NULL Pointer Dereference in function xml_sax_append_string in gpac/gpac

Valid

Reported on

May 26th 2023


Description

NULL Pointer Dereference In utils/xml_parser.c:963

Environment

No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04 LTS
Release:    20.04
Codename:   focal

Version

MP4Box - GPAC version 2.3-DEV-rev293-g56eed04c2-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    MINI build (encoders, decoders, audio and video output disabled)

Please cite our work in your research:
    GPAC Filters: https://doi.org/10.1145/3339825.3394929
    GPAC: https://doi.org/10.1145/1291233.1291452

Build

sudo CC=gcc CXX=g++ CFLAGS="-fsanitize=address -static-libasan" CXXFLAGS="-fsanitize=address -static-libasan" LDFLAGS="-fsanitize=address -static-libasan" ./configure && sudo make

Proof of Concept

./MP4Box -bin ./gpac_null_ptr_poc

poc is here

ASAN

./MP4Box -bin ./gpac_null_ptr_poc                                             
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1568303==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f8c0e58e6e5 bp 0x7ffcbc50b160 sp 0x7ffcbc50a8d8 T0)
==1568303==The signal is caused by a READ memory access.
==1568303==Hint: address points to the zero page.
    #0 0x7f8c0e58e6e4  (/lib/x86_64-linux-gnu/libc.so.6+0x1886e4)
    #1 0x55eab7ceabdb in __interceptor_strlen.part.0 (/home/hack/fuzz/asan_bin/bin/MP4Box+0x62bdb)
    #2 0x7f8c0e879735 in gf_xml_sax_parse_intern (../lib/libgpac.so.12+0xcc735)
    #3 0x7f8c0e879b94 in gf_xml_sax_parse (../lib/libgpac.so.12+0xccb94)
    #4 0x7f8c0e879c32 in xml_sax_read_file.part.0 (../lib/libgpac.so.12+0xccc32)
    #5 0x7f8c0e879f26 in gf_xml_sax_parse_file (../lib/libgpac.so.12+0xccf26)
    #6 0x7f8c0e87af62 in gf_xml_dom_parse (../lib/libgpac.so.12+0xcdf62)
    #7 0x55eab7dd34f4 in xml_bs_to_bin (/home/hack/fuzz/asan_bin/bin/MP4Box+0x14b4f4)
    #8 0x55eab7de37cc in mp4box_main (/home/hack/fuzz/asan_bin/bin/MP4Box+0x15b7cc)
    #9 0x7f8c0e42a082 in __libc_start_main ../csu/libc-start.c:308
    #10 0x55eab7ca5e1d in _start (/home/hack/fuzz/asan_bin/bin/MP4Box+0x1de1d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x1886e4) 
==1568303==ABORTING
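The frames above show `strlen` being reached from `gf_xml_sax_parse_intern` with a NULL argument (ASAN's "address points to the zero page"). As an added illustration, not gpac's code, the block below models the parser's growable line-buffer append with a NULL guard in front of `strlen`; `sax_buf_t` and `sax_append_string` are hypothetical names, and the input fragments are constructed.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Simplified stand-in for the parser's growable line buffer (not GPAC's struct). */
typedef struct {
    char  *buffer;
    size_t line_size;   /* bytes currently used, excluding the terminator */
    size_t alloc_size;  /* bytes allocated */
} sax_buf_t;

/* Append `string` to the line buffer, growing it as needed.
 * Returns 0 on success, -1 if `string` is NULL (the case in the trace:
 * strlen(NULL) reads from the zero page), -2 on allocation failure. */
int sax_append_string(sax_buf_t *p, const char *string)
{
    if (string == NULL) return -1;            /* guard: never strlen() a NULL */

    size_t nl_size = strlen(string);
    if (nl_size == 0) return 0;               /* nothing to add */

    size_t needed = p->line_size + nl_size + 1;
    if (p->alloc_size < needed) {
        size_t new_size = (needed + 3) / 4 * 4; /* round up to 4 bytes */
        char *nb = realloc(p->buffer, new_size);
        if (nb == NULL) return -2;
        p->buffer = nb;
        p->alloc_size = new_size;
    }
    memcpy(p->buffer + p->line_size, string, nl_size);
    p->line_size += nl_size;
    p->buffer[p->line_size] = '\0';
    return 0;
}

void sax_buf_free(sax_buf_t *p) { free(p->buffer); p->buffer = NULL; p->line_size = p->alloc_size = 0; }

int main(void)
{
    sax_buf_t p = {0};
    /* constructed input: two fragments, then the NULL the crashing path passed */
    sax_append_string(&p, "<?xml ");
    sax_append_string(&p, "version=\"1.0\"?>");
    int rc = sax_append_string(&p, NULL);
    printf("buffer=\"%s\" rc_for_null=%d\n", p.buffer, rc);
    sax_buf_free(&p);
    return 0;
}
```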

Impact

This vulnerability can crash MP4Box. An attacker who successfully exploits it could potentially execute arbitrary code in the context of the application, leading to a compromise of the system where the vulnerable software is installed. The attacker could also use it to cause a denial of service (DoS) by crashing the application or making it unresponsive. It therefore poses a significant risk to the confidentiality, integrity, and availability of systems running the affected software.

Occurrences

NULL Pointer

References

gpac/gpac maintainer, 4 months ago: https://github.com/gpac/gpac/issues/2480

gpac/gpac maintainer validated this vulnerability 4 months ago
Sumisca has been awarded the disclosure bounty
gpac/gpac maintainer marked this as fixed in 2.2.2 with commit 53387a 4 months ago
This vulnerability has been assigned a CVE
gpac/gpac maintainer published this vulnerability 4 months ago
xml_parser.c#L971 has been validated