NULL Pointer Dereference in media_tools/mpeg2_ps.c, media_tools/avilib.c and filters/dasher.c in gpac/gpac

Valid

Reported on

Aug 29th 2023


Description

NULL Pointer Dereference in MP4Box.

Version

$ ./bin/gcc/MP4Box -version
MP4Box - GPAC version 2.3-DEV-revrelease
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
    GPAC Filters: https://doi.org/10.1145/3339825.3394929
    GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --enable-sanitizer
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D

Reproduce

Compile and run:

./configure --enable-sanitizer
make

Proof of Concept

./bin/gcc/MP4Box -dash 1000 ./crashes/crash000004

./bin/gcc/MP4Box -dash 1000 ./crashes/crash000007

./bin/gcc/MP4Box -dash 1000 ./crashes/crash000014

./bin/gcc/MP4Box -dash 1000 ./crashes/crash000069

crash000004 is here

crash000007 is here

crash000014 is here

crash000069 is here

Crash000069 Info

Information reported by the sanitizer:

$ ./bin/gcc/MP4Box -dash 1000 ./crash000069
AddressSanitizer:DEADLYSIGNAL
=================================================================
==540488==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f07d6f78e85 bp 0x7ffc9161b230 sp 0x7ffc9161a970 T0)
==540488==The signal is caused by a READ memory access.
==540488==Hint: address points to the zero page.
    #0 0x7f07d6f78e84 in __GI__IO_fread /build/glibc-SzIz7B/glibc-2.31/libio/iofread.c:35
    #1 0x7f07dce74435 in __interceptor_fread ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:988
    #2 0x7f07d9e40e80 in file_read_bytes media_tools/mpeg2_ps.c:163
    #3 0x7f07d9e40e80 in read_to_next_pes_header media_tools/mpeg2_ps.c:544
    #4 0x7f07d9e41ca8 in search_for_next_pes_header media_tools/mpeg2_ps.c:681
    #5 0x7f07d9e421d5 in mpeg2ps_stream_read_next_pes_buffer media_tools/mpeg2_ps.c:732
    #6 0x7f07d9e42d48 in mpeg2ps_stream_find_mpeg_video_frame media_tools/mpeg2_ps.c:823
    #7 0x7f07d9e48e17 in mpeg2ps_stream_read_frame media_tools/mpeg2_ps.c:953
    #8 0x7f07d9e48e17 in get_info_for_all_streams media_tools/mpeg2_ps.c:1211
    #9 0x7f07d9e48e17 in mpeg2ps_scan_file media_tools/mpeg2_ps.c:1368
    #10 0x7f07d9e48e17 in mpeg2ps_init media_tools/mpeg2_ps.c:1625
    #11 0x7f07da47c50c in m2psdmx_process filters/dmx_mpegps.c:327
    #12 0x7f07da30933e in gf_filter_process_task filter_core/filter.c:2971
    #13 0x7f07da2c866a in gf_fs_thread_proc filter_core/filter_session.c:1962
    #14 0x7f07da2d5fd6 in gf_fs_run filter_core/filter_session.c:2261
    #15 0x7f07d9c6ba9d in gf_dasher_process media_tools/dash_segmenter.c:1236
    #16 0x562cd9a11bb6 in do_dash /home/functionmain/desktop/gpac-master-asan/applications/mp4box/mp4box.c:4825
    #17 0x562cd9a11bb6 in mp4box_main /home/functionmain/desktop/gpac-master-asan/applications/mp4box/mp4box.c:6239
    #18 0x7f07d6f1a082 in __libc_start_main ../csu/libc-start.c:308
    #19 0x562cd99e9f5d in _start (/home/functionmain/desktop/gpac-master-asan/bin/gcc/MP4Box+0xa5f5d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /build/glibc-SzIz7B/glibc-2.31/libio/iofread.c:35 in __GI__IO_fread
==540488==ABORTING

Crash000004 Info

Information reported by the sanitizer:

./bin/gcc/MP4Box -dash 1000 ./crash000004
media_tools/avilib.c:559:2: runtime error: null pointer passed as argument 1, which is declared to never be null

Crash000007 Info

Information reported by the sanitizer:

./bin/gcc/MP4Box -dash 1000 ./crash000007
[Dasher] No template assigned, using $File$_dash$FS$$Number$
[Dasher] No bitrate property assigned to PID crash000007, computing from bitstream
[Dasher] No bitrate property assigned to PID crash000007, computing from bitstream
[RFC6381] Cannot find M4V config, using default mp4v.20
[Dasher] No bitrate property assigned to PID crash000007, computing from bitstream
[Dasher] PID crash000007 config changed during active period, forcing period switch
filters/dasher.c:8390:27: runtime error: member access within null pointer of type 'struct GF_DashStream'

Crash000014 Info

Information reported by the sanitizer:

./bin/gcc/MP4Box -dash 1000 ./crash000014
[Dasher] No template assigned, using $File$_dash$FS$$Number$
Unknown CICP mapping for channel config 4/0.0
[RFC6381] Cannot find MPEG-H Audio Config or audio PL, defaulting to profile 0x01
[MP4Mux] No timescale specified, guessing from media: 0
[Dasher] Representation not initialized, dropping non-SAP1/2 packet CTS 0/0
[Dasher] Representation not initialized, dropping non-SAP1/2 packet CTS 1024/0
[Dasher] Representation not initialized, dropping non-SAP1/2 packet CTS 2048/0
Unsupported cicp audio layout value 58
[Dasher] PID audio config changed during active period, forcing period switch
filters/dasher.c:8417:9: runtime error: member access within null pointer of type 'struct GF_DashStream'
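The four crash files above reduce to three distinct NULL-dereference sites once the sanitizer output is parsed (the two dasher.c reports share a file and differ only in line). As an added triage example, not part of this report or of GPAC, the following Python classifies the ASan and UBSan report shapes quoted above and deduplicates crashes by faulting source location; the sample log text is constructed from the output quoted in this report, and the list of libc/sanitizer path fragments to skip is an assumption.

```python
import re

# Constructed sample logs: the three sanitizer report shapes quoted in this report.
ASAN_LOG = """AddressSanitizer:DEADLYSIGNAL
==540488==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f07d6f78e85 bp 0x7ffc9161b230 sp 0x7ffc9161a970 T0)
==540488==The signal is caused by a READ memory access.
==540488==Hint: address points to the zero page.
    #0 0x7f07d6f78e84 in __GI__IO_fread /build/glibc-SzIz7B/glibc-2.31/libio/iofread.c:35
    #1 0x7f07dce74435 in __interceptor_fread ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:988
    #2 0x7f07d9e40e80 in file_read_bytes media_tools/mpeg2_ps.c:163
    #3 0x7f07d9e40e80 in read_to_next_pes_header media_tools/mpeg2_ps.c:544
"""
UBSAN_ARG = "media_tools/avilib.c:559:2: runtime error: null pointer passed as argument 1, which is declared to never be null"
UBSAN_MEMBER = "filters/dasher.c:8390:27: runtime error: member access within null pointer of type 'struct GF_DashStream'"

# One ASan stack frame: "#N 0xADDR in FUNC PATH:LINE"
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (\S+) (\S+?):(\d+)", re.M)
# One UBSan diagnostic: "PATH:LINE:COL: runtime error: MESSAGE"
UBSAN_RE = re.compile(r"^(\S+?):(\d+):\d+: runtime error: (.*)$", re.M)
# Assumed path fragments identifying libc / sanitizer-runtime frames, which are
# skipped when looking for the first frame inside the project under test.
RUNTIME_PATHS = ("/build/glibc", "libsanitizer", "sanitizer_common")

def classify(log):
    """Return {'kind', 'site', 'function'} for a NULL-dereference report, else None."""
    m = UBSAN_RE.search(log)
    if m:
        msg = m.group(3)
        if "null pointer passed as argument" in msg:
            kind = "ubsan-nonnull-arg"      # avilib.c:559 shape
        elif "member access within null pointer" in msg:
            kind = "ubsan-null-member"      # dasher.c:8390 / 8417 shape
        else:
            return None
        return {"kind": kind, "site": f"{m.group(1)}:{m.group(2)}", "function": None}
    if "SEGV on unknown address" in log and "address points to the zero page" in log:
        # Walk the stack from the top; the first project frame is the blamed site.
        for _, func, path, line in FRAME_RE.findall(log):
            if not any(p in path for p in RUNTIME_PATHS):
                return {"kind": "asan-segv-null", "site": f"{path}:{line}", "function": func}
    return None

def unique_sites(logs):
    """Deduplicate a batch of fuzzer crash logs by faulting source location."""
    return {r["site"] for r in map(classify, logs) if r}
```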

Impact

A crafted input file passed to MP4Box -dash triggers a NULL pointer dereference, crashing the process (denial of service).


We are processing your report and will contact the gpac team within 24 hours.
We have contacted a member of the gpac team and are waiting to hear back.

Maintainer

https://github.com/gpac/gpac/issues/2575

gpac/gpac maintainer validated this vulnerability.
gpac/gpac maintainer marked this as fixed in 2.3-DEV with commit 4bac19.
This vulnerability has been assigned a CVE.
gpac/gpac maintainer published this vulnerability.