Null Pointer Dereference Caused Segmentation Fault in gpac/gpac

Valid

Reported on

Jul 23rd 2022


Description

A null pointer dereference in libgpac's scene dumper causes a segmentation fault when MP4Box dumps the BIFS scene of a crafted MP4 file (MP4Box -bt). This can be used for a denial-of-service attack.

Version

smlijun@ubuntu:~/gpac_asan/bin/gcc$ ./MP4Box -version
MP4Box - GPAC version 2.1-DEV-rev243-gf87b12b32-master
(c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
    GPAC Filters: https://doi.org/10.1145/3339825.3394929
    GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: 
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D 

Proof of Concept

PoC is available here.

ASan Log

smlijun@ubuntu:~/gpac_asan/bin/gcc$ ./MP4Box -bt ../../../gpac/bin/gcc/poc 
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent minf
[iso file] Missing DataInformationBox
[iso file] Unknown box type 0000 in parent moov
[iso file] Read Box type 0000 (0x30303030) at position 11542 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
[iso file] Box "moov" (start 20) has 806 extra bytes
[iso file] Unknown top-level box type 0000
[iso file] Incomplete box 0000 - start 12356 size 808358436
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent minf
[iso file] Missing DataInformationBox
[iso file] Unknown box type 0000 in parent moov
[iso file] Read Box type 0000 (0x30303030) at position 11542 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
[iso file] Box "moov" (start 20) has 806 extra bytes
[iso file] Unknown top-level box type 0000
[iso file] Incomplete box 0000 - start 12356 size 808358436
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 BIFS Scene Parsing
[ODF] Reading bifs config: shift in sizes (not supported)
[MP4 Loading] Unable to fetch sample 38 from track ID 8 - aborting track import
Scene loaded - dumping 1 systems streams
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3541124==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fa63fcdc018 bp 0x60b0000007d0 sp 0x7fff0a6821a0 T0)
==3541124==The signal is caused by a READ memory access.
==3541124==Hint: address points to the zero page.
    #0 0x7fa63fcdc017 in gf_dump_vrml_simple_field.isra.0 (/home/smlijun/gpac_asan/bin/gcc/libgpac.so.12+0x38f017)
    #1 0x7fa63fcdcc1b in DumpXReplace (/home/smlijun/gpac_asan/bin/gcc/libgpac.so.12+0x38fc1b)
    #2 0x7fa63fcd728a in gf_sm_dump_command_list (/home/smlijun/gpac_asan/bin/gcc/libgpac.so.12+0x38a28a)
    #3 0x7fa63fcde00c in gf_sm_dump (/home/smlijun/gpac_asan/bin/gcc/libgpac.so.12+0x39100c)
    #4 0x559fd823f0b7 in dump_isom_scene (/home/smlijun/gpac_asan/bin/gcc/MP4Box+0x340b7)
    #5 0x559fd8234b50 in mp4box_main (/home/smlijun/gpac_asan/bin/gcc/MP4Box+0x29b50)
    #6 0x7fa63f77f082 in __libc_start_main ../csu/libc-start.c:308
    #7 0x559fd822458d in _start (/home/smlijun/gpac_asan/bin/gcc/MP4Box+0x1958d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/smlijun/gpac_asan/bin/gcc/libgpac.so.12+0x38f017) in gf_dump_vrml_simple_field.isra.0
==3541124==ABORTING

Impact

This vulnerability can be used for denial of service: a crafted file crashes MP4Box with a NULL read in gf_dump_vrml_simple_field while it dumps the file's scene (dump_isom_scene, reached via MP4Box -bt).
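The ASan log above shows how MP4Box's ISO BMFF reader reacts to the crafted file before the crash: boxes of an unknown type, a child box with size 0 (which is only legal at file level), a parent box left with trailing bytes, and a top-level box whose declared size overruns the file. The following box walker is an added illustration, not code from this report or from GPAC; it reproduces those four checks over a constructed sample of the same shape. The box registry, the container set and the message wording are assumptions made for the example.

```python
import struct

# Small registry of box types the walker recognises (an assumption for this
# example; a real demuxer such as GPAC registers hundreds of types).
KNOWN_BOXES = {b"ftyp", b"moov", b"mvhd", b"trak", b"tkhd", b"mdia", b"mdhd",
               b"hdlr", b"minf", b"dinf", b"stbl", b"mdat", b"free", b"udta"}
# Subset of those whose payload is itself a sequence of boxes.
CONTAINER_BOXES = {b"moov", b"trak", b"mdia", b"minf", b"dinf", b"stbl", b"udta"}


def walk_boxes(data, start, end, parent, events):
    """Walk the boxes in data[start:end].

    `parent` is the enclosing box type, or None at file level. Every anomaly is
    appended to `events` as a string; the function returns the list of
    (type, start, size) triples it accepted.
    """
    boxes = []
    pos = start
    while pos + 8 <= end:
        size, btype = struct.unpack(">I4s", data[pos:pos + 8])
        hdr = 8
        name = btype.decode("latin-1")
        if btype not in KNOWN_BOXES:
            if parent is None:
                events.append(f"unknown top-level box type {name}")
            else:
                events.append(f"unknown box type {name} in parent {parent.decode('latin-1')}")
        if size == 1:
            # A 64-bit largesize follows the 8-byte header.
            if pos + 16 > end:
                events.append(f"incomplete largesize header for box {name} at {pos}")
                break
            size = struct.unpack(">Q", data[pos + 8:pos + 16])[0]
            hdr = 16
        elif size == 0:
            # Size 0 means "extends to end of file" and is only legal at file level.
            if parent is None:
                size = end - pos
            else:
                events.append(f"box {name} at {pos} has size 0 but is not at file level, "
                              f"skipping end of parent {parent.decode('latin-1')}")
                break
        if size < hdr:
            events.append(f"box {name} at {pos} has size {size} smaller than its header")
            break
        if pos + size > end:
            # Declared size runs past the available data (truncated or corrupt file).
            events.append(f"incomplete box {name} - start {pos} size {size}")
            break
        if btype in CONTAINER_BOXES:
            walk_boxes(data, pos + hdr, pos + size, btype, events)
        boxes.append((btype, pos, size))
        pos += size  # size >= hdr >= 8, so the loop always makes progress
    leftover = end - pos
    if parent is not None and leftover > 0:
        events.append(f'box "{parent.decode("latin-1")}" has {leftover} extra bytes')
    return boxes


def check_file(data):
    """Return the list of anomalies found while walking a whole file."""
    events = []
    walk_boxes(data, 0, len(data), None, events)
    return events


def box(btype, payload=b"", size=None):
    """Build one box; `size` overrides the real size to forge malformed headers."""
    if size is None:
        size = 8 + len(payload)
    return struct.pack(">I4s", size, btype) + payload


# Constructed sample mirroring the shape seen in the log: a moov whose child has
# size 0, six stray bytes after it, and a top-level box whose size overruns the file.
SAMPLE = (
    box(b"ftyp", b"isom" + b"\x00\x00\x00\x00" + b"isom")
    + box(b"moov", box(b"mvhd", b"\x00" * 4) + box(b"0000", size=0) + b"\x00" * 6)
    + box(b"0000", size=808358436)
)

if __name__ == "__main__":
    for line in check_file(SAMPLE):
        print("[iso file]", line)
```

A dumper that runs after such a walk must treat every structure the reader gave up on (the skipped tail of moov, the incomplete top-level box) as absent rather than assuming it was populated, which is the kind of assumption a NULL read in a later dump routine points at.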

We are processing your report and will contact the gpac team within 24 hours. 11 days ago
We have contacted a member of the gpac team and are waiting to hear back 10 days ago
gpac/gpac maintainer
10 days ago

Maintainer


https://github.com/gpac/gpac/issues/2232

gpac/gpac maintainer validated this vulnerability 10 days ago
abysslab has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
gpac/gpac maintainer confirmed that a fix has been merged on 0102c5 10 days ago
The fix bounty has been dropped
abysslab
10 days ago

Researcher


@admin can we get a CVE for this?

Jamie Slome
9 days ago

Admin


@maintainer - are you happy for a CVE to be assigned and published for this?

gpac/gpac maintainer
9 days ago

Maintainer


Yes. You are asking us the same question for each report, would it be possible to store somewhere that we agree with submitting CVEs whenever appropriate?

Jamie Slome
7 days ago

Admin


I've assigned a CVE for this report.

Regarding future reports, I will just proceed to assign and publish CVEs 👍

gpac/gpac maintainer
7 days ago

Maintainer


Thanks
