Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2021-46045: Abort failed in MP4Box · Issue #2007 · gpac/gpac

GPAC 1.0.1 is affected by: Abort failed. The impact is: cause a denial of service (context-dependent).

CVE
Open in Source
#linux#dos#js#git

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

  • [Yes ] I looked for a similar issue and couldn’t find any.
  • [ Yes] I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
  • [ Yes] I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line …). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

Version:

./MP4Box -version
MP4Box - GPAC version 1.1.0-DEV-rev1574-g8b22f0912-master
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
 GPAC Filters: https://doi.org/10.1145/3339825.3394929
 GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: 
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB

command:

./bin/gcc/MP4Box -hint POC10

POC10.zip

Result

bt

Program received signal SIGABRT, Aborted.
[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x7ffff697e740 (0x00007ffff697e740)
RCX: 0x7ffff74fb18b (<__GI_raise+203>:  mov    rax,QWORD PTR [rsp+0x108])
RDX: 0x0 
RSI: 0x7fffffff8060 --> 0x0 
RDI: 0x2 
RBP: 0x7fffffff83b0 --> 0x7ffff76a0b80 --> 0x0 
RSP: 0x7fffffff8060 --> 0x0 
RIP: 0x7ffff74fb18b (<__GI_raise+203>:  mov    rax,QWORD PTR [rsp+0x108])
R8 : 0x0 
R9 : 0x7fffffff8060 --> 0x0 
R10: 0x8 
R11: 0x246 
R12: 0x7fffffff82d0 --> 0x5555555eafa0 --> 0x7374626c ('lbts')
R13: 0x10 
R14: 0x7ffff7ffb000 --> 0x6565726600001000 
R15: 0x1
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff74fb17f <__GI_raise+191>: mov    edi,0x2
   0x7ffff74fb184 <__GI_raise+196>: mov    eax,0xe
   0x7ffff74fb189 <__GI_raise+201>: syscall 
=> 0x7ffff74fb18b <__GI_raise+203>: mov    rax,QWORD PTR [rsp+0x108]
   0x7ffff74fb193 <__GI_raise+211>: xor    rax,QWORD PTR fs:0x28
   0x7ffff74fb19c <__GI_raise+220>: jne    0x7ffff74fb1c4 <__GI_raise+260>
   0x7ffff74fb19e <__GI_raise+222>: mov    eax,r8d
   0x7ffff74fb1a1 <__GI_raise+225>: add    rsp,0x118
[------------------------------------stack-------------------------------------]
0000| 0x7fffffff8060 --> 0x0 
0008| 0x7fffffff8068 --> 0x0 
0016| 0x7fffffff8070 --> 0x5555555e7d50 --> 0x5555555eaa30 --> 0x100010000000006 
0024| 0x7fffffff8078 --> 0xf6015b1303ad4900 
0032| 0x7fffffff8080 --> 0x5 
0040| 0x7fffffff8088 --> 0x5555555e83e0 --> 0x5555555ebe10 --> 0x5555555ebbb0 --> 0x0 
0048| 0x7fffffff8090 --> 0x7fffffff81e0 --> 0x0 
0056| 0x7fffffff8098 --> 0x0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGABRT
__GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
50  ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
gdb-peda$ bt
#0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff74da859 in __GI_abort () at abort.c:79
#2  0x00007ffff75453ee in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff766f285 "%s\n") at ../sysdeps/posix/libc_fatal.c:155
#3  0x00007ffff754d47c in malloc_printerr (str=str@entry=0x7ffff7671600 "free(): invalid next size (fast)") at malloc.c:5347
#4  0x00007ffff754ed2c in _int_free (av=0x7ffff76a0b80 <main_arena>, p=0x5555555e1640, have_lock=0x0) at malloc.c:4249
#5  0x00007ffff78cc82b in stco_box_del () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#6  0x00007ffff78f8b6c in gf_isom_box_del () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#7  0x00007ffff78f8b9f in gf_isom_box_del () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#8  0x00007ffff78f8b9f in gf_isom_box_del () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#9  0x00007ffff78f8b9f in gf_isom_box_del () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#10 0x00007ffff78f8b9f in gf_isom_box_del () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#11 0x00007ffff78f8b9f in gf_isom_box_del () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#12 0x00007ffff78f9bc7 in gf_isom_box_array_del () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#13 0x00007ffff79031b7 in gf_isom_delete_movie () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#14 0x00007ffff79064c3 in gf_isom_close () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#15 0x000055555557bd12 in mp4boxMain ()
#16 0x00007ffff74dc0b3 in __libc_start_main (main=0x55555556d420 <main>, argc=0x3, argv=0x7fffffffe318, init=<optimized out>, fini=<optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7fffffffe308) at ../csu/libc-start.c:308
#17 0x000055555556d45e in _start ()
gdb-peda$

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE