NULL Pointer Dereference in function gf_filter_pck_new_alloc_internal in gpac/gpac

Valid

Reported on

Oct 11th 2023


Description

NULL Pointer Dereference in function gf_filter_pck_new_alloc_internal at filter_core/filter_pck.c:108.

Version

git log
commit 5692dc729491805e0e5f55c21d50ba1e6b19e88e (HEAD -> master, origin/master, origin/HEAD)
Author: Aurelien David <aurelien.david@telecom-paristech.fr>
Date:   Wed Oct 11 13:24:46 2023 +0200

    ac3dmx: add remain size check (fixes #2627)

./MP4Box -version
MP4Box - GPAC version 2.3-DEV-rev577-g5692dc729-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Proof of Concept

Build with sanitizers:
./configure --enable-sanitizer
make

Reported by the sanitizer build as a UBSan runtime error (no ASAN trace in this run):

./bin/gcc/MP4Box -dash 1000 -out /dev/null   poc2_null

[Dasher] No template assigned, using $File$_dash$FS$$Number$
[PCMReframe] Missing audio sample rate, cannot parse
filter_core/filter_pck.c:108:6: runtime error: member access within null pointer of type 'struct GF_FilterPid'
Reported with ASAN (instrumented program):

./bin/gcc/MP4Box -dash 1000 -out /dev/null   poc2_null
[Dasher] No template assigned, using $File$_dash$FS$$Number$
[PCMReframe] Missing audio sample rate, cannot parse
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2015631==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f6dd4798891 bp 0x7ffee005d790 sp 0x7ffee005d6a0 T0)
==2015631==The signal is caused by a READ memory access.
==2015631==Hint: address points to the zero page.
    #0 0x7f6dd4798891 in gf_filter_pck_new_alloc_internal (/home/fuzz/gpac/gpac/bin/gcc/libgpac.so.12+0x119b891)
    #1 0x7f6dd4d1ef00 in pcmreframe_process (/home/fuzz/gpac/gpac/bin/gcc/libgpac.so.12+0x1721f00)
    #2 0x7f6dd48571ce in gf_filter_process_task (/home/fuzz/gpac/gpac/bin/gcc/libgpac.so.12+0x125a1ce)
    #3 0x7f6dd4825216 in gf_fs_thread_proc (/home/fuzz/gpac/gpac/bin/gcc/libgpac.so.12+0x1228216)
    #4 0x7f6dd4823b0f in gf_fs_run (/home/fuzz/gpac/gpac/bin/gcc/libgpac.so.12+0x1226b0f)
    #5 0x7f6dd41c2047 in gf_dasher_process (/home/fuzz/gpac/gpac/bin/gcc/libgpac.so.12+0xbc5047)
    #6 0x50205c in do_dash /home/fuzz/gpac/gpac/applications/mp4box/mp4box.c:4831:15
    #7 0x4f34ee in mp4box_main /home/fuzz/gpac/gpac/applications/mp4box/mp4box.c:6245:7
    #8 0x7f6dd327e082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #9 0x42ad4d in _start (/home/fuzz/gpac/gpac/bin/gcc/MP4Box+0x42ad4d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/fuzz/gpac/gpac/bin/gcc/libgpac.so.12+0x119b891) in gf_filter_pck_new_alloc_internal
POC: https://github.com/Janette88/test_pocs/blob/main/poc2_null
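The bug class behind the trace above, modelled as an added C example. This is not GPAC's code: the FilterPid/FilterPck types, the pck_new_alloc_* functions and reframe_process are hypothetical stand-ins chosen to mirror the call chain pcmreframe_process -> gf_filter_pck_new_alloc_internal. The unchecked allocator writes through the pid pointer it is handed, so a filter that gives up on configuration ("Missing audio sample rate") but still reaches the allocation path passes it NULL. The hardened allocator rejects a NULL pid, and the process step returns an error code instead of allocating on a pid it never created.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified stand-ins for GPAC's filter pid / packet structures (not GPAC code). */
typedef struct {
    const char *name;
    unsigned sample_rate;   /* 0 means the upstream filter never configured it */
    size_t pck_count;       /* packets allocated on this pid */
} FilterPid;

typedef struct {
    FilterPid *pid;
    size_t size;
    unsigned char *data;
} FilterPck;

/* Unchecked allocator: the crash pattern. With pid == NULL the marked line reads through a
   NULL struct pointer, the same diagnostic UBSan/ASAN give in the report ("member access
   within null pointer"). Kept for contrast; never call it with a NULL pid. */
FilterPck *pck_new_alloc_unchecked(FilterPid *pid, size_t size)
{
    FilterPck *pck = calloc(1, sizeof *pck);
    if (!pck) return NULL;
    pck->data = calloc(size ? size : 1, 1);
    if (!pck->data) { free(pck); return NULL; }
    pck->pid = pid;
    pck->size = size;
    pid->pck_count++;   /* NULL pointer dereference when pid == NULL */
    return pck;
}

/* Hardened allocator: refuse a NULL pid before touching any of its members. */
FilterPck *pck_new_alloc_checked(FilterPid *pid, size_t size)
{
    if (!pid) return NULL;
    return pck_new_alloc_unchecked(pid, size);
}

void pck_free(FilterPck *pck)
{
    if (!pck) return;
    free(pck->data);
    free(pck);
}

typedef enum { PROC_OK = 0, PROC_NOT_CONFIGURED = 1, PROC_ALLOC_FAIL = 2 } ProcResult;

/* Model of a reframer process step. The output pid only exists once the stream parameters
   (sample rate) are known; if they are missing the filter must return an error instead of
   allocating a packet on a pid it never created. */
ProcResult reframe_process(FilterPid *opid, const unsigned char *in, size_t len, FilterPck **out)
{
    *out = NULL;
    if (!opid || opid->sample_rate == 0)
        return PROC_NOT_CONFIGURED;     /* "Missing audio sample rate, cannot parse" */
    FilterPck *pck = pck_new_alloc_checked(opid, len);
    if (!pck) return PROC_ALLOC_FAIL;
    memcpy(pck->data, in, len);
    *out = pck;
    return PROC_OK;
}

/* Drives both paths on constructed input; returns 1 when the hardened code behaves. */
int run_demo(void)
{
    static const unsigned char sample[3] = { 0x01, 0x02, 0x03 };  /* constructed input */
    FilterPid pid = { "audio", 48000, 0 };
    FilterPck *pck = NULL;

    /* Unconfigured output: must be rejected without dereferencing a NULL pid. */
    if (reframe_process(NULL, sample, sizeof sample, &pck) != PROC_NOT_CONFIGURED || pck)
        return 0;
    if (pck_new_alloc_checked(NULL, 8) != NULL)
        return 0;

    /* Configured output: allocation succeeds and the pid's packet counter is updated. */
    if (reframe_process(&pid, sample, sizeof sample, &pck) != PROC_OK || !pck)
        return 0;
    if (pck->size != 3 || pck->data[2] != 0x03 || pid.pck_count != 1) {
        pck_free(pck);
        return 0;
    }
    pck_free(pck);
    return 1;
}
```

Compiled with -fsanitize=address,undefined, a call to pck_new_alloc_unchecked(NULL, n) reproduces the "member access within null pointer" diagnostic seen above; the checked variant returns NULL and the caller reports PROC_NOT_CONFIGURED instead of crashing.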

Impact

This vulnerability is capable of making MP4Box crash. The sanitizer output shows a READ from address 0 (the zero page) inside gf_filter_pck_new_alloc_internal, reached from pcmreframe_process right after the PCMReframe filter reports a missing audio sample rate. A NULL pointer read of this kind terminates the process rather than handing an attacker control of it, so the practical impact is denial of service: any pipeline that runs MP4Box (here with -dash) on untrusted media can be crashed by a crafted input file. This report demonstrates no arbitrary code execution, which is consistent with the Medium (4.4) severity the maintainers assigned below.

We are processing your report and will contact the gpac team within 24 hours. (4 months ago)
A GitHub Issue asking the maintainers to create a SECURITY.md exists. (4 months ago)
janette88 modified the report. (4 months ago)
We have contacted a member of the gpac team and are waiting to hear back. (4 months ago)

gpac/gpac maintainer (Maintainer), 4 months ago:
https://github.com/gpac/gpac/issues/2632

gpac/gpac maintainer modified the Severity from Medium (5.3) to Medium (4.4). (4 months ago)
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
gpac/gpac maintainer validated this vulnerability. (4 months ago)
janette88 has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
The researcher's credibility has increased: +7
gpac/gpac maintainer marked this as fixed in 2.3.0-DEV with commit ca1b48. (4 months ago)
The fix bounty has been dropped.
This vulnerability has now been published. (4 months ago)