GPAC v1.1.0 was discovered to contain an invalid memory address dereference via the function gf_list_last(). This vulnerability allows attackers to cause a Denial of Service (DoS).

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

An invalid memory address dereference was discovered in dump\_od\_to\_saf.isra(). The vulnerability causes a segmentation fault and application crash.

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration:
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

poc\_3.zip

**Result**

    [ODF] Not enough bytes (38) to read descriptor (size=59)
    [ODF] Error reading descriptor (tag 4 size 49): Invalid MPEG-4 Descriptor
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Incomplete box mdat - start 11495 size 861263
    [iso file] Incomplete file while reading for dump - aborting parsing
    [ODF] Not enough bytes (38) to read descriptor (size=59)
    [ODF] Error reading descriptor (tag 4 size 49): Invalid MPEG-4 Descriptor
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Incomplete box mdat - start 11495 size 861263
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 BIFS Scene Parsing
    Scene loaded - dumping 2 systems streams
    [1]    1390552 segmentation fault  ./MP4Box -lsr ./poc/poc_3
    

**gdb**

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff7ab7e3b in dump_od_to_saf.isra () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x0
     RBX  0x5555555df630 —▸ 0x5555555df601 ◂— 0x2100000000000000
     RCX  0x0
     RDX  0x7ffff72bf040 ◂— 0x7ffff72bf040
     RDI  0x5555555e0400 ◂— 0xfbad2c84
     RSI  0x5555555df440 ◂— 0x7
     R8   0x0
     R9   0x23
     R10  0x7ffff7e4690b ◂— 0x7473200000000022 /* '"' */
     R11  0x7fffffff70c7 ◂— 0x4d0552ab398a0031 /* '1' */
     R12  0x0
     R13  0x5555555df4d0 ◂— 0x0
     R14  0x5555555df070 —▸ 0x5555555e0400 ◂— 0xfbad2c84
     R15  0x5555555dfcb0 ◂— 0x700010003
     RBP  0x1
     RSP  0x7fffffff7200 —▸ 0x5555555df8a0 ◂— 0xc0
     RIP  0x7ffff7ab7e3b (dump_od_to_saf.isra+299) ◂— movzx  edx, byte ptr [rax + 8]
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
     ► 0x7ffff7ab7e3b <dump_od_to_saf.isra+299>    movzx  edx, byte ptr [rax + 8]
       0x7ffff7ab7e3f <dump_od_to_saf.isra+303>    mov    ecx, dword ptr [rax + 4]
       0x7ffff7ab7e42 <dump_od_to_saf.isra+306>    xor    eax, eax
       0x7ffff7ab7e44 <dump_od_to_saf.isra+308>    mov    r8d, dword ptr [rsi + 0x18]
       0x7ffff7ab7e48 <dump_od_to_saf.isra+312>    lea    rsi, [rip + 0x38eac1]
       0x7ffff7ab7e4f <dump_od_to_saf.isra+319>    call   gf_fprintf@plt                <gf_fprintf@plt>
    
       0x7ffff7ab7e54 <dump_od_to_saf.isra+324>    mov    rdx, qword ptr [r13]
       0x7ffff7ab7e58 <dump_od_to_saf.isra+328>    mov    r9, qword ptr [rsp]
       0x7ffff7ab7e5c <dump_od_to_saf.isra+332>    test   rdx, rdx
       0x7ffff7ab7e5f <dump_od_to_saf.isra+335>    jne    dump_od_to_saf.isra+464                <dump_od_to_saf.isra+464>
    
       0x7ffff7ab7e61 <dump_od_to_saf.isra+337>    mov    rdi, qword ptr [r14]
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff7200 —▸ 0x5555555df8a0 ◂— 0xc0
    01:0008│     0x7fffffff7208 ◂— 0x100000002
    02:0010│     0x7fffffff7210 —▸ 0x5555555dfa50 —▸ 0x5555555dfde0 ◂— 0x0
    03:0018│     0x7fffffff7218 ◂— 0x0
    04:0020│     0x7fffffff7220 —▸ 0x5555555dfa50 —▸ 0x5555555dfde0 ◂— 0x0
    05:0028│     0x7fffffff7228 ◂— 0x0
    06:0030│     0x7fffffff7230 ◂— 0x0
    07:0038│     0x7fffffff7238 —▸ 0x5555555df4d0 ◂— 0x0
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff7ab7e3b dump_od_to_saf.isra+299
       f 1   0x7ffff7ac282d gf_sm_dump+1853
       f 2   0x555555584418 dump_isom_scene+616
       f 3   0x55555557b42c mp4boxMain+9228
       f 4   0x7ffff75630b3 __libc_start_main+243
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  0x00007ffff7ab7e3b in dump_od_to_saf.isra () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #1  0x00007ffff7ac282d in gf_sm_dump () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #2  0x0000555555584418 in dump_isom_scene ()
    #3  0x000055555557b42c in mp4boxMain ()
    #4  0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe188, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe178) at ../csu/libc-start.c:308
    #5  0x000055555556c45e in _start ()

CVE-2021-45760: Invalid memory address dereference in dump_od_to_saf.isra() · Issue #1966 · gpac/gpac

File and directory permissions have been corrected to prevent unintended users from modifying or accessing resources. It would be more difficult for an authenticated attacker to now traverse through the files and directories. This can only be exploited once an attacker has already found a way to get authenticated access to the device. 



**WDC Tracking Number:** WDC-22003  
**Product Line:** EdgeRover  
**Published:** January 13, 2022

**Last Updated:**  January 13, 2022

**Description**

EdgeRover 1.5.0-576 includes two major security fixes to help keep your content secure.

Multiple vulnerabilities have been discovered in the FFmpeg multimedia framework which could cause a denial of service or code execution vulnerability if malformed files or streams are processed.

Insecure file and directory permissions were in place that could allow resources to be read or modified by unintended actors.

**Product Impact**

**Minimum Fix Version**

**Last Updated**

EdgeRover Mac Desktop App

1.5.0-576

January 10, 2022

EdgeRover Windows Desktop App

1.5.0-576

January 10, 2022

**Advisory Summary**

Addressed multiple FFmpeg vulnerabilities by updating the version to 7:4.1.8-0+deb10u1.

**CVE Number:** CVE-2020-20445, CVE-2020-20446, CVE-2020-20453, CVE-2020-21041, CVE-2020-22015, CVE-2020-22016, CVE-2020-22017, CVE-2020-22019, CVE-2020-22020, CVE-2020-22021, CVE-2020-22022, CVE-2020-22023, CVE-2020-22025, CVE-2020-22026, CVE-2020-22027, CVE-2020-22028, CVE-2020-22029, CVE-2020-22030, CVE-2020-22031, CVE-2020-22032, CVE-2020-22033, CVE-2020-22034, CVE-2020-22035, CVE-2020-22036, CVE-2020-22037, CVE-2020-22049, CVE-2020-22054, CVE-2020-35965, CVE-2021-38114, CVE-2021-38171, CVE-2021-38291

File and directory permissions have been corrected to prevent unintended users from modifying or accessing resources.

**CVE Number:** CVE-2022-22988

*      
    
    {{ skuObj.title.length < 15 ? skuObj.title : skuObj.title.substring(0,14) + "..." }}

CVE-2022-22988: WDC-22003 EdgeRover Desktop App Version 1.5.0-576 | Western Digital

A limited authentication bypass vulnerability was discovered that could allow an attacker to achieve remote code execution and escalate privileges on the My Cloud devices. Addressed this vulnerability by changing access token validation logic and rewriting rule logic on PHP scripts.

**WDC Tracking Number:** WDC-22002  
**Published:** January 13, 2022

**Last Updated:** June 6, 2022

**Description**

My Cloud OS 5 Firmware 5.19.117 includes updates to help improve the security of your My Cloud OS 5 devices.

**Product Impact**

**Minimum Fix Version**

**Last Updated**

My Cloud PR2100

5.19.117

January 10, 2022

My Cloud PR4100

5.19.117

January 10, 2022

My Cloud EX4100

5.19.117

January 10, 2022

My Cloud EX2 Ultra

5.19.117

January 10, 2022

My Cloud Mirror Gen 2

5.19.117

January 10, 2022

My Cloud DL2100

5.19.117

January 10, 2022

My Cloud DL4100

5.19.117

January 10, 2022

My Cloud EX2100

5.19.117

January 10, 2022

My Cloud

5.19.117

January 10, 2022

WD Cloud

5.19.117

January 10, 2022

For more information on the latest security updates, see the release notes: https://os5releasenotes.mycloud.com/#/

**Advisory Summary**

A flaw was discovered in the way Samba maps domain users to local users. An authenticated attacker could use this flaw to gain potential privilege escalation. Addressed this vulnerability by updating Debian (buster) version to 2:4.9.5+dfsg-5+deb10u2.

A use-after-free vulnerability was found in the International Components for Unicode (ICU) library which could result in denial of service or potentially the execution of arbitrary code. Addressed this vulnerability by updating the Debian (buster) version to 63.1-6+deb10u2.

**CVE Number:** CVE-2020-21913

Addressed a command injection attack that could allow a malicious attacker on the same LAN to carry out a DNS spoofing attack via an unsecured HTTP call. This was done by removing the affected code from the product.

**CVE Number:** CVE-2022-22991, CVE-2022-22994  
Reported By: Martin Rakhmanov (@mrakhmanov) working with Trend Micro’s Zero Day Initiative

My Cloud OS 5 was vulnerable to a pre-authenticated stack overflow vulnerability on the FTP service. Addressed the vulnerability by adding defenses against stack overflow issues.

**CVE Number:** CVE-2022-22989

A limited authentication bypass vulnerability was discovered that could allow an attacker to achieve remote code execution and escalate privileges on the My Cloud devices. Addressed this vulnerability by changing access token validation logic and rewriting rule logic on PHP scripts.

**CVE Number:** CVE-2022-22990  
Reported By: Sam Thomas (@\_s\_n\_t) of Pentest Ltd (@pentestltd) working with Trend Micro’s Zero Day Initiative

CVE-2022-22990: WDC-22002 My Cloud OS 5 Firmware 5.19.117 | Western Digital

A malicious user on the same LAN could use DNS spoofing followed by a command injection attack to trick a NAS device into loading through an unsecured HTTP call. Addressed this vulnerability by disabling checks for internet connectivity using HTTP.

**WDC Tracking Number:** WDC-22002  
**Published:** January 13, 2022

**Last Updated:** January 13, 2022

**Description**

My Cloud OS 5 Firmware 5.19.117 includes updates to help improve the security of your My Cloud OS 5 devices.

**Product Impact**

**Minimum Fix Version**

**Last Updated**

My Cloud PR2100

5.19.117

January 10, 2022

My Cloud PR4100

5.19.117

January 10, 2022

My Cloud EX4100

5.19.117

January 10, 2022

My Cloud EX2 Ultra

5.19.117

January 10, 2022

My Cloud Mirror Gen 2

5.19.117

January 10, 2022

My Cloud DL2100

5.19.117

January 10, 2022

My Cloud DL4100

5.19.117

January 10, 2022

My Cloud EX2100

5.19.117

January 10, 2022

My Cloud

5.19.117

January 10, 2022

WD Cloud

5.19.117

January 10, 2022

For more information on the latest security updates, see the release notes: https://os5releasenotes.mycloud.com/#/

**Advisory Summary**

A flaw was discovered in the way Samba maps domain users to local users. An authenticated attacker could use this flaw to gain potential privilege escalation. Addressed this vulnerability by updating Debian (buster) version to 2:4.9.5+dfsg-5+deb10u2.

A use-after-free vulnerability was found in the International Components for Unicode (ICU) library which could result in denial of service or potentially the execution of arbitrary code. Addressed this vulnerability by updating the Debian (buster) version to 63.1-6+deb10u2.

**CVE Number:** CVE-2020-21913

A malicious user on the same LAN could use DNS spoofing followed by a command injection attack to trick a NAS device into loading through an unsecured HTTP call. Addressed this vulnerability by disabling checks for internet connectivity using HTTP.

**CVE Number:** CVE-2022-22991  
Reported By: Martin Rakhmanov (@mrakhmanov) working with Trend Micro’s Zero Day Initiative

My Cloud OS 5 was vulnerable to a pre-authenticated stack overflow vulnerability on the FTP service. Addressed the vulnerability by adding defenses against stack overflow issues.

**CVE Number:** CVE-2022-22989

A limited authentication bypass vulnerability was discovered that could allow an attacker to achieve remote code execution and escalate privileges on the My Cloud devices. Addressed this vulnerability by changing access token validation logic and rewriting rule logic on PHP scripts.

**CVE Number:** CVE-2022-22990  
Reported By: Sam Thomas (@\_s\_n\_t) of Pentest Ltd (@pentestltd) working with Trend Micro’s Zero Day Initiative

CVE-2022-22991: WDC-22002 My Cloud OS 5 Firmware 5.19.117 | Western Digital

File and directory permissions have been corrected to prevent unintended users from modifying or accessing resources.

**WDC Tracking Number:** WDC-22003  
**Published:** January 13, 2022

**Last Updated:**  January 13, 2022

**Description**

EdgeRover 1.5.0-576 includes two major security fixes to help keep your content secure.

Multiple vulnerabilities have been discovered in the FFmpeg multimedia framework which could cause a denial of service or code execution vulnerability if malformed files or streams are processed.

Insecure file and directory permissions were in place that could allow resources to be read or modified by unintended actors.

**Product Impact**

**Minimum Fix Version**

**Last Updated**

EdgeRover Mac Desktop App

January 10, 2022

EdgeRover Windows Desktop App

January 10, 2022

**Advisory Summary**

Addressed multiple FFmpeg vulnerabilities by updating the version to 7:4.1.8-0+deb10u1.

**CVE Number:** CVE-2020-20445, CVE-2020-20446, CVE-2020-20453, CVE-2020-21041, CVE-2020-22015, CVE-2020-22016, CVE-2020-22017, CVE-2020-22019, CVE-2020-22020, CVE-2020-22021, CVE-2020-22022, CVE-2020-22023, CVE-2020-22025, CVE-2020-22026, CVE-2020-22027, CVE-2020-22028, CVE-2020-22029, CVE-2020-22030, CVE-2020-22031, CVE-2020-22032, CVE-2020-22033, CVE-2020-22034, CVE-2020-22035, CVE-2020-22036, CVE-2020-22037, CVE-2020-22049, CVE-2020-22054, CVE-2020-35965, CVE-2021-38114, CVE-2021-38171, CVE-2021-38291

File and directory permissions have been corrected to prevent unintended users from modifying or accessing resources.

**CVE Number:** CVE-2022-22988

The binary MP4Box in Gpac 1.0.1 has a double-free vulnerability in the gf_text_get_utf8_line function in load_text.c, which allows attackers to cause a denial of service, even code execution and escalation of privileges.

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...).

Hi, there.

There is a buffer overflow in gf\_text\_get\_utf8\_line, in commit 592ba26 that results in system abort (core dumped).

Here is my environment, compiler info and gpac version:

    Distributor ID:	Ubuntu
    Description:	Ubuntu 16.04.6 LTS
    Release:	16.04
    Codename:	xenial
    gcc: 5.4.0
    
    MP4Box - GPAC version 1.1.0-DEV-rev1170-g592ba26-master
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    	MINI build (encoders, decoders, audio and video output disabled)
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --static-bin --enable-debug
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D
    

To reproduce, run

POC:  
poc.zip  
(unzip first)

This is the output of the program:

    *** stack smashing detected ***: <unknown> terminated
    Aborted (core dumped)
    

Here is the trace reported by gdb (the stack is smashed):

    Stopped reason: SIGABRT
    gef➤  bt
    #0  0x0000000001f15d08 in raise ()
    #1  0x0000000001f15f3a in abort ()
    #2  0x0000000001f24ed6 in __libc_message ()
    #3  0x0000000001f70a92 in __fortify_fail ()
    #4  0x0000000001f70a3e in __stack_chk_fail ()
    #5  0x000000000127f3ad in gf_text_get_utf8_line (szLine=<optimized out>, lineSize=<optimized out>, txt_in=<optimized out>, unicode_type=0x0) at /mnt/data/playground/gpac/src/filters/load_text.c:337
    #6  0xc2657485c3a5c37e in ?? ()
    #7  0xbcc3739fc3314583 in ?? ()
    #8  0x0748654e86c3aac3 in ?? ()
    ....
    #14 0x609ec3a0c3a7c26e in ?? ()
    #15 0x11bdcd643758a5c3 in ?? ()
    #16 0x00000000009ac35e in gf_isom_load_extra_boxes (movie=0xc53f89c4114aacc2, moov_boxes=<optimized out>, moov_boxes_size=<optimized out>, udta_only=(unknown: 2747429506)) at /mnt/data/playground/gpac/src/isomedia/isom_write.c:615
    #17 0x0000000000000000 in ?? ()

CVE-2021-40574: System abort (Core dumped) caused by buffer overflow using MP4Box in gf_text_get_utf8_line · Issue #1897 · gpac/gpac

The binary MP4Box in Gpac 1.0.1 has a double-free bug in the av1dmx_finalize function in reframe_av1.c, which allows attackers to cause a denial of service.

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...).

Hi, there.

There is a segmentation fault in av1dmx\_finalize, reframe\_av1.c:1075 in commit 592ba26 caused by double free issue.

Here is my environment, compiler info and gpac version:

    Distributor ID:	Ubuntu
    Description:	Ubuntu 16.04.6 LTS
    Release:	16.04
    Codename:	xenial
    gcc: 5.4.0
    
    MP4Box - GPAC version 1.1.0-DEV-rev1170-g592ba26-master
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    	MINI build (encoders, decoders, audio and video output disabled)
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --static-bin --enable-debug
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D
    

To reproduce, run

POC:  
poc.zip  
(unzip first)

Here is the trace reported by gdb:

    Stopped reason: SIGABRT
    gef➤  bt
    #0  0x0000000001f15d08 in raise ()
    #1  0x0000000001f15f3a in abort ()
    #2  0x0000000001f24ed6 in __libc_message ()
    #3  0x0000000001f2da76 in _int_free ()
    #4  0x0000000001f31af7 in free ()
    #5  0x000000000053de4d in gf_free (ptr=<optimized out>) at /mnt/data/playground/gpac/src/utils/alloc.c:165
    #6  0x00000000013e3d4d in av1dmx_finalize (filter=<optimized out>) at /mnt/data/playground/gpac/src/filters/reframe_av1.c:1075
    #7  0x0000000000f9949c in gf_fs_del (fsess=fsess@entry=0x248c220) at /mnt/data/playground/gpac/src/filter_core/filter_session.c:646
    #8  0x0000000000c1a86a in gf_media_import (importer=importer@entry=0x7fffffff5bf0) at /mnt/data/playground/gpac/src/media_tools/media_import.c:1242
    #9  0x0000000000497345 in convert_file_info (inName=0x7fffffffe159 "tmp", trackID=0x0) at /mnt/data/playground/gpac/applications/mp4box/fileimport.c:128
    #10 0x0000000000456aaa in mp4boxMain (argc=<optimized out>, argv=<optimized out>) at /mnt/data/playground/gpac/applications/mp4box/main.c:5925
    #11 0x0000000001f06bb6 in generic_start_main ()
    #12 0x0000000001f071a5 in __libc_start_main ()
    #13 0x000000000041c4e9 in _start ()

CVE-2021-40572: Segmentation fault caused by double free using mp4box in av1dmx_finalize, reframe_av1.c:1075 · Issue #1893 · gpac/gpac

The binary MP4Box in Gpac 1.0.1 has a null pointer dereference vulnerability in the gf_isom_get_payt_count function in hint_track.c, which allows attackers to cause a denial of service.

Permalink

Browse files

*   Loading branch information

![@jeanlf](https://avatars.githubusercontent.com/u/7303785?s=40&v=4)

1 parent b07a6ac commit ad18ece95fa064efc0995c4ab2c985f77fb166ec

Showing with **1 addition** and **1 deletion**.

1.  +1 −1 src/isomedia/hint\_track.c

@@ -43,7 +43,7 @@ Bool IsHintTrack(GF\_TrackBox \*trak)

u32 GetHintFormat(GF\_TrackBox \*trak)

{

GF\_HintMediaHeaderBox \*hmhd = (GF\_HintMediaHeaderBox \*)trak->Media\->information\->InfoHeader;

if (hmhd->type != GF\_ISOM\_BOX\_TYPE\_HMHD)

if (!hmhd || (hmhd\->type != GF\_ISOM\_BOX\_TYPE\_HMHD))

return 0;

  

if (!hmhd || !hmhd->subType) {

**0 comments on commit `ad18ece`**

Please sign in to comment.

CVE-2021-40576: fixed #1904 · gpac/gpac@ad18ece

The binary MP4Box in Gpac 1.0.1 has a null pointer dereference vulnerability in the mpgviddmx_process function in reframe_mpgvid.c, which allows attackers to cause a denial of service. This vulnerability is possibly due to an incomplete fix for CVE-2021-40566.

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...).

Hi, there.

There is a segmentation fault caused by null pointer dereference in mpgviddmx\_process, reframe\_mpgvid.c:643 in commit d003a57. It seems to be an incomplete fix of issue #1887 and causes another problem.

Here is my environment, compiler info and gpac version:

    Distributor ID:	Ubuntu
    Description:	Ubuntu 16.04.6 LTS
    Release:	16.04
    Codename:	xenial
    gcc: 5.4.0
    
    MP4Box - GPAC version 1.1.0-DEV-rev1191-g55d6dbc-master
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    	MINI build (encoders, decoders, audio and video output disabled)
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --static-bin --enable-debug
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D
    

To reproduce, run

POC:  
poc.zip  
(unzip first)

Here is the trace reported by gdb:

    Stopped reason: SIGSEGV
    gef➤  bt
    #0  0x000000000141a950 in memcpy (__len=0xffffffffffffffff, __src=0x24ada59, __dest=0x24a5770) at /usr/include/x86_64-linux-gnu/bits/string3.h:53
    #1  mpgviddmx_process (filter=0x24a0bd0) at /mnt/data/playground/gpac/src/filters/reframe_mpgvid.c:643
    #2  0x0000000000fe3e78 in gf_filter_process_task (task=0x2492f30) at /mnt/data/playground/gpac/src/filter_core/filter.c:2441
    #3  0x0000000000f7ab69 in gf_fs_thread_proc (sess_thread=sess_thread@entry=0x248c2b0) at /mnt/data/playground/gpac/src/filter_core/filter_session.c:1640
    #4  0x0000000000f927b8 in gf_fs_run (fsess=fsess@entry=0x248c220) at /mnt/data/playground/gpac/src/filter_core/filter_session.c:1877
    #5  0x0000000000c17c8b in gf_media_import (importer=importer@entry=0x7fffffff5bf0) at /mnt/data/playground/gpac/src/media_tools/media_import.c:1178
    #6  0x0000000000497345 in convert_file_info (inName=0x7fffffffe15b "tmp", trackID=0x0) at /mnt/data/playground/gpac/applications/mp4box/fileimport.c:128
    #7  0x0000000000456aaa in mp4boxMain (argc=<optimized out>, argv=<optimized out>) at /mnt/data/playground/gpac/applications/mp4box/main.c:5925
    #8  0x0000000001f06976 in generic_start_main ()
    #9  0x0000000001f06f65 in __libc_start_main ()
    #10 0x000000000041c4e9 in _start ()
    

Here is the trace reported by ASAN:

    ==29762==ERROR: AddressSanitizer: negative-size-param: (size=-1)
         #0 0x7fdaf42ff813  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79813)
         #1 0x7fdaf2897f1c in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34
         #2 0x7fdaf2897f1c in mpgviddmx_process /playground/gpac/src/filters/reframe_mpgvid.c:643
         #3 0x7fdaf254efa0 in gf_filter_process_task /playground/gpac/src/filter_core/filter.c:2441
         #4 0x7fdaf250f0e2 in gf_fs_thread_proc /playground/gpac/src/filter_core/filter_session.c:1640
         #5 0x7fdaf2519fb0 in gf_fs_run /playground/gpac/src/filter_core/filter_session.c:1877
         #6 0x7fdaf1ff21f5 in gf_media_import /playground/gpac/src/media_tools/media_import.c:1178
         #7 0x55ce40c3484f in convert_file_info /playground/gpac/applications/mp4box/fileimport.c:128
         #8 0x55ce40c07635 in mp4boxMain /playground/gpac/applications/mp4box/main.c:5925
         #9 0x7fdaef9a6bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
         #10 0x55ce40be83f9 in _start (/playground/gpac/build-a/bin/gcc/MP4Box+0x873f9)
     
     0x622000007489 is located 0 bytes to the right of 5001-byte region [0x622000006100,0x622000007489)
     allocated by thread T0 here:
         #0 0x7fdaf4364b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
         #1 0x7fdaf26a0289 in filein_initialize /playground/gpac/src/filters/in_file.c:193
         #2 0x7fdaf253b0f0 in gf_filter_new_finalize /playground/gpac/src/filter_core/filter.c:425
         #3 0x7fdaf253f294 in gf_filter_new /playground/gpac/src/filter_core/filter.c:382
         #4 0x7fdaf2519310 in gf_fs_load_source_dest_internal /playground/gpac/src/filter_core/filter_session.c:2833
         #5 0x7fdaf2524a82 in gf_fs_load_source /playground/gpac/src/filter_core/filter_session.c:2873
         #6 0x7fdaf1ff21a6 in gf_media_import /playground/gpac/src/media_tools/media_import.c:1165
         #7 0x55ce40c3484f in convert_file_info /playground/gpac/applications/mp4box/fileimport.c:128
         #8 0x55ce40c07635 in mp4boxMain /playground/gpac/applications/mp4box/main.c:5925
         #9 0x7fdaef9a6bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
     
     SUMMARY: AddressSanitizer: negative-size-param (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79813) 
     ==29762==ABORTING

CVE-2021-40575: Segmentation fault casued by null pointer dereference using mp4box in mpgviddmx_process, reframe_mpgvid.c:643 · Issue #1905 · gpac/gpac

The binary MP4Box in Gpac 1.0.1 has a double-free vulnerability in the ilst_box_read function in box_code_apple.c, which allows attackers to cause a denial of service, even code execution and escalation of privileges.

Permalink

Browse files

fixed #1895

*   Loading branch information

![@jeanlf](https://avatars.githubusercontent.com/u/7303785?s=40&v=4)

jeanlf committed

Aug 30, 2021

1 parent 86c1566 commit a69b567b8c95c72f9560c873c5ab348be058f340

Showing with **1 addition** and **0 deletions**.

1.  +1 −0 src/odf/descriptors.c

1 src/odf/descriptors.c

Show comments View file

@@ -1613,6 +1613,7 @@ GF\_AV1Config \*gf\_odf\_av1\_cfg\_read\_bs\_size(GF\_BitStream \*bs, u32 size)

size -= (u32) obu\_size;

}

gf\_av1\_reset\_state(& state, GF\_TRUE);

gf\_bs\_align(bs);

return cfg;

#else

return NULL;

**0 comments on commit `a69b567`**

Please sign in to comment.

Tag

#dos