The binary MP4Box in Gpac through 1.0.1 has a double-free vulnerability in the iloc_entry_del funciton in box_code_meta.c, which allows attackers to cause a denial of service.

@@ -282,7 +282,8 @@ GF\_Err iloc\_box\_read(GF\_Box \*s, GF\_BitStream \*bs) }  
for (i = 0; i < item\_count; i++) { GF\_ItemLocationEntry \*location\_entry = (GF\_ItemLocationEntry \*)gf\_malloc(sizeof(GF\_ItemLocationEntry)); GF\_ItemLocationEntry \*location\_entry; GF\_SAFEALLOC(location\_entry, GF\_ItemLocationEntry); if (!location\_entry) return GF\_OUT\_OF\_MEM;  
gf\_list\_add(ptr->location\_entries, location\_entry); @@ -311,7 +312,8 @@ GF\_Err iloc\_box\_read(GF\_Box \*s, GF\_BitStream \*bs) extent\_count = gf\_bs\_read\_u16(bs); location\_entry->extent\_entries = gf\_list\_new(); for (j = 0; j < extent\_count; j++) { GF\_ItemExtentEntry \*extent\_entry = (GF\_ItemExtentEntry \*)gf\_malloc(sizeof(GF\_ItemExtentEntry)); GF\_ItemExtentEntry \*extent\_entry; GF\_SAFEALLOC(extent\_entry, GF\_ItemExtentEntry); if (!extent\_entry) return GF\_OUT\_OF\_MEM;  
gf\_list\_add(location\_entry->extent\_entries, extent\_entry);

CVE-2021-40569: fixed #1890 · gpac/gpac@b03c9f2

The IBM i 7.1, 7.2, 7.3, and 7.4 Extended Dynamic Remote SQL server (EDRSQL) could allow a remote authenticated user to send a specially crafted request and cause a denial of service.  IBM X-Force ID:  214537.

CVE-2021-39056: IBM i denial of service CVE-2021-39056 Vulnerability Report

A buffer overflow vulnerability exists in Gpac through 1.0.1 via a malformed MP4 file in the svc_parse_slice function in av_parsers.c, which allows attackers to cause a denial of service, even code execution and escalation of privileges.

@@ -4690,20 +4690,23 @@ u32 gf\_bs\_read\_ue\_log\_idx3(GF\_BitStream \*bs, const char \*fname, s32 idx1, s32 id

u32 bits = 0;

for (code=0; !code; nb\_lead++) {

if (nb\_lead>=32) {

//gf\_bs\_read\_int keeps returning 0 on EOS, so if no more bits available, rbsp was truncated otherwise code is broken in rbsp)

//we only test once nb\_lead>=32 to avoid testing at each bit read

if (!gf\_bs\_available(bs)) {

GF\_LOG(GF\_LOG\_ERROR, GF\_LOG\_CODING, ("\[Core\] exp-golomb read failed, not enough bits in bitstream !\\n"));

} else {

GF\_LOG(GF\_LOG\_ERROR, GF\_LOG\_CODING, ("\[Core\] corrupted exp-golomb code, %d leading zeros, max 31 allowed !\\n", nb\_lead));

}

return 0;

break;

}

  

code = gf\_bs\_read\_int(bs, 1);

bits++;

}

  

if (nb\_lead>=32) {

//gf\_bs\_read\_int keeps returning 0 on EOS, so if no more bits available, rbsp was truncated otherwise code is broken in rbsp)

//we only test once nb\_lead>=32 to avoid testing at each bit read

if (!gf\_bs\_available(bs)) {

GF\_LOG(GF\_LOG\_ERROR, GF\_LOG\_CODING, ("\[Core\] exp-golomb read failed, not enough bits in bitstream !\\n"));

} else {

GF\_LOG(GF\_LOG\_ERROR, GF\_LOG\_CODING, ("\[Core\] corrupted exp-golomb code, %d leading zeros, max 31 allowed !\\n", nb\_lead));

}

return 0;

}

  

if (nb\_lead) {

u32 leads=1;

val = gf\_bs\_read\_int(bs, nb\_lead);

@@ -5785,7 +5788,7 @@ static s32 svc\_parse\_slice(GF\_BitStream \*bs, AVCState \*avc, AVCSliceInfo \*si)

if (si->slice\_type > 9) return -1;

  

pps\_id = gf\_bs\_read\_ue\_log(bs, "pps\_id");

if (pps\_id \> 255)

if ((pps\_id<0) || (pps\_id \> 255))

return -1;

si->pps = &avc->pps\[pps\_id\];

si->pps\->id = pps\_id;

CVE-2021-40568: fixed #1900 · gpac/gpac@f1ae01d

Improper validation of function pointer type with actual function signature can lead to assertion in Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Voice & Music, Snapdragon Wearables

CVE-2021-30353: January 2022 Security Bulletin | Qualcomm

A Segmentation fault casued by heap use after free vulnerability exists in Gpac through 1.0.1 via the mpgviddmx_process function in reframe_mpgvid.c when using mp4box, which causes a denial of service.

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...).

Hi, there.

There is a segmentation fault caused by null pointer dereference in mpgviddmx\_process, reframe\_mpgvid.c:851 in commit 592ba26.

Here is my environment, compiler info and gpac version:

    Distributor ID:	Ubuntu
    Description:	Ubuntu 16.04.6 LTS
    Release:	16.04
    Codename:	xenial
    gcc: 5.4.0
    
    MP4Box - GPAC version 1.1.0-DEV-rev1170-g592ba26-master
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    	MINI build (encoders, decoders, audio and video output disabled)
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --static-bin --enable-debug
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D
    

To reproduce, run

POC:  
poc.zip  
(unzip first)

Here is the trace reported by gdb:

    Stopped reason: SIGSEGV
    gef➤  bt
    #0  0x0000000000cf5a9b in memcpy ()
    #1  0x00000000008a24a7 in mpgviddmx_process (filter=0x124cbd0) at /mnt/data/playground/gpac/src/filters/reframe_mpgvid.c:851
    #2  0x00000000007480a0 in gf_filter_process_task (task=0x123a0e0) at /mnt/data/playground/gpac/src/filter_core/filter.c:2441
    #3  0x000000000073798c in gf_fs_thread_proc (sess_thread=0x12382b0) at /mnt/data/playground/gpac/src/filter_core/filter_session.c:1640
    #4  0x0000000000738305 in gf_fs_run (fsess=0x1238220) at /mnt/data/playground/gpac/src/filter_core/filter_session.c:1877
    #5  0x00000000006571ea in gf_media_import (importer=0x7fffffff5c20) at /mnt/data/playground/gpac/src/media_tools/media_import.c:1178
    #6  0x000000000042cdf9 in convert_file_info (inName=0x7fffffffe163 "tmp", trackID=0x0) at /mnt/data/playground/gpac/applications/mp4box/fileimport.c:128
    #7  0x00000000004168c3 in mp4boxMain (argc=0x3, argv=0x7fffffffdde8) at /mnt/data/playground/gpac/applications/mp4box/main.c:5925
    #8  0x0000000000418d6b in main (argc=0x3, argv=0x7fffffffdde8) at /mnt/data/playground/gpac/applications/mp4box/main.c:6455
    #9  0x0000000000caaa06 in generic_start_main ()
    #10 0x0000000000caaff5 in __libc_start_main ()
    #11 0x0000000000403f39 in _start ()
    
    

The reason for this bug is that the program does not check the nullity of the pointer before copy memory to it.  
![image](https://user-images.githubusercontent.com/7632714/130580112-09339006-e245-4ade-8697-da5e6fab037d.png)

CVE-2021-40566: Segmentation fault casued by heap use after free using mp4box in mpgviddmx_process, reframe_mpgvid.c:851 · Issue #1887 · gpac/gpac

A Segmentation fault caused by a null pointer dereference vulnerability exists in Gpac through 1.0.1 via the gf_avc_parse_nalu function in av_parsers.c when using mp4box, which causes a denial of service.

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...).

Hi, there.

There is a segmentation fault caused by nod in gf\_avc\_parse\_nalu, av\_parsers.c:6112 in commit 592ba26.

Here is my environment, compiler info and gpac version:

    Distributor ID:	Ubuntu
    Description:	Ubuntu 16.04.6 LTS
    Release:	16.04
    Codename:	xenial
    gcc: 5.4.0
    
    MP4Box - GPAC version 1.1.0-DEV-rev1170-g592ba26-master
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    	MINI build (encoders, decoders, audio and video output disabled)
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --static-bin --enable-debug
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D
    

To reproduce, run

POC:  
poc.zip  
(unzip first)

Program output:

    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] corrupted exp-golomb code, 32 leading zeros, max 31 allowed !
    [Core] corrupted exp-golomb code, 32 leading zeros, max 31 allowed !
    [Core] corrupted exp-golomb code, 32 leading zeros, max 31 allowed !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] corrupted exp-golomb code, 32 leading zeros, max 31 allowed !
    [Core] corrupted exp-golomb code, 32 leading zeros, max 31 allowed !
    [Core] corrupted exp-golomb code, 32 leading zeros, max 31 allowed !
    [Core] corrupted exp-golomb code, 32 leading zeros, max 31 allowed !
    [Core] corrupted exp-golomb code, 32 leading zeros, max 31 allowed !
    Segmentation fault (core dumped)
    

Here is the trace reported by gdb:

    Stopped reason: SIGSEGV
    gef➤  bt
    #0  0x0000000000bd0648 in gf_avc_parse_nalu (bs=<optimized out>, avc=0x24ae050) at /mnt/data/playground/gpac/src/media_tools/av_parsers.c:6112
    #1  0x000000000144109d in naludmx_parse_nal_avc (is_islice=<synthetic pointer>, is_slice=<synthetic pointer>, skip_nal=<synthetic pointer>, nal_type=0x4, size=0x3b, data=0x2491e67 "$1", ctx=0x24ada70) at /mnt/data/playground/gpac/src/filters/reframe_nalu.c:2348
    #2  naludmx_process (filter=0x24a0bd0) at /mnt/data/playground/gpac/src/filters/reframe_nalu.c:2874
    #3  0x0000000000fe4c18 in gf_filter_process_task (task=0x248d520) at /mnt/data/playground/gpac/src/filter_core/filter.c:2441
    #4  0x0000000000f7b909 in gf_fs_thread_proc (sess_thread=sess_thread@entry=0x248c2b0) at /mnt/data/playground/gpac/src/filter_core/filter_session.c:1640
    #5  0x0000000000f93558 in gf_fs_run (fsess=fsess@entry=0x248c220) at /mnt/data/playground/gpac/src/filter_core/filter_session.c:1877
    #6  0x0000000000c18b4b in gf_media_import (importer=importer@entry=0x7fffffff5bf0) at /mnt/data/playground/gpac/src/media_tools/media_import.c:1178
    #7  0x0000000000497345 in convert_file_info (inName=0x7fffffffe159 "tmp", trackID=0x0) at /mnt/data/playground/gpac/applications/mp4box/fileimport.c:128
    #8  0x0000000000456aaa in mp4boxMain (argc=<optimized out>, argv=<optimized out>) at /mnt/data/playground/gpac/applications/mp4box/main.c:5925
    #9  0x0000000001f06bb6 in generic_start_main ()
    #10 0x0000000001f071a5 in __libc_start_main ()
    #11 0x000000000041c4e9 in _start ()

CVE-2021-40565: Segmentation fault caused by null pointer dereference using mp4box in gf_avc_parse_nalu, av_parsers.c:6112 · Issue #1902 · gpac/gpac

A Segmentation fault caused by null pointer dereference vulnerability eists in Gpac through 1.0.2 via the avc_parse_slice function in av_parsers.c when using mp4box, which causes a denial of service.

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...).

Hi, there.

There is a segmentation fault caused by null pointer dereference in avc\_parse\_slice, av\_parsers.c:5678 in commit 592ba26.

Here is my environment, compiler info and gpac version:

    Distributor ID:	Ubuntu
    Description:	Ubuntu 16.04.6 LTS
    Release:	16.04
    Codename:	xenial
    gcc: 5.4.0
    
    MP4Box - GPAC version 1.1.0-DEV-rev1170-g592ba26-master
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    	MINI build (encoders, decoders, audio and video output disabled)
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --static-bin --enable-debug
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D
    

To reproduce, run

POC:  
poc.zip  
(unzip first)

Here is the trace reported by gdb:

    Stopped reason: SIGSEGV
    gef➤  bt
    #0  0x0000000000bcd59d in avc_parse_slice (svc_idr_flag=GF_FALSE, si=0x7fffffff5020, avc=0x24ae050, bs=0x248df40) at /mnt/data/playground/gpac/src/media_tools/av_parsers.c:5678
    #1  gf_avc_parse_nalu (bs=0x248df40, avc=0x24ae050) at /mnt/data/playground/gpac/src/media_tools/av_parsers.c:6087
    #2  0x000000000144109d in naludmx_parse_nal_avc (is_islice=<synthetic pointer>, is_slice=<synthetic pointer>, skip_nal=<synthetic pointer>, nal_type=0x4, size=0x4f, data=0x2491e5b "$1\200", ctx=0x24ada70) at /mnt/data/playground/gpac/src/filters/reframe_nalu.c:2348
    #3  naludmx_process (filter=0x24a0bd0) at /mnt/data/playground/gpac/src/filters/reframe_nalu.c:2874
    #4  0x0000000000fe4c18 in gf_filter_process_task (task=0x248d520) at /mnt/data/playground/gpac/src/filter_core/filter.c:2441
    #5  0x0000000000f7b909 in gf_fs_thread_proc (sess_thread=sess_thread@entry=0x248c2b0) at /mnt/data/playground/gpac/src/filter_core/filter_session.c:1640
    #6  0x0000000000f93558 in gf_fs_run (fsess=fsess@entry=0x248c220) at /mnt/data/playground/gpac/src/filter_core/filter_session.c:1877
    #7  0x0000000000c18b4b in gf_media_import (importer=importer@entry=0x7fffffff5bf0) at /mnt/data/playground/gpac/src/media_tools/media_import.c:1178
    #8  0x0000000000497345 in convert_file_info (inName=0x7fffffffe159 "tmp", trackID=0x0) at /mnt/data/playground/gpac/applications/mp4box/fileimport.c:128
    #9  0x0000000000456aaa in mp4boxMain (argc=<optimized out>, argv=<optimized out>) at /mnt/data/playground/gpac/applications/mp4box/main.c:5925
    #10 0x0000000001f06bb6 in generic_start_main ()
    #11 0x0000000001f071a5 in __libc_start_main ()
    #12 0x000000000041c4e9 in _start ()
    

The reason for this bug is that the program does not check the nullity of the pointer.  
![image](https://user-images.githubusercontent.com/7632714/130955606-eefd9dbd-049a-48b2-ab9f-fa46197e9d99.png)

CVE-2021-40564: Segmentation fault caused by null pointer dereference using mp4box in avc_parse_slice, av_parsers.c:5678 · Issue #1898 · gpac/gpac

A Segmentation fault exists casued by null pointer dereference exists in Gpac through 1.0.1 via the naludmx_create_avc_decoder_config function in reframe_nalu.c when using mp4box, which causes a denial of service.

@@ -1680,8 +1680,10 @@ static void naludmx\_queue\_param\_set(GF\_NALUDmxCtx \*ctx, char \*data, u32 size, u3

{

GF\_List \*list = NULL, \*alt\_list = NULL;

GF\_NALUFFParam \*sl;

u32 i, count;

u32 crc = gf\_crc\_32(data, size);

u32 i, count, crc;

  

if (!size) return;

crc = gf\_crc\_32(data, size);

  

if (ctx->codecid\==GF\_CODECID\_HEVC) {

switch (ps\_type) {

CVE-2021-40563: fixed #1892 · gpac/gpac@5ce0c90

A Segmentation fault caused by a floating point exception exists in Gpac through 1.0.1 using mp4box via the naludmx_enqueue_or_dispatch function in reframe_nalu.c, which causes a denial of service.

@@ -1352,9 +1352,9 @@ void naludmx\_create\_avc\_decoder\_config(GF\_NALUDmxCtx \*ctx, u8 \*\*dsi, u32 \*dsi\_si

else

DeltaTfiDivisorIdx = (ctx->avc\_state\->sei.pic\_timing.pic\_struct+1) / 2;

}

if (!ctx->timescale) {

if (!ctx->timescale && sps->vui.time\_scale && sps->vui.num\_units\_in\_tick) {

ctx->cur\_fps.num = 2 \* sps->vui.time\_scale;

ctx->cur\_fps.den = 2 \* sps->vui.num\_units\_in\_tick \* DeltaTfiDivisorIdx;

ctx->cur\_fps.den = 2 \* sps->vui.num\_units\_in\_tick \* DeltaTfiDivisorIdx;

  

if (!ctx->fps.num && ctx->dts\==ctx->fps.den)

ctx->dts = ctx->cur\_fps.den;

CVE-2021-40562: fixed #1901 · gpac/gpac@5dd71c7

A denial of service vulnerabiity exists in fig2dev through 3.28a due to a segfault in the open_stream function in readpics.c.

**System info**

Ubuntu 16.04 xenial, gcc (Ubuntu 5.5.0-12ubuntu1), fig2dev (latest master a4c6e1)

****Command line****

./fig2dev -L pdf -G .25:1cm -j -m 2 -N -P -x 3 -y 4 @@ /dev/null

**Output**

An open rectangle at line 14 - close it.
A rectangle with 5 corners at line 14 - convert to a polygon.
\[1\]    13064 segmentation fault  ~/AlphaFuzz-Experiment/projects/baseline0711/afl-fig2dev/fuzz\_bin/fig2dev -L

**AddressSanitizer output**

An open rectangle at line 14 - close it.
A rectangle with 5 corners at line 14 - convert to a polygon.
ASAN:SIGSEGV
\=================================================================
\==6829\==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000051a094 bp 0x7fff3739baa0 sp 0x7fff3739b8f0 T0)
    #0 0x51a093 in open\_stream /home/qiuhongjun/AlphaFuzz-Experiment/programs/programs-asan/fig2dev/fig2dev/dev/readpics.c:215
    #1 0x4b2aa8 in genps\_line /home/qiuhongjun/AlphaFuzz-Experiment/programs/programs-asan/fig2dev/fig2dev/dev/genps.c:1672
    #2 0x412a7d in gendev\_objects /home/qiuhongjun/AlphaFuzz-Experiment/programs/programs-asan/fig2dev/fig2dev/fig2dev.c:1008
    #3 0x411481 in main /home/qiuhongjun/AlphaFuzz-Experiment/programs/programs-asan/fig2dev/fig2dev/fig2dev.c:485
    #4 0x7f25954e683f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2083f)
    #5 0x4032f8 in \_start (/home/qiuhongjun/AlphaFuzz-Experiment/results/crashes-binary/gcc-asan/fig2dev/fig2dev+0x4032f8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/qiuhongjun/AlphaFuzz-Experiment/programs/programs-asan/fig2dev/fig2dev/dev/readpics.c:215 open\_stream
\==6829\==ABORTING

Tag

#dos