CVE-2021-46039: Untrusted pointer dereference in shift_chunk_offsets.part () · Issue #1999 · gpac/gpac
A Pointer Dereference Vulnerability exists in GPAC 1.0.1 via the shift_chunk_offsets.part function, which causes a Denial of Service (context-dependent).
Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!
- [x] I looked for a similar issue and couldn't find any.
- [x] I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
- [x] I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95
Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/
Version:
./MP4Box -version
MP4Box - GPAC version 1.1.0-DEV-rev1574-g8b22f0912-master
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration:
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB
command:
./bin/gcc/MP4Box -hint POC
POC.zip
Result
bt
Program received signal SIGSEGV, Segmentation fault.
0x0000000000544b81 in shift_chunk_offsets.part ()
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
RAX 0x6054
RBX 0x6054
RCX 0x0
RDX 0xf23eb0 ◂— 0xcc3900003712
RDI 0xffffffff
RSI 0xf3c000
R8 0x0
R9 0x7fffffff7f00 —▸ 0xf22fd0 ◂— 0x6d646961 /* 'aidm' */
R10 0xdda2e0 (_nl_C_LC_CTYPE_toupper+512) ◂— 0x100000000
R11 0x246
R12 0x14
R13 0xffff7f00
R14 0xf9000016
R15 0xf1e710 ◂— 0x7374636f /* 'octs' */
RBP 0x0
RSP 0x7fffffff7f00 —▸ 0xf22fd0 ◂— 0x6d646961 /* 'aidm' */
RIP 0x544b81 (shift_chunk_offsets.part+257) ◂— mov eax, dword ptr [rsi]
► 0x544b81 <shift_chunk_offsets.part+257> mov eax, dword ptr [rsi]
0x544b83 <shift_chunk_offsets.part+259> mov rdx, rax
0x544b86 <shift_chunk_offsets.part+262> add rax, r12
0x544b89 <shift_chunk_offsets.part+265> cmp rax, rdi
0x544b8c <shift_chunk_offsets.part+268> jbe shift_chunk_offsets.part+488 <shift_chunk_offsets.part+488>
↓
0x544c68 <shift_chunk_offsets.part+488> add edx, r12d
0x544c6b <shift_chunk_offsets.part+491> xor ebp, ebp
0x544c6d <shift_chunk_offsets.part+493> mov dword ptr [rsi], edx
0x544c6f <shift_chunk_offsets.part+495> jmp shift_chunk_offsets.part+402 <shift_chunk_offsets.part+402>
↓
0x544c12 <shift_chunk_offsets.part+402> add ebx, 1
0x544c15 <shift_chunk_offsets.part+405> cmp r14d, ebx
00:0000│ r9 rsp 0x7fffffff7f00 —▸ 0xf22fd0 ◂— 0x6d646961 /* 'aidm' */
01:0008│ 0x7fffffff7f08 —▸ 0xf23e50 ◂— 0x73747363 /* 'csts' */
02:0010│ 0x7fffffff7f10 ◂— 0x0
03:0018│ 0x7fffffff7f18 —▸ 0x7fffffff7f60 ◂— 0x0
04:0020│ 0x7fffffff7f20 ◂— 0x2
05:0028│ 0x7fffffff7f28 —▸ 0xf233b0 ◂— 0x7374626c /* 'lbts' */
06:0030│ 0x7fffffff7f30 ◂— 0x0
07:0038│ 0x7fffffff7f38 —▸ 0xf1d6e0 ◂— 0x0
► f 0 0x544b81 shift_chunk_offsets.part+257
f 1 0x544ea7 inplace_shift_moov_meta_offsets+231
f 2 0x54593c inplace_shift_mdat+732
f 3 0x549b09 WriteToFile+2713
f 4 0x53af32 gf_isom_write+370
f 5 0x53afb8 gf_isom_close+24
f 6 0x4115b2 mp4boxMain+7410
f 7 0xb57340 __libc_start_main+1168
pwndbg> bt
#0 0x0000000000544b81 in shift_chunk_offsets.part ()
#1 0x0000000000544ea7 in inplace_shift_moov_meta_offsets ()
#2 0x000000000054593c in inplace_shift_mdat ()
#3 0x0000000000549b09 in WriteToFile ()
#4 0x000000000053af32 in gf_isom_write ()
#5 0x000000000053afb8 in gf_isom_close ()
#6 0x00000000004115b2 in mp4boxMain ()
#7 0x0000000000b57340 in __libc_start_main ()
#8 0x0000000000402cbe in _start ()
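What the trace shows: the crash is a read through RSI (0xf3c000, an unmapped address) inside shift_chunk_offsets, reached from inplace_shift_mdat while MP4Box rewrites the file for -hint. The 4CCs in the registers and on the stack ('octs', 'csts', 'lbts', 'aidm' are the little-endian renderings of stco, stsc, stbl and mdia) show that a chunk-offset table is being walked, and the instructions at +257..+495 read a 32-bit offset, add R12 (0x14, the shift), compare the sum against RDI (0xffffffff) and write the shifted value back. The loop counter in EBX is compared against R14D (0xf9000016), so the loop bound is far larger than any 32-bit offset table a file of this size could carry; that is consistent with an entry count taken from the file without being checked against the box payload, although the exact root cause is not established by the trace alone.

The following is an added, self-contained illustration written for this page, not GPAC's code: a minimal stco parser that rejects an entry_count the box cannot back with bytes, plus a 32-bit offset shift that mirrors the overflow comparison visible in the disassembly. The box layout, function names and the constructed inputs (a well-formed table, one with an inflated count, one whose offset would overflow 32 bits) are assumptions of the example.

```c
/* Constructed example: parsing an ISOBMFF 'stco' (chunk offset) box and
 * shifting its entries with the bounds checks a hardened parser needs.
 * Illustrative code written for this page, not GPAC's implementation. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 'stco' payload after the 8-byte box header:
 *   version(1) flags(3) entry_count(4) entries[entry_count], each a u32 */
#define STCO_FULLBOX_HDR 8u

static uint32_t rd_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void wr_be32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

typedef struct {
    uint32_t  entry_count;
    uint32_t *offsets;   /* heap array of exactly entry_count entries */
} stco_box;

/* Parse a stco payload of payload_len bytes. Returns 0 on success, -1 on a
 * malformed box. The key check: the entry_count declared in the file must be
 * backed by enough bytes in the box. A parser that iterates entry_count
 * entries without this check walks off the end of its buffer. */
int stco_parse(const uint8_t *payload, size_t payload_len, stco_box *out) {
    if (payload_len < STCO_FULLBOX_HDR) return -1;
    uint32_t count = rd_be32(payload + 4);
    size_t avail = payload_len - STCO_FULLBOX_HDR;
    /* Each entry is 4 bytes; reject counts the payload cannot hold. */
    if ((uint64_t)count * 4u > (uint64_t)avail) return -1;
    out->entry_count = count;
    out->offsets = NULL;
    if (count == 0) return 0;
    out->offsets = malloc((size_t)count * sizeof(uint32_t));
    if (!out->offsets) return -1;
    for (uint32_t i = 0; i < count; i++)
        out->offsets[i] = rd_be32(payload + STCO_FULLBOX_HDR + 4u * i);
    return 0;
}

/* Shift every 32-bit chunk offset by 'shift' bytes, refusing the shift if any
 * entry would no longer fit in 32 bits (a writer would then have to emit a
 * 64-bit 'co64' table instead). Returns 0 on success, -1 on overflow. */
int stco_shift_offsets(stco_box *box, uint32_t shift) {
    for (uint32_t i = 0; i < box->entry_count; i++) {
        uint64_t v = (uint64_t)box->offsets[i] + shift;
        if (v > 0xFFFFFFFFu) return -1;   /* same idea as cmp rax, 0xffffffff */
    }
    for (uint32_t i = 0; i < box->entry_count; i++)
        box->offsets[i] += shift;
    return 0;
}

void stco_free(stco_box *box) {
    free(box->offsets);
    box->offsets = NULL;
    box->entry_count = 0;
}

/* Build a stco payload with a chosen declared count and an actual number of
 * entries (constructed test input). Returns the payload length, 0 if too big. */
size_t build_stco(uint8_t *buf, size_t cap, uint32_t declared,
                  uint32_t actual, uint32_t first_off) {
    size_t need = STCO_FULLBOX_HDR + 4u * (size_t)actual;
    if (need > cap) return 0;
    memset(buf, 0, STCO_FULLBOX_HDR);          /* version 0, flags 0 */
    wr_be32(buf + 4, declared);
    for (uint32_t i = 0; i < actual; i++)
        wr_be32(buf + STCO_FULLBOX_HDR + 4u * i, first_off + 0x100u * i);
    return need;
}

/* Runs the three cases; returns 1 when the parser accepts and shifts the
 * well-formed table, rejects the inflated count, and refuses the overflow. */
int demo(void) {
    uint8_t buf[64];
    stco_box box;

    /* Well-formed: declares 3 entries, carries 3. Shift by 0x14 succeeds. */
    size_t n = build_stco(buf, sizeof buf, 3, 3, 0x1000);
    if (stco_parse(buf, n, &box) != 0) return 0;
    int ok = (stco_shift_offsets(&box, 0x14) == 0 && box.offsets[0] == 0x1014);
    stco_free(&box);
    if (!ok) return 0;

    /* Inflated: declares 0x00FFFFFF entries, carries 3. Must be rejected. */
    n = build_stco(buf, sizeof buf, 0x00FFFFFFu, 3, 0x1000);
    if (stco_parse(buf, n, &box) == 0) { stco_free(&box); return 0; }

    /* Overflow: an offset near 4 GiB cannot be shifted within 32 bits. */
    n = build_stco(buf, sizeof buf, 1, 1, 0xFFFFFFF0u);
    if (stco_parse(buf, n, &box) != 0) return 0;
    int rc = stco_shift_offsets(&box, 0x14);
    stco_free(&box);
    return rc == -1;
}
```

The inflated-count case is the one that matters for a crash like the trace above: once the declared count is trusted, every later pass over the table (including an in-place offset shift during rewriting) reads and writes past the real entries until it reaches unmapped memory. The overflow case is the condition the `cmp rax, rdi` at +265 guards against and is handled here by refusing the shift rather than silently truncating.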