NULL Pointer Dereference in gpac/gpac

Valid

Reported on

Feb 21st 2022


Description

NULL Pointer Dereference in MP4BOX

Command

MP4Box -info POC6 

POC6 is here.

ASAN result

[iso file] Unknown box type url@ in parent dref
[iso file] Unknown box type traj in parent moov
[iso file] Unknown box type 80rak in parent moov
[iso file] Incomplete box mdat - start 11495 size 901165
[iso file] Incomplete file while reading for dump - aborting parsing
# Movie Info - 4 tracks - TimeScale 90000
Duration 00:00:22.839 (recomputed 00:00:25.004)
Fragmented: no
Progressive (moov before mdat)
Major Brand isom - version 1 - compatible brands:
Created: GMT Wed Sep 14 06:08:31 2078
Modified: GMT Wed Sep 14 06:08:33 2078

File has root IOD (96 bytes)
Scene PL 0xff - Graphics PL 0xff - OD PL 0xff
Visual PL: Simple Profile @ Level 1 (0x01)
Audio PL: High Quality Audio Profile @ Level 2 (0x0f)
1 UDTA types: 
    hnti: 

# Track 1 Info - ID 1 - TimeScale 90000
Media Duration 00:00:22.800 
Track uses external data reference not supported by GPAC!
Track flags: Enabled
Media Info: Language "Undetermined (und)" - Type "vide:mp4v" - 342 samples
Media Data Location: (null)
Visual Sample Entry Info: width=176 height=144 (depth=24 bits)
Visual Track layout: x=0 y=0 width=176 height=144
MPEG-4 Config: Visual Stream - ObjectTypeIndication 0x20
MPEG-4 Visual Size 176 x 144 - Simple Profile @ Level 3
Pixel Aspect Ratio 1:1 - Indicated track size 176 x 144
Synchronized on stream 7
    RFC6381 Codec Parameters: mp4v.20.3
    Average GOP length: 31 samples
    Max sample duration: 6000 / 90000

# Track 2 Info - ID 2 - TimeScale 82064
Media Duration 00:00:25.004 
Track flags: Disabled
Media Info: Language "Undetermined (und)" - Type "hint:rtp " - 342 samples
2 UDTA types: 
    hnti: 
    hanf: isomedia/isom_read.c:2726:22: runtime error: null pointer passed as argument 2, which is declared to never be null
/usr/include/string.h:44:28: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior isomedia/isom_read.c:2726:22 in 

We are processing your report and will contact the gpac team within 24 hours. 3 months ago
zfeixq modified the report
3 months ago
We have contacted a member of the gpac team and are waiting to hear back 3 months ago
We have sent a follow up to the gpac team. We will try again in 7 days. 3 months ago
We have sent a second follow up to the gpac team. We will try again in 10 days. 3 months ago
gpac/gpac maintainer
3 months ago

https://github.com/gpac/gpac/issues/2133

gpac/gpac maintainer validated this vulnerability 2 months ago
zfeixq has been awarded the disclosure bounty
The fix bounty is now up for grabs
gpac/gpac maintainer confirmed that a fix has been merged on 6f37ae 2 months ago
The fix bounty has been dropped