There are 6 NULL Pointer Dereference vulnerabilities in MP4Box in gpac/gpac
Reported on Aug 18th 2023
NULL Pointer Dereference in function utils/xml_parser.c:1038
Description
NULL Pointer Dereference in function utils/xml_parser.c:1038
Environment
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04 LTS
Release: 20.04
Codename: focal
Version
MP4Box - GPAC version 2.3-DEV-rev478-g892852666-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
Build
sudo CC=gcc CXX=g++ CFLAGS="-fsanitize=address -static-libasan" CXXFLAGS="-fsanitize=address -static-libasan" LDFLAGS="-fsanitize=address -static-libasan" ./configure && sudo make
Proof of Concept
MP4Box -bin ./poc_null_ptr0x1
PoC is here!
ASAN
==2465170==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fe7119f76f5 bp 0x7ffcfd8279d0 sp 0x7ffcfd827148 T0)
==2465170==The signal is caused by a READ memory access.
==2465170==Hint: address points to the zero page.
#0 0x7fe7119f76f4 (/lib/x86_64-linux-gnu/libc.so.6+0x1886f4)
#1 0x55ee5c88337b in __interceptor_strlen.part.0 (/home/hack/github_work/Fuzzing_gpac/asan_bin/bin/MP4Box+0xb137b)
#2 0x7fe711e7e08e in gf_xml_sax_parse_intern (/home/hack/github_work/Fuzzing_gpac/asan_bin/lib/libgpac.so.12+0x25b08e)
#3 0x7fe711e7e5a4 in gf_xml_sax_parse (/home/hack/github_work/Fuzzing_gpac/asan_bin/lib/libgpac.so.12+0x25b5a4)
#4 0x7fe711e7e642 in xml_sax_read_file.part.0 (/home/hack/github_work/Fuzzing_gpac/asan_bin/lib/libgpac.so.12+0x25b642)
#5 0x7fe711e7e936 in gf_xml_sax_parse_file (/home/hack/github_work/Fuzzing_gpac/asan_bin/lib/libgpac.so.12+0x25b936)
#6 0x7fe711e7f972 in gf_xml_dom_parse (/home/hack/github_work/Fuzzing_gpac/asan_bin/lib/libgpac.so.12+0x25c972)
#7 0x55ee5c96bd54 in xml_bs_to_bin (/home/hack/github_work/Fuzzing_gpac/asan_bin/bin/MP4Box+0x199d54)
#8 0x55ee5c97c04c in mp4box_main (/home/hack/github_work/Fuzzing_gpac/asan_bin/bin/MP4Box+0x1aa04c)
#9 0x7fe711893082 in __libc_start_main ../csu/libc-start.c:308
#10 0x55ee5c83e5bd in _start (/home/hack/github_work/Fuzzing_gpac/asan_bin/bin/MP4Box+0x6c5bd)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x1886f4)
==2465170==ABORTING
NULL Pointer Dereference in function filters/dasher.c:8146
Description
NULL Pointer Dereference in function filters/dasher.c:8146
Environment
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04 LTS
Release: 20.04
Codename: focal
Version
MP4Box - GPAC version 2.3-DEV-rev478-g892852666-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
Build
./configure --enable-sanitizer && make lib -j 20 && make apps -j 20 && sudo make install -j 20
Proof of Concept
MP4Box -dash-live 1000 ./poc_null_ptr0x2.bt
PoC is here!
Sanitizer
Couldn't find any modules in lib path /home/hack/github_work/Fuzzing_gpac/sanitizer_bin/lib/gpac
Couldn't find any modules in HOME path (app path /home/hack/.gpac/modules)
[Core] default modules directory not found
Couldn't find any modules in lib path /home/hack/github_work/Fuzzing_gpac/sanitizer_bin/lib/gpac
Couldn't find any modules in HOME path (app path /home/hack/.gpac/modules)
Live DASH-ing - press 'q' to quit, 's' to save context and quit
[Dasher] No template assigned, using $File$_dash$FS$$Number$
[Dasher] No template assigned, using $File$_dash$FS$$Number$
Failed to connect filter btplay PID poc_null_ptr0x2.bt to filter dasher: Feature Not Supported
Blacklisting dasher as output from btplay and retrying connections
BT: MPEG-4 Scene Parsing
[Dasher] No bitrate property assigned to PID vout, computing from bitstream
[Dasher] MPD Availability start time initialized to 1692432805329 ms
Slept for 0 ms before generation, dash cumulated time 38
[Dasher] Loop requested in subdur mode, but source cannot seek, defaulting to multi period for all streams
filters/dasher.c:8146:50: runtime error: member access within null pointer of type 'struct GF_MPD_Period'
NULL Pointer Dereference in function utils/alloc.c:170
Description
NULL Pointer Dereference in function utils/alloc.c:170
Environment
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04 LTS
Release: 20.04
Codename: focal
Version
MP4Box - GPAC version 2.3-DEV-rev478-g892852666-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
Build
./configure --enable-sanitizer && make lib -j 20 && make apps -j 20 && sudo make install -j 20
Proof of Concept
MP4Box -dash-live 1000 ./poc_null_ptr0x3
PoC is here!
Sanitizer
Couldn't find any modules in lib path /home/hack/github_work/Fuzzing_gpac/sanitizer_bin/lib/gpac
Couldn't find any modules in HOME path (app path /home/hack/.gpac/modules)
[Core] default modules directory not found
Couldn't find any modules in lib path /home/hack/github_work/Fuzzing_gpac/sanitizer_bin/lib/gpac
Couldn't find any modules in HOME path (app path /home/hack/.gpac/modules)
Live DASH-ing - press 'q' to quit, 's' to save context and quit
[Dasher] No template assigned, using $File$_dash$FS$$Number$
[Dasher] MPD Availability start time initialized to 1692432844285 ms
utils/alloc.c:170:2: runtime error: null pointer passed as argument 1, which is declared to never be null
NULL Pointer Dereference in function filters/dasher.c:6332
Description
NULL Pointer Dereference in function filters/dasher.c:6332
Environment
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04 LTS
Release: 20.04
Codename: focal
Version
MP4Box - GPAC version 2.3-DEV-rev478-g892852666-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
Build
./configure --enable-sanitizer && make lib -j 20 && make apps -j 20 && sudo make install -j 20
Proof of Concept
MP4Box -dash-live 1000 ./poc_null_ptr0x4
PoC is here!
Sanitizer
Couldn't find any modules in lib path /home/hack/github_work/Fuzzing_gpac/sanitizer_bin/lib/gpac
Couldn't find any modules in HOME path (app path /home/hack/.gpac/modules)
[Core] default modules directory not found
Couldn't find any modules in lib path /home/hack/github_work/Fuzzing_gpac/sanitizer_bin/lib/gpac
Couldn't find any modules in HOME path (app path /home/hack/.gpac/modules)
Live DASH-ing - press 'q' to quit, 's' to save context and quit
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[Dasher] No template assigned, using $File$_dash$FS$$Number$
[Dasher] Input /home/hack/github_work/POCs/gpac/poc_null_ptr0x4: max audio duration 1007616/33598532 in the period is less than duration 2052000/90000, clamping will happen
[Dasher] MPD Availability start time initialized to 1692433068742 ms
[MPD] Generating MPD at time 2023-08-19T08:17:48.746Z
[Dasher] updated period DID1 duration 1 MPD time 1
[Dasher] updated period DID1 duration 29 MPD time 29
[Dasher] updated period DID1 duration 29 MPD time 29
[Dasher] updated period DID1 duration 29 MPD time 29
[MPD] Generating MPD at time 2023-08-19T08:17:48.776Z
[Dasher] Broken muxer, received segment size info event but no pending segments
Slept for 0 ms before generation, dash cumulated time 74
[Dasher] Input /home/hack/github_work/POCs/gpac/poc_null_ptr0x4: max audio duration 1007616/33598532 in the period is less than duration 2052000/90000, clamping will happen
[Dasher] updated period DID1 duration 29 MPD time 29
[MPD] Generating MPD at time 2023-08-19T08:17:48.783Z
[Dasher] End of Period DID1
filters/dasher.c:6332:6: runtime error: null pointer passed as argument 1, which is declared to never be null
NULL Pointer Dereference in function filters/dasher.c:7389
Description
NULL Pointer Dereference in function filters/dasher.c:7389
Environment
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04 LTS
Release: 20.04
Codename: focal
Version
MP4Box - GPAC version 2.3-DEV-rev478-g892852666-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
Build
./configure --enable-sanitizer && make lib -j 20 && make apps -j 20 && sudo make install -j 20
Proof of Concept
MP4Box -dash-live 1000 ./poc_null_ptr0x5
PoC is here!
Sanitizer
Couldn't find any modules in lib path /home/hack/github_work/Fuzzing_gpac/sanitizer_bin/lib/gpac
Couldn't find any modules in HOME path (app path /home/hack/.gpac/modules)
[Core] default modules directory not found
Couldn't find any modules in lib path /home/hack/github_work/Fuzzing_gpac/sanitizer_bin/lib/gpac
Couldn't find any modules in HOME path (app path /home/hack/.gpac/modules)
Live DASH-ing - press 'q' to quit, 's' to save context and quit
[iso file] extra box maxr found in hinf, deleting
[iso file] Read Box type 00000000 (0x00000000) at position 5214 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
[iso file] Box "moov" (start 20) has 6273 extra bytes
[iso file] Unknown top-level box type 000001
[iso file] Unknown top-level box type 00011D00
[iso file] Unknown top-level box type 0904F08
[Dasher] No template assigned, using $File$_dash$FS$$Number$
[IsoMedia] Track #1 fail to fetch sample 1 / 342: Bad Parameter
[Dasher] MPD Availability start time initialized to 1692433170122 ms
Slept for 0 ms before generation, dash cumulated time 42
filters/dasher.c:7389:43: runtime error: member access within null pointer of type 'struct GF_MPD_Period'
NULL Pointer Dereference in function filter_core/filter_pck.c:434
Description
NULL Pointer Dereference in function filter_core/filter_pck.c:434
Environment
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04 LTS
Release: 20.04
Codename: focal
Version
MP4Box - GPAC version 2.3-DEV-rev478-g892852666-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
Build
./configure --enable-sanitizer && make lib -j 20 && make apps -j 20 && sudo make install -j 20
Proof of Concept
MP4Box -dash 1000 ./poc_null_ptr0x6.mp4
PoC is here!
Sanitizer
Couldn't find any modules in lib path /home/hack/github_work/Fuzzing_gpac/sanitizer_bin/lib/gpac
Couldn't find any modules in HOME path (app path /home/hack/.gpac/modules)
[Core] default modules directory not found
Couldn't find any modules in lib path /home/hack/github_work/Fuzzing_gpac/sanitizer_bin/lib/gpac
Couldn't find any modules in HOME path (app path /home/hack/.gpac/modules)
[iso file] Found stts entry with sample_delta=0 - forbidden ! Fixing to 1
[Dasher] No template assigned, using $File$_dash$FS$$Number$
[MP4Mux] muxing unknown codec ID Codec Not Supported, using generic sample entry with 4CC "000000FF"
filter_core/filter_pck.c:434:6: runtime error: member access within null pointer of type 'struct GF_FilterPid'
Impact
These vulnerabilities are capable of causing a denial of service (MP4Box crashes when processing the crafted input files).
Thanks for reporting. Let us analyze the issues. If the 6 are confirmed, please do what's usual w.r.t. CVEs as we are no security experts.
https://github.com/gpac/gpac/issues/2563
Thank you for your response. I will patiently await the results of your analysis. If these 6 issues are confirmed as vulnerabilities, I agree to follow the standard CVE handling process. If you need any additional information or support, please feel free to reach out to me. Thank you for your time and attention!