CVE-2018-21015: SEGV in AVC_DuplicateConfig() at avc_ext.c:847 · Issue #1179 · gpac/gpac
AVC_DuplicateConfig() at isomedia/avc_ext.c in GPAC 0.7.1 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted file. At avc_ext.c:847 the function executes "cfg_new->AVCLevelIndication = cfg->AVCLevelIndication;" without checking its argument, but cfg can be NULL (in the backtrace below it arrives as cfg=0x0 from merge_avc_config()).
Tested on Ubuntu 18.04, 64-bit, gcc 7.3.0, gpac (master 94ad872)
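The following is an added example, not GPAC's code: a minimal stand-in for the AVC_DuplicateConfig()/merge_avc_config() pair described above, showing the unchecked copy that faults on a NULL source config next to a guarded version that reports the missing config as an error instead. The struct and function names are hypothetical.

```c
/* Added example, not GPAC's code. Models the copy at avc_ext.c:847 with a
 * hypothetical config struct; only the NULL-handling differs between the
 * two duplicate functions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    unsigned char AVCProfileIndication;
    unsigned char AVCLevelIndication;
} avc_config_t;

/* Vulnerable shape: dereferences cfg unconditionally, so cfg == NULL
 * (cfg=0x0 in the report) crashes on the AVCLevelIndication copy. */
avc_config_t *duplicate_config_unchecked(const avc_config_t *cfg) {
    avc_config_t *cfg_new = calloc(1, sizeof(*cfg_new));
    if (!cfg_new) return NULL;
    cfg_new->AVCProfileIndication = cfg->AVCProfileIndication;
    cfg_new->AVCLevelIndication = cfg->AVCLevelIndication; /* SEGV if cfg is NULL */
    return cfg_new;
}

/* Hardened shape: a missing source config is a parse error, not a crash. */
avc_config_t *duplicate_config(const avc_config_t *cfg) {
    if (!cfg) return NULL;
    avc_config_t *cfg_new = calloc(1, sizeof(*cfg_new));
    if (!cfg_new) return NULL;
    memcpy(cfg_new, cfg, sizeof(*cfg_new));
    return cfg_new;
}

/* Caller modelled on merge_avc_config(): replaces *dst_cfg with a copy of
 * src_cfg. Returns 0 on success, -1 if src_cfg is absent or copying fails;
 * on failure *dst_cfg is left untouched. */
int merge_config(avc_config_t **dst_cfg, const avc_config_t *src_cfg) {
    avc_config_t *copy = duplicate_config(src_cfg);
    if (!copy) return -1;
    free(*dst_cfg);
    *dst_cfg = copy;
    return 0;
}

/* Walks the crafted-file case: a sample entry whose source config is NULL.
 * Returns 0 when the guarded path rejects it without touching dst. */
int run_example(void) {
    avc_config_t src = { 100, 31 };           /* constructed sample values */
    avc_config_t *dst = NULL;
    if (merge_config(&dst, &src) != 0) return 1;
    if (merge_config(&dst, NULL) != -1) return 2;  /* rejected, no crash */
    int ok = (dst && dst->AVCLevelIndication == 31) ? 0 : 3;
    free(dst);
    return ok;
}
```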
Compile command:
$ ./configure --extra-cflags="-g"
$ make
Triggered by
$ MP4Box -diso $POC
POC file:
https://github.com/Marsman1996/pocs/blob/master/gpac/poc12-SEGV
gdb info:
Program received signal SIGSEGV, Segmentation fault.
AVC_DuplicateConfig (cfg=0x0)
at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/avc_ext.c:847
847 cfg_new->AVCLevelIndication = cfg->AVCLevelIndication;
(gdb) bt
#0 AVC_DuplicateConfig (cfg=0x0) at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/avc_ext.c:847
#1 0x00007ffff7856a5f in merge_avc_config (dst_cfg=dst_cfg@entry=0x5555557a8e00, src_cfg=<optimized out>)
at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/avc_ext.c:897
#2 0x00007ffff7859ae9 in AVC_RewriteESDescriptorEx (avc=avc@entry=0x5555557a8850, mdia=mdia@entry=0x0)
at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/avc_ext.c:1039
#3 0x00007ffff785a037 in AVC_RewriteESDescriptor (avc=avc@entry=0x5555557a8850)
at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/avc_ext.c:1067
#4 0x00007ffff786bd1c in video_sample_entry_Read (s=0x5555557a8850, bs=0x5555557a7f70)
at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:4291
#5 0x00007ffff7891fa7 in gf_isom_box_read (bs=0x5555557a7f70, a=0x5555557a8850)
at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
#6 gf_isom_box_parse_ex (outBox=0x7fffffff8af8, bs=0x5555557a7f70, parent_type=<optimized out>, is_root_box=<optimized out>)
at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
#7 0x00007ffff789254d in gf_isom_box_array_read_ex (parent=0x5555557a8800, bs=0x5555557a7f70, add_box=0x7ffff7865140 <stsd_AddBox>,
parent_type=1937011556) at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1277
#8 0x00007ffff7891fa7 in gf_isom_box_read (bs=0x5555557a7f70, a=0x5555557a8800)
at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
#9 gf_isom_box_parse_ex (outBox=0x7fffffff8bf8, bs=0x5555557a7f70, parent_type=<optimized out>, is_root_box=<optimized out>)
at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
#10 0x00007ffff789254d in gf_isom_box_array_read_ex (parent=parent@entry=0x5555557a8730, bs=0x5555557a7f70,
add_box=add_box@entry=0x7ffff7863750 <stbl_AddBox>, parent_type=parent_type@entry=0)
at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1277
#11 0x00007ffff7892837 in gf_isom_box_array_read (parent=parent@entry=0x5555557a8730, bs=<optimized out>,
add_box=add_box@entry=0x7ffff7863750 <stbl_AddBox>) at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:262
#12 0x00007ffff786d255 in stbl_Read (s=0x5555557a8730, bs=<optimized out>)
at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:5183
#13 0x00007ffff7891fa7 in gf_isom_box_read (bs=0x5555557a7f70, a=0x5555557a8730)
at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
#14 gf_isom_box_parse_ex (outBox=0x7fffffff8d18, bs=0x5555557a7f70, parent_type=<optimized out>, is_root_box=<optimized out>)
at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
#15 0x00007ffff789254d in gf_isom_box_array_read_ex (parent=parent@entry=0x5555557a8470, bs=0x5555557a7f70,
add_box=add_box@entry=0x7ffff7863450 <minf_AddBox>, parent_type=parent_type@entry=0)
at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1277
#16 0x00007ffff7892837 in gf_isom_box_array_read (parent=parent@entry=0x5555557a8470, bs=<optimized out>,
add_box=add_box@entry=0x7ffff7863450 <minf_AddBox>) at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:262
#17 0x00007ffff786acfb in minf_Read (s=0x5555557a8470, bs=<optimized out>)
at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:3513
#18 0x00007ffff7891fa7 in gf_isom_box_read (bs=0x5555557a7f70, a=0x5555557a8470)
at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
#19 gf_isom_box_parse_ex (outBox=0x7fffffff8e58, bs=0x5555557a7f70, parent_type=<optimized out>, is_root_box=<optimized out>)
at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
#20 0x00007ffff789254d in gf_isom_box_array_read_ex (parent=parent@entry=0x5555557a82c0, bs=0x5555557a7f70,
add_box=add_box@entry=0x7ffff7863330 <mdia_AddBox>, parent_type=parent_type@entry=0)
at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1277
#21 0x00007ffff7892837 in gf_isom_box_array_read (parent=parent@entry=0x5555557a82c0, bs=<optimized out>,
add_box=add_box@entry=0x7ffff7863330 <mdia_AddBox>) at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:262
#22 0x00007ffff786a090 in mdia_Read (s=0x5555557a82c0, bs=<optimized out>)
at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:3034
#23 0x00007ffff7891fa7 in gf_isom_box_read (bs=0x5555557a7f70, a=0x5555557a82c0)
at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
#24 gf_isom_box_parse_ex (outBox=0x7fffffff8f68, bs=0x5555557a7f70, parent_type=<optimized out>, is_root_box=<optimized out>)
at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
#25 0x00007ffff789254d in gf_isom_box_array_read_ex (parent=parent@entry=0x5555557a8100, bs=0x5555557a7f70,
add_box=add_box@entry=0x7ffff7863ec0 <trak_AddBox>, parent_type=parent_type@entry=0)
at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1277
#26 0x00007ffff7892837 in gf_isom_box_array_read (parent=parent@entry=0x5555557a8100, bs=<optimized out>,
add_box=add_box@entry=0x7ffff7863ec0 <trak_AddBox>) at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:262
#27 0x00007ffff786fd1d in trak_Read (s=0x5555557a8100, bs=<optimized out>)
at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:6905
#28 0x00007ffff7891fa7 in gf_isom_box_read (bs=0x5555557a7f70, a=0x5555557a8100)
at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
#29 gf_isom_box_parse_ex (outBox=0x7fffffff90c8, bs=0x5555557a7f70, parent_type=<optimized out>, is_root_box=<optimized out>)
at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
#30 0x00007ffff789254d in gf_isom_box_array_read_ex (parent=parent@entry=0x5555557a7bf0, bs=bs@entry=0x5555557a7f70,
add_box=0x7ffff7891be0 <gf_isom_box_add_default>, parent_type=parent_type@entry=0)
at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1277
#31 0x00007ffff7892837 in gf_isom_box_array_read (parent=parent@entry=0x5555557a7bf0, bs=bs@entry=0x5555557a7f70, add_box=<optimized out>)
at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:262
#32 0x00007ffff7866a8a in unkn_Read (s=0x5555557a7bf0, bs=<optimized out>)
at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_code_base.c:762
#33 0x00007ffff7892bc9 in gf_isom_box_read (bs=0x5555557a6a60, a=0x5555557a7bf0)
at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:1385
#34 gf_isom_box_parse_ex (outBox=outBox@entry=0x7fffffff9280, bs=bs@entry=0x5555557a6a60, is_root_box=is_root_box@entry=GF_TRUE, parent_type=0)
at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:199
#35 0x00007ffff7892fc5 in gf_isom_parse_root_box (outBox=outBox@entry=0x7fffffff9280, bs=0x5555557a6a60,
bytesExpected=bytesExpected@entry=0x7fffffff92d0, progressive_mode=progressive_mode@entry=GF_FALSE)
at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/box_funcs.c:42
#36 0x00007ffff789a20b in gf_isom_parse_movie_boxes (mov=mov@entry=0x5555557a68a0, bytesMissing=bytesMissing@entry=0x7fffffff92d0,
progressive_mode=progressive_mode@entry=GF_FALSE) at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/isom_intern.c:206
#37 0x00007ffff789b048 in gf_isom_parse_movie_boxes (progressive_mode=GF_FALSE, bytesMissing=0x7fffffff92d0, mov=0x5555557a68a0)
at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/isom_intern.c:194
#38 gf_isom_open_file (fileName=0x7fffffffe1a0 "../../poc12-SEGV", OpenMode=0, tmp_dir=0x0)
at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/src/isomedia/isom_intern.c:615
#39 0x000055555556f3bd in mp4boxMain (argc=<optimized out>, argv=<optimized out>)
at /home/ubuntu/Desktop/crashana/gpac/gpac-94ad872/applications/mp4box/main.c:4539
#40 0x00007ffff7331b97 in __libc_start_main (main=0x555555561e30 <main>, argc=3, argv=0x7fffffffdd98, init=<optimized out>, fini=<optimized out>,
rtld_fini=<optimized out>, stack_end=0x7fffffffdd88) at ../csu/libc-start.c:310
#41 0x0000555555561e6a in _start ()