CVE-2021-46239: Invalid free in MP4Box · Issue #2026 · gpac/gpac
The MP4Box binary in GPAC v1.1.0 was found to contain an invalid-free vulnerability reached through the function gf_free() in utils/alloc.c. In the backtrace below, gf_free() is called with the non-pointer value 0x21 from gf_svg_delete_attribute_value() (scenegraph/svg_types.c:425, type=71) during SVG node teardown, and free() then faults reading the chunk header at [rdi - 8]; the defect therefore appears to be in the SVG attribute-value destructor rather than in the allocator wrapper itself. This vulnerability can lead to a Denial of Service (DoS).
Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!
- I looked for a similar issue and couldn’t find any.
- I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
- I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line …). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95
Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/
Version:
./MP4Box -version
MP4Box - GPAC version 1.1.0-DEV-rev1582-g94db9779c-master
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
MINI build (encoders, decoders, audio and video output disabled)
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration: --static-mp4box --enable-debug --
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_DISABLE_3D
command:
./bin/gcc/MP4Box -disox -ttxt -2 -dump-chap-ogg -dump-cover -drtp -bt -out /dev/null POC1
POC1.zip
Result (pwndbg crash context and backtrace):
bt
Program received signal SIGSEGV, Segmentation fault.
0x0000000000d43f7d in free ()
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
──────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]───────────────────────────────────────────────────────────────────────────────────────────────────
RAX 0x0
RBX 0x400788 ◂— 0x0
RCX 0x110ac60 ◂— 0x0
RDX 0xe0bfa8 ◂— 0xff71f347ff71f31e
RDI 0x21
RSI 0x110ac60 ◂— 0x0
R8 0x7
R9 0x0
R10 0xffffffd8
R11 0x246
R12 0xd0a2b0 (__libc_csu_fini) ◂— endbr64
R13 0x0
R14 0x10a6018 (_GLOBAL_OFFSET_TABLE_+24) —▸ 0xd80db0 (__memmove_avx_unaligned_erms) ◂— endbr64
R15 0x0
RBP 0x7fffffff7600 —▸ 0x7fffffff7660 —▸ 0x7fffffff7690 —▸ 0x7fffffff76f0 —▸ 0x7fffffff7720 ◂— ...
RSP 0x7fffffff75d0 —▸ 0x7fffffff7610 —▸ 0x7fffffff7630 —▸ 0x7fffffff7690 —▸ 0x7fffffff76f0 ◂— ...
RIP 0xd43f7d (free+29) ◂— mov rax, qword ptr [rdi - 8]
────────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]────────────────────────────────────────────────────────────────────────────────────────────────────
► 0xd43f7d <free+29> mov rax, qword ptr [rdi - 8]
0xd43f81 <free+33> lea rsi, [rdi - 0x10]
0xd43f85 <free+37> test al, 2
0xd43f87 <free+39> jne free+96 <free+96>
↓
0xd43fc0 <free+96> mov edx, dword ptr [rip + 0x387f0e] <0x10cbed4>
0xd43fc6 <free+102> test edx, edx
0xd43fc8 <free+104> jne free+123 <free+123>
↓
0xd43fdb <free+123> mov rdi, rsi
0xd43fde <free+126> add rsp, 0x18
0xd43fe2 <free+130> jmp munmap_chunk <munmap_chunk>
↓
0xd3ee70 <munmap_chunk> sub rsp, 8
────────────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffff75d0 —▸ 0x7fffffff7610 —▸ 0x7fffffff7630 —▸ 0x7fffffff7690 —▸ 0x7fffffff76f0 ◂— ...
01:0008│ 0x7fffffff75d8 —▸ 0xd0a2b0 (__libc_csu_fini) ◂— endbr64
02:0010│ 0x7fffffff75e0 ◂— 0x0
03:0018│ 0x7fffffff75e8 —▸ 0x450b75 (gf_free+28) ◂— nop
04:0020│ 0x7fffffff75f0 ◂— 0x0
05:0028│ 0x7fffffff75f8 ◂— 0x21 /* '!' */
06:0030│ rbp 0x7fffffff7600 —▸ 0x7fffffff7660 —▸ 0x7fffffff7690 —▸ 0x7fffffff76f0 —▸ 0x7fffffff7720 ◂— ...
07:0038│ 0x7fffffff7608 —▸ 0x52b08f (gf_svg_delete_attribute_value+324) ◂— mov rax, qword ptr [rbp - 0x40]
──────────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────────────────────────────────────────────────────
► f 0 0xd43f7d free+29
f 1 0x450b75 gf_free+28
f 2 0x52b08f gf_svg_delete_attribute_value+324
f 3 0x52aea9 svg_delete_one_anim_value+54
f 4 0x52b1ae gf_svg_delete_attribute_value+611
f 5 0x551ed6 gf_node_delete_attributes+70
f 6 0x52aaa7 gf_svg_node_del+642
f 7 0x47c020 gf_node_del+521
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0 0x0000000000d43f7d in free ()
#1 0x0000000000450b75 in gf_free (ptr=0x21) at utils/alloc.c:165
#2 0x000000000052b08f in gf_svg_delete_attribute_value (type=71, value=0x110ac60, sg=0x10ebe70) at scenegraph/svg_types.c:425
#3 0x000000000052aea9 in svg_delete_one_anim_value (anim_datatype=71 'G', anim_value=0x110ac60, sg=0x10ebe70) at scenegraph/svg_types.c:363
#4 0x000000000052b1ae in gf_svg_delete_attribute_value (type=52, value=0x110ac40, sg=0x10ebe70) at scenegraph/svg_types.c:462
#5 0x0000000000551ed6 in gf_node_delete_attributes (node=0x10fdea0) at scenegraph/xml_ns.c:722
#6 0x000000000052aaa7 in gf_svg_node_del (node=0x10fdea0) at scenegraph/svg_types.c:124
#7 0x000000000047c020 in gf_node_del (node=0x10fdea0) at scenegraph/base_scenegraph.c:1909
#8 0x00000000004797a6 in gf_node_unregister (pNode=0x10fdea0, parentNode=0x10fbce0) at scenegraph/base_scenegraph.c:761
#9 0x000000000047ad0f in gf_node_unregister_children (container=0x10fbce0, child=0x10fe340) at scenegraph/base_scenegraph.c:1369
#10 0x000000000047b27f in gf_sg_parent_reset (node=0x10fbce0) at scenegraph/base_scenegraph.c:1582
#11 0x000000000052aab3 in gf_svg_node_del (node=0x10fbce0) at scenegraph/svg_types.c:125
#12 0x000000000047c020 in gf_node_del (node=0x10fbce0) at scenegraph/base_scenegraph.c:1909
#13 0x00000000004797a6 in gf_node_unregister (pNode=0x10fbce0, parentNode=0x10fb7c0) at scenegraph/base_scenegraph.c:761
#14 0x000000000047ad0f in gf_node_unregister_children (container=0x10fb7c0, child=0x10fe300) at scenegraph/base_scenegraph.c:1369
#15 0x000000000047b27f in gf_sg_parent_reset (node=0x10fb7c0) at scenegraph/base_scenegraph.c:1582
#16 0x000000000052aab3 in gf_svg_node_del (node=0x10fb7c0) at scenegraph/svg_types.c:125
#17 0x000000000047c020 in gf_node_del (node=0x10fb7c0) at scenegraph/base_scenegraph.c:1909
#18 0x00000000004797a6 in gf_node_unregister (pNode=0x10fb7c0, parentNode=0x10fb2a0) at scenegraph/base_scenegraph.c:761
#19 0x000000000047ad0f in gf_node_unregister_children (container=0x10fb2a0, child=0x10fe2c0) at scenegraph/base_scenegraph.c:1369
#20 0x000000000047b27f in gf_sg_parent_reset (node=0x10fb2a0) at scenegraph/base_scenegraph.c:1582
#21 0x000000000052aab3 in gf_svg_node_del (node=0x10fb2a0) at scenegraph/svg_types.c:125
#22 0x000000000047c020 in gf_node_del (node=0x10fb2a0) at scenegraph/base_scenegraph.c:1909
#23 0x00000000004797a6 in gf_node_unregister (pNode=0x10fb2a0, parentNode=0x10fad80) at scenegraph/base_scenegraph.c:761
#24 0x000000000047ad0f in gf_node_unregister_children (container=0x10fad80, child=0x10fe200) at scenegraph/base_scenegraph.c:1369
#25 0x000000000047b27f in gf_sg_parent_reset (node=0x10fad80) at scenegraph/base_scenegraph.c:1582
#26 0x000000000052aab3 in gf_svg_node_del (node=0x10fad80) at scenegraph/svg_types.c:125
#27 0x000000000047c020 in gf_node_del (node=0x10fad80) at scenegraph/base_scenegraph.c:1909
#28 0x00000000004797a6 in gf_node_unregister (pNode=0x10fad80, parentNode=0x10fa860) at scenegraph/base_scenegraph.c:761
#29 0x000000000047ad0f in gf_node_unregister_children (container=0x10fa860, child=0x110aa40) at scenegraph/base_scenegraph.c:1369
#30 0x000000000047b27f in gf_sg_parent_reset (node=0x10fa860) at scenegraph/base_scenegraph.c:1582
#31 0x000000000052aab3 in gf_svg_node_del (node=0x10fa860) at scenegraph/svg_types.c:125
#32 0x000000000047c020 in gf_node_del (node=0x10fa860) at scenegraph/base_scenegraph.c:1909
#33 0x00000000004797a6 in gf_node_unregister (pNode=0x10fa860, parentNode=0x10fa340) at scenegraph/base_scenegraph.c:761
#34 0x000000000047ad0f in gf_node_unregister_children (container=0x10fa340, child=0x110aa80) at scenegraph/base_scenegraph.c:1369
#35 0x000000000047b27f in gf_sg_parent_reset (node=0x10fa340) at scenegraph/base_scenegraph.c:1582
#36 0x000000000052aab3 in gf_svg_node_del (node=0x10fa340) at scenegraph/svg_types.c:125
#37 0x000000000047c020 in gf_node_del (node=0x10fa340) at scenegraph/base_scenegraph.c:1909
#38 0x00000000004797a6 in gf_node_unregister (pNode=0x10fa340, parentNode=0x10f9e20) at scenegraph/base_scenegraph.c:761
#39 0x000000000047ad0f in gf_node_unregister_children (container=0x10f9e20, child=0x110aac0) at scenegraph/base_scenegraph.c:1369
#40 0x000000000047b27f in gf_sg_parent_reset (node=0x10f9e20) at scenegraph/base_scenegraph.c:1582
#41 0x000000000052aab3 in gf_svg_node_del (node=0x10f9e20) at scenegraph/svg_types.c:125
#42 0x000000000047c020 in gf_node_del (node=0x10f9e20) at scenegraph/base_scenegraph.c:1909
#43 0x00000000004797a6 in gf_node_unregister (pNode=0x10f9e20, parentNode=0x10f9900) at scenegraph/base_scenegraph.c:761
#44 0x000000000047ad0f in gf_node_unregister_children (container=0x10f9900, child=0x110aa00) at scenegraph/base_scenegraph.c:1369
#45 0x000000000047b27f in gf_sg_parent_reset (node=0x10f9900) at scenegraph/base_scenegraph.c:1582
#46 0x000000000052aab3 in gf_svg_node_del (node=0x10f9900) at scenegraph/svg_types.c:125
#47 0x000000000047c020 in gf_node_del (node=0x10f9900) at scenegraph/base_scenegraph.c:1909
#48 0x00000000004797a6 in gf_node_unregister (pNode=0x10f9900, parentNode=0x10f9320) at scenegraph/base_scenegraph.c:761
#49 0x000000000047ad0f in gf_node_unregister_children (container=0x10f9320, child=0x110a940) at scenegraph/base_scenegraph.c:1369
#50 0x000000000047b27f in gf_sg_parent_reset (node=0x10f9320) at scenegraph/base_scenegraph.c:1582
#51 0x000000000052aab3 in gf_svg_node_del (node=0x10f9320) at scenegraph/svg_types.c:125
#52 0x000000000047c020 in gf_node_del (node=0x10f9320) at scenegraph/base_scenegraph.c:1909
#53 0x00000000004797a6 in gf_node_unregister (pNode=0x10f9320, parentNode=0x10f9220) at scenegraph/base_scenegraph.c:761
#54 0x000000000047ad0f in gf_node_unregister_children (container=0x10f9220, child=0x110a980) at scenegraph/base_scenegraph.c:1369
#55 0x000000000047b27f in gf_sg_parent_reset (node=0x10f9220) at scenegraph/base_scenegraph.c:1582
#56 0x000000000052aab3 in gf_svg_node_del (node=0x10f9220) at scenegraph/svg_types.c:125
#57 0x000000000047c020 in gf_node_del (node=0x10f9220) at scenegraph/base_scenegraph.c:1909
#58 0x00000000004797a6 in gf_node_unregister (pNode=0x10f9220, parentNode=0x0) at scenegraph/base_scenegraph.c:761
#59 0x0000000000479423 in gf_node_try_destroy (sg=0x10ebe70, pNode=0x10f9220, parentNode=0x0) at scenegraph/base_scenegraph.c:667
#60 0x000000000047dac7 in gf_sg_command_del (com=0x10f8fd0) at scenegraph/commands.c:97
#61 0x00000000006a0b93 in gf_sm_au_del (sc=0x10f6470, au=0x10f85a0) at scene_manager/scene_manager.c:113
#62 0x00000000006a0c24 in gf_sm_reset_stream (sc=0x10f6470) at scene_manager/scene_manager.c:126
#63 0x00000000006a0c58 in gf_sm_delete_stream (sc=0x10f6470) at scene_manager/scene_manager.c:133
#64 0x00000000006a0d03 in gf_sm_del (ctx=0x10ec2a0) at scene_manager/scene_manager.c:147
#65 0x000000000041797b in dump_isom_scene (file=0x7fffffffe654 "free-gf_free/POC1", inName=0x7fffffffe64a "/dev/null", is_final_name=GF_TRUE, dump_mode=GF_SM_DUMP_BT, do_log=GF_FALSE, no_odf_conv=GF_FALSE) at filedump.c:216
#66 0x000000000041521f in mp4boxMain (argc=11, argv=0x7fffffffe2e8) at main.c:6044
#67 0x000000000041719b in main (argc=11, argv=0x7fffffffe2e8) at main.c:6496
#68 0x0000000000d09a40 in __libc_start_main ()
#69 0x000000000040211e in _start ()
pwndbg>