Headline
CVE-2021-45764: Invalid memory address dereference in shift_chunk_offsets.isra() · Issue #1971 · gpac/gpac
GPAC v1.1.0 was discovered to contain an invalid memory address dereference via the function shift_chunk_offsets.isra().
Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!
- I looked for a similar issue and couldn’t find any.
- I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
- I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line …). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95
Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/
An invalid memory address dereference was discovered in shift_chunk_offsets.isra(). The vulnerability causes a segmentation fault and application crash.
Version:
MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration:
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB GPAC_DISABLE_3D
System information
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz
command:
poc_9.zip
Result
[iso file] Unknown box type stbU in parent minf
[iso file] Track with no sample table !
[iso file] Track with no sample description box !
[iso file] Box "trak" is larger than container box
[iso file] Box "moov" size 256 (start 20) invalid (read 2209)
[iso file] Unknown top-level box type 079Fmd
Saving ./poc/poc_9: In-place rewrite
[1] 2265002 segmentation fault ./MP4Box -hint ./poc/poc_9
gdb
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7981ba3 in shift_chunk_offsets.isra () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────[ REGISTERS ]──────────────────────────────── RAX 0x5555555cc6e0 ◂— 0x6d696e66 /* 'fnim' */
RBX 0x5555555ccfe0 ◂— 0x7374626c /* 'lbts' */
RCX 0x0
RDX 0x5555555cf160 ◂— 0x6d646961 /* 'aidm' */
RDI 0x28
RSI 0x34
R8 0x14
R9 0x0
R10 0x7ffff775d6fa ◂— 'gf_isom_box_size'
R11 0x7ffff796bce0 (gf_isom_box_size) ◂— endbr64
R12 0x5555555c72a0 ◂— 0xffffffec
R13 0x14
R14 0x1
R15 0x7fffffff7e80 ◂— 0x0
RBP 0x0
RSP 0x7fffffff7e00 ◂— 0xf7747c68
RIP 0x7ffff7981ba3 (shift_chunk_offsets.isra+19) ◂— mov esi, dword ptr [rsi]
─────────────────────────────────[ DISASM ]───────────────────────────────── ► 0x7ffff7981ba3 <shift_chunk_offsets.isra+19> mov esi, dword ptr [rsi]
0x7ffff7981ba5 <shift_chunk_offsets.isra+21> mov qword ptr [rsp + 8], rdi
0x7ffff7981baa <shift_chunk_offsets.isra+26> mov qword ptr [rsp + 0x10], rdx
0x7ffff7981baf <shift_chunk_offsets.isra+31> mov dword ptr [rsp + 0x2c], r9d
0x7ffff7981bb4 <shift_chunk_offsets.isra+36> test esi, esi
0x7ffff7981bb6 <shift_chunk_offsets.isra+38> je shift_chunk_offsets.isra+175 <shift_chunk_offsets.isra+175>
↓
0x7ffff7981c3f <shift_chunk_offsets.isra+175> add rsp, 0x38
0x7ffff7981c43 <shift_chunk_offsets.isra+179> xor eax, eax
0x7ffff7981c45 <shift_chunk_offsets.isra+181> pop rbx
0x7ffff7981c46 <shift_chunk_offsets.isra+182> pop rbp
0x7ffff7981c47 <shift_chunk_offsets.isra+183> pop r12
─────────────────────────────────[ STACK ]──────────────────────────────────00:0000│ rsp 0x7fffffff7e00 ◂— 0xf7747c68
01:0008│ 0x7fffffff7e08 ◂— 0x0
02:0010│ 0x7fffffff7e10 ◂— 0x999
03:0018│ 0x7fffffff7e18 ◂— 0x34 /* '4' */
04:0020│ 0x7fffffff7e20 —▸ 0x7ffff7fc7368 —▸ 0x7ffff7ffe450 —▸ 0x7ffff73131e0 —▸ 0x7ffff7ffe190 ◂— ...
05:0028│ 0x7fffffff7e28 —▸ 0x7fffffff7f68 —▸ 0x7ffff7751b48 ◂— 0xe0012000053a2
06:0030│ 0x7fffffff7e30 —▸ 0x7ffff775d6fa ◂— 'gf_isom_box_size'
07:0038│ 0x7fffffff7e38 —▸ 0x5555555ccfe0 ◂— 0x7374626c /* 'lbts' */
───────────────────────────────[ BACKTRACE ]──────────────────────────────── ► f 0 0x7ffff7981ba3 shift_chunk_offsets.isra+19
f 1 0x7ffff7981fd0 inplace_shift_moov_meta_offsets+224
f 2 0x7ffff7982a5c inplace_shift_mdat+732
f 3 0x7ffff7986c29 WriteToFile+2713
f 4 0x7ffff7978042 gf_isom_write+370
f 5 0x7ffff79780c8 gf_isom_close+24
f 6 0x55555557ad12 mp4boxMain+7410
f 7 0x7ffff75630b3 __libc_start_main+243
────────────────────────────────────────────────────────────────────────────pwndbg> bt
#0 0x00007ffff7981ba3 in shift_chunk_offsets.isra () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#1 0x00007ffff7981fd0 in inplace_shift_moov_meta_offsets () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#2 0x00007ffff7982a5c in inplace_shift_mdat () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#3 0x00007ffff7986c29 in WriteToFile () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#4 0x00007ffff7978042 in gf_isom_write () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#5 0x00007ffff79780c8 in gf_isom_close () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#6 0x000055555557ad12 in mp4boxMain ()
#7 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe218, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe208) at ../csu/libc-start.c:308
#8 0x000055555556c45e in _start ()