Null Pointer Dereference Caused Segmentation Fault in gpac/gpac

Valid

Reported on

Sep 7th 2022


Description

A null pointer dereference causes a segmentation fault. This can be used for a denial-of-service attack.

Proof of Concept

MP4Box -bt POC2

POC2 is here

ASAN

[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent minf
[iso file] Missing DataInformationBox
[iso file] Unknown box type 0000 in parent moov
[iso file] Read Box type 0000 (0x30303030) at position 11542 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
[iso file] Box "moov" (start 20) has 806 extra bytes
[iso file] Unknown top-level box type 0000
[iso file] Incomplete box 0000 - start 12356 size 808358436
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent minf
[iso file] Missing DataInformationBox
[iso file] Unknown box type 0000 in parent moov
[iso file] Read Box type 0000 (0x30303030) at position 11542 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
[iso file] Box "moov" (start 20) has 806 extra bytes
[iso file] Unknown top-level box type 0000
[iso file] Incomplete box 0000 - start 12356 size 808358436
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 BIFS Scene Parsing
[ODF] Reading bifs config: shift in sizes (not supported)
[MP4 Loading] Unable to fetch sample 38 from track ID 8 - aborting track import
Scene loaded - dumping 1 systems streams
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3153324==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f5d7e0021cc bp 0x7ffe564cd210 sp 0x7ffe564cd0a0 T0)
==3153324==The signal is caused by a READ memory access.
==3153324==Hint: address points to the zero page.
    #0 0x7f5d7e0021cc in gf_dump_vrml_sffield /root/gpac/src/scene_manager/scene_dump.c:540:34
    #1 0x7f5d7e000ead in gf_dump_vrml_simple_field /root/gpac/src/scene_manager/scene_dump.c:775:3
    #2 0x7f5d7dfd5ef8 in DumpXReplace /root/gpac/src/scene_manager/scene_dump.c:2291:3
    #3 0x7f5d7dfd5ef8 in gf_sm_dump_command_list /root/gpac/src/scene_manager/scene_dump.c:2901:8
    #4 0x7f5d7dffd39c in gf_sm_dump /root/gpac/src/scene_manager/scene_dump.c:3519:9
    #5 0x545897 in dump_isom_scene /root/gpac/applications/mp4box/filedump.c:217:7
    #6 0x51c3f2 in mp4box_main /root/gpac/applications/mp4box/mp4box.c:6344:7
    #7 0x7f5d7c74d082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #8 0x429b8d in _start (/root/gpac/bin/gcc/MP4Box+0x429b8d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/gpac/src/scene_manager/scene_dump.c:540:34 in gf_dump_vrml_sffield
==3153324==ABORTING
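The sanitizer output above carries everything needed to triage the crash without re-running it: the signal type, the faulting address (the zero page, hence a null dereference), the access type (READ) and the top stack frame. The following is an added example, not part of the report or of the gpac code base: a small parser that turns such ASAN output into a crash bucket, so a fuzzing harness can separate null-pointer dereferences from wild pointer accesses and deduplicate findings by faulting function and line. The first sample is a constructed excerpt mirroring the output quoted above; the second sample, with the function `example_write_path` and file `example.c`, is entirely constructed to show the non-null case.

```python
"""Triage helper for AddressSanitizer SEGV reports (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: an excerpt shaped like the ASAN output quoted in the report.
SAMPLE_ASAN = """\
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3153324==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f5d7e0021cc bp 0x7ffe564cd210 sp 0x7ffe564cd0a0 T0)
==3153324==The signal is caused by a READ memory access.
==3153324==Hint: address points to the zero page.
    #0 0x7f5d7e0021cc in gf_dump_vrml_sffield /root/gpac/src/scene_manager/scene_dump.c:540:34
    #1 0x7f5d7e000ead in gf_dump_vrml_simple_field /root/gpac/src/scene_manager/scene_dump.c:775:3
    #2 0x7f5d7dfd5ef8 in DumpXReplace /root/gpac/src/scene_manager/scene_dump.c:2291:3
SUMMARY: AddressSanitizer: SEGV /root/gpac/src/scene_manager/scene_dump.c:540:34 in gf_dump_vrml_sffield
==3153324==ABORTING
"""

# Constructed sample: a WRITE to a non-null address in a hypothetical program.
SAMPLE_WILD_WRITE = """\
==4242==ERROR: AddressSanitizer: SEGV on unknown address 0x7f12deadbee0 (pc 0x000000401234 bp 0x000000000000 sp 0x7ffd00000000 T0)
==4242==The signal is caused by a WRITE memory access.
    #0 0x401234 in example_write_path /tmp/example.c:12:5
SUMMARY: AddressSanitizer: SEGV /tmp/example.c:12:5 in example_write_path
==4242==ABORTING
"""

ERROR_RE = re.compile(
    r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on (?:unknown )?address 0x(?P<addr>[0-9a-f]+)"
)
ACCESS_RE = re.compile(r"The signal is caused by a (?P<access>READ|WRITE|UNKNOWN) memory access")
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)")


@dataclass
class Frame:
    index: int
    function: str
    location: str  # "file:line:col" for symbolized frames, "(module+offset)" otherwise


@dataclass
class AsanReport:
    kind: str            # SEGV, heap-buffer-overflow, ...
    address: int         # faulting address
    access: Optional[str]
    frames: List[Frame] = field(default_factory=list)

    @property
    def is_null_deref(self) -> bool:
        # Same heuristic ASAN uses for its "zero page" hint: a fault inside the
        # first page is a null pointer (possibly plus a small field offset).
        return self.kind == "SEGV" and self.address < 0x1000


def parse_asan(text: str) -> AsanReport:
    """Extract kind, address, access type and the faulting stack from ASAN output."""
    m = ERROR_RE.search(text)
    if not m:
        raise ValueError("no AddressSanitizer ERROR line found")
    access_m = ACCESS_RE.search(text)
    report = AsanReport(
        kind=m.group("kind"),
        address=int(m.group("addr"), 16),
        access=access_m.group("access") if access_m else None,
    )
    for line in text.splitlines():
        fm = FRAME_RE.match(line)
        if fm:
            report.frames.append(Frame(int(fm.group("n")), fm.group("func"), fm.group("loc")))
        elif line.startswith("SUMMARY:"):
            break  # only the first (faulting) stack matters for bucketing
    return report


def bucket(report: AsanReport) -> str:
    """Stable crash bucket: kind, null/wild, access type, top function and file:line."""
    top = report.frames[0] if report.frames else Frame(0, "<unknown>", "<unknown>")
    loc = top.location
    if loc.count(":") >= 2:
        loc = loc.rsplit(":", 1)[0]  # drop the column: it changes with formatting, not with the bug
    loc = loc.split("/")[-1]         # drop the build path so buckets match across machines
    flavour = "null" if report.is_null_deref else "wild"
    return f"{report.kind}/{flavour}-{report.access or 'UNKNOWN'}/{top.function}/{loc}"


if __name__ == "__main__":
    for sample in (SAMPLE_ASAN, SAMPLE_WILD_WRITE):
        r = parse_asan(sample)
        print(bucket(r), "frames:", len(r.frames))
```

For the quoted report this yields the bucket `SEGV/null-READ/gf_dump_vrml_sffield/scene_dump.c:540`, which is the key a harness would use to decide whether a new crash on a rebuilt binary (as the researcher tries below) is the same finding or a different one.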

Impact

This vulnerability can be used to cause a denial of service.

We are processing your report and will contact the gpac team within 24 hours. 16 days ago
We have contacted a member of the gpac team and are waiting to hear back 15 days ago
We have sent a follow up to the gpac team. We will try again in 7 days. 12 days ago
gpac/gpac maintainer validated this vulnerability 11 days ago
wjhwjhn has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
gpac/gpac maintainer confirmed that a fix has been merged on 4c7730 11 days ago
The fix bounty has been dropped
wjhwjhn
11 days ago

Researcher


Hi @admin, may I have a CVE for this? Thanks!

Jamie Slome
11 days ago

Admin


We just need to get the go-ahead from the maintainer before we can assign and publish a CVE for this report :)

@maintainer - ?

wjhwjhn
8 days ago

Researcher


@admin @maintainer I git-cloned the latest version, but I can still trigger the segmentation fault. I thought this commit might not solve the bug; please let me know if I am wrong, thanks.
