Headline
CVE-2021-44919: Null Pointer Dereference in gf_sg_vrml_mf_alloc() · Issue #1963 · gpac/gpac
A Null Pointer Dereference vulnerability exists in the gf_sg_vrml_mf_alloc function, which causes a segmentation fault and application crash.
Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!
- I looked for a similar issue and couldn’t find any.
- I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
- I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line …). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95
Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/
A null pointer dereference was discovered in gf_sg_vrml_mf_alloc(). The vulnerability causes a segmentation fault and application crash.
Version:
MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration:
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB GPAC_DISABLE_3D
System information
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz
command:
poc5.zip
Result
./MP4Box -lsr ./poc5
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type 80rak in parent moov
[iso file] Incomplete box mdat - start 11495 size 861206
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type 80rak in parent moov
[iso file] Incomplete box mdat - start 11495 size 861206
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 BIFS Scene Parsing
[1] 1371476 segmentation fault ./MP4Box -lsr ./poc5
gdb
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff78a0f7d in gf_sg_vrml_mf_alloc () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
RAX 0x0
RBX 0x9f03c
RCX 0x10
RDX 0x7ffff7e078a0 (CSWTCH.120) ◂— 0xc080c0804080404
RDI 0x32
RSI 0x32
R8 0x0
R9 0x0
R10 0x7ffff775bdeb ◂— 'gf_sg_vrml_mf_alloc'
R11 0x7ffff78a0f30 (gf_sg_vrml_mf_alloc) ◂— endbr64
R12 0x0
R13 0x8
R14 0x0
R15 0x7fffffff6d60 ◂— 0x30646c6569665f /* '_field0' */
RBP 0x32
RSP 0x7fffffff6bf0 ◂— 0x9f03c
RIP 0x7ffff78a0f7d (gf_sg_vrml_mf_alloc+77) ◂— cmp dword ptr [r12], ebx
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
► 0x7ffff78a0f7d <gf_sg_vrml_mf_alloc+77> cmp dword ptr [r12], ebx
0x7ffff78a0f81 <gf_sg_vrml_mf_alloc+81> je gf_sg_vrml_mf_alloc+125 <gf_sg_vrml_mf_alloc+125>
↓
0x7ffff78a0fad <gf_sg_vrml_mf_alloc+125> add rsp, 8
0x7ffff78a0fb1 <gf_sg_vrml_mf_alloc+129> pop rbx
0x7ffff78a0fb2 <gf_sg_vrml_mf_alloc+130> pop rbp
0x7ffff78a0fb3 <gf_sg_vrml_mf_alloc+131> pop r12
0x7ffff78a0fb5 <gf_sg_vrml_mf_alloc+133> pop r13
0x7ffff78a0fb7 <gf_sg_vrml_mf_alloc+135> ret
0x7ffff78a0fb8 <gf_sg_vrml_mf_alloc+136> nop dword ptr [rax + rax]
0x7ffff78a0fc0 <gf_sg_vrml_mf_alloc+144> mov edx, ebx
0x7ffff78a0fc2 <gf_sg_vrml_mf_alloc+146> imul r13, rdx
──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffff6bf0 ◂— 0x9f03c
01:0008│ 0x7fffffff6bf8 —▸ 0x7fffffff6d30 ◂— 0x3200000000
02:0010│ 0x7fffffff6c00 —▸ 0x5555555ded70 ◂— 0x0
03:0018│ 0x7fffffff6c08 ◂— 0x555df8c0
04:0020│ 0x7fffffff6c10 —▸ 0x5555555d2730 ◂— 0x0
05:0028│ 0x7fffffff6c18 —▸ 0x7ffff790f44d (BD_DecMFFieldVec+589) ◂— mov r14d, eax
06:0030│ 0x7fffffff6c20 ◂— 0x0
07:0038│ 0x7fffffff6c28 ◂— 0x0
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
► f 0 0x7ffff78a0f7d gf_sg_vrml_mf_alloc+77
f 1 0x7ffff790f44d BD_DecMFFieldVec+589
f 2 0x7ffff7906205 gf_bifs_dec_proto_list+1333
f 3 0x7ffff7906549 BD_DecSceneReplace+73
f 4 0x7ffff7914e2e BM_SceneReplace+110
f 5 0x7ffff7914ff3 BM_ParseCommand+179
f 6 0x7ffff7915323 gf_bifs_decode_command_list+163
f 7 0x7ffff7aa1da2 gf_sm_load_run_isom+1218
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0 0x00007ffff78a0f7d in gf_sg_vrml_mf_alloc () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#1 0x00007ffff790f44d in BD_DecMFFieldVec () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#2 0x00007ffff7906205 in gf_bifs_dec_proto_list () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#3 0x00007ffff7906549 in BD_DecSceneReplace () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#4 0x00007ffff7914e2e in BM_SceneReplace () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#5 0x00007ffff7914ff3 in BM_ParseCommand () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#6 0x00007ffff7915323 in gf_bifs_decode_command_list () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#7 0x00007ffff7aa1da2 in gf_sm_load_run_isom () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#8 0x00005555555844a8 in dump_isom_scene ()
#9 0x000055555557b42c in mp4boxMain ()
#10 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe1a8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe198) at ../csu/libc-start.c:308
#11 0x000055555556c45e in _start ()