GPAC v1.1.0 was discovered to contain an invalid call in the function gf_node_changed(). This vulnerability can lead to a Denial of Service (DoS).

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

An invalid call was discovered in gf\_node\_changed(). The vulnerability causes a segmentation fault and application crash.

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration:
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

    ./MP4Box -bt ./poc/poc_11
    

poc\_11.zip

**Result**

    ./MP4Box -bt ./poc/poc_10
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type traI in parent moov
    [iso file] Box "stss" (start 9939) has 32 extra bytes
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Track with no sample description box !
    [iso file] Incomplete box mdat - start 11495 size 861261
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type traI in parent moov
    [iso file] Box "stss" (start 9939) has 32 extra bytes
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Track with no sample description box !
    [iso file] Incomplete box mdat - start 11495 size 861261
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 BIFS Scene Parsing
    [1]    1142870 segmentation fault  ./MP4Box -bt ./poc/poc_10
    

**gdb**

    Program received signal SIGSEGV, Segmentation fault.
    0x0000000000000001 in ?? ()
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x1
     RBX  0x7fffffff6bc0 ◂— 0x0
     RCX  0x7fffffff6bc0 ◂— 0x0
     RDX  0x5555555e6230 —▸ 0x5555555e6270 ◂— 0x0
     RDI  0x0
     RSI  0x1
     R8   0x0
     R9   0x0
     R10  0x7ffff775ba62 ◂— 'gf_node_changed'
     R11  0x7ffff784a0f0 (gf_node_changed) ◂— endbr64
     R12  0x5555555c6010 ◂— 0x200000002
     R13  0x5555555e5100 ◂— 0x0
     R14  0x5555555e6230 —▸ 0x5555555e6270 ◂— 0x0
     R15  0x7fffffff6bc0 ◂— 0x0
     RBP  0x5555555e6230 —▸ 0x5555555e6270 ◂— 0x0
     RSP  0x7fffffff6a88 —▸ 0x7ffff784a1ca (gf_node_changed+218) ◂— test   rbx, rbx
     RIP  0x1
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
    Invalid address 0x1
    
    
    
    
    
    
    
    
    
    
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff6a88 —▸ 0x7ffff784a1ca (gf_node_changed+218) ◂— test   rbx, rbx
    01:0008│     0x7fffffff6a90 ◂— 0x0
    ... ↓        3 skipped
    05:0028│     0x7fffffff6ab0 ◂— 0x7374636f /* 'octs' */
    06:0030│     0x7fffffff6ab8 —▸ 0x5555555e4fd0 ◂— 0x7374636f /* 'octs' */
    07:0038│     0x7fffffff6ac0 ◂— 0x2
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0              0x1
       f 1   0x7ffff784a1ca gf_node_changed+218
       f 2   0x7ffff784b675 gf_sg_reset+805
       f 3   0x7ffff784ba47 gf_sg_del+55
       f 4   0x7ffff788b7f8 gf_sg_proto_del+424
       f 5   0x7ffff7905f88 gf_bifs_dec_proto_list+680
       f 6   0x7ffff7913a11 BM_ParseInsert+769
       f 7   0x7ffff7914fe1 BM_ParseCommand+113
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  0x0000000000000001 in ?? ()
    #1  0x00007ffff784a1ca in gf_node_changed () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #2  0x00007ffff784b675 in gf_sg_reset () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #3  0x00007ffff784ba47 in gf_sg_del () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #4  0x00007ffff788b7f8 in gf_sg_proto_del () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #5  0x00007ffff7905f88 in gf_bifs_dec_proto_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #6  0x00007ffff7913a11 in BM_ParseInsert () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #7  0x00007ffff7914fe1 in BM_ParseCommand () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #8  0x00007ffff7915353 in gf_bifs_decode_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #9  0x00007ffff7aa1d91 in gf_sm_load_run_isom () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #10 0x00005555555844a8 in dump_isom_scene ()
    #11 0x000055555557b42c in mp4boxMain ()
    #12 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe1b8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe1a8) at ../csu/libc-start.c:308
    #13 0x000055555556c45e in _start ()
    

`break gf_node_changed`

    pwndbg>
    0x00007ffff784a1c8 in gf_node_changed () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x1
     RBX  0x7fffffff6bc0 ◂— 0x0
     RCX  0x7fffffff6bc0 ◂— 0x0
     RDX  0x5555555e6230 —▸ 0x5555555e6270 ◂— 0x0
     RDI  0x0
    *RSI  0x1
     R8   0x0
     R9   0x0
     R10  0x7ffff775ba62 ◂— 'gf_node_changed'
     R11  0x7ffff784a0f0 (gf_node_changed) ◂— endbr64
     R12  0x5555555c6010 ◂— 0x200000002
     R13  0x5555555e5100 ◂— 0x0
     R14  0x5555555e6230 —▸ 0x5555555e6270 ◂— 0x0
     R15  0x7fffffff6bc0 ◂— 0x0
     RBP  0x5555555e6230 —▸ 0x5555555e6270 ◂— 0x0
     RSP  0x7fffffff6a90 ◂— 0x0
    *RIP  0x7ffff784a1c8 (gf_node_changed+216) ◂— call   rax
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
       0x7ffff784a1b6 <gf_node_changed+198>    je     gf_node_changed+223                <gf_node_changed+223>
    
       0x7ffff784a1b8 <gf_node_changed+200>    mov    rdi, qword ptr [r12 + 0x28]
       0x7ffff784a1bd <gf_node_changed+205>    mov    rcx, rbx
       0x7ffff784a1c0 <gf_node_changed+208>    mov    rdx, rbp
       0x7ffff784a1c3 <gf_node_changed+211>    mov    esi, 1
     ► 0x7ffff784a1c8 <gf_node_changed+216>    call   rax                           <1>
    
       0x7ffff784a1ca <gf_node_changed+218>    test   rbx, rbx
       0x7ffff784a1cd <gf_node_changed+221>    je     gf_node_changed+233                <gf_node_changed+233>
    
       0x7ffff784a1cf <gf_node_changed+223>    mov    eax, dword ptr [rbx]
       0x7ffff784a1d1 <gf_node_changed+225>    sub    eax, 0x63
       0x7ffff784a1d4 <gf_node_changed+228>    and    eax, 0xfffffffd
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff6a90 ◂— 0x0
    ... ↓        3 skipped
    04:0020│     0x7fffffff6ab0 ◂— 0x7374636f /* 'octs' */
    05:0028│     0x7fffffff6ab8 —▸ 0x5555555e4fd0 ◂— 0x7374636f /* 'octs' */
    06:0030│     0x7fffffff6ac0 ◂— 0x2
    07:0038│     0x7fffffff6ac8 ◂— 0x8000000000000006
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff784a1c8 gf_node_changed+216
       f 1   0x7ffff784b675 gf_sg_reset+805
       f 2   0x7ffff784ba47 gf_sg_del+55
       f 3   0x7ffff788b7f8 gf_sg_proto_del+424
       f 4   0x7ffff7905f88 gf_bifs_dec_proto_list+680
       f 5   0x7ffff7913a11 BM_ParseInsert+769
       f 6   0x7ffff7914fe1 BM_ParseCommand+113
       f 7   0x7ffff7915353 gf_bifs_decode_command_list+163
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg>
    
    Program received signal SIGSEGV, Segmentation fault.
    0x0000000000000001 in ?? ()
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x1
     RBX  0x7fffffff6bc0 ◂— 0x0
     RCX  0x7fffffff6bc0 ◂— 0x0
     RDX  0x5555555e6230 —▸ 0x5555555e6270 ◂— 0x0
     RDI  0x0
     RSI  0x1
     R8   0x0
     R9   0x0
     R10  0x7ffff775ba62 ◂— 'gf_node_changed'
     R11  0x7ffff784a0f0 (gf_node_changed) ◂— endbr64
     R12  0x5555555c6010 ◂— 0x200000002
     R13  0x5555555e5100 ◂— 0x0
     R14  0x5555555e6230 —▸ 0x5555555e6270 ◂— 0x0
     R15  0x7fffffff6bc0 ◂— 0x0
     RBP  0x5555555e6230 —▸ 0x5555555e6270 ◂— 0x0
    *RSP  0x7fffffff6a88 —▸ 0x7ffff784a1ca (gf_node_changed+218) ◂— test   rbx, rbx
    *RIP  0x1
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
    Invalid address 0x1
    
    
    
    
    
    
    
    
    
    
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff6a88 —▸ 0x7ffff784a1ca (gf_node_changed+218) ◂— test   rbx, rbx
    01:0008│     0x7fffffff6a90 ◂— 0x0
    ... ↓        3 skipped
    05:0028│     0x7fffffff6ab0 ◂— 0x7374636f /* 'octs' */
    06:0030│     0x7fffffff6ab8 —▸ 0x5555555e4fd0 ◂— 0x7374636f /* 'octs' */
    07:0038│     0x7fffffff6ac0 ◂— 0x2
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0              0x1
       f 1   0x7ffff784a1ca gf_node_changed+218
       f 2   0x7ffff784b675 gf_sg_reset+805
       f 3   0x7ffff784ba47 gf_sg_del+55
       f 4   0x7ffff788b7f8 gf_sg_proto_del+424
       f 5   0x7ffff7905f88 gf_bifs_dec_proto_list+680
       f 6   0x7ffff7913a11 BM_ParseInsert+769
       f 7   0x7ffff7914fe1 BM_ParseCommand+113
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg>

CVE-2021-45763: Invalid call in gf_node_changed() · Issue #1974 · gpac/gpac

GPAC v1.1.0 was discovered to contain an invalid memory address dereference via the function gf_list_last(). This vulnerability allows attackers to cause a Denial of Service (DoS).

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

An invalid memory address dereference was discovered in dump\_od\_to\_saf.isra(). The vulnerability causes a segmentation fault and application crash.

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration:
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

poc\_3.zip

**Result**

    [ODF] Not enough bytes (38) to read descriptor (size=59)
    [ODF] Error reading descriptor (tag 4 size 49): Invalid MPEG-4 Descriptor
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Incomplete box mdat - start 11495 size 861263
    [iso file] Incomplete file while reading for dump - aborting parsing
    [ODF] Not enough bytes (38) to read descriptor (size=59)
    [ODF] Error reading descriptor (tag 4 size 49): Invalid MPEG-4 Descriptor
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Incomplete box mdat - start 11495 size 861263
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 BIFS Scene Parsing
    Scene loaded - dumping 2 systems streams
    [1]    1390552 segmentation fault  ./MP4Box -lsr ./poc/poc_3
    

**gdb**

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff7ab7e3b in dump_od_to_saf.isra () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x0
     RBX  0x5555555df630 —▸ 0x5555555df601 ◂— 0x2100000000000000
     RCX  0x0
     RDX  0x7ffff72bf040 ◂— 0x7ffff72bf040
     RDI  0x5555555e0400 ◂— 0xfbad2c84
     RSI  0x5555555df440 ◂— 0x7
     R8   0x0
     R9   0x23
     R10  0x7ffff7e4690b ◂— 0x7473200000000022 /* '"' */
     R11  0x7fffffff70c7 ◂— 0x4d0552ab398a0031 /* '1' */
     R12  0x0
     R13  0x5555555df4d0 ◂— 0x0
     R14  0x5555555df070 —▸ 0x5555555e0400 ◂— 0xfbad2c84
     R15  0x5555555dfcb0 ◂— 0x700010003
     RBP  0x1
     RSP  0x7fffffff7200 —▸ 0x5555555df8a0 ◂— 0xc0
     RIP  0x7ffff7ab7e3b (dump_od_to_saf.isra+299) ◂— movzx  edx, byte ptr [rax + 8]
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
     ► 0x7ffff7ab7e3b <dump_od_to_saf.isra+299>    movzx  edx, byte ptr [rax + 8]
       0x7ffff7ab7e3f <dump_od_to_saf.isra+303>    mov    ecx, dword ptr [rax + 4]
       0x7ffff7ab7e42 <dump_od_to_saf.isra+306>    xor    eax, eax
       0x7ffff7ab7e44 <dump_od_to_saf.isra+308>    mov    r8d, dword ptr [rsi + 0x18]
       0x7ffff7ab7e48 <dump_od_to_saf.isra+312>    lea    rsi, [rip + 0x38eac1]
       0x7ffff7ab7e4f <dump_od_to_saf.isra+319>    call   gf_fprintf@plt                <gf_fprintf@plt>
    
       0x7ffff7ab7e54 <dump_od_to_saf.isra+324>    mov    rdx, qword ptr [r13]
       0x7ffff7ab7e58 <dump_od_to_saf.isra+328>    mov    r9, qword ptr [rsp]
       0x7ffff7ab7e5c <dump_od_to_saf.isra+332>    test   rdx, rdx
       0x7ffff7ab7e5f <dump_od_to_saf.isra+335>    jne    dump_od_to_saf.isra+464                <dump_od_to_saf.isra+464>
    
       0x7ffff7ab7e61 <dump_od_to_saf.isra+337>    mov    rdi, qword ptr [r14]
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff7200 —▸ 0x5555555df8a0 ◂— 0xc0
    01:0008│     0x7fffffff7208 ◂— 0x100000002
    02:0010│     0x7fffffff7210 —▸ 0x5555555dfa50 —▸ 0x5555555dfde0 ◂— 0x0
    03:0018│     0x7fffffff7218 ◂— 0x0
    04:0020│     0x7fffffff7220 —▸ 0x5555555dfa50 —▸ 0x5555555dfde0 ◂— 0x0
    05:0028│     0x7fffffff7228 ◂— 0x0
    06:0030│     0x7fffffff7230 ◂— 0x0
    07:0038│     0x7fffffff7238 —▸ 0x5555555df4d0 ◂— 0x0
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff7ab7e3b dump_od_to_saf.isra+299
       f 1   0x7ffff7ac282d gf_sm_dump+1853
       f 2   0x555555584418 dump_isom_scene+616
       f 3   0x55555557b42c mp4boxMain+9228
       f 4   0x7ffff75630b3 __libc_start_main+243
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  0x00007ffff7ab7e3b in dump_od_to_saf.isra () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #1  0x00007ffff7ac282d in gf_sm_dump () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #2  0x0000555555584418 in dump_isom_scene ()
    #3  0x000055555557b42c in mp4boxMain ()
    #4  0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe188, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe178) at ../csu/libc-start.c:308
    #5  0x000055555556c45e in _start ()

CVE-2021-45760: Invalid memory address dereference in dump_od_to_saf.isra() · Issue #1966 · gpac/gpac

The binary MP4Box in Gpac 1.0.1 has a double-free vulnerability in the gf_text_get_utf8_line function in load_text.c, which allows attackers to cause a denial of service, even code execution and escalation of privileges.

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...).

Hi, there.

There is a buffer overflow in gf\_text\_get\_utf8\_line, in commit 592ba26 that results in system abort (core dumped).

Here is my environment, compiler info and gpac version:

    Distributor ID:	Ubuntu
    Description:	Ubuntu 16.04.6 LTS
    Release:	16.04
    Codename:	xenial
    gcc: 5.4.0
    
    MP4Box - GPAC version 1.1.0-DEV-rev1170-g592ba26-master
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    	MINI build (encoders, decoders, audio and video output disabled)
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --static-bin --enable-debug
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D
    

To reproduce, run

POC:  
poc.zip  
(unzip first)

This is the output of the program:

    *** stack smashing detected ***: <unknown> terminated
    Aborted (core dumped)
    

Here is the trace reported by gdb (the stack is smashed):

    Stopped reason: SIGABRT
    gef➤  bt
    #0  0x0000000001f15d08 in raise ()
    #1  0x0000000001f15f3a in abort ()
    #2  0x0000000001f24ed6 in __libc_message ()
    #3  0x0000000001f70a92 in __fortify_fail ()
    #4  0x0000000001f70a3e in __stack_chk_fail ()
    #5  0x000000000127f3ad in gf_text_get_utf8_line (szLine=<optimized out>, lineSize=<optimized out>, txt_in=<optimized out>, unicode_type=0x0) at /mnt/data/playground/gpac/src/filters/load_text.c:337
    #6  0xc2657485c3a5c37e in ?? ()
    #7  0xbcc3739fc3314583 in ?? ()
    #8  0x0748654e86c3aac3 in ?? ()
    ....
    #14 0x609ec3a0c3a7c26e in ?? ()
    #15 0x11bdcd643758a5c3 in ?? ()
    #16 0x00000000009ac35e in gf_isom_load_extra_boxes (movie=0xc53f89c4114aacc2, moov_boxes=<optimized out>, moov_boxes_size=<optimized out>, udta_only=(unknown: 2747429506)) at /mnt/data/playground/gpac/src/isomedia/isom_write.c:615
    #17 0x0000000000000000 in ?? ()

CVE-2021-40574: System abort (Core dumped) caused by buffer overflow using MP4Box in gf_text_get_utf8_line · Issue #1897 · gpac/gpac

The binary MP4Box in Gpac 1.0.1 has a double-free bug in the av1dmx_finalize function in reframe_av1.c, which allows attackers to cause a denial of service.

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...).

Hi, there.

There is a segmentation fault in av1dmx\_finalize, reframe\_av1.c:1075 in commit 592ba26 caused by double free issue.

Here is my environment, compiler info and gpac version:

    Distributor ID:	Ubuntu
    Description:	Ubuntu 16.04.6 LTS
    Release:	16.04
    Codename:	xenial
    gcc: 5.4.0
    
    MP4Box - GPAC version 1.1.0-DEV-rev1170-g592ba26-master
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    	MINI build (encoders, decoders, audio and video output disabled)
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --static-bin --enable-debug
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D
    

To reproduce, run

POC:  
poc.zip  
(unzip first)

Here is the trace reported by gdb:

    Stopped reason: SIGABRT
    gef➤  bt
    #0  0x0000000001f15d08 in raise ()
    #1  0x0000000001f15f3a in abort ()
    #2  0x0000000001f24ed6 in __libc_message ()
    #3  0x0000000001f2da76 in _int_free ()
    #4  0x0000000001f31af7 in free ()
    #5  0x000000000053de4d in gf_free (ptr=<optimized out>) at /mnt/data/playground/gpac/src/utils/alloc.c:165
    #6  0x00000000013e3d4d in av1dmx_finalize (filter=<optimized out>) at /mnt/data/playground/gpac/src/filters/reframe_av1.c:1075
    #7  0x0000000000f9949c in gf_fs_del (fsess=fsess@entry=0x248c220) at /mnt/data/playground/gpac/src/filter_core/filter_session.c:646
    #8  0x0000000000c1a86a in gf_media_import (importer=importer@entry=0x7fffffff5bf0) at /mnt/data/playground/gpac/src/media_tools/media_import.c:1242
    #9  0x0000000000497345 in convert_file_info (inName=0x7fffffffe159 "tmp", trackID=0x0) at /mnt/data/playground/gpac/applications/mp4box/fileimport.c:128
    #10 0x0000000000456aaa in mp4boxMain (argc=<optimized out>, argv=<optimized out>) at /mnt/data/playground/gpac/applications/mp4box/main.c:5925
    #11 0x0000000001f06bb6 in generic_start_main ()
    #12 0x0000000001f071a5 in __libc_start_main ()
    #13 0x000000000041c4e9 in _start ()

CVE-2021-40572: Segmentation fault caused by double free using mp4box in av1dmx_finalize, reframe_av1.c:1075 · Issue #1893 · gpac/gpac

The binary MP4Box in Gpac 1.0.1 has a null pointer dereference vulnerability in the mpgviddmx_process function in reframe_mpgvid.c, which allows attackers to cause a denial of service. This vulnerability is possibly due to an incomplete fix for CVE-2021-40566.

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...).

Hi, there.

There is a segmentation fault caused by null pointer dereference in mpgviddmx\_process, reframe\_mpgvid.c:643 in commit d003a57. It seems to be an incomplete fix of issue #1887 and causes another problem.

Here is my environment, compiler info and gpac version:

    Distributor ID:	Ubuntu
    Description:	Ubuntu 16.04.6 LTS
    Release:	16.04
    Codename:	xenial
    gcc: 5.4.0
    
    MP4Box - GPAC version 1.1.0-DEV-rev1191-g55d6dbc-master
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    	MINI build (encoders, decoders, audio and video output disabled)
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --static-bin --enable-debug
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D
    

To reproduce, run

POC:  
poc.zip  
(unzip first)

Here is the trace reported by gdb:

    Stopped reason: SIGSEGV
    gef➤  bt
    #0  0x000000000141a950 in memcpy (__len=0xffffffffffffffff, __src=0x24ada59, __dest=0x24a5770) at /usr/include/x86_64-linux-gnu/bits/string3.h:53
    #1  mpgviddmx_process (filter=0x24a0bd0) at /mnt/data/playground/gpac/src/filters/reframe_mpgvid.c:643
    #2  0x0000000000fe3e78 in gf_filter_process_task (task=0x2492f30) at /mnt/data/playground/gpac/src/filter_core/filter.c:2441
    #3  0x0000000000f7ab69 in gf_fs_thread_proc (sess_thread=sess_thread@entry=0x248c2b0) at /mnt/data/playground/gpac/src/filter_core/filter_session.c:1640
    #4  0x0000000000f927b8 in gf_fs_run (fsess=fsess@entry=0x248c220) at /mnt/data/playground/gpac/src/filter_core/filter_session.c:1877
    #5  0x0000000000c17c8b in gf_media_import (importer=importer@entry=0x7fffffff5bf0) at /mnt/data/playground/gpac/src/media_tools/media_import.c:1178
    #6  0x0000000000497345 in convert_file_info (inName=0x7fffffffe15b "tmp", trackID=0x0) at /mnt/data/playground/gpac/applications/mp4box/fileimport.c:128
    #7  0x0000000000456aaa in mp4boxMain (argc=<optimized out>, argv=<optimized out>) at /mnt/data/playground/gpac/applications/mp4box/main.c:5925
    #8  0x0000000001f06976 in generic_start_main ()
    #9  0x0000000001f06f65 in __libc_start_main ()
    #10 0x000000000041c4e9 in _start ()
    

Here is the trace reported by ASAN:

    ==29762==ERROR: AddressSanitizer: negative-size-param: (size=-1)
         #0 0x7fdaf42ff813  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79813)
         #1 0x7fdaf2897f1c in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34
         #2 0x7fdaf2897f1c in mpgviddmx_process /playground/gpac/src/filters/reframe_mpgvid.c:643
         #3 0x7fdaf254efa0 in gf_filter_process_task /playground/gpac/src/filter_core/filter.c:2441
         #4 0x7fdaf250f0e2 in gf_fs_thread_proc /playground/gpac/src/filter_core/filter_session.c:1640
         #5 0x7fdaf2519fb0 in gf_fs_run /playground/gpac/src/filter_core/filter_session.c:1877
         #6 0x7fdaf1ff21f5 in gf_media_import /playground/gpac/src/media_tools/media_import.c:1178
         #7 0x55ce40c3484f in convert_file_info /playground/gpac/applications/mp4box/fileimport.c:128
         #8 0x55ce40c07635 in mp4boxMain /playground/gpac/applications/mp4box/main.c:5925
         #9 0x7fdaef9a6bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
         #10 0x55ce40be83f9 in _start (/playground/gpac/build-a/bin/gcc/MP4Box+0x873f9)
     
     0x622000007489 is located 0 bytes to the right of 5001-byte region [0x622000006100,0x622000007489)
     allocated by thread T0 here:
         #0 0x7fdaf4364b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
         #1 0x7fdaf26a0289 in filein_initialize /playground/gpac/src/filters/in_file.c:193
         #2 0x7fdaf253b0f0 in gf_filter_new_finalize /playground/gpac/src/filter_core/filter.c:425
         #3 0x7fdaf253f294 in gf_filter_new /playground/gpac/src/filter_core/filter.c:382
         #4 0x7fdaf2519310 in gf_fs_load_source_dest_internal /playground/gpac/src/filter_core/filter_session.c:2833
         #5 0x7fdaf2524a82 in gf_fs_load_source /playground/gpac/src/filter_core/filter_session.c:2873
         #6 0x7fdaf1ff21a6 in gf_media_import /playground/gpac/src/media_tools/media_import.c:1165
         #7 0x55ce40c3484f in convert_file_info /playground/gpac/applications/mp4box/fileimport.c:128
         #8 0x55ce40c07635 in mp4boxMain /playground/gpac/applications/mp4box/main.c:5925
         #9 0x7fdaef9a6bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
     
     SUMMARY: AddressSanitizer: negative-size-param (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79813) 
     ==29762==ABORTING

CVE-2021-40575: Segmentation fault casued by null pointer dereference using mp4box in mpgviddmx_process, reframe_mpgvid.c:643 · Issue #1905 · gpac/gpac

A Segmentation fault casued by heap use after free vulnerability exists in Gpac through 1.0.1 via the mpgviddmx_process function in reframe_mpgvid.c when using mp4box, which causes a denial of service.

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...).

Hi, there.

There is a segmentation fault caused by null pointer dereference in mpgviddmx\_process, reframe\_mpgvid.c:851 in commit 592ba26.

Here is my environment, compiler info and gpac version:

    Distributor ID:	Ubuntu
    Description:	Ubuntu 16.04.6 LTS
    Release:	16.04
    Codename:	xenial
    gcc: 5.4.0
    
    MP4Box - GPAC version 1.1.0-DEV-rev1170-g592ba26-master
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    	MINI build (encoders, decoders, audio and video output disabled)
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --static-bin --enable-debug
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D
    

To reproduce, run

POC:  
poc.zip  
(unzip first)

Here is the trace reported by gdb:

    Stopped reason: SIGSEGV
    gef➤  bt
    #0  0x0000000000cf5a9b in memcpy ()
    #1  0x00000000008a24a7 in mpgviddmx_process (filter=0x124cbd0) at /mnt/data/playground/gpac/src/filters/reframe_mpgvid.c:851
    #2  0x00000000007480a0 in gf_filter_process_task (task=0x123a0e0) at /mnt/data/playground/gpac/src/filter_core/filter.c:2441
    #3  0x000000000073798c in gf_fs_thread_proc (sess_thread=0x12382b0) at /mnt/data/playground/gpac/src/filter_core/filter_session.c:1640
    #4  0x0000000000738305 in gf_fs_run (fsess=0x1238220) at /mnt/data/playground/gpac/src/filter_core/filter_session.c:1877
    #5  0x00000000006571ea in gf_media_import (importer=0x7fffffff5c20) at /mnt/data/playground/gpac/src/media_tools/media_import.c:1178
    #6  0x000000000042cdf9 in convert_file_info (inName=0x7fffffffe163 "tmp", trackID=0x0) at /mnt/data/playground/gpac/applications/mp4box/fileimport.c:128
    #7  0x00000000004168c3 in mp4boxMain (argc=0x3, argv=0x7fffffffdde8) at /mnt/data/playground/gpac/applications/mp4box/main.c:5925
    #8  0x0000000000418d6b in main (argc=0x3, argv=0x7fffffffdde8) at /mnt/data/playground/gpac/applications/mp4box/main.c:6455
    #9  0x0000000000caaa06 in generic_start_main ()
    #10 0x0000000000caaff5 in __libc_start_main ()
    #11 0x0000000000403f39 in _start ()
    
    

The reason for this bug is that the program does not check the nullity of the pointer before copy memory to it.  
![image](https://user-images.githubusercontent.com/7632714/130580112-09339006-e245-4ade-8697-da5e6fab037d.png)

CVE-2021-40566: Segmentation fault casued by heap use after free using mp4box in mpgviddmx_process, reframe_mpgvid.c:851 · Issue #1887 · gpac/gpac

A Segmentation fault caused by a null pointer dereference vulnerability exists in Gpac through 1.0.1 via the gf_avc_parse_nalu function in av_parsers.c when using mp4box, which causes a denial of service.

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...).

Hi, there.

There is a segmentation fault caused by nod in gf\_avc\_parse\_nalu, av\_parsers.c:6112 in commit 592ba26.

Here is my environment, compiler info and gpac version:

    Distributor ID:	Ubuntu
    Description:	Ubuntu 16.04.6 LTS
    Release:	16.04
    Codename:	xenial
    gcc: 5.4.0
    
    MP4Box - GPAC version 1.1.0-DEV-rev1170-g592ba26-master
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    	MINI build (encoders, decoders, audio and video output disabled)
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --static-bin --enable-debug
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D
    

To reproduce, run

POC:  
poc.zip  
(unzip first)

Program output:

    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] corrupted exp-golomb code, 32 leading zeros, max 31 allowed !
    [Core] corrupted exp-golomb code, 32 leading zeros, max 31 allowed !
    [Core] corrupted exp-golomb code, 32 leading zeros, max 31 allowed !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] corrupted exp-golomb code, 32 leading zeros, max 31 allowed !
    [Core] corrupted exp-golomb code, 32 leading zeros, max 31 allowed !
    [Core] corrupted exp-golomb code, 32 leading zeros, max 31 allowed !
    [Core] corrupted exp-golomb code, 32 leading zeros, max 31 allowed !
    [Core] corrupted exp-golomb code, 32 leading zeros, max 31 allowed !
    Segmentation fault (core dumped)
    

Here is the trace reported by gdb:

    Stopped reason: SIGSEGV
    gef➤  bt
    #0  0x0000000000bd0648 in gf_avc_parse_nalu (bs=<optimized out>, avc=0x24ae050) at /mnt/data/playground/gpac/src/media_tools/av_parsers.c:6112
    #1  0x000000000144109d in naludmx_parse_nal_avc (is_islice=<synthetic pointer>, is_slice=<synthetic pointer>, skip_nal=<synthetic pointer>, nal_type=0x4, size=0x3b, data=0x2491e67 "$1", ctx=0x24ada70) at /mnt/data/playground/gpac/src/filters/reframe_nalu.c:2348
    #2  naludmx_process (filter=0x24a0bd0) at /mnt/data/playground/gpac/src/filters/reframe_nalu.c:2874
    #3  0x0000000000fe4c18 in gf_filter_process_task (task=0x248d520) at /mnt/data/playground/gpac/src/filter_core/filter.c:2441
    #4  0x0000000000f7b909 in gf_fs_thread_proc (sess_thread=sess_thread@entry=0x248c2b0) at /mnt/data/playground/gpac/src/filter_core/filter_session.c:1640
    #5  0x0000000000f93558 in gf_fs_run (fsess=fsess@entry=0x248c220) at /mnt/data/playground/gpac/src/filter_core/filter_session.c:1877
    #6  0x0000000000c18b4b in gf_media_import (importer=importer@entry=0x7fffffff5bf0) at /mnt/data/playground/gpac/src/media_tools/media_import.c:1178
    #7  0x0000000000497345 in convert_file_info (inName=0x7fffffffe159 "tmp", trackID=0x0) at /mnt/data/playground/gpac/applications/mp4box/fileimport.c:128
    #8  0x0000000000456aaa in mp4boxMain (argc=<optimized out>, argv=<optimized out>) at /mnt/data/playground/gpac/applications/mp4box/main.c:5925
    #9  0x0000000001f06bb6 in generic_start_main ()
    #10 0x0000000001f071a5 in __libc_start_main ()
    #11 0x000000000041c4e9 in _start ()

CVE-2021-40565: Segmentation fault caused by null pointer dereference using mp4box in gf_avc_parse_nalu, av_parsers.c:6112 · Issue #1902 · gpac/gpac

A Segmentation fault caused by null pointer dereference vulnerability eists in Gpac through 1.0.2 via the avc_parse_slice function in av_parsers.c when using mp4box, which causes a denial of service.

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...).

Hi, there.

There is a segmentation fault caused by null pointer dereference in avc\_parse\_slice, av\_parsers.c:5678 in commit 592ba26.

Here is my environment, compiler info and gpac version:

    Distributor ID:	Ubuntu
    Description:	Ubuntu 16.04.6 LTS
    Release:	16.04
    Codename:	xenial
    gcc: 5.4.0
    
    MP4Box - GPAC version 1.1.0-DEV-rev1170-g592ba26-master
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    	MINI build (encoders, decoders, audio and video output disabled)
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --static-bin --enable-debug
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D
    

To reproduce, run

POC:  
poc.zip  
(unzip first)

Here is the trace reported by gdb:

    Stopped reason: SIGSEGV
    gef➤  bt
    #0  0x0000000000bcd59d in avc_parse_slice (svc_idr_flag=GF_FALSE, si=0x7fffffff5020, avc=0x24ae050, bs=0x248df40) at /mnt/data/playground/gpac/src/media_tools/av_parsers.c:5678
    #1  gf_avc_parse_nalu (bs=0x248df40, avc=0x24ae050) at /mnt/data/playground/gpac/src/media_tools/av_parsers.c:6087
    #2  0x000000000144109d in naludmx_parse_nal_avc (is_islice=<synthetic pointer>, is_slice=<synthetic pointer>, skip_nal=<synthetic pointer>, nal_type=0x4, size=0x4f, data=0x2491e5b "$1\200", ctx=0x24ada70) at /mnt/data/playground/gpac/src/filters/reframe_nalu.c:2348
    #3  naludmx_process (filter=0x24a0bd0) at /mnt/data/playground/gpac/src/filters/reframe_nalu.c:2874
    #4  0x0000000000fe4c18 in gf_filter_process_task (task=0x248d520) at /mnt/data/playground/gpac/src/filter_core/filter.c:2441
    #5  0x0000000000f7b909 in gf_fs_thread_proc (sess_thread=sess_thread@entry=0x248c2b0) at /mnt/data/playground/gpac/src/filter_core/filter_session.c:1640
    #6  0x0000000000f93558 in gf_fs_run (fsess=fsess@entry=0x248c220) at /mnt/data/playground/gpac/src/filter_core/filter_session.c:1877
    #7  0x0000000000c18b4b in gf_media_import (importer=importer@entry=0x7fffffff5bf0) at /mnt/data/playground/gpac/src/media_tools/media_import.c:1178
    #8  0x0000000000497345 in convert_file_info (inName=0x7fffffffe159 "tmp", trackID=0x0) at /mnt/data/playground/gpac/applications/mp4box/fileimport.c:128
    #9  0x0000000000456aaa in mp4boxMain (argc=<optimized out>, argv=<optimized out>) at /mnt/data/playground/gpac/applications/mp4box/main.c:5925
    #10 0x0000000001f06bb6 in generic_start_main ()
    #11 0x0000000001f071a5 in __libc_start_main ()
    #12 0x000000000041c4e9 in _start ()
    

The reason for this bug is that the program does not check the nullity of the pointer.  
![image](https://user-images.githubusercontent.com/7632714/130955606-eefd9dbd-049a-48b2-ab9f-fa46197e9d99.png)

CVE-2021-40564: Segmentation fault caused by null pointer dereference using mp4box in avc_parse_slice, av_parsers.c:5678 · Issue #1898 · gpac/gpac

A denial of service vulnerabiity exists in fig2dev through 3.28a due to a segfault in the open_stream function in readpics.c.

**System info**

Ubuntu 16.04 xenial, gcc (Ubuntu 5.5.0-12ubuntu1), fig2dev (latest master a4c6e1)

****Command line****

./fig2dev -L pdf -G .25:1cm -j -m 2 -N -P -x 3 -y 4 @@ /dev/null

**Output**

An open rectangle at line 14 - close it.
A rectangle with 5 corners at line 14 - convert to a polygon.
\[1\]    13064 segmentation fault  ~/AlphaFuzz-Experiment/projects/baseline0711/afl-fig2dev/fuzz\_bin/fig2dev -L

**AddressSanitizer output**

An open rectangle at line 14 - close it.
A rectangle with 5 corners at line 14 - convert to a polygon.
ASAN:SIGSEGV
\=================================================================
\==6829\==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000051a094 bp 0x7fff3739baa0 sp 0x7fff3739b8f0 T0)
    #0 0x51a093 in open\_stream /home/qiuhongjun/AlphaFuzz-Experiment/programs/programs-asan/fig2dev/fig2dev/dev/readpics.c:215
    #1 0x4b2aa8 in genps\_line /home/qiuhongjun/AlphaFuzz-Experiment/programs/programs-asan/fig2dev/fig2dev/dev/genps.c:1672
    #2 0x412a7d in gendev\_objects /home/qiuhongjun/AlphaFuzz-Experiment/programs/programs-asan/fig2dev/fig2dev/fig2dev.c:1008
    #3 0x411481 in main /home/qiuhongjun/AlphaFuzz-Experiment/programs/programs-asan/fig2dev/fig2dev/fig2dev.c:485
    #4 0x7f25954e683f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2083f)
    #5 0x4032f8 in \_start (/home/qiuhongjun/AlphaFuzz-Experiment/results/crashes-binary/gcc-asan/fig2dev/fig2dev+0x4032f8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/qiuhongjun/AlphaFuzz-Experiment/programs/programs-asan/fig2dev/fig2dev/dev/readpics.c:215 open\_stream
\==6829\==ABORTING

CVE-2021-37530: Xfig / Tickets

A double-free vulnerability exists in fig2dev through 3.28a is affected by: via the free_stream function in readpics.c, which could cause a denial of service (context-dependent).

**System info**

Ubuntu 16.04 xenial, gcc (Ubuntu 5.5.0-12ubuntu1), fig2dev (latest master a4c6e1)

****Command line****

./fig2dev -L pdf -G .25:1cm -j -m 2 -N -P -x 3 -y 4 @@ /dev/null

**Output**

No such picture file: ../../fig2dev/ 0 0 675 0 675 375 0  0 0 5
\*\*\* Error in \`../../fig2dev': double free or corruption (!prev): 0x0000000000cfc030 \*\*\*
\======= Backtrace: \=========
/lib/x86\_64-linux-gnu/libc.so.6(+0x777f5)\[0x7f7fd7b6f7f5\]
/lib/x86\_64-linux-gnu/libc.so.6(+0x8038a)\[0x7f7fd7b7838a\]
/lib/x86\_64-linux-gnu/libc.so.6(cfree+0x4c)\[0x7f7fd7b7c58c\]
../../fig2dev\[0x4bbb2b\]
../../fig2dev\[0x47accd\]
../../fig2dev\[0x411b24\]
/lib/x86\_64-linux-gnu/libc.so.6(\_\_libc\_start\_main+0xf0)\[0x7f7fd7b18840\]
../../fig2dev\[0x402c09\]
\======= Memory map: \========
00400000\-004ec000 r-xp 00000000 08:11 27664590                           ../../fig2dev
006ec000-006ed000 r--p 000ec000 08:11 27664590                           ../../fig2dev
006ed000-00700000 rw-p 000ed000 08:11 27664590                           ../../fig2dev
00700000\-0071b000 rw-p 00000000 00:00 0
00cfb000-00d1c000 rw-p 00000000 00:00 0                                  \[heap\]
7f7fd0000000-7f7fd0021000 rw-p 00000000 00:00 0
7f7fd0021000-7f7fd4000000 ---p 00000000 00:00 0
7f7fd7579000-7f7fd7590000 r-xp 00000000 08:02 12582916                   /lib/x86\_64-linux-gnu/libgcc\_s.so.1
7f7fd7590000-7f7fd778f000 ---p 00017000 08:02 12582916                   /lib/x86\_64-linux-gnu/libgcc\_s.so.1
7f7fd778f000-7f7fd7790000 r--p 00016000 08:02 12582916                   /lib/x86\_64-linux-gnu/libgcc\_s.so.1
7f7fd7790000-7f7fd7791000 rw-p 00017000 08:02 12582916                   /lib/x86\_64-linux-gnu/libgcc\_s.so.1
7f7fd7791000-7f7fd7af8000 r--p 00000000 08:02 38010883                   /usr/lib/locale/locale-archive
7f7fd7af8000-7f7fd7cb8000 r-xp 00000000 08:02 12583571                   /lib/x86\_64-linux-gnu/libc-2.23.so
7f7fd7cb8000-7f7fd7eb8000 ---p 001c0000 08:02 12583571                   /lib/x86\_64-linux-gnu/libc-2.23.so
7f7fd7eb8000-7f7fd7ebc000 r--p 001c0000 08:02 12583571                   /lib/x86\_64-linux-gnu/libc-2.23.so
7f7fd7ebc000-7f7fd7ebe000 rw-p 001c4000 08:02 12583571                   /lib/x86\_64-linux-gnu/libc-2.23.so
7f7fd7ebe000-7f7fd7ec2000 rw-p 00000000 00:00 0
7f7fd7ec2000-7f7fd7fca000 r-xp 00000000 08:02 12583566                   /lib/x86\_64-linux-gnu/libm-2.23.so
7f7fd7fca000-7f7fd81c9000 ---p 00108000 08:02 12583566                   /lib/x86\_64-linux-gnu/libm-2.23.so
7f7fd81c9000-7f7fd81ca000 r--p 00107000 08:02 12583566                   /lib/x86\_64-linux-gnu/libm-2.23.so
7f7fd81ca000-7f7fd81cb000 rw-p 00108000 08:02 12583566                   /lib/x86\_64-linux-gnu/libm-2.23.so
7f7fd81cb000-7f7fd81e4000 r-xp 00000000 08:02 12583082                   /lib/x86\_64-linux-gnu/libz.so.1.2.8
7f7fd81e4000-7f7fd83e3000 ---p 00019000 08:02 12583082                   /lib/x86\_64-linux-gnu/libz.so.1.2.8
7f7fd83e3000-7f7fd83e4000 r--p 00018000 08:02 12583082                   /lib/x86\_64-linux-gnu/libz.so.1.2.8
7f7fd83e4000-7f7fd83e5000 rw-p 00019000 08:02 12583082                   /lib/x86\_64-linux-gnu/libz.so.1.2.8
7f7fd83e5000-7f7fd8409000 r-xp 00000000 08:02 12583492                   /lib/x86\_64-linux-gnu/libpng12.so.0.54.0
7f7fd8409000-7f7fd8608000 ---p 00024000 08:02 12583492                   /lib/x86\_64-linux-gnu/libpng12.so.0.54.0
7f7fd8608000-7f7fd8609000 r--p 00023000 08:02 12583492                   /lib/x86\_64-linux-gnu/libpng12.so.0.54.0
7f7fd8609000-7f7fd860a000 rw-p 00024000 08:02 12583492                   /lib/x86\_64-linux-gnu/libpng12.so.0.54.0
7f7fd860a000-7f7fd8630000 r-xp 00000000 08:02 12583562                   /lib/x86\_64-linux-gnu/ld-2.23.so
7f7fd87fb000-7f7fd8800000 rw-p 00000000 00:00 0
7f7fd882e000-7f7fd882f000 rw-p 00000000 00:00 0
7f7fd882f000-7f7fd8830000 r--p 00025000 08:02 12583562                   /lib/x86\_64-linux-gnu/ld-2.23.so
7f7fd8830000-7f7fd8831000 rw-p 00026000 08:02 12583562                   /lib/x86\_64-linux-gnu/ld-2.23.so
7f7fd8831000-7f7fd8832000 rw-p 00000000 00:00 0
7ffc8c5c7000-7ffc8c5e8000 rw-p 00000000 00:00 0                          \[stack\]
7ffc8c5ec000-7ffc8c5ee000 r--p 00000000 00:00 0                          \[vvar\]
7ffc8c5ee000-7ffc8c5f0000 r-xp 00000000 00:00 0                          \[vdso\]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  \[vsyscall\]
\[1\]    32228 abort      ../../fig2dev -L

**AddressSanitizer output**

No such picture file: ../../fig2dev/ 0 0 675 0 675 375 0  0 0 5
\=================================================================
\==28522\==ERROR: AddressSanitizer: attempting double-free on 0x610000007d40 in thread T0:
    #0 0x7f58f241532a in \_\_interceptor\_free (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x9832a)
    #1 0x519594 in free\_stream ../../fig2dev/fig2dev/dev/readpics.c:62
    #2 0x4b2b32 in genps\_line ../../fig2dev/fig2dev/dev/genps.c:1674
    #3 0x412a7d in gendev\_objects ../../fig2dev/fig2dev/fig2dev.c:1008
    #4 0x411481 in main ../../fig2dev/fig2dev/fig2dev.c:485
    #5 0x7f58f188b83f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2083f)
    #6 0x4032f8 in \_start (/home/qiuhongjun/AlphaFuzz-Experiment/results/crashes-binary/gcc-asan/fig2dev/fig2dev+0x4032f8)

0x610000007d40 is located 0 bytes inside of 180\-byte region \[0x610000007d40,0x610000007df4)
freed by thread T0 here:
    #0 0x7f58f241532a in \_\_interceptor\_free (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x9832a)
    #1 0x519594 in free\_stream ../../fig2dev/fig2dev/dev/readpics.c:62
    #2 0x51a022 in open\_stream ../../fig2dev/fig2dev/dev/readpics.c:211
    #3 0x4b2aa8 in genps\_line ../../fig2dev/fig2dev/dev/genps.c:1672
    #4 0x412a7d in gendev\_objects ../../fig2dev/fig2dev/fig2dev.c:1008
    #5 0x411481 in main ../../fig2dev/fig2dev/fig2dev.c:485
    #6 0x7f58f188b83f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2083f)

previously allocated by thread T0 here:
    #0 0x7f58f2415662 in malloc (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x98662)
    #1 0x519f58 in open\_stream ../../fig2dev/fig2dev/dev/readpics.c:199
    #2 0x4b2aa8 in genps\_line ../../fig2dev/fig2dev/dev/genps.c:1672
    #3 0x412a7d in gendev\_objects ../../fig2dev/fig2dev/fig2dev.c:1008
    #4 0x411481 in main ../../fig2dev/fig2dev/fig2dev.c:485
    #5 0x7f58f188b83f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2083f)

SUMMARY: AddressSanitizer: double-free ??:0 \_\_interceptor\_free
\==28522\==ABORTING

Tag

#ubuntu