Null Pointer Dereference Caused Segmentation Fault in gpac/gpac
Valid
Reported on Jul 23rd 2022
Description
A null pointer dereference causes a segmentation fault in gf_dump_vrml_simple_field (reached from DumpXReplace while MP4Box -bt dumps the BIFS scene of a crafted file). This can be used for a denial-of-service attack.
Version
smlijun@ubuntu:~/gpac_asan/bin/gcc$ ./MP4Box -version
MP4Box - GPAC version 2.1-DEV-rev243-gf87b12b32-master
(c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration:
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB GPAC_DISABLE_3D
Proof of Concept
PoC is available here.
ASan Log
smlijun@ubuntu:~/gpac_asan/bin/gcc$ ./MP4Box -bt ../../../gpac/bin/gcc/poc
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent minf
[iso file] Missing DataInformationBox
[iso file] Unknown box type 0000 in parent moov
[iso file] Read Box type 0000 (0x30303030) at position 11542 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
[iso file] Box "moov" (start 20) has 806 extra bytes
[iso file] Unknown top-level box type 0000
[iso file] Incomplete box 0000 - start 12356 size 808358436
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent minf
[iso file] Missing DataInformationBox
[iso file] Unknown box type 0000 in parent moov
[iso file] Read Box type 0000 (0x30303030) at position 11542 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
[iso file] Box "moov" (start 20) has 806 extra bytes
[iso file] Unknown top-level box type 0000
[iso file] Incomplete box 0000 - start 12356 size 808358436
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 BIFS Scene Parsing
[ODF] Reading bifs config: shift in sizes (not supported)
[MP4 Loading] Unable to fetch sample 38 from track ID 8 - aborting track import
Scene loaded - dumping 1 systems streams
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3541124==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fa63fcdc018 bp 0x60b0000007d0 sp 0x7fff0a6821a0 T0)
==3541124==The signal is caused by a READ memory access.
==3541124==Hint: address points to the zero page.
#0 0x7fa63fcdc017 in gf_dump_vrml_simple_field.isra.0 (/home/smlijun/gpac_asan/bin/gcc/libgpac.so.12+0x38f017)
#1 0x7fa63fcdcc1b in DumpXReplace (/home/smlijun/gpac_asan/bin/gcc/libgpac.so.12+0x38fc1b)
#2 0x7fa63fcd728a in gf_sm_dump_command_list (/home/smlijun/gpac_asan/bin/gcc/libgpac.so.12+0x38a28a)
#3 0x7fa63fcde00c in gf_sm_dump (/home/smlijun/gpac_asan/bin/gcc/libgpac.so.12+0x39100c)
#4 0x559fd823f0b7 in dump_isom_scene (/home/smlijun/gpac_asan/bin/gcc/MP4Box+0x340b7)
#5 0x559fd8234b50 in mp4box_main (/home/smlijun/gpac_asan/bin/gcc/MP4Box+0x29b50)
#6 0x7fa63f77f082 in __libc_start_main ../csu/libc-start.c:308
#7 0x559fd822458d in _start (/home/smlijun/gpac_asan/bin/gcc/MP4Box+0x1958d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/smlijun/gpac_asan/bin/gcc/libgpac.so.12+0x38f017) in gf_dump_vrml_simple_field.isra.0
==3541124==ABORTING
Impact
This vulnerability allows a denial of service: a crafted file crashes MP4Box (in libgpac's scene dump path, gf_sm_dump) when its BIFS scene is dumped.
We are processing your report and will contact the gpac team within 24 hours.
11 days ago
We have contacted a member of the gpac team and are waiting to hear back
10 days ago
@maintainer - are you happy for a CVE to be assigned and published for this?
Yes. You are asking us the same question for each report; would it be possible to store somewhere that we agree with submitting CVEs whenever appropriate?
I've assigned a CVE for this report.
Regarding future reports, I will just proceed to assign and publish CVEs 👍