Headline
CVE-2021-45291: A segmentation fault in gf_dump_setup() at scene_manager/scene_dump.c:243 · Issue #1955 · gpac/gpac
The gf_dump_setup function in GPAC 1.0.1 allows malicoius users to cause a denial of service (Invalid memory address dereference) via a crafted file in the MP4Box command.
Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!
- [Yes ] I looked for a similar issue and couldn’t find any.
- [ Yes] I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
- [ Yes] I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line …). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95
Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/
Version:
./MP4Box -version
MP4Box - GPAC version 1.1.0-DEV-rev1527-g6fcf9819e-master
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
MINI build (encoders, decoders, audio and video output disabled)
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration: --static-mp4box --prefix=/home/zxq/CVE_testing/sourceproject/gpac/cmakebuild --enable-debug
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_DISABLE_3D
System information
Ubuntu 20.04.1 LTS, gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)
command:
./bin/gcc/MP4Box -lsr POC
POC.zip
Result
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[ODF] Error reading descriptor (tag 4 size 0): Invalid MPEG-4 Descriptor
[iso file] Incomplete box mdat - start 11495 size 128
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[ODF] Error reading descriptor (tag 4 size 0): Invalid MPEG-4 Descriptor
[iso file] Incomplete box mdat - start 11495 size 128
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 BIFS Scene Parsing
[MP4 Loading] Unable to fetch sample 1 from track ID 8 - aborting track import
Scene loaded - dumping 1 systems streams
[1] 1233733 segmentation fault
gdb information:
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x400788 --> 0x0
RCX: 0x0
RDX: 0x0
RSI: 0x0
RDI: 0x10f40f0 --> 0x10f4590 --> 0x10f4460 --> 0x70003
RBP: 0x7fffffff87b0 --> 0x7fffffff8850 --> 0x7fffffff9950 --> 0x7fffffffe1f0 --> 0x7fffffffe210 --> 0xd078f0 (<__libc_csu_init>: endbr64)
RSP: 0x7fffffff8750 --> 0x10f4090 --> 0x10002
RIP: 0x6d9986 (<gf_dump_setup+365>: movzx eax,BYTE PTR [rax+0x8])
R8 : 0xe3d1d3 (" Scene Dump -->\n")
R9 : 0x12
R10: 0xfffffffb
R11: 0xe3d1c2 --> 0x565300526553414c ('LASeR')
R12: 0xd07990 (<__libc_csu_fini>: endbr64)
R13: 0x0
R14: 0x10a3018 --> 0xd7e490 (<__memmove_avx_unaligned_erms>: endbr64)
R15: 0x0
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x6d997a <gf_dump_setup+353>: mov QWORD PTR [rbp-0x38],rax
0x6d997e <gf_dump_setup+357>: mov rax,QWORD PTR [rbp-0x38]
0x6d9982 <gf_dump_setup+361>: mov rax,QWORD PTR [rax+0x18]
=> 0x6d9986 <gf_dump_setup+365>: movzx eax,BYTE PTR [rax+0x8]
0x6d998a <gf_dump_setup+369>: cmp al,0x3
0x6d998c <gf_dump_setup+371>: jne 0x6d99ff <gf_dump_setup+486>
0x6d998e <gf_dump_setup+373>: mov rax,QWORD PTR [rbp-0x38]
0x6d9992 <gf_dump_setup+377>: mov rax,QWORD PTR [rax+0x18]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffff8750 --> 0x10f4090 --> 0x10002
0008| 0x7fffffff8758 --> 0x10f47d0 --> 0x10e99f0 --> 0x0
0016| 0x7fffffff8760 --> 0x500400788
0024| 0x7fffffff8768 --> 0x200000000
0032| 0x7fffffff8770 --> 0x10f4090 --> 0x10002
0040| 0x7fffffff8778 --> 0x10f4460 --> 0x70003
0048| 0x7fffffff8780 --> 0x7fffffff87b0 --> 0x7fffffff8850 --> 0x7fffffff9950 --> 0x7fffffffe1f0 --> 0x7fffffffe210 (--> ...)
0056| 0x7fffffff8788 --> 0x444a92 (<gf_list_enum+61>: mov QWORD PTR [rbp-0x8],rax)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
gf_dump_setup (sdump=0x10f47d0, root_od=0x10f4090) at scene_manager/scene_dump.c:243
243 if (esd->decoderConfig->streamType != GF_STREAM_SCENE) continue;