Null Pointer Dereference Caused Segmentation Fault in gpac/gpac
Valid
Reported on
Sep 7th 2022
Description
A null pointer dereference causes a segmentation fault, which can be used for a denial-of-service attack.
Proof of Concept
MP4Box -bt POC2
POC2 is here
ASAN
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent minf
[iso file] Missing DataInformationBox
[iso file] Unknown box type 0000 in parent moov
[iso file] Read Box type 0000 (0x30303030) at position 11542 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
[iso file] Box "moov" (start 20) has 806 extra bytes
[iso file] Unknown top-level box type 0000
[iso file] Incomplete box 0000 - start 12356 size 808358436
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent minf
[iso file] Missing DataInformationBox
[iso file] Unknown box type 0000 in parent moov
[iso file] Read Box type 0000 (0x30303030) at position 11542 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
[iso file] Box "moov" (start 20) has 806 extra bytes
[iso file] Unknown top-level box type 0000
[iso file] Incomplete box 0000 - start 12356 size 808358436
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 BIFS Scene Parsing
[ODF] Reading bifs config: shift in sizes (not supported)
[MP4 Loading] Unable to fetch sample 38 from track ID 8 - aborting track import
Scene loaded - dumping 1 systems streams
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3153324==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f5d7e0021cc bp 0x7ffe564cd210 sp 0x7ffe564cd0a0 T0)
==3153324==The signal is caused by a READ memory access.
==3153324==Hint: address points to the zero page.
#0 0x7f5d7e0021cc in gf_dump_vrml_sffield /root/gpac/src/scene_manager/scene_dump.c:540:34
#1 0x7f5d7e000ead in gf_dump_vrml_simple_field /root/gpac/src/scene_manager/scene_dump.c:775:3
#2 0x7f5d7dfd5ef8 in DumpXReplace /root/gpac/src/scene_manager/scene_dump.c:2291:3
#3 0x7f5d7dfd5ef8 in gf_sm_dump_command_list /root/gpac/src/scene_manager/scene_dump.c:2901:8
#4 0x7f5d7dffd39c in gf_sm_dump /root/gpac/src/scene_manager/scene_dump.c:3519:9
#5 0x545897 in dump_isom_scene /root/gpac/applications/mp4box/filedump.c:217:7
#6 0x51c3f2 in mp4box_main /root/gpac/applications/mp4box/mp4box.c:6344:7
#7 0x7f5d7c74d082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
#8 0x429b8d in _start (/root/gpac/bin/gcc/MP4Box+0x429b8d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/gpac/src/scene_manager/scene_dump.c:540:34 in gf_dump_vrml_sffield
==3153324==ABORTING
Impact
This vulnerability can be used for denial of service: a crafted input file crashes MP4Box while it dumps the scene.
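As an added illustration that is not GPAC's code (the real gf_dump_vrml_sffield has a different signature and field layout), the C program below models the failure class shown in the trace: a scene-dump routine that prints one VRML/BIFS single-value field by dereferencing a pointer stored in the field without checking it, next to a hardened version that checks every pointer first. The type and function names (sf_field_t, dump_sffield_unsafe, dump_sffield_safe), the far_ptr/buffer naming modelled on GPAC's field structures, and the sample fields are all constructed for this example.

```c
/* Illustrative example, not GPAC code: a minimal model of a scene-dump
 * routine for single-value fields and of the NULL-check it needs. */
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>
#include <string.h>

typedef enum { SF_INT32, SF_STRING, SF_VEC2F } sf_type_t;

typedef struct { char *buffer; } sf_string_t;   /* modelled on a VRML SFString */
typedef struct { float x, y; } sf_vec2f_t;

typedef struct {
    sf_type_t type;
    void *far_ptr;   /* storage for the value; NULL when the field was never filled */
} sf_field_t;

/* Vulnerable form: assumes far_ptr and, for SFString, buffer are always valid.
 * Do not call this with a NULL far_ptr or buffer; it reads address 0. */
int dump_sffield_unsafe(const sf_field_t *f, char *out, size_t outlen)
{
    switch (f->type) {
    case SF_INT32:
        return snprintf(out, outlen, "%d", *(const int32_t *)f->far_ptr);
    case SF_STRING: {
        /* Two unchecked dereferences: far_ptr, then buffer (inside strlen). */
        const char *s = ((const sf_string_t *)f->far_ptr)->buffer;
        size_t len = strlen(s);
        return snprintf(out, outlen, "\"%.*s\"", (int)len, s);
    }
    case SF_VEC2F: {
        const sf_vec2f_t *v = (const sf_vec2f_t *)f->far_ptr;
        return snprintf(out, outlen, "%g %g", v->x, v->y);
    }
    }
    return -1;
}

/* Hardened form: every pointer is checked before it is dereferenced.
 * Returns the number of characters written, or -1 when the field has no value
 * (in which case the literal "NULL" is written so the dump stays readable). */
int dump_sffield_safe(const sf_field_t *f, char *out, size_t outlen)
{
    if (!f || !out || outlen == 0) return -1;
    if (!f->far_ptr) {
        snprintf(out, outlen, "NULL");
        return -1;
    }
    switch (f->type) {
    case SF_INT32:
        return snprintf(out, outlen, "%d", *(const int32_t *)f->far_ptr);
    case SF_STRING: {
        const sf_string_t *s = (const sf_string_t *)f->far_ptr;
        /* An SFString without a buffer is dumped as an empty string, not read. */
        return snprintf(out, outlen, "\"%s\"", s->buffer ? s->buffer : "");
    }
    case SF_VEC2F: {
        const sf_vec2f_t *v = (const sf_vec2f_t *)f->far_ptr;
        return snprintf(out, outlen, "%g %g", v->x, v->y);
    }
    }
    return -1;
}

int main(void)
{
    /* Constructed sample fields; the last two are the shapes that crash the unsafe dumper. */
    int32_t i = 42;
    sf_string_t ok = { "hello" }, missing = { NULL };
    sf_field_t fields[] = {
        { SF_INT32, &i },
        { SF_STRING, &ok },
        { SF_STRING, &missing },   /* buffer is NULL */
        { SF_STRING, NULL },       /* far_ptr is NULL: a read of the zero page */
    };
    char buf[64];
    for (size_t k = 0; k < sizeof fields / sizeof fields[0]; k++) {
        int n = dump_sffield_safe(&fields[k], buf, sizeof buf);
        printf("field %zu -> %s (rc=%d)\n", k, buf, n);
    }
    return 0;
}
```

Building this with -fsanitize=address and calling dump_sffield_unsafe on the fourth sample field produces a SEGV on address 0 of the same shape as the report; the safe variant returns -1 and writes NULL instead. A fix in a real dumper wants the same discipline: a NULL value pointer or string buffer means "no value" and is never dereferenced.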
We are processing your report and will contact the gpac team within 24 hours.
a year ago
We have contacted a member of the gpac team and are waiting to hear back.
a year ago
We have sent a follow up to the gpac team. We will try again in 7 days.
a year ago
We just need to get the go-ahead from the maintainer before we can assign and publish a CVE for this report :)
@maintainer - ?
@admin @maintainer I git-cloned the latest version, but I can still trigger the segmentation fault. I thought this commit might not solve the bug; please let me know if I am wrong. Thanks.
Hi @admin, I would like to re-report this issue to the developers; this issue has not been fixed yet.
➜ gcc git:(master) ✗ ./MP4Box -bt POC2
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent minf
[iso file] Missing DataInformationBox
[iso file] Unknown box type 0000 in parent moov
[iso file] Read Box type 0000 (0x30303030) at position 11542 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
[iso file] Box "moov" (start 20) has 806 extra bytes
[iso file] Unknown top-level box type 0000
[iso file] Incomplete box 0000 - start 12356 size 808358436
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent minf
[iso file] Missing DataInformationBox
[iso file] Unknown box type 0000 in parent moov
[iso file] Read Box type 0000 (0x30303030) at position 11542 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
[iso file] Box "moov" (start 20) has 806 extra bytes
[iso file] Unknown top-level box type 0000
[iso file] Incomplete box 0000 - start 12356 size 808358436
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 BIFS Scene Parsing
[ODF] Reading bifs config: shift in sizes (not supported)
[MP4 Loading] Unable to fetch sample 38 from track ID 8 - aborting track import
Scene loaded - dumping 1 systems streams
[1] 8711 segmentation fault (core dumped) ./MP4Box -bt POC2