CVE-2021-44921: Null Pointer Dereference in gf_isom_parse_movie_boxes_internal() · Issue #1964 · gpac/gpac
A null pointer dereference vulnerability exists in gpac 1.1.0 in the gf_isom_parse_movie_boxes_internal function, which causes a segmentation fault and application crash.
Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!
- I looked for a similar issue and couldn’t find any.
- I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
- I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line …). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95
Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/
A null pointer dereference was discovered in gf_isom_parse_movie_boxes_internal(). The vulnerability causes a segmentation fault and application crash.
Version:
MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration:
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB GPAC_DISABLE_3D
System information
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz
command:
poc_1.zip
Result
[iso file] extra box maxr found in hinf, deleting
[iso file] Read Box type 00000000 (0x00000000) at position 4494 has size 0 but is not at root/file level, skipping
[iso file] Read Box "hinf" (start 4390) failed (End Of Stream / File) - skipping
[iso file] Read Box "udta" (start 4178) failed (End Of Stream / File) - skipping
[iso file] Read Box "trak" (start 2229) failed (End Of Stream / File) - skipping
[iso file] Read Box "moov" (start 20) failed (End Of Stream / File) - skipping
[1] 2155243 segmentation fault ./MP4Box -lsr ./poc/poc_1
gdb
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7973829 in gf_isom_parse_movie_boxes_internal () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
RAX 0x1
RBX 0x5555555c72a0 ◂— 0x0
RCX 0x7ffff764d1e7 (write+23) ◂— cmp rax, -0x1000 /* 'H=' */
RDX 0x0
RDI 0x5555555c62a0 ◂— 0x0
RSI 0x0
R8 0x0
R9 0x0
R10 0x7ffff7e227df ◂— ') - skipping\n'
R11 0x246
R12 0x0
R13 0x0
R14 0x5555555c72a0 ◂— 0x0
R15 0x3
RBP 0x7fffffff83a0 ◂— 0x0
RSP 0x7fffffff8310 —▸ 0x7fffffff8350 ◂— 0x0
RIP 0x7ffff7973829 (gf_isom_parse_movie_boxes_internal+249) ◂— mov eax, dword ptr [rsi]
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
► 0x7ffff7973829 <gf_isom_parse_movie_boxes_internal+249> mov eax, dword ptr [rsi]
0x7ffff797382b <gf_isom_parse_movie_boxes_internal+251> cmp eax, 0x6d6f6f76
0x7ffff7973830 <gf_isom_parse_movie_boxes_internal+256> je gf_isom_parse_movie_boxes_internal+1688 <gf_isom_parse_movie_boxes_internal+1688>
↓
0x7ffff7973dc8 <gf_isom_parse_movie_boxes_internal+1688> cmp qword ptr [r14 + 0x48], 0
0x7ffff7973dcd <gf_isom_parse_movie_boxes_internal+1693> jne gf_isom_parse_movie_boxes_internal+4630 <gf_isom_parse_movie_boxes_internal+4630>
↓
0x7ffff7974946 <gf_isom_parse_movie_boxes_internal+4630> mov esi, 1
0x7ffff797494b <gf_isom_parse_movie_boxes_internal+4635> mov edi, 2
0x7ffff7974950 <gf_isom_parse_movie_boxes_internal+4640> call gf_log_tool_level_on@plt <gf_log_tool_level_on@plt>
0x7ffff7974955 <gf_isom_parse_movie_boxes_internal+4645> test eax, eax
0x7ffff7974957 <gf_isom_parse_movie_boxes_internal+4647> je gf_isom_parse_movie_boxes_internal+4540 <gf_isom_parse_movie_boxes_internal+4540>
0x7ffff7974959 <gf_isom_parse_movie_boxes_internal+4649> mov esi, 2
──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffff8310 —▸ 0x7fffffff8350 ◂— 0x0
01:0008│ 0x7fffffff8318 ◂— 0x0
... ↓ 2 skipped
04:0020│ 0x7fffffff8330 —▸ 0x5555555c7500 ◂— 0x6d703431 /* '14pm' */
05:0028│ 0x7fffffff8338 ◂— 0x0
06:0030│ 0x7fffffff8340 ◂— 0x0
07:0038│ 0x7fffffff8348 ◂— 0x4
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
► f 0 0x7ffff7973829 gf_isom_parse_movie_boxes_internal+249
f 1 0x7ffff7974f97 gf_isom_open_file+311
f 2 0x55555557dc14 mp4boxMain+19444
f 3 0x7ffff75630b3 __libc_start_main+243
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0 0x00007ffff7973829 in gf_isom_parse_movie_boxes_internal () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#1 0x00007ffff7974f97 in gf_isom_open_file () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#2 0x000055555557dc14 in mp4boxMain ()
#3 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe188, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe178) at ../csu/libc-start.c:308
#4 0x000055555556c45e in _start ()
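Added illustration, not GPAC's code and not part of the report: the faulting instruction loads a box type through rsi == 0 and then compares it with 0x6d6f6f76, the 'moov' four-character code, right after the log says the moov box read failed, which is the shape of a parse loop that uses a box pointer without checking that the read succeeded. The constructed minimal parser below shows that unchecked loop beside one that checks the read result first; `read_box`, `box_t`, the return codes and the sample bytes are assumptions for this example.

```c
#include <stddef.h>
#include <stdint.h>
/* 4CC in GPAC's big-endian layout: 'moov' is 0x6d6f6f76, the constant the
 * crashing code compares against in the disassembly above. */
#define FOURCC(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
#define BOX_MOOV FOURCC('m', 'o', 'o', 'v')
typedef struct { uint32_t type; uint32_t size; } box_t;

/* Read one box header (32-bit size, then 4CC type) at *pos and skip its body.
 * Returns NULL when header or body runs past the buffer (end of stream). */
static box_t *read_box(const uint8_t *buf, size_t len, size_t *pos, box_t *out) {
    const uint8_t *p = buf + *pos;
    if (len - *pos < 8) return NULL;
    out->size = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
    out->type = ((uint32_t)p[4] << 24) | ((uint32_t)p[5] << 16) | ((uint32_t)p[6] << 8) | p[7];
    if (out->size < 8 || out->size > len - *pos) return NULL;  /* truncated body */
    *pos += out->size;
    return out;
}

/* Unsafe shape: the box pointer is used before the read result is checked, so a
 * truncated file turns a->type into the "mov eax, [rsi]" with rsi == 0 above. */
int parse_movie_boxes_unchecked(const uint8_t *buf, size_t len) {
    size_t pos = 0; box_t b;
    while (pos < len) {
        box_t *a = read_box(buf, len, &pos, &b);
        if (a->type == BOX_MOOV) return 1;   /* NULL dereference on bad input */
    }
    return 0;
}

/* Hardened shape: a failed read is reported instead of dereferenced.
 * Returns 1 if a moov box was found, 0 if not, -1 on a truncated file. */
int parse_movie_boxes_checked(const uint8_t *buf, size_t len) {
    size_t pos = 0; box_t b;
    while (pos < len) {
        box_t *a = read_box(buf, len, &pos, &b);
        if (!a) return -1;                   /* stop before touching a->type */
        if (a->type == BOX_MOOV) return 1;
    }
    return 0;
}

/* Constructed samples: an 8-byte 'ftyp' box, then a 'moov' box whose header
 * claims 32 bytes although only 8 remain (truncated), or a well-formed one. */
static const uint8_t sample_truncated[] = { 0,0,0,8,'f','t','y','p', 0,0,0,32,'m','o','o','v' };
static const uint8_t sample_ok[]        = { 0,0,0,8,'f','t','y','p', 0,0,0,8, 'm','o','o','v' };
```

Only the checked parser is safe to run on the truncated sample; the unchecked one reproduces the null dereference on it.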