, group_name=<optimized out>, idx_type=<optimized out>, order=<optimized out>, idx_p=<optimized out>, op=<optimized out>, 
        op_data=0x7fffffffd610) at /home/zxq/CVE_testing/source/hdf5/src/H5Lint.c:2243
    #28 0x00005555557af715 in H5VL__native_link_specific (obj=<optimized out>, loc_params=0x7fffffffd510, args=0x7fffffffd540, dxpl_id=<optimized out>, req=<optimized out>)
        at /home/zxq/CVE_testing/source/hdf5/src/H5VLnative_link.c:381
    #29 0x000055555579e570 in H5VL__link_specific (cls=<optimized out>, req=0x0, dxpl_id=0xb00000000000008, args=0x7fffffffd540, loc_params=0x7fffffffd510, obj=<optimized out>)
        at /home/zxq/CVE_testing/source/hdf5/src/H5VLcallback.c:5305
    #30 H5VL_link_specific (vol_obj=vol_obj@entry=0x555555951b40, loc_params=loc_params@entry=0x7fffffffd510, args=args@entry=0x7fffffffd540, dxpl_id=0xb00000000000008, req=req@entry=0x0)
        at /home/zxq/CVE_testing/source/hdf5/src/H5VLcallback.c:5339
    #31 0x000055555566722d in H5Literate_by_name2 (loc_id=loc_id@entry=0x100000000000000, group_name=group_name@entry=0x555555900010 <root_name> "/", idx_type=H5_INDEX_NAME, order=H5_ITER_INC, 
        idx_p=idx_p@entry=0x0, op=op@entry=0x555555582470 <traverse_cb>, op_data=0x7fffffffd610, lapl_id=<optimized out>) at /home/zxq/CVE_testing/source/hdf5/src/H5L.c:1823
    #32 0x0000555555583b7d in traverse (fields=0x3, visitor=0x7fffffffd5d0, recurse=0x0, visit_start=<optimized out>, grp_name=0x555555900010 <root_name> "/", file_id=0x100000000000000)
        at /home/zxq/CVE_testing/source/hdf5/tools/lib/h5trav.c:294
    #33 h5trav_visit (fid=0x100000000000000, grp_name=0x555555900010 <root_name> "/", visit_start=<optimized out>, recurse=<optimized out>, visit_obj=<optimized out>, visit_lnk=<optimized out>, 
        udata=0x7fffffffdd00, fields=0x3) at /home/zxq/CVE_testing/source/hdf5/tools/lib/h5trav.c:1057
    #34 0x0000555555567464 in visit_obj (file=0x100000000000000, oname=0x555555900010 <root_name> "/", iter=0x7fffffffdd00) at /home/zxq/CVE_testing/source/hdf5/tools/src/h5ls/h5ls.c:2499
    #35 0x000055555556363a in main (argc=argc@entry=0x2, argv=argv@entry=0x7fffffffe338) at /home/zxq/CVE_testing/source/hdf5/tools/src/h5ls/h5ls.c:3105
    #36 0x00007ffff7c910b3 in __libc_start_main (main=0x555555562f50 <main>, argc=0x2, argv=0x7fffffffe338, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe328)
        at ../csu/libc-start.c:308
    #37 0x000055555556419e in _start () at /usr/include/x86_64-linux-gnu/bits/stdio2.h:100

CVE-2021-46243: Untrusted Pointer Dereference in H5O__dtype_decode_helper () at hdf5/src/H5Odtype.c:499 · Issue #1326 · HDFGroup/hdf5

An untrusted pointer dereference vulnerability exists in GPAC v1.1.0 via the function gf_node_unregister () at scenegraph/base_scenegraph.c. This vulnerability can lead to a Denial of Service (DoS).

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Version:**

    ./MP4Box -version
    
    MP4Box - GPAC version 1.1.0-DEV-rev1593-g786b21cdb-master
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    	MINI build (encoders, decoders, audio and video output disabled)
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --static-mp4box --enable-debug --prefix=/home/zxq/CVE_testing/source/gpac/cmakebuild
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D 
    
    

**command:**

    ./bin/gcc/MP4Box -svg POC2
    

POC2.zip

POC2.zip

**Result**

**bt**

    Program received signal SIGSEGV, Segmentation fault.
    0x0000000000479ab6 in gf_node_unregister (pNode=0x10fc910, parentNode=0x0) at scenegraph/base_scenegraph.c:710
    710		if (pSG && (pNode == (GF_Node*)pSG->pOwningProto)) pSG = pSG->parent_scene;
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ──────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]───────────────────────────────────────────────────────────────────────────────────────────────────
     RAX  0x21
     RBX  0x10ee520 ◂— 0x0
     RCX  0x10fc910 —▸ 0x10fc9c0 ◂— 0x0
     RDX  0x0
     RDI  0x10fc910 —▸ 0x10fc9c0 ◂— 0x0
     RSI  0x0
     R8   0x4
     R9   0x0
     R10  0x10cdfa0 (main_arena+96) —▸ 0x10fcab0 ◂— 0x0
     R11  0x10cdfa0 (main_arena+96) —▸ 0x10fcab0 ◂— 0x0
     R12  0xd0bad0 (__libc_csu_fini) ◂— endbr64 
     R13  0x0
     R14  0x10a8018 (_GLOBAL_OFFSET_TABLE_+24) —▸ 0xd825d0 (__memmove_avx_unaligned_erms) ◂— endbr64 
     R15  0x0
     RBP  0x7fffffff7ff0 —▸ 0x7fffffff8030 —▸ 0x7fffffff80d0 —▸ 0x7fffffff80f0 —▸ 0x7fffffff8130 ◂— ...
     RSP  0x7fffffff7fb0 ◂— 0x0
     RIP  0x479ab6 (gf_node_unregister+295) ◂— mov    rax, qword ptr [rax + 0xf0]
    ────────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]────────────────────────────────────────────────────────────────────────────────────────────────────
     ► 0x479ab6 <gf_node_unregister+295>    mov    rax, qword ptr [rax + 0xf0]
       0x479abd <gf_node_unregister+302>    cmp    qword ptr [rbp - 0x38], rax
       0x479ac1 <gf_node_unregister+306>    jne    gf_node_unregister+320                      <gf_node_unregister+320>
        ↓
       0x479acf <gf_node_unregister+320>    mov    rax, qword ptr [rbp - 0x38]
       0x479ad3 <gf_node_unregister+324>    mov    rax, qword ptr [rax]
       0x479ad6 <gf_node_unregister+327>    movzx  eax, word ptr [rax + 2]
       0x479ada <gf_node_unregister+331>    test   ax, ax
       0x479add <gf_node_unregister+334>    jne    gf_node_unregister+367                      <gf_node_unregister+367>
        ↓
       0x479afe <gf_node_unregister+367>    mov    rax, qword ptr [rbp - 0x38]
       0x479b02 <gf_node_unregister+371>    mov    rax, qword ptr [rax]
       0x479b05 <gf_node_unregister+374>    movzx  edx, word ptr [rax + 2]

CVE-2021-46237: Untrusted pointer dereference in gf_node_unregister () at scenegraph/base_scenegraph.c:710 · Issue #2033 · gpac/gpac

A NULL pointer dereference vulnerability exists in GPAC v1.1.0 via the function gf_sg_vrml_field_pointer_del () at scenegraph/vrml_tools.c. This vulnerability can lead to a Denial of Service (DoS).

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Version:**

    ./MP4Box -version
    MP4Box - GPAC version 1.1.0-DEV-rev1582-g94db9779c-master
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    	MINI build (encoders, decoders, audio and video output disabled)
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --static-mp4box --enable-debug --
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D 
    

**command:**

    ./bin/gcc/MP4Box -svg POC2
    

POC2.zip

**Result**

**bt**

    Program received signal SIGSEGV, Segmentation fault.
    0x00000000004eb82b in gf_sg_vrml_field_pointer_del (field=0x0, FieldType=50) at scenegraph/vrml_tools.c:667
    667			gf_sg_mfdouble_del( * ((MFDouble *) field));
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ──────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]───────────────────────────────────────────────────────────────────────────────────────────────────
     RAX  0x0
     RBX  0x400788 ◂— 0x0
     RCX  0x0
     RDX  0xe03e5c ◂— 0xff6e7b77ff6e7b77
     RDI  0x0
     RSI  0x32
     R8   0x7
     R9   0x0
     R10  0xffffffd8
     R11  0x246
     R12  0xd0a2b0 (__libc_csu_fini) ◂— endbr64 
     R13  0x0
     R14  0x10a6018 (_GLOBAL_OFFSET_TABLE_+24) —▸ 0xd80db0 (__memmove_avx_unaligned_erms) ◂— endbr64 
     R15  0x0
     RBP  0x7fffffff8610 —▸ 0x7fffffff8660 —▸ 0x7fffffff86b0 —▸ 0x7fffffff8700 —▸ 0x7fffffff8740 ◂— ...
     RSP  0x7fffffff85f0 ◂— 0x3200000000
     RIP  0x4eb82b (gf_sg_vrml_field_pointer_del+254) ◂— mov    edx, dword ptr [rax]
    ────────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]────────────────────────────────────────────────────────────────────────────────────────────────────
     ► 0x4eb82b <gf_sg_vrml_field_pointer_del+254>    mov    edx, dword ptr [rax]
       0x4eb82d <gf_sg_vrml_field_pointer_del+256>    mov    rax, qword ptr [rax + 8]
       0x4eb831 <gf_sg_vrml_field_pointer_del+260>    mov    edi, edx
       0x4eb833 <gf_sg_vrml_field_pointer_del+262>    mov    rsi, rax
       0x4eb836 <gf_sg_vrml_field_pointer_del+265>    call   gf_sg_mfdouble_del                      <gf_sg_mfdouble_del>
     
       0x4eb83b <gf_sg_vrml_field_pointer_del+270>    jmp    gf_sg_vrml_field_pointer_del+682                      <gf_sg_vrml_field_pointer_del+682>
     
       0x4eb840 <gf_sg_vrml_field_pointer_del+275>    mov    rax, qword ptr [rbp - 0x18]
       0x4eb844 <gf_sg_vrml_field_pointer_del+279>    mov    edx, dword ptr [rax]
       0x4eb846 <gf_sg_vrml_field_pointer_del+281>    mov    rax, qword ptr [rax + 8]
       0x4eb84a <gf_sg_vrml_field_pointer_del+285>    mov    edi, edx
       0x4eb84c <gf_sg_vrml_field_pointer_del+287>    mov    rsi, rax
    ────────────────────────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]─────────────────────────────────────────────────────────────────────────────────────────────────
    In file: /home/zxq/CVE_testing/source/gpac/src/scenegraph/vrml_tools.c
       662 		break;
       663 	case GF_SG_VRML_MFFLOAT:
       664 		gf_sg_mffloat_del( * ((MFFloat *) field));
       665 		break;
       666 	case GF_SG_VRML_MFDOUBLE:
     ► 667 		gf_sg_mfdouble_del( * ((MFDouble *) field));
       668 		break;
       669 	case GF_SG_VRML_MFTIME:
       670 		gf_sg_mftime_del( * ((MFTime *)field));
       671 		break;
       672 	case GF_SG_VRML_MFINT32:
    ────────────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────────────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff85f0 ◂— 0x3200000000
    01:0008│     0x7fffffff85f8 ◂— 0x0
    02:0010│     0x7fffffff8600 —▸ 0x10ecd40 ◂— 0x0
    03:0018│     0x7fffffff8608 —▸ 0x10fa7d0 —▸ 0x10fae00 ◂— 0x0
    04:0020│ rbp 0x7fffffff8610 —▸ 0x7fffffff8660 —▸ 0x7fffffff86b0 —▸ 0x7fffffff8700 —▸ 0x7fffffff8740 ◂— ...
    05:0028│     0x7fffffff8618 —▸ 0x4e6a10 (gf_sg_proto_del_instance+120) ◂— jmp    0x4e6a8f
    06:0030│     0x7fffffff8620 ◂— 0x0
    07:0038│     0x7fffffff8628 —▸ 0x10fa720 —▸ 0x10fa770 ◂— 0x100000001
    ──────────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────────────────────────────────────────────────────
     ► f 0         0x4eb82b gf_sg_vrml_field_pointer_del+254
       f 1         0x4e6a10 gf_sg_proto_del_instance+120
       f 2         0x47bfc6 gf_node_del+431
       f 3         0x4797a6 gf_node_unregister+897
       f 4         0x4e4916 gf_sg_proto_del+193
       f 5         0x47db5d gf_sg_command_del+675
       f 6         0x6a0b93 gf_sm_au_del+122
       f 7         0x6a0c24 gf_sm_reset_stream+73
    ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  0x00000000004eb82b in gf_sg_vrml_field_pointer_del (field=0x0, FieldType=50) at scenegraph/vrml_tools.c:667
    #1  0x00000000004e6a10 in gf_sg_proto_del_instance (inst=0x10fa720) at scenegraph/vrml_proto.c:846
    #2  0x000000000047bfc6 in gf_node_del (node=0x10fa720) at scenegraph/base_scenegraph.c:1899
    #3  0x00000000004797a6 in gf_node_unregister (pNode=0x10fa720, parentNode=0x0) at scenegraph/base_scenegraph.c:761
    #4  0x00000000004e4916 in gf_sg_proto_del (proto=0x10f9d60) at scenegraph/vrml_proto.c:117
    #5  0x000000000047db5d in gf_sg_command_del (com=0x10f9c80) at scenegraph/commands.c:113
    #6  0x00000000006a0b93 in gf_sm_au_del (sc=0x10f7ac0, au=0x10f9bd0) at scene_manager/scene_manager.c:113
    #7  0x00000000006a0c24 in gf_sm_reset_stream (sc=0x10f7ac0) at scene_manager/scene_manager.c:126
    #8  0x00000000006a0c58 in gf_sm_delete_stream (sc=0x10f7ac0) at scene_manager/scene_manager.c:133
    #9  0x00000000006a0d03 in gf_sm_del (ctx=0x10ed170) at scene_manager/scene_manager.c:147
    #10 0x000000000041797b in dump_isom_scene (file=0x7fffffffe637 "gf_sg_vrml_field_pointer_del-gf_sg_proto_del_instance/POC2", inName=0x10da460 <outfile> "gf_sg_vrml_field_pointer_del-gf_sg_proto_del_instance/POC2", is_final_name=GF_FALSE, dump_mode=GF_SM_DUMP_SVG, do_log=GF_FALSE, no_odf_conv=GF_FALSE) at filedump.c:216
    #11 0x000000000041521f in mp4boxMain (argc=3, argv=0x7fffffffe358) at main.c:6044
    #12 0x000000000041719b in main (argc=3, argv=0x7fffffffe358) at main.c:6496
    #13 0x0000000000d09a40 in __libc_start_main ()
    #14 0x000000000040211e in _start ()
    pwndbg>

Tag

#dos