NULL Pointer Dereference in gpac/gpac

Valid

Reported on

Jan 18th 2022


Description

Null Pointer Dereference in gf_dump_vrml_field.isra ()

Proof of Concept

MP4Box -bt POC2

POC2 is here.

Bt

Program received signal SIGSEGV, Segmentation fault.
0x0000000000644ca4 in gf_dump_vrml_field.isra ()
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────────────────────────────
 RAX  0x1
 RBX  0x1
 RCX  0x0
 RDX  0x0
 RDI  0xf3a100 ◂— 0x0
 RSI  0xc6a6e6 ◂— 0x7365445f5345005b /* '[' */
 R8   0x1
 R9   0x1
 R10  0xfffffff9
 R11  0xf392a0 ◂— 0x30646c6569665f /* '_field0' */
 R12  0x0
 R13  0xf38710 —▸ 0xf2d950 ◂— 0x0
 R14  0x0
 R15  0x3b
 RBP  0xf39960 —▸ 0xf399b0 ◂— 0x100010001
 RSP  0x7fffffff70c0 —▸ 0xf392a0 ◂— 0x30646c6569665f /* '_field0' */
 RIP  0x644ca4 (gf_dump_vrml_field.isra+1332) ◂— mov    edi, dword ptr [r12]
─────────────────────────────────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────────────────────────────────
 ► 0x644ca4 <gf_dump_vrml_field.isra+1332>    mov    edi, dword ptr [r12]
   0x644ca8 <gf_dump_vrml_field.isra+1336>    lea    rbx, [rsp + 0x20]
   0x644cad <gf_dump_vrml_field.isra+1341>    test   edi, edi
   0x644caf <gf_dump_vrml_field.isra+1343>    je     gf_dump_vrml_field.isra+1432                      <gf_dump_vrml_field.isra+1432>
    ↓
   0x644d08 <gf_dump_vrml_field.isra+1432>    mov    esi, dword ptr [r13 + 0x30]
   0x644d0c <gf_dump_vrml_field.isra+1436>    mov    rdi, qword ptr [r13 + 0x10]
   0x644d10 <gf_dump_vrml_field.isra+1440>    test   esi, esi
   0x644d12 <gf_dump_vrml_field.isra+1442>    je     gf_dump_vrml_field.isra+1840                      <gf_dump_vrml_field.isra+1840>
    ↓
   0x644ea0 <gf_dump_vrml_field.isra+1840>    xor    eax, eax
   0x644ea2 <gf_dump_vrml_field.isra+1842>    lea    rsi, [rip + 0x5f4fd3]
   0x644ea9 <gf_dump_vrml_field.isra+1849>    call   gf_fprintf                      <gf_fprintf>
──────────────────────────────────────────────────────────────────────────[ STACK ]──────────────────────────────────────────────────────────────────────────
00:0000rsp 0x7fffffff70c0 —▸ 0xf392a0 ◂— 0x30646c6569665f /* '_field0' */
01:00080x7fffffff70c8 ◂— 0x40b8270500000038 /* '8' */
02:00100x7fffffff70d0 —▸ 0xf3b210 ◂— 0x0
03:00180x7fffffff70d8 —▸ 0xf3b210 ◂— 0x0
04:00200x7fffffff70e0 —▸ 0xf387d0 —▸ 0xf37f10 ◂— 0x0
05:00280x7fffffff70e8 —▸ 0x7fffffff7114 ◂— 0xf38ab000000001
06:00300x7fffffff70f0 ◂— 0x0
07:00380x7fffffff70f8 ◂— 0x2
────────────────────────────────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────────────────────────────────
 ► f 0         0x644ca4 gf_dump_vrml_field.isra+1332
   f 1         0x6459ce gf_dump_vrml_node+1566
   f 2         0x642039 gf_sm_dump_command_list+873
   f 3         0x64908d gf_sm_dump+797
   f 4         0x41b5d8 dump_isom_scene+616
   f 5         0x4125ec mp4boxMain+9228
   f 6         0xb59600 __libc_start_main+1168

We are processing your report and will contact the gpac team within 24 hours. 7 months ago
We have contacted a member of the gpac team and are waiting to hear back 7 months ago
zfeixq
7 months ago

Researcher


Hello, This bug seems to have been fixed on github, and the maintainer seems to have forgotten to click verify on huntr. Thank you.

We have sent a follow up to the gpac team. We will try again in 7 days. 7 months ago
gpac/gpac maintainer
7 months ago

Maintainer


That's correct, see https://github.com/gpac/gpac/issues/2055.

gpac/gpac maintainer validated this vulnerability 7 months ago
zfeixq has been awarded the disclosure bounty
The fix bounty is now up for grabs
gpac/gpac maintainer confirmed that a fix has been merged on 9f8510 7 months ago
The fix bounty has been dropped
to join this conversation