CVE-2021-46236: Null Pointer Dereference in gf_sg_vrml_field_pointer_del () at scenegraph/vrml_tools.c:667 · Issue #2024 · gpac/gpac

A NULL pointer dereference vulnerability exists in GPAC v1.1.0 via the function gf_sg_vrml_field_pointer_del () at scenegraph/vrml_tools.c. This vulnerability can lead to a Denial of Service (DoS).

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

  • I looked for a similar issue and couldn’t find any.
  • I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
  • I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line …). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

Version:

./MP4Box -version
MP4Box - GPAC version 1.1.0-DEV-rev1582-g94db9779c-master
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    MINI build (encoders, decoders, audio and video output disabled)

Please cite our work in your research:
    GPAC Filters: https://doi.org/10.1145/3339825.3394929
    GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --static-mp4box --enable-debug --
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D 

command:

./bin/gcc/MP4Box -svg POC2

POC2.zip

Result

bt

Program received signal SIGSEGV, Segmentation fault.
0x00000000004eb82b in gf_sg_vrml_field_pointer_del (field=0x0, FieldType=50) at scenegraph/vrml_tools.c:667
667         gf_sg_mfdouble_del( * ((MFDouble *) field));
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
──────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]───────────────────────────────────────────────────────────────────────────────────────────────────
 RAX  0x0
 RBX  0x400788 ◂— 0x0
 RCX  0x0
 RDX  0xe03e5c ◂— 0xff6e7b77ff6e7b77
 RDI  0x0
 RSI  0x32
 R8   0x7
 R9   0x0
 R10  0xffffffd8
 R11  0x246
 R12  0xd0a2b0 (__libc_csu_fini) ◂— endbr64 
 R13  0x0
 R14  0x10a6018 (_GLOBAL_OFFSET_TABLE_+24) —▸ 0xd80db0 (__memmove_avx_unaligned_erms) ◂— endbr64 
 R15  0x0
 RBP  0x7fffffff8610 —▸ 0x7fffffff8660 —▸ 0x7fffffff86b0 —▸ 0x7fffffff8700 —▸ 0x7fffffff8740 ◂— ...
 RSP  0x7fffffff85f0 ◂— 0x3200000000
 RIP  0x4eb82b (gf_sg_vrml_field_pointer_del+254) ◂— mov    edx, dword ptr [rax]
────────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]────────────────────────────────────────────────────────────────────────────────────────────────────
 ► 0x4eb82b <gf_sg_vrml_field_pointer_del+254>    mov    edx, dword ptr [rax]
   0x4eb82d <gf_sg_vrml_field_pointer_del+256>    mov    rax, qword ptr [rax + 8]
   0x4eb831 <gf_sg_vrml_field_pointer_del+260>    mov    edi, edx
   0x4eb833 <gf_sg_vrml_field_pointer_del+262>    mov    rsi, rax
   0x4eb836 <gf_sg_vrml_field_pointer_del+265>    call   gf_sg_mfdouble_del                      <gf_sg_mfdouble_del>
 
   0x4eb83b <gf_sg_vrml_field_pointer_del+270>    jmp    gf_sg_vrml_field_pointer_del+682                      <gf_sg_vrml_field_pointer_del+682>
 
   0x4eb840 <gf_sg_vrml_field_pointer_del+275>    mov    rax, qword ptr [rbp - 0x18]
   0x4eb844 <gf_sg_vrml_field_pointer_del+279>    mov    edx, dword ptr [rax]
   0x4eb846 <gf_sg_vrml_field_pointer_del+281>    mov    rax, qword ptr [rax + 8]
   0x4eb84a <gf_sg_vrml_field_pointer_del+285>    mov    edi, edx
   0x4eb84c <gf_sg_vrml_field_pointer_del+287>    mov    rsi, rax
────────────────────────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]─────────────────────────────────────────────────────────────────────────────────────────────────
In file: /home/zxq/CVE_testing/source/gpac/src/scenegraph/vrml_tools.c
   662      break;
   663  case GF_SG_VRML_MFFLOAT:
   664      gf_sg_mffloat_del( * ((MFFloat *) field));
   665      break;
   666  case GF_SG_VRML_MFDOUBLE:
 ► 667      gf_sg_mfdouble_del( * ((MFDouble *) field));
   668      break;
   669  case GF_SG_VRML_MFTIME:
   670      gf_sg_mftime_del( * ((MFTime *)field));
   671      break;
   672  case GF_SG_VRML_MFINT32:
────────────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffff85f0 ◂— 0x3200000000
01:0008│     0x7fffffff85f8 ◂— 0x0
02:0010│     0x7fffffff8600 —▸ 0x10ecd40 ◂— 0x0
03:0018│     0x7fffffff8608 —▸ 0x10fa7d0 —▸ 0x10fae00 ◂— 0x0
04:0020│ rbp 0x7fffffff8610 —▸ 0x7fffffff8660 —▸ 0x7fffffff86b0 —▸ 0x7fffffff8700 —▸ 0x7fffffff8740 ◂— ...
05:0028│     0x7fffffff8618 —▸ 0x4e6a10 (gf_sg_proto_del_instance+120) ◂— jmp    0x4e6a8f
06:0030│     0x7fffffff8620 ◂— 0x0
07:0038│     0x7fffffff8628 —▸ 0x10fa720 —▸ 0x10fa770 ◂— 0x100000001
──────────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────────────────────────────────────────────────────
 ► f 0         0x4eb82b gf_sg_vrml_field_pointer_del+254
   f 1         0x4e6a10 gf_sg_proto_del_instance+120
   f 2         0x47bfc6 gf_node_del+431
   f 3         0x4797a6 gf_node_unregister+897
   f 4         0x4e4916 gf_sg_proto_del+193
   f 5         0x47db5d gf_sg_command_del+675
   f 6         0x6a0b93 gf_sm_au_del+122
   f 7         0x6a0c24 gf_sm_reset_stream+73
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0  0x00000000004eb82b in gf_sg_vrml_field_pointer_del (field=0x0, FieldType=50) at scenegraph/vrml_tools.c:667
#1  0x00000000004e6a10 in gf_sg_proto_del_instance (inst=0x10fa720) at scenegraph/vrml_proto.c:846
#2  0x000000000047bfc6 in gf_node_del (node=0x10fa720) at scenegraph/base_scenegraph.c:1899
#3  0x00000000004797a6 in gf_node_unregister (pNode=0x10fa720, parentNode=0x0) at scenegraph/base_scenegraph.c:761
#4  0x00000000004e4916 in gf_sg_proto_del (proto=0x10f9d60) at scenegraph/vrml_proto.c:117
#5  0x000000000047db5d in gf_sg_command_del (com=0x10f9c80) at scenegraph/commands.c:113
#6  0x00000000006a0b93 in gf_sm_au_del (sc=0x10f7ac0, au=0x10f9bd0) at scene_manager/scene_manager.c:113
#7  0x00000000006a0c24 in gf_sm_reset_stream (sc=0x10f7ac0) at scene_manager/scene_manager.c:126
#8  0x00000000006a0c58 in gf_sm_delete_stream (sc=0x10f7ac0) at scene_manager/scene_manager.c:133
#9  0x00000000006a0d03 in gf_sm_del (ctx=0x10ed170) at scene_manager/scene_manager.c:147
#10 0x000000000041797b in dump_isom_scene (file=0x7fffffffe637 "gf_sg_vrml_field_pointer_del-gf_sg_proto_del_instance/POC2", inName=0x10da460 <outfile> "gf_sg_vrml_field_pointer_del-gf_sg_proto_del_instance/POC2", is_final_name=GF_FALSE, dump_mode=GF_SM_DUMP_SVG, do_log=GF_FALSE, no_odf_conv=GF_FALSE) at filedump.c:216
#11 0x000000000041521f in mp4boxMain (argc=3, argv=0x7fffffffe358) at main.c:6044
#12 0x000000000041719b in main (argc=3, argv=0x7fffffffe358) at main.c:6496
#13 0x0000000000d09a40 in __libc_start_main ()
#14 0x000000000040211e in _start ()
pwndbg>
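
The fault above is the familiar shape of an unchecked pointer handed to a type-dispatching destructor: `field` arrives as 0x0, the `GF_SG_VRML_MFDOUBLE` case copies `*((MFDouble *) field)` by value, and the first load of that copy (`mov edx, dword ptr [rax]` with RAX = 0) faults. The C below is an added example, not GPAC's code: it reconstructs that dispatch pattern in miniature, shows the unguarded form beside a guarded one that validates the pointer and the type code at the entry point, and lets a test observe that the guarded path still releases a real field. The struct layouts (a 32-bit count followed by an array pointer, which is consistent with the `[rax]` / `[rax + 8]` loads in the disassembly), the `FT_*` type codes and every function name are assumptions made for illustration; GPAC's real types, enum values and cleanup routines are not reproduced here.

```c
/* Added example (not GPAC's code): the vulnerable dispatch pattern in
 * miniature, plus a guarded form. All names, type codes and layouts below
 * are assumptions for illustration only. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified multi-value containers standing in for MFFloat / MFDouble:
 * a count word at offset 0 and an array pointer at offset 8 (assumed). */
typedef struct { unsigned count; float  *vals; } MFFloat;
typedef struct { unsigned count; double *vals; } MFDouble;

/* Hypothetical type codes; GPAC uses its own GF_SG_VRML_* enum. */
enum FieldType { FT_MFFLOAT = 1, FT_MFDOUBLE = 2 };

/* Counter so a caller or test can observe that an array was released. */
static int g_freed_arrays = 0;
int freed_arrays(void) { return g_freed_arrays; }

static void mffloat_del(MFFloat f)   { free(f.vals); g_freed_arrays++; }
static void mfdouble_del(MFDouble f) { free(f.vals); g_freed_arrays++; }

/* Unguarded form: evaluates *((MFDouble *) field) before anything has
 * checked field for NULL. With field == NULL the by-value copy reads the
 * count word from address 0, which is the faulting load in the dump
 * (mov edx, dword ptr [rax] with rax == 0). Kept here for comparison;
 * nothing below calls it with a NULL pointer. */
void field_pointer_del_unguarded(void *field, int type)
{
    switch (type) {
    case FT_MFFLOAT:
        mffloat_del(*((MFFloat *) field));
        break;
    case FT_MFDOUBLE:
        mfdouble_del(*((MFDouble *) field));
        break;
    default:
        break;
    }
}

/* Guarded form: reject a NULL field and an unknown type code before the
 * switch, and report the condition instead of faulting.
 * Returns 0 on success, -1 for a NULL field, -2 for an unknown type. */
int field_pointer_del(void *field, int type)
{
    if (field == NULL)
        return -1;
    switch (type) {
    case FT_MFFLOAT:
        mffloat_del(*((MFFloat *) field));
        ((MFFloat *) field)->vals = NULL;   /* leave no dangling pointer */
        ((MFFloat *) field)->count = 0;
        return 0;
    case FT_MFDOUBLE:
        mfdouble_del(*((MFDouble *) field));
        ((MFDouble *) field)->vals = NULL;
        ((MFDouble *) field)->count = 0;
        return 0;
    default:
        return -2;
    }
}

/* Constructed sample field: three doubles, as a parser might have produced. */
int make_sample_mfdouble(MFDouble *out)
{
    out->count = 3;
    out->vals = malloc(3 * sizeof(double));
    if (!out->vals) return -1;
    out->vals[0] = 1.0; out->vals[1] = 2.5; out->vals[2] = -4.0;
    return 0;
}

/* Build a sample, delete it through the guarded path, and return how many
 * arrays were released (expected 1), or -1 if any step misbehaved. */
int guarded_delete_sample(void)
{
    MFDouble d;
    int before = g_freed_arrays;
    if (make_sample_mfdouble(&d) != 0) return -1;
    if (field_pointer_del(&d, FT_MFDOUBLE) != 0) return -1;
    if (d.vals != NULL || d.count != 0) return -1;
    return g_freed_arrays - before;
}

/* A non-NULL field with a type code the switch does not know: the guarded
 * form must return -2 without touching the field's contents. */
int unknown_type_is_rejected(void)
{
    MFDouble scratch = { 0, NULL };
    return field_pointer_del(&scratch, 99);
}

int main(void)
{
    printf("valid field:  released %d array(s)\n", guarded_delete_sample());
    printf("NULL field:   rc=%d\n", field_pointer_del(NULL, FT_MFDOUBLE));
    printf("unknown type: rc=%d\n", unknown_type_is_rejected());
    return 0;
}
```

The check belongs at the entry point of the dispatcher rather than in any one `case`, because every arm of the switch dereferences `field` the same way; a caller that can reach `gf_sg_proto_del_instance` with an instance whose field pointer was never populated (the situation the backtrace shows, reached from `gf_sm_del` while tearing down the scene) then gets a defined error instead of a SIGSEGV, and a fuzzing harness can assert on that return value.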