Headline
CVE-2021-45762: Invalid memory address dereference in gf_sg_vrml_mf_reset() · Issue #1978 · gpac/gpac
GPAC v1.1.0 was discovered to contain an invalid memory address dereference via the function gf_sg_vrml_mf_reset(). This vulnerability allows attackers to cause a Denial of Service (DoS).
Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!
- I looked for a similar issue and couldn’t find any.
- I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
- I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line …). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95
Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/
An invalid memory address dereference was discovered in gf_sg_vrml_mf_reset(). The vulnerability causes a segmentation fault and application crash.
Version:
MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration:
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB GPAC_DISABLE_3D
System information
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz
command:
poc_14.zip
Result
./MP4Box -lsr ./poc/poc_14
[iso file] Box "stco" (start 2057) has 6144 extra bytes
[iso file] Box "stco" is larger than container box
[iso file] Box "stbl" size 1814 (start 415) invalid (read 7894)
[iso file] Unknown box type 00040000 in parent dref
[iso file] extra box maxr found in hinf, deleting
[iso file] Box "stss" (start 9939) has 32 extra bytes
[iso file] extra box maxr found in hinf, deleting
[iso file] Track with no sample description box !
[iso file] Incomplete box mdat - start 11495 size 859244
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] Box "stco" (start 2057) has 6144 extra bytes
[iso file] Box "stco" is larger than container box
[iso file] Box "stbl" size 1814 (start 415) invalid (read 7894)
[iso file] Unknown box type 00040000 in parent dref
[iso file] extra box maxr found in hinf, deleting
[iso file] Box "stss" (start 9939) has 32 extra bytes
[iso file] extra box maxr found in hinf, deleting
[iso file] Track with no sample description box !
[iso file] Incomplete box mdat - start 11495 size 859244
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 BIFS Scene Parsing
[1] 250723 segmentation fault ./MP4Box -lsr ./poc/poc_14
gdb
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff78a0d66 in gf_sg_vrml_mf_reset () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────[ REGISTERS ]────────────────────────────────
RAX 0x0
RBX 0x0
RCX 0x7fffffff6160 ◂— 0x3f00000004
RDX 0x8
RDI 0x0
RSI 0x3f
R8 0x0
R9 0x0
R10 0x7ffff775c1f5 ◂— 'gf_sg_script_field_get_info'
R11 0x7ffff788f770 (gf_sg_script_field_get_info) ◂— endbr64
R12 0x7fffffff6160 ◂— 0x3f00000004
R13 0x5555555deb80 ◂— 0x0
R14 0x5555555dfbb0 —▸ 0x5555555dfbe0 ◂— 0x100000051 /* 'Q' */
R15 0x1d61
RBP 0x5555555d5d60 ◂— 0x0
RSP 0x7fffffff6118 —▸ 0x7ffff790fbe2 (gf_bifs_dec_field+130) ◂— mov r15d, eax
RIP 0x7ffff78a0d66 (gf_sg_vrml_mf_reset+6) ◂— cmp qword ptr [rdi + 8], 0
───────────────────────────────────────[ DISASM ]────────────────────────────────────────
► 0x7ffff78a0d66 <gf_sg_vrml_mf_reset+6> cmp qword ptr [rdi + 8], 0
0x7ffff78a0d6b <gf_sg_vrml_mf_reset+11> je gf_sg_vrml_mf_reset+144
<gf_sg_vrml_mf_reset+144>
↓
0x7ffff78a0df0 <gf_sg_vrml_mf_reset+144> ret
0x7ffff78a0df1 <gf_sg_vrml_mf_reset+145> nop dword ptr [rax]
0x7ffff78a0df8 <gf_sg_vrml_mf_reset+152> mov eax, dword ptr [rbp]
0x7ffff78a0dfb <gf_sg_vrml_mf_reset+155> mov r13, qword ptr [rbp + 8]
0x7ffff78a0dff <gf_sg_vrml_mf_reset+159> test eax, eax
0x7ffff78a0e01 <gf_sg_vrml_mf_reset+161> je gf_sg_vrml_mf_reset+198
<gf_sg_vrml_mf_reset+198>
↓
0x7ffff78a0e26 <gf_sg_vrml_mf_reset+198> mov rdi, r13
0x7ffff78a0e29 <gf_sg_vrml_mf_reset+201> call gf_free@plt <gf_free@plt>
0x7ffff78a0e2e <gf_sg_vrml_mf_reset+206> jmp gf_sg_vrml_mf_reset+100
<gf_sg_vrml_mf_reset+100>
────────────────────────────────────────[ STACK ]────────────────────────────────────────
00:0000│ rsp 0x7fffffff6118 —▸ 0x7ffff790fbe2 (gf_bifs_dec_field+130) ◂— mov r15d, eax
01:0008│ 0x7fffffff6120 —▸ 0x7fffffff65b0 —▸ 0x5555555dfbb0 —▸ 0x5555555dfbe0 ◂— 0x100000051 /* 'Q' */
02:0010│ 0x7fffffff6128 —▸ 0x7fffffff65b0 —▸ 0x5555555dfbb0 —▸ 0x5555555dfbe0 ◂— 0x100000051 /* 'Q' */
03:0018│ 0x7fffffff6130 ◂— 0x0
04:0020│ 0x7fffffff6138 —▸ 0x5555555e0210 ◂— 0x3f00000000
05:0028│ 0x7fffffff6140 —▸ 0x7fffffff6160 ◂— 0x3f00000004
06:0030│ 0x7fffffff6148 —▸ 0x7fffffff65b0 —▸ 0x5555555dfbb0 —▸ 0x5555555dfbe0 ◂— 0x100000051 /* 'Q' */
07:0038│ 0x7fffffff6150 ◂— 0x1d61
──────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────
► f 0 0x7ffff78a0d66 gf_sg_vrml_mf_reset+6
f 1 0x7ffff790fbe2 gf_bifs_dec_field+130
f 2 0x7ffff7916f02 ParseScriptField+274
f 3 0x7ffff7919c50 SFScript_Parse+1056
f 4 0x7ffff790eb3c gf_bifs_dec_sf_field+1548
f 5 0x7ffff790eff2 BD_DecMFFieldList+242
f 6 0x7ffff790fac5 gf_bifs_dec_node_mask+421
f 7 0x7ffff790e158 gf_bifs_dec_node+936
─────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0 0x00007ffff78a0d66 in gf_sg_vrml_mf_reset () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#1 0x00007ffff790fbe2 in gf_bifs_dec_field () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#2 0x00007ffff7916f02 in ParseScriptField () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#3 0x00007ffff7919c50 in SFScript_Parse () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#4 0x00007ffff790eb3c in gf_bifs_dec_sf_field () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#5 0x00007ffff790eff2 in BD_DecMFFieldList () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#6 0x00007ffff790fac5 in gf_bifs_dec_node_mask () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#7 0x00007ffff790e158 in gf_bifs_dec_node () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#8 0x00007ffff790f3b4 in BD_DecMFFieldVec () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#9 0x00007ffff790f7f7 in gf_bifs_dec_node_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#10 0x00007ffff790e066 in gf_bifs_dec_node () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#11 0x00007ffff7906580 in BD_DecSceneReplace () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#12 0x00007ffff7914e5e in BM_SceneReplace () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#13 0x00007ffff7915023 in BM_ParseCommand () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#14 0x00007ffff7915353 in gf_bifs_decode_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#15 0x00007ffff7aa1d91 in gf_sm_load_run_isom () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#16 0x00005555555844a8 in dump_isom_scene ()
#17 0x000055555557b42c in mp4boxMain ()
#18 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe208, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe1f8) at ../csu/libc-start.c:308
#19 0x000055555556c45e in _start ()