An invalid memory address dereference vulnerability exists in gpac 1.1.0 in the dump_od_to_saf.isra function, which causes a segmentation fault and application crash.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

An invalid memory address dereference was discovered in dump\_od\_to\_saf.isra(). The vulnerability causes a segmentation fault and application crash.

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration:
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

poc.zip  
**Result**

    [iso file] Unknown box type stbU in parent minf
    [iso file] Track with no sample table !
    [iso file] Track with no sample description box !
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Box "lpod" (start 11062) has 1 extra bytes
    [iso file] Box "REFT" is larger than container box
    [iso file] Box "tref" size 28 (start 11054) invalid (read 261)
    [iso file] Incomplete box mdat - start 11495 size 861261
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] Unknown box type stbU in parent minf
    [iso file] Track with no sample table !
    [iso file] Track with no sample description box !
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Box "lpod" (start 11062) has 1 extra bytes
    [iso file] Box "REFT" is larger than container box
    [iso file] Box "tref" size 28 (start 11054) invalid (read 261)
    [iso file] Incomplete box mdat - start 11495 size 861261
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 BIFS Scene Parsing
    Scene loaded - dumping 2 systems streams
    [1]    3146070 segmentation fault  ./MP4Box -lsr ./submit/poc1
    

**gdb**

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff7ab7dcc in dump_od_to_saf.isra () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x61
     RBX  0x5555555df200 ◂— 0x1
     RCX  0x5555555df330 ◂— 0x8001000f
     RDX  0x7ffff72bf040 ◂— 0x7ffff72bf040
     RDI  0x5555555dfe10 ◂— 0xfbad2c84
     RSI  0x7ffff7e46910 ◂— ' streamType="%d" objectTypeIndication="%d" timeStampResolution="%d"'
     R8   0x3e8
     R9   0x27
     R10  0x7ffff7e4690b ◂— 0x7473200000000022 /* '"' */
     R11  0x7fffffff70e3 ◂— 0xcba6003936373233 /* '32769' */
     R12  0x5555555decc0 —▸ 0x5555555dfe10 ◂— 0xfbad2c84
     R13  0x0
     R14  0x5555555df150 ◂— 0x0
     R15  0x0
     RBP  0x0
     RSP  0x7fffffff7220 —▸ 0x5555555df330 ◂— 0x8001000f
     RIP  0x7ffff7ab7dcc (dump_od_to_saf.isra+204) ◂— movzx  edx, byte ptr [rax + 8]
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
     ► 0x7ffff7ab7dcc <dump_od_to_saf.isra+204>    movzx  edx, byte ptr [rax + 8]
       0x7ffff7ab7dd0 <dump_od_to_saf.isra+208>    mov    ecx, dword ptr [rax + 4]
       0x7ffff7ab7dd3 <dump_od_to_saf.isra+211>    xor    eax, eax
       0x7ffff7ab7dd5 <dump_od_to_saf.isra+213>    call   gf_fprintf@plt                <gf_fprintf@plt>
    
       0x7ffff7ab7dda <dump_od_to_saf.isra+218>    mov    rdx, qword ptr [r14]
       0x7ffff7ab7ddd <dump_od_to_saf.isra+221>    test   rdx, rdx
       0x7ffff7ab7de0 <dump_od_to_saf.isra+224>    jne    dump_od_to_saf.isra+392                <dump_od_to_saf.isra+392>
    
       0x7ffff7ab7de6 <dump_od_to_saf.isra+230>    mov    rdi, qword ptr [r12]
       0x7ffff7ab7dea <dump_od_to_saf.isra+234>    test   r15, r15
       0x7ffff7ab7ded <dump_od_to_saf.isra+237>    je     dump_od_to_saf.isra+266                <dump_od_to_saf.isra+266>
    
       0x7ffff7ab7def <dump_od_to_saf.isra+239>    mov    rdx, qword ptr [r15 + 8]
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff7220 —▸ 0x5555555df330 ◂— 0x8001000f
    01:0008│     0x7fffffff7228 ◂— 0x100000002
    02:0010│     0x7fffffff7230 —▸ 0x5555555df030 —▸ 0x5555555df580 ◂— 0x0
    03:0018│     0x7fffffff7238 ◂— 0x0
    04:0020│     0x7fffffff7240 —▸ 0x5555555df030 —▸ 0x5555555df580 ◂— 0x0
    05:0028│     0x7fffffff7248 ◂— 0x0
    06:0030│     0x7fffffff7250 ◂— 0x0
    07:0038│     0x7fffffff7258 —▸ 0x5555555df150 ◂— 0x0
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff7ab7dcc dump_od_to_saf.isra+204
       f 1   0x7ffff7ac27dd gf_sm_dump+1853
       f 2   0x555555584418 dump_isom_scene+616
       f 3   0x55555557b42c mp4boxMain+9228
       f 4   0x7ffff75630b3 __libc_start_main+243
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  0x00007ffff7ab7dcc in dump_od_to_saf.isra () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #1  0x00007ffff7ac27dd in gf_sm_dump () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #2  0x0000555555584418 in dump_isom_scene ()
    #3  0x000055555557b42c in mp4boxMain ()
    #4  0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe1a8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe198) at ../csu/libc-start.c:308
    #5  0x000055555556c45e in _start ()

CVE-2021-44920: Invalid memory address dereference in dump_od_to_saf.isra() · Issue #1957 · gpac/gpac

A Null Pointer Dereference vulnerability exists in the gf_sg_vrml_mf_alloc function, which causes a segmentation fault and application crash.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

A null pointer dereference was discovered in gf\_sg\_vrml\_mf\_alloc(). The vulnerability causes a segmentation fault and application crash.

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration:
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

poc5.zip

**Result**

    ./MP4Box -lsr ./poc5
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 861206
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 861206
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 BIFS Scene Parsing
    [1]    1371476 segmentation fault  ./MP4Box -lsr ./poc5
    

**gdb**

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff78a0f7d in gf_sg_vrml_mf_alloc () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x0
     RBX  0x9f03c
     RCX  0x10
     RDX  0x7ffff7e078a0 (CSWTCH.120) ◂— 0xc080c0804080404
     RDI  0x32
     RSI  0x32
     R8   0x0
     R9   0x0
     R10  0x7ffff775bdeb ◂— 'gf_sg_vrml_mf_alloc'
     R11  0x7ffff78a0f30 (gf_sg_vrml_mf_alloc) ◂— endbr64
     R12  0x0
     R13  0x8
     R14  0x0
     R15  0x7fffffff6d60 ◂— 0x30646c6569665f /* '_field0' */
     RBP  0x32
     RSP  0x7fffffff6bf0 ◂— 0x9f03c
     RIP  0x7ffff78a0f7d (gf_sg_vrml_mf_alloc+77) ◂— cmp    dword ptr [r12], ebx
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
     ► 0x7ffff78a0f7d <gf_sg_vrml_mf_alloc+77>     cmp    dword ptr [r12], ebx
       0x7ffff78a0f81 <gf_sg_vrml_mf_alloc+81>     je     gf_sg_vrml_mf_alloc+125                <gf_sg_vrml_mf_alloc+125>
        ↓
       0x7ffff78a0fad <gf_sg_vrml_mf_alloc+125>    add    rsp, 8
       0x7ffff78a0fb1 <gf_sg_vrml_mf_alloc+129>    pop    rbx
       0x7ffff78a0fb2 <gf_sg_vrml_mf_alloc+130>    pop    rbp
       0x7ffff78a0fb3 <gf_sg_vrml_mf_alloc+131>    pop    r12
       0x7ffff78a0fb5 <gf_sg_vrml_mf_alloc+133>    pop    r13
       0x7ffff78a0fb7 <gf_sg_vrml_mf_alloc+135>    ret
    
       0x7ffff78a0fb8 <gf_sg_vrml_mf_alloc+136>    nop    dword ptr [rax + rax]
       0x7ffff78a0fc0 <gf_sg_vrml_mf_alloc+144>    mov    edx, ebx
       0x7ffff78a0fc2 <gf_sg_vrml_mf_alloc+146>    imul   r13, rdx
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff6bf0 ◂— 0x9f03c
    01:0008│     0x7fffffff6bf8 —▸ 0x7fffffff6d30 ◂— 0x3200000000
    02:0010│     0x7fffffff6c00 —▸ 0x5555555ded70 ◂— 0x0
    03:0018│     0x7fffffff6c08 ◂— 0x555df8c0
    04:0020│     0x7fffffff6c10 —▸ 0x5555555d2730 ◂— 0x0
    05:0028│     0x7fffffff6c18 —▸ 0x7ffff790f44d (BD_DecMFFieldVec+589) ◂— mov    r14d, eax
    06:0030│     0x7fffffff6c20 ◂— 0x0
    07:0038│     0x7fffffff6c28 ◂— 0x0
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff78a0f7d gf_sg_vrml_mf_alloc+77
       f 1   0x7ffff790f44d BD_DecMFFieldVec+589
       f 2   0x7ffff7906205 gf_bifs_dec_proto_list+1333
       f 3   0x7ffff7906549 BD_DecSceneReplace+73
       f 4   0x7ffff7914e2e BM_SceneReplace+110
       f 5   0x7ffff7914ff3 BM_ParseCommand+179
       f 6   0x7ffff7915323 gf_bifs_decode_command_list+163
       f 7   0x7ffff7aa1da2 gf_sm_load_run_isom+1218
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  0x00007ffff78a0f7d in gf_sg_vrml_mf_alloc () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #1  0x00007ffff790f44d in BD_DecMFFieldVec () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #2  0x00007ffff7906205 in gf_bifs_dec_proto_list () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #3  0x00007ffff7906549 in BD_DecSceneReplace () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #4  0x00007ffff7914e2e in BM_SceneReplace () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #5  0x00007ffff7914ff3 in BM_ParseCommand () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #6  0x00007ffff7915323 in gf_bifs_decode_command_list () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #7  0x00007ffff7aa1da2 in gf_sm_load_run_isom () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #8  0x00005555555844a8 in dump_isom_scene ()
    #9  0x000055555557b42c in mp4boxMain ()
    #10 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe1a8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe198) at ../csu/libc-start.c:308
    #11 0x000055555556c45e in _start ()

CVE-2021-44919: Null Pointer Dereference in gf_sg_vrml_mf_alloc() · Issue #1963 · gpac/gpac

A null pointer dereference vulnerability exists in gpac 1.1.0 in the gf_sg_vrml_mf_append function, which causes a segmentation fault and application crash.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

A null pointer dereference was discovered in gf\_sg\_vrml\_mf\_append().

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration:
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

poc2.zip

**Result**

    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type e`ds in parent mp4s
    [iso file] Incomplete box mdat - start 11495 size 861283
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type e`ds in parent mp4s
    [iso file] Incomplete box mdat - start 11495 size 861283
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 BIFS Scene Parsing
    [1]    2696339 segmentation fault  ./MP4Box -bt ./submit/poc2
    

**gdb**

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff78a1074 in gf_sg_vrml_mf_append () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x0
     RBX  0x7fffffff6c10 ◂— 0x3800000000
     RCX  0x7fffffff6ce0 ◂— 0x2c00000000
     RDX  0x7fffffff6c18 ◂— 0x0
     RDI  0x0
     RSI  0x2c
     R8   0x5555555df8d0 —▸ 0x5555555df840 ◂— 0x2c00
     R9   0x7
     R10  0x7ffff775be46 ◂— 'gf_sg_vrml_mf_append'
     R11  0x7ffff78a1070 (gf_sg_vrml_mf_append) ◂— endbr64
     R12  0x7fffffff6ce0 ◂— 0x2c00000000
     R13  0x5555555d5f80 ◂— 0x0
     R14  0x0
     R15  0x0
     RBP  0x5555555ded90 ◂— 0x0
     RSP  0x7fffffff6bc8 —▸ 0x7ffff790efa4 (BD_DecMFFieldList+212) ◂— test   eax, eax
     RIP  0x7ffff78a1074 (gf_sg_vrml_mf_append+4) ◂— mov    eax, dword ptr [rdi]
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
       0x7ffff78a1070 <gf_sg_vrml_mf_append>          endbr64
     ► 0x7ffff78a1074 <gf_sg_vrml_mf_append+4>        mov    eax, dword ptr [rdi]
       0x7ffff78a1076 <gf_sg_vrml_mf_append+6>        lea    ecx, [rax + 2]
       0x7ffff78a1079 <gf_sg_vrml_mf_append+9>        jmp    gf_sg_vrml_mf_insert@plt                <gf_sg_vrml_mf_insert@plt>
        ↓
       0x7ffff77e66a0 <gf_sg_vrml_mf_insert@plt>      endbr64
       0x7ffff77e66a4 <gf_sg_vrml_mf_insert@plt+4>    bnd jmp qword ptr [rip + 0x7ba34d]   <0x7ffff77dd3f0>
        ↓
       0x7ffff77dd3f0                                 endbr64
       0x7ffff77dd3f4                                 push   0x73c
       0x7ffff77dd3f9                                 bnd jmp 0x7ffff77d6020               <0x7ffff77d6020>
        ↓
       0x7ffff77d6020                                 push   qword ptr [rip + 0x7c6fe2]    <0x7ffff7f9d008>
       0x7ffff77d6026                                 bnd jmp qword ptr [rip + 0x7c6fe3]   <0x7ffff7fe7bb0>
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff6bc8 —▸ 0x7ffff790efa4 (BD_DecMFFieldList+212) ◂— test   eax, eax
    01:0008│     0x7fffffff6bd0 ◂— 0x0
    02:0010│     0x7fffffff6bd8 ◂— 0x0
    03:0018│     0x7fffffff6be0 ◂— 0x50 /* 'P' */
    04:0020│     0x7fffffff6be8 ◂— 0x0
    05:0028│     0x7fffffff6bf0 —▸ 0x7fffffff6d10 ◂— 0x30646c6569665f /* '_field0' */
    06:0030│     0x7fffffff6bf8 —▸ 0x7fffffff6c08 ◂— 0x0
    07:0038│     0x7fffffff6c00 —▸ 0x7fffffff6d10 ◂— 0x30646c6569665f /* '_field0' */
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff78a1074 gf_sg_vrml_mf_append+4
       f 1   0x7ffff790efa4 BD_DecMFFieldList+212
       f 2   0x7ffff7906006 gf_bifs_dec_proto_list+822
       f 3   0x7ffff7906549 BD_DecSceneReplace+73
       f 4   0x7ffff7914e2e BM_SceneReplace+110
       f 5   0x7ffff7914ff3 BM_ParseCommand+179
       f 6   0x7ffff7915323 gf_bifs_decode_command_list+163
       f 7   0x7ffff7aa1da2 gf_sm_load_run_isom+1218
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  0x00007ffff78a1074 in gf_sg_vrml_mf_append () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #1  0x00007ffff790efa4 in BD_DecMFFieldList () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #2  0x00007ffff7906006 in gf_bifs_dec_proto_list () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #3  0x00007ffff7906549 in BD_DecSceneReplace () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #4  0x00007ffff7914e2e in BM_SceneReplace () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #5  0x00007ffff7914ff3 in BM_ParseCommand () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #6  0x00007ffff7915323 in gf_bifs_decode_command_list () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #7  0x00007ffff7aa1da2 in gf_sm_load_run_isom () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #8  0x00005555555844a8 in dump_isom_scene ()
    #9  0x000055555557b42c in mp4boxMain ()
    #10 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe158, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe148) at ../csu/libc-start.c:308
    #11 0x000055555556c45e in _start ()

CVE-2021-44927: Null Pointer Dereference in gf_sg_vrml_mf_append() · Issue #1960 · gpac/gpac

A null pointer dereference vulnerability exists in the gpac in the gf_node_get_tag function, which causes a segmentation fault and application crash.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

A null pointer dereference was discovered in gf\_node\_get\_tag(). The vulnerability causes a segmentation fault and application crash.

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration:
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

poc3.zip

**Result**

    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 861218
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 861218
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 BIFS Scene Parsing
    [1]    3453407 segmentation fault  ./MP4Box -lsr
    

**gdb**

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff7849794 in gf_node_get_tag () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x0
     RBX  0x0
     RCX  0x0
     RDX  0x5555555d2730 ◂— 0x0
     RDI  0x0
     RSI  0x5555555df860 ◂— 0x0
     R8   0x0
     R9   0x7
     R10  0x7ffff775b844 ◂— 'gf_node_get_tag'
     R11  0x7ffff7849790 (gf_node_get_tag) ◂— endbr64
     R12  0x5555555ded60 ◂— 0x0
     R13  0x5555555df860 ◂— 0x0
     R14  0x0
     R15  0x7fffffff6d60 ◂— 0x31646c6569665f /* '_field1' */
     RBP  0x5555555d2730 ◂— 0x0
     RSP  0x7fffffff6be8 —▸ 0x7ffff7919836 (SFScript_Parse+54) ◂— cmp    eax, 0x51
     RIP  0x7ffff7849794 (gf_node_get_tag+4) ◂— mov    rax, qword ptr [rdi]
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
       0x7ffff7849790 <gf_node_get_tag>       endbr64
     ► 0x7ffff7849794 <gf_node_get_tag+4>     mov    rax, qword ptr [rdi]
       0x7ffff7849797 <gf_node_get_tag+7>     movzx  eax, word ptr [rax]
       0x7ffff784979a <gf_node_get_tag+10>    ret
    
       0x7ffff784979b                         nop    dword ptr [rax + rax]
       0x7ffff78497a0 <gf_node_get_id>        endbr64
       0x7ffff78497a4 <gf_node_get_id+4>      mov    rax, qword ptr [rdi]
       0x7ffff78497a7 <gf_node_get_id+7>      xor    r8d, r8d
       0x7ffff78497aa <gf_node_get_id+10>     mov    edx, dword ptr [rax + 4]
       0x7ffff78497ad <gf_node_get_id+13>     test   edx, edx
       0x7ffff78497af <gf_node_get_id+15>     jns    gf_node_get_id+66                <gf_node_get_id+66>
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff6be8 —▸ 0x7ffff7919836 (SFScript_Parse+54) ◂— cmp    eax, 0x51
    01:0008│     0x7fffffff6bf0 ◂— 0x0
    ... ↓        2 skipped
    04:0020│     0x7fffffff6c08 ◂— 0x770000007c /* '|' */
    05:0028│     0x7fffffff6c10 ◂— 0x5b0000006e /* 'n' */
    06:0030│     0x7fffffff6c18 ◂— 0x770000007c /* '|' */
    07:0038│     0x7fffffff6c20 ◂— 0x5b0000006e /* 'n' */
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff7849794 gf_node_get_tag+4
       f 1   0x7ffff7919836 SFScript_Parse+54
       f 2   0x7ffff790e9cb gf_bifs_dec_sf_field+1195
       f 3   0x7ffff7905f44 gf_bifs_dec_proto_list+628
       f 4   0x7ffff7906549 BD_DecSceneReplace+73
       f 5   0x7ffff7914e2e BM_SceneReplace+110
       f 6   0x7ffff7914ff3 BM_ParseCommand+179
       f 7   0x7ffff7915323 gf_bifs_decode_command_list+163
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  0x00007ffff7849794 in gf_node_get_tag () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #1  0x00007ffff7919836 in SFScript_Parse () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #2  0x00007ffff790e9cb in gf_bifs_dec_sf_field () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #3  0x00007ffff7905f44 in gf_bifs_dec_proto_list () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #4  0x00007ffff7906549 in BD_DecSceneReplace () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #5  0x00007ffff7914e2e in BM_SceneReplace () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #6  0x00007ffff7914ff3 in BM_ParseCommand () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #7  0x00007ffff7915323 in gf_bifs_decode_command_list () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #8  0x00007ffff7aa1da2 in gf_sm_load_run_isom () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #9  0x00005555555844a8 in dump_isom_scene ()
    #10 0x000055555557b42c in mp4boxMain ()
    #11 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe1a8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe198) at ../csu/libc-start.c:308
    #12 0x000055555556c45e in _start ()

CVE-2021-44926: Null Pointer Dereference in gf_node_get_tag() · Issue #1961 · gpac/gpac

A null pointer dereference vulnerability exists in gpac 1.1.0 in the gf_isom_parse_movie_boxes_internal function, which causes a segmentation fault and application crash.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

A null pointer dereference was discovered in gf\_isom\_parse\_movie\_boxes\_internal(). The vulnerability causes a segmentation fault and application crash.

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration:
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

poc\_1.zip

**Result**

    [iso file] extra box maxr found in hinf, deleting
    [iso file] Read Box type 00000000 (0x00000000) at position 4494 has size 0 but is not at root/file level, skipping
    [iso file] Read Box "hinf" (start 4390) failed (End Of Stream / File) - skipping
    [iso file] Read Box "udta" (start 4178) failed (End Of Stream / File) - skipping
    [iso file] Read Box "trak" (start 2229) failed (End Of Stream / File) - skipping
    [iso file] Read Box "moov" (start 20) failed (End Of Stream / File) - skipping
    [1]    2155243 segmentation fault  ./MP4Box -lsr ./poc/poc_1
    

**gdb**

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff7973829 in gf_isom_parse_movie_boxes_internal () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x1
     RBX  0x5555555c72a0 ◂— 0x0
     RCX  0x7ffff764d1e7 (write+23) ◂— cmp    rax, -0x1000 /* 'H=' */
     RDX  0x0
     RDI  0x5555555c62a0 ◂— 0x0
     RSI  0x0
     R8   0x0
     R9   0x0
     R10  0x7ffff7e227df ◂— ') - skipping\n'
     R11  0x246
     R12  0x0
     R13  0x0
     R14  0x5555555c72a0 ◂— 0x0
     R15  0x3
     RBP  0x7fffffff83a0 ◂— 0x0
     RSP  0x7fffffff8310 —▸ 0x7fffffff8350 ◂— 0x0
     RIP  0x7ffff7973829 (gf_isom_parse_movie_boxes_internal+249) ◂— mov    eax, dword ptr [rsi]
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
     ► 0x7ffff7973829 <gf_isom_parse_movie_boxes_internal+249>     mov    eax, dword ptr [rsi]
       0x7ffff797382b <gf_isom_parse_movie_boxes_internal+251>     cmp    eax, 0x6d6f6f76
       0x7ffff7973830 <gf_isom_parse_movie_boxes_internal+256>     je     gf_isom_parse_movie_boxes_internal+1688                <gf_isom_parse_movie_boxes_internal+1688>
        ↓
       0x7ffff7973dc8 <gf_isom_parse_movie_boxes_internal+1688>    cmp    qword ptr [r14 + 0x48], 0
       0x7ffff7973dcd <gf_isom_parse_movie_boxes_internal+1693>    jne    gf_isom_parse_movie_boxes_internal+4630                <gf_isom_parse_movie_boxes_internal+4630>
        ↓
       0x7ffff7974946 <gf_isom_parse_movie_boxes_internal+4630>    mov    esi, 1
       0x7ffff797494b <gf_isom_parse_movie_boxes_internal+4635>    mov    edi, 2
       0x7ffff7974950 <gf_isom_parse_movie_boxes_internal+4640>    call   gf_log_tool_level_on@plt                <gf_log_tool_level_on@plt>
    
       0x7ffff7974955 <gf_isom_parse_movie_boxes_internal+4645>    test   eax, eax
       0x7ffff7974957 <gf_isom_parse_movie_boxes_internal+4647>    je     gf_isom_parse_movie_boxes_internal+4540                <gf_isom_parse_movie_boxes_internal+4540>
    
       0x7ffff7974959 <gf_isom_parse_movie_boxes_internal+4649>    mov    esi, 2
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff8310 —▸ 0x7fffffff8350 ◂— 0x0
    01:0008│     0x7fffffff8318 ◂— 0x0
    ... ↓        2 skipped
    04:0020│     0x7fffffff8330 —▸ 0x5555555c7500 ◂— 0x6d703431 /* '14pm' */
    05:0028│     0x7fffffff8338 ◂— 0x0
    06:0030│     0x7fffffff8340 ◂— 0x0
    07:0038│     0x7fffffff8348 ◂— 0x4
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff7973829 gf_isom_parse_movie_boxes_internal+249
       f 1   0x7ffff7974f97 gf_isom_open_file+311
       f 2   0x55555557dc14 mp4boxMain+19444
       f 3   0x7ffff75630b3 __libc_start_main+243
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  0x00007ffff7973829 in gf_isom_parse_movie_boxes_internal () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #1  0x00007ffff7974f97 in gf_isom_open_file () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #2  0x000055555557dc14 in mp4boxMain ()
    #3  0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe188, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe178) at ../csu/libc-start.c:308
    #4  0x000055555556c45e in _start ()

CVE-2021-44921: Null Pointer Dereference in gf_isom_parse_movie_boxes_internal() · Issue #1964 · gpac/gpac

An infinite loop vulnerability exists in gpac 1.1.0 in the gf_log function, which causes a Denial of Service.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

An infinite loop was discovered in gf\_log().

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration:
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG G
    [poc_hang.zip](https://github.com/gpac/gpac/files/7691188/poc_hang.zip)
    PAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

    ./MP4Box -info ./poc_hang
    

poc\_hang.zip

**Result**

    ...
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    ...
    

**gdb**

    bt
    #0  0x00007ffff764d1e7 in __GI___libc_write (fd=2, buf=0x7ffffffebeb0, nbytes=62) at ../sysdeps/unix/sysv/linux/write.c:26
    #1  0x00007ffff75ce00d in _IO_new_file_write (f=0x7ffff77285c0 <_IO_2_1_stderr_>, data=0x7ffffffebeb0, n=62) at fileops.c:1176
    #2  0x00007ffff75ce928 in new_do_write (to_do=<optimized out>, data=0x7ffffffebeb0 "[Core] exp-golomb read failed, not enough bits in bitstream !\nn [0;31])\n", fp=0x7ffff77285c0 <_IO_2_1_stderr_>) at libioP.h:948
    #3  _IO_new_file_xsputn (n=62, data=<optimized out>, f=<optimized out>) at fileops.c:1255
    #4  _IO_new_file_xsputn (f=0x7ffff77285c0 <_IO_2_1_stderr_>, data=<optimized out>, n=62) at fileops.c:1197
    #5  0x00007ffff75b90d3 in buffered_vfprintf (s=s@entry=0x7ffff77285c0 <_IO_2_1_stderr_>, format=format@entry=0x7ffff7e2cf98 "[Core] exp-golomb read failed, not enough bits in bitstream !\n", args=args@entry=0x7ffffffee4a0, mode_flags=mode_flags@entry=2) at ../libio/libioP.h:948
    #6  0x00007ffff75b5ea4 in __vfprintf_internal (s=0x7ffff77285c0 <_IO_2_1_stderr_>, format=0x7ffff7e2cf98 "[Core] exp-golomb read failed, not enough bits in bitstream !\n", ap=0x7ffffffee4a0, mode_flags=2) at vfprintf-internal.c:1346
    #7  0x00007ffff77f8a21 in default_log_callback_color () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #8  0x00007ffff77f8cc9 in gf_log () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #9  0x00007ffff79f4c95 in avc_parse_hrd_parameters () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #10 0x00007ffff79f7c09 in gf_avc_read_sps_bs_internal () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #11 0x00007ffff7a0b149 in gf_avc_read_sps () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #12 0x00007ffff792b724 in avcc_box_read () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #13 0x00007ffff796ac69 in gf_isom_box_parse_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #14 0x00007ffff796c531 in gf_isom_box_array_read_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #15 0x00007ffff793c2a3 in video_sample_entry_box_read () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #16 0x00007ffff796ac69 in gf_isom_box_parse_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #17 0x00007ffff796c531 in gf_isom_box_array_read_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #18 0x00007ffff796ac69 in gf_isom_box_parse_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #19 0x00007ffff796c531 in gf_isom_box_array_read_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #20 0x00007ffff793e083 in stbl_box_read () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #21 0x00007ffff796ac69 in gf_isom_box_parse_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #22 0x00007ffff796c531 in gf_isom_box_array_read_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #23 0x00007ffff793a3d0 in minf_box_read () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #24 0x00007ffff796ac69 in gf_isom_box_parse_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #25 0x00007ffff796c531 in gf_isom_box_array_read_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #26 0x00007ffff79394e9 in mdia_box_read () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #27 0x00007ffff796ac69 in gf_isom_box_parse_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #28 0x00007ffff796c531 in gf_isom_box_array_read_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #29 0x00007ffff794189a in trak_box_read () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #30 0x00007ffff796ac69 in gf_isom_box_parse_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #31 0x00007ffff796c531 in gf_isom_box_array_read_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #32 0x00007ffff796ac69 in gf_isom_box_parse_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #33 0x00007ffff796b410 in gf_isom_parse_root_box () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #34 0x00007ffff79737ec in gf_isom_parse_movie_boxes_internal () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #35 0x00007ffff7974f67 in gf_isom_open_file () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #36 0x000055555557dc14 in mp4boxMain ()
    #37 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe1f8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe1e8) at ../csu/libc-start.c:308
    #38 0x000055555556c45e in _start ()

CVE-2021-44924: Infinite loop in gf_log() · Issue #1959 · gpac/gpac

A null pointer dereference vulnerability exists in gpac 1.1.0 in the gf_svg_get_attribute_name function, which causes a segmentation fault and application crash.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

A null pointer dereference was discovered in gf\_svg\_get\_attribute\_name(). The vulnerability causes a segmentation fault and application crash.

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration:
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

poc\_4.zip

**Result**

    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 796312
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 796312
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 LASeR Scene Parsing
    Scene loaded - dumping 1 systems streams
    [1]    3570050 segmentation fault  ./MP4Box -lsr ./poc/poc_4
    

**gdb**

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff78e16ac in gf_svg_get_attribute_name () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x0
     RBX  0x5555555decb0 —▸ 0x5555555d4350 ◂— 0x0
     RCX  0x0
     RDX  0x7ffff7f7c428 (xml_elements+8) ◂— 0x300000422
     RDI  0x0
     RSI  0x0
     R8   0x0
     R9   0xa
     R10  0x7ffff7e45bd4 ◂— 0x6e696f7020002022 /* '" ' */
     R11  0x7fffffff6ee7 ◂— 0xbffcbef5d8160036 /* '6' */
     R12  0x5555555df180 —▸ 0x5555555d4350 ◂— 0x0
     R13  0x0
     R14  0x7ffff7e10cf4 ◂— 'textContent'
     R15  0x7ffff7df5e9b ◂— 0x663325002f2e2e00
     RBP  0x7fffffff7080 ◂— 0x344e /* 'N4' */
     RSP  0x7fffffff6fe0 ◂— 0x25286574616c736e ('nslate(%')
     RIP  0x7ffff78e16ac (gf_svg_get_attribute_name+28) ◂— mov    rax, qword ptr [rdi]
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
     ► 0x7ffff78e16ac <gf_svg_get_attribute_name+28>    mov    rax, qword ptr [rdi]
       0x7ffff78e16af <gf_svg_get_attribute_name+31>    movzx  ecx, word ptr [rax]
       0x7ffff78e16b2 <gf_svg_get_attribute_name+34>    xor    eax, eax
       0x7ffff78e16b4 <gf_svg_get_attribute_name+36>    cmp    cx, 0x408
       0x7ffff78e16b9 <gf_svg_get_attribute_name+41>    jne    gf_svg_get_attribute_name+64
     <gf_svg_get_attribute_name+64>
        ↓
       0x7ffff78e16d0 <gf_svg_get_attribute_name+64>    cmp    dword ptr [rdx], ecx
       0x7ffff78e16d2 <gf_svg_get_attribute_name+66>    jne    gf_svg_get_attribute_name+48
     <gf_svg_get_attribute_name+48>
        ↓
       0x7ffff78e16c0 <gf_svg_get_attribute_name+48>    add    eax, 1
       0x7ffff78e16c3 <gf_svg_get_attribute_name+51>    add    rdx, 0x10
       0x7ffff78e16c7 <gf_svg_get_attribute_name+55>    cmp    eax, 0x4e
       0x7ffff78e16ca <gf_svg_get_attribute_name+58>    je     gf_svg_get_attribute_name+365
      <gf_svg_get_attribute_name+365>
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff6fe0 ◂— 0x25286574616c736e ('nslate(%')
    01:0008│     0x7fffffff6fe8 —▸ 0x5555555decb0 —▸ 0x5555555d4350 ◂— 0x0
    02:0010│     0x7fffffff6ff0 —▸ 0x7fffffff7080 ◂— 0x344e /* 'N4' */
    03:0018│     0x7fffffff6ff8 —▸ 0x5555555df180 —▸ 0x5555555d4350 ◂— 0x0
    04:0020│     0x7fffffff7000 —▸ 0x5555555df2e0 ◂— 0x0
    05:0028│     0x7fffffff7008 —▸ 0x7ffff7e10cf4 ◂— 'textContent'
    06:0030│     0x7fffffff7010 —▸ 0x7ffff7df5e9b ◂— 0x663325002f2e2e00
    07:0038│     0x7fffffff7018 —▸ 0x7ffff7abae7a (DumpLSRAddReplaceInsert+938) ◂— mov    r14, rax
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff78e16ac gf_svg_get_attribute_name+28
       f 1   0x7ffff7abae7a DumpLSRAddReplaceInsert+938
       f 2   0x7ffff7abb12b gf_sm_dump_command_list+219
       f 3   0x7ffff7ac254c gf_sm_dump+1116
       f 4   0x555555584418 dump_isom_scene+616
       f 5   0x55555557b42c mp4boxMain+9228
       f 6   0x7ffff75630b3 __libc_start_main+243
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  0x00007ffff78e16ac in gf_svg_get_attribute_name () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #1  0x00007ffff7abae7a in DumpLSRAddReplaceInsert () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #2  0x00007ffff7abb12b in gf_sm_dump_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #3  0x00007ffff7ac254c in gf_sm_dump () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #4  0x0000555555584418 in dump_isom_scene ()
    #5  0x000055555557b42c in mp4boxMain ()
    #6  0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe188, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe178) at ../csu/libc-start.c:308
    #7  0x000055555556c45e in _start ()

CVE-2021-44925: Null Pointer Dereference in gf_svg_get_attribute_name() · Issue #1967 · gpac/gpac

A null pointer dereference vulnerability exists in gpac 1.1.0 in the gf_dump_vrml_dyn_field.isra function, which causes a segmentation fault and application crash.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

A null pointer dereference was discovered in gf\_dump\_vrml\_dyn\_field.isra(). The vulnerability causes a segmentation fault and application crash.

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration:
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

poc4.zip

**Result**

    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 860238
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 860238
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 BIFS Scene Parsing
    Scene loaded - dumping 1 systems streams
    [1]    414421 segmentation fault  ./MP4Box -lsr ./poc4
    

**gdb**

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff7ac0797 in gf_dump_vrml_dyn_field.isra () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0xa
     RBX  0x0
     RCX  0x0
     RDX  0x7ffff72bf040 ◂— 0x7ffff72bf040
     RDI  0x7fffffff6af0 —▸ 0x7ffff75a21e0 (funlockfile) ◂— endbr64
     RSI  0x0
     R8   0xffffffff
     R9   0xa
     R10  0x7ffff7e37a2a ◂— 0x3e73252f3c00223d /* '="' */
     R11  0x7ffff7df0c38 ◂— 0x6e776f6e6b6e75 /* 'unknown' */
     R12  0x0
     R13  0x0
     R14  0x5555555ded60 —▸ 0x5555555d43b0 ◂— 0x0
     R15  0x1
     RBP  0x3c
     RSP  0x7fffffff7060 ◂— 0x3000000010
     RIP  0x7ffff7ac0797 (gf_dump_vrml_dyn_field.isra+631) ◂— mov    eax, dword ptr [r12]
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
     ► 0x7ffff7ac0797 <gf_dump_vrml_dyn_field.isra+631>    mov    eax, dword ptr [r12]
       0x7ffff7ac079b <gf_dump_vrml_dyn_field.isra+635>    test   eax, eax
       0x7ffff7ac079d <gf_dump_vrml_dyn_field.isra+637>    je     gf_dump_vrml_dyn_field.isra+720
           <gf_dump_vrml_dyn_field.isra+720>
        ↓
       0x7ffff7ac07f0 <gf_dump_vrml_dyn_field.isra+720>    mov    eax, dword ptr [rsp + 0x70]
       0x7ffff7ac07f4 <gf_dump_vrml_dyn_field.isra+724>    mov    rdi, qword ptr [r14 + 0x10]
       0x7ffff7ac07f8 <gf_dump_vrml_dyn_field.isra+728>    test   eax, eax
       0x7ffff7ac07fa <gf_dump_vrml_dyn_field.isra+730>    jne    gf_dump_vrml_dyn_field.isra+292
           <gf_dump_vrml_dyn_field.isra+292>
        ↓
       0x7ffff7ac0644 <gf_dump_vrml_dyn_field.isra+292>    lea    rsi, [rip + 0x35ac0b]
       0x7ffff7ac064b <gf_dump_vrml_dyn_field.isra+299>    xor    eax, eax
       0x7ffff7ac064d <gf_dump_vrml_dyn_field.isra+301>    call   gf_fprintf@plt                <gf_fprintf@plt>
    
       0x7ffff7ac0652 <gf_dump_vrml_dyn_field.isra+306>    jmp    gf_dump_vrml_dyn_field.isra+391
           <gf_dump_vrml_dyn_field.isra+391>
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff7060 ◂— 0x3000000010
    01:0008│     0x7fffffff7068 —▸ 0x5555555df880 ◂— 0x31646c6569665f /* '_field1' */
    02:0010│     0x7fffffff7070 ◂— 0x0
    03:0018│     0x7fffffff7078 ◂— 0x38b85a8f00
    04:0020│     0x7fffffff7080 ◂— 0x0
    05:0028│     0x7fffffff7088 ◂— 0x7aa5d2dbb85a8f00
    06:0030│     0x7fffffff7090 ◂— 0x1
    07:0038│     0x7fffffff7098 —▸ 0x7ffff7e27f46 ◂— 0x65646f6d73006325 /* '%c' */
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff7ac0797 gf_dump_vrml_dyn_field.isra+631
       f 1   0x7ffff7ac15d1 DumpProtos+305
       f 2   0x7ffff7abb389 gf_sm_dump_command_list+857
       f 3   0x7ffff7ac24fc gf_sm_dump+1116
       f 4   0x555555584418 dump_isom_scene+616
       f 5   0x55555557b42c mp4boxMain+9228
       f 6   0x7ffff75630b3 __libc_start_main+243
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  0x00007ffff7ac0797 in gf_dump_vrml_dyn_field.isra () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #1  0x00007ffff7ac15d1 in DumpProtos () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #2  0x00007ffff7abb389 in gf_sm_dump_command_list () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #3  0x00007ffff7ac24fc in gf_sm_dump () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #4  0x0000555555584418 in dump_isom_scene ()
    #5  0x000055555557b42c in mp4boxMain ()
    #6  0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe1a8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe198) at ../csu/libc-start.c:308
    #7  0x000055555556c45e in _start ()

CVE-2021-44923: Null Pointer Dereference in gf_dump_vrml_dyn_field.isra() · Issue #1962 · gpac/gpac

A Null Pointer Dereference vulnerability exists in gpac 1.1.0 in the gf_node_get_field function, which can cause a segmentation fault and application crash.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

A null pointer dereference was discovered in gf\_node\_get\_field(). The vulnerability causes a segmentation fault and application crash.

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration:
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

    ./MP4Box -lsr poc_5
    ./MP4Box -lsr poc_6
    

poc.zip

**Result**

poc\_5

    [iso file] Unknown box type dreFF in parent dinf
    [iso file] Missing dref box in dinf
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type FFFFFF80 in parent hinf
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 860062
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] Unknown box type dreFF in parent dinf
    [iso file] Missing dref box in dinf
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type FFFFFF80 in parent hinf
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 860062
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 LASeR Scene Parsing
    [1]    878696 segmentation fault  ./MP4Box -lsr ./poc/poc_5
    

poc\_6

    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type pm00x in parent hinf
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 861258
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type pm00x in parent hinf
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 861258
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 LASeR Scene Parsing
    [LASeR] memory overread - corrupted decoding
    [LASeR] memory overread - corrupted decoding
    [LASeR] memory overread - corrupted decoding
    [LASeR] memory overread - corrupted decoding
    [LASeR] memory overread - corrupted decoding
    [LASeR] memory overread - corrupted decoding
    [LASeR] memory overread - corrupted decoding
    [LASeR] memory overread - corrupted decoding
    [LASeR] memory overread - corrupted decoding
    ...
    Program received signal SIGSEGV, Segmentation fault.
    

**gdb**

poc\_5

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff784acf0 in gf_node_get_field () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x4
     RBX  0x5555555df130 —▸ 0x5555555d4330 ◂— 0x0
     RCX  0x5555555df310 ◂— 0x0
     RDX  0x7fffffff7050 ◂— 0x4
     RDI  0x0
     RSI  0x7fffffff7050 ◂— 0x4
     R8   0x4
     R9   0x0
     R10  0x7ffff775bb48 ◂— 'gf_node_get_field'
     R11  0x7ffff784acd0 (gf_node_get_field) ◂— endbr64
     R12  0xfffffffe
     R13  0x5555555df290 ◂— 0x4
     R14  0x7fffffff7050 ◂— 0x4
     R15  0x5555555dcdc0 —▸ 0x5555555d26b0 ◂— 0x0
     RBP  0x80
     RSP  0x7fffffff6fa8 —▸ 0x7ffff7b5784a (lsr_read_command_list+1402) ◂— mov    eax, dword ptr [rsp + 0xa4]
     RIP  0x7ffff784acf0 (gf_node_get_field+32) ◂— mov    rax, qword ptr [rdi]
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
     ► 0x7ffff784acf0 <gf_node_get_field+32>     mov    rax, qword ptr [rdi]
       0x7ffff784acf3 <gf_node_get_field+35>     movzx  eax, word ptr [rax]
       0x7ffff784acf6 <gf_node_get_field+38>     test   ax, ax
       0x7ffff784acf9 <gf_node_get_field+41>     je     gf_node_get_field+144                <gf_node_get_field+144>
        ↓
       0x7ffff784ad60 <gf_node_get_field+144>    mov    eax, 0xffffffff
       0x7ffff784ad65 <gf_node_get_field+149>    ret
    
       0x7ffff784ad66                            nop    word ptr cs:[rax + rax]
       0x7ffff784ad70 <dirty_children>           push   r14
       0x7ffff784ad72 <dirty_children+2>         push   r13
       0x7ffff784ad74 <dirty_children+4>         push   r12
       0x7ffff784ad76 <dirty_children+6>         push   rbp
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff6fa8 —▸ 0x7ffff7b5784a (lsr_read_command_list+1402) ◂— mov    eax, dword ptr [rsp + 0xa4]
    01:0008│     0x7fffffff6fb0 ◂— 0x0
    02:0010│     0x7fffffff6fb8 ◂— 0x300000000
    03:0018│     0x7fffffff6fc0 ◂— 0x0
    04:0020│     0x7fffffff6fc8 —▸ 0x5555555df0b0 —▸ 0x5555555df1d0 —▸ 0x5555555df130 —▸ 0x5555555d4330 ◂— ...
    05:0028│     0x7fffffff6fd0 ◂— 0x0
    ... ↓        2 skipped
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff784acf0 gf_node_get_field+32
       f 1   0x7ffff7b5784a lsr_read_command_list+1402
       f 2   0x7ffff7b59914 lsr_decode_laser_unit+708
       f 3   0x7ffff7b6204d gf_laser_decode_command_list+333
       f 4   0x7ffff7aa1eb1 gf_sm_load_run_isom+1505
       f 5   0x5555555844a8 dump_isom_scene+760
       f 6   0x55555557b42c mp4boxMain+9228
       f 7   0x7ffff75630b3 __libc_start_main+243
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  0x00007ffff784acf0 in gf_node_get_field () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #1  0x00007ffff7b5784a in lsr_read_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #2  0x00007ffff7b59914 in lsr_decode_laser_unit () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #3  0x00007ffff7b6204d in gf_laser_decode_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #4  0x00007ffff7aa1eb1 in gf_sm_load_run_isom () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #5  0x00005555555844a8 in dump_isom_scene ()
    #6  0x000055555557b42c in mp4boxMain ()
    #7  0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe188, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe178) at ../csu/libc-start.c:308
    #8  0x000055555556c45e in _start ()
    

poc\_6

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff784acf0 in gf_node_get_field () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0xbb
     RBX  0x5555555df0f0 —▸ 0x5555555d4300 ◂— 0x0
     RCX  0x5555555df2d0 ◂— 0x0
     RDX  0x7fffffff7000 ◂— 0xbb
     RDI  0x0
     RSI  0x7fffffff7000 ◂— 0xbb
     R8   0xbb
     R9   0x0
     R10  0x7ffff775bb48 ◂— 'gf_node_get_field'
     R11  0x7ffff784acd0 (gf_node_get_field) ◂— endbr64
     R12  0xfffffffe
     R13  0x5555555df250 ◂— 0xbb
     R14  0x7fffffff7000 ◂— 0xbb
     R15  0x5555555dcd80 —▸ 0x5555555d2680 ◂— 0x0
     RBP  0x40
     RSP  0x7fffffff6f58 —▸ 0x7ffff7b5784a (lsr_read_command_list+1402) ◂— mov    eax, dword ptr [rsp + 0xa4]
     RIP  0x7ffff784acf0 (gf_node_get_field+32) ◂— mov    rax, qword ptr [rdi]
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
     ► 0x7ffff784acf0 <gf_node_get_field+32>     mov    rax, qword ptr [rdi]
       0x7ffff784acf3 <gf_node_get_field+35>     movzx  eax, word ptr [rax]
       0x7ffff784acf6 <gf_node_get_field+38>     test   ax, ax
       0x7ffff784acf9 <gf_node_get_field+41>     je     gf_node_get_field+144                <gf_node_get_field+144>
        ↓
       0x7ffff784ad60 <gf_node_get_field+144>    mov    eax, 0xffffffff
       0x7ffff784ad65 <gf_node_get_field+149>    ret
    
       0x7ffff784ad66                            nop    word ptr cs:[rax + rax]
       0x7ffff784ad70 <dirty_children>           push   r14
       0x7ffff784ad72 <dirty_children+2>         push   r13
       0x7ffff784ad74 <dirty_children+4>         push   r12
       0x7ffff784ad76 <dirty_children+6>         push   rbp
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff6f58 —▸ 0x7ffff7b5784a (lsr_read_command_list+1402) ◂— mov    eax, dword ptr [rsp + 0xa4]
    01:0008│     0x7fffffff6f60 ◂— 0x6469005453414c00
    02:0010│     0x7fffffff6f68 ◂— 0x900000000
    03:0018│     0x7fffffff6f70 ◂— 0x0
    04:0020│     0x7fffffff6f78 —▸ 0x5555555df070 —▸ 0x5555555df190 —▸ 0x5555555df0f0 —▸ 0x5555555d4300 ◂— ...
    05:0028│     0x7fffffff6f80 ◂— 0x0
    ... ↓        2 skipped
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff784acf0 gf_node_get_field+32
       f 1   0x7ffff7b5784a lsr_read_command_list+1402
       f 2   0x7ffff7b59914 lsr_decode_laser_unit+708
       f 3   0x7ffff7b6204d gf_laser_decode_command_list+333
       f 4   0x7ffff7aa1eb1 gf_sm_load_run_isom+1505
       f 5   0x5555555844a8 dump_isom_scene+760
       f 6   0x55555557b42c mp4boxMain+9228
       f 7   0x7ffff75630b3 __libc_start_main+243
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  0x00007ffff784acf0 in gf_node_get_field () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #1  0x00007ffff7b5784a in lsr_read_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #2  0x00007ffff7b59914 in lsr_decode_laser_unit () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #3  0x00007ffff7b6204d in gf_laser_decode_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #4  0x00007ffff7aa1eb1 in gf_sm_load_run_isom () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #5  0x00005555555844a8 in dump_isom_scene ()
    #6  0x000055555557b42c in mp4boxMain ()
    #7  0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe138, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe128) at ../csu/libc-start.c:308
    #8  0x000055555556c45e in _start ()

CVE-2021-44918: Null Pointer Dereference in gf_node_get_field() · Issue #1968 · gpac/gpac

An infinite loop vulnerability exists in Gpac 1.0.1 in gf_get_bit_size.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   \[Yes \] I looked for a similar issue and couldn't find any.
*   \[ Yes\] I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   \[ Yes\] I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Version:**

    ./MP4Box -version
    MP4Box - GPAC version 1.1.0-DEV-rev1527-g6fcf9819e-master
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
     MINI build (encoders, decoders, audio and video output disabled)
    
    Please cite our work in your research:
     GPAC Filters: https://doi.org/10.1145/3339825.3394929
     GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --static-mp4box --prefix=/home/zxq/CVE_testing/sourceproject/gpac/cmakebuild --enable-debug
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D 
    

**System information**  
Ubuntu 20.04.1 LTS, gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)

**command:**

    ./bin/gcc/MP4Box -hint POC
    

**Result**

\*\*GDB information \*\*

    [----------------------------------registers-----------------------------------]
    RAX: 0x20000 
    RBX: 0x80 
    RCX: 0xe9b05a71 
    RDX: 0x1 
    RSI: 0x6a6a6ab8 
    RDI: 0x6a6a6ab8 
    RBP: 0x5555555e1630 --> 0x1 
    RSP: 0x7fffffff8078 --> 0x7ffff7875506 (<gf_rtp_builder_init+2342>:	mov    ebx,DWORD PTR [rbp+0x90])
    RIP: 0x7ffff7788927 (<gf_get_bit_size+23>:	cmp    eax,edi)
    R8 : 0x0 
    R9 : 0x20 (' ')
    R10: 0x7ffff76d955a ("gf_rtp_builder_init")
    R11: 0x2 
    R12: 0x59e 
    R13: 0x60 ('`')
    R14: 0x5555555e1750 --> 0x0 
    R15: 0x0
    EFLAGS: 0x206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x7ffff7788920 <gf_get_bit_size+16>:	add    ecx,0x1
       0x7ffff7788923 <gf_get_bit_size+19>:	mov    eax,edx
       0x7ffff7788925 <gf_get_bit_size+21>:	shl    eax,cl
    => 0x7ffff7788927 <gf_get_bit_size+23>:	cmp    eax,edi
       0x7ffff7788929 <gf_get_bit_size+25>:	jle    0x7ffff7788920 <gf_get_bit_size+16>
       0x7ffff778892b <gf_get_bit_size+27>:	mov    eax,ecx
       0x7ffff778892d <gf_get_bit_size+29>:	ret    
       0x7ffff778892e:	xchg   ax,ax
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffff8078 --> 0x7ffff7875506 (<gf_rtp_builder_init+2342>:	mov    ebx,DWORD PTR [rbp+0x90])
    0008| 0x7fffffff8080 --> 0x24a 
    0016| 0x7fffffff8088 --> 0xfc7 
    0024| 0x7fffffff8090 --> 0x32ce10ac 
    0032| 0x7fffffff8098 --> 0x6a6a6ab800000020 
    0040| 0x7fffffff80a0 --> 0x2 
    0048| 0x7fffffff80a8 --> 0x62 ('b')
    0056| 0x7fffffff80b0 --> 0x5555555dfb90 --> 0x5555555da930 --> 0x0 
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGINT
    0x00007ffff7788927 in gf_get_bit_size () from /home/zxq/CVE_testing/sourceproject/momey/gpac/bin/gcc/libgpac.so.10
    gdb-peda$ bt
    #0  0x00007ffff7788927 in gf_get_bit_size () from /home/zxq/CVE_testing/sourceproject/momey/gpac/bin/gcc/libgpac.so.10
    #1  0x00007ffff7875506 in gf_rtp_builder_init () from /home/zxq/CVE_testing/sourceproject/momey/gpac/bin/gcc/libgpac.so.10
    #2  0x00007ffff7a0ec5c in gf_hinter_track_new () from /home/zxq/CVE_testing/sourceproject/momey/gpac/bin/gcc/libgpac.so.10
    #3  0x000055555557958b in HintFile ()
    #4  0x000055555557d257 in mp4boxMain ()
    #5  0x00007ffff74df0b3 in __libc_start_main (main=0x55555556d420 <main>, argc=0x3, argv=0x7fffffffe308, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe2f8)
        at ../csu/libc-start.c:308
    #6  0x000055555556d45e in _start ()
    gdb-peda$

Tag

#ubuntu