NULL Pointer Dereference in gpac/gpac

Valid

Reported on

May 18th 2023


Description

NULL pointer dereference in gf_isom_fragment_add_sample_ex (isomedia/movie_fragments.c:2883)

Environment

No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04 LTS
Release:    20.04
Codename:   focal

Build

sudo CC=gcc CXX=g++ CFLAGS="-fsanitize=address -static-libasan" CXXFLAGS="-fsanitize=address -static-libasan" LDFLAGS="-fsanitize=address -static-libasan" ./configure && sudo make

Proof of Concept

bin/gcc/MP4Box -dash 1000 ./poc7


ASAN

[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent minf
[iso file] Missing DataInformationBox
[iso file] Unknown box type 0000 in parent moov
[iso file] Read Box type 0000 (0x30303030) at position 11542 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
[iso file] Box "moov" (start 20) has 806 extra bytes
[iso file] Unknown top-level box type 0000
[IsoMedia] Track 1 is disabled but single track in file, considering it enabled
[Dasher] No template assigned, using $File$_dash$FS$$Number$
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3802899==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fc009a6a74c bp 0x000000000000 sp 0x7fff627f5d40 T0)
==3802899==The signal is caused by a READ memory access.
==3802899==Hint: address points to the zero page.
    #0 0x7fc009a6a74b in gf_isom_fragment_add_sample_ex isomedia/movie_fragments.c:2883
    #1 0x7fc00a713f83 in mp4_mux_process_sample filters/mux_isom.c:4742
    #2 0x7fc00a759cd6 in mp4_mux_process_fragmented filters/mux_isom.c:6391
    #3 0x7fc00a759cd6 in mp4_mux_process filters/mux_isom.c:6992
    #4 0x7fc00a375c48 in gf_filter_process_task filter_core/filter.c:2894
    #5 0x7fc00a31f731 in gf_fs_thread_proc filter_core/filter_session.c:1961
    #6 0x7fc00a3378fb in gf_fs_run filter_core/filter_session.c:2263
    #7 0x7fc009b96fdb in gf_dasher_process media_tools/dash_segmenter.c:1236
    #8 0x55ec636cfcad in do_dash /home/ubuntu/gpac/applications/mp4box/mp4box.c:4825
    #9 0x55ec636cfcad in mp4box_main /home/ubuntu/gpac/applications/mp4box/mp4box.c:6236
    #10 0x7fc008eff082 in __libc_start_main ../csu/libc-start.c:308
    #11 0x55ec63561e9d in _start (/home/ubuntu/gpac/bin/gcc/MP4Box+0x1de9d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV isomedia/movie_fragments.c:2883 in gf_isom_fragment_add_sample_ex
==3802899==ABORTING

Impact

This vulnerability is capable of crashing MP4Box. An attacker who can successfully exploit this vulnerability could potentially execute arbitrary code in the context of the application, leading to a compromise of the system where the vulnerable software is installed. Additionally, the attacker could use this vulnerability to cause a denial of service (DoS) by crashing the application or making it unresponsive. This vulnerability poses a significant risk to the confidentiality, integrity, and availability of systems running the affected software.

We are processing your report and will contact the gpac team within 24 hours. 8 days ago
cnitlrt modified the report
8 days ago
cnitlrt modified the report
8 days ago
We have contacted a member of the gpac team and are waiting to hear back 7 days ago
gpac/gpac maintainer
6 days ago

Maintainer


https://github.com/gpac/gpac/issues/2474

We've always been open to CVE reports. However due to recent discussions with Linux distribution maintainers, we need to understand high CVSS. Could you elaborate how you computed your score?

cnitlrt modified the report
4 days ago
cnitlrt modified the report
4 days ago
cnitlrt modified the report
4 days ago
cnitlrt
4 days ago

Researcher


@maintainer I have taken the liberty to re-adjust the CVSS score of this report. Allow me to share the calculation method with you. Firstly, regarding the Attack Vector, I have set it as "local" with a low level of attack complexity. Privileges Required have been assessed as "low", User Interaction as "low", and Scope as "unchanged". Additionally, Confidentiality has been rated as "low", Integrity as "low", and Availability as "low". As a result, the final calculated score amounts to 5.3 points.

gpac/gpac maintainer
3 days ago

Maintainer


Thank you, it looks better to us!

gpac/gpac maintainer validated this vulnerability 3 days ago
cnitlrt has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
gpac/gpac maintainer marked this as fixed in 2.2.2 with commit ba5920 3 days ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
gpac/gpac maintainer published this vulnerability 3 days ago