Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2021-46049: Untrusted pointer dereference in gf_fileio_check() · Issue #2013 · gpac/gpac

A Pointer Dereference Vulnerability exists in GPAC 1.0.1 via the gf_fileio_check function, which could cause a Denial of Service.

CVE
Open in Source
#vulnerability#linux#dos#js#git

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

  • [Yes ] I looked for a similar issue and couldn’t find any.
  • [ Yes] I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
  • [ Yes] I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line …). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

Version:

./MP4Box -version
MP4Box - GPAC version 1.1.0-DEV-rev1574-g8b22f0912-master
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
 GPAC Filters: https://doi.org/10.1145/3339825.3394929
 GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: 
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB

command:

./bin/gcc/MP4Box -par 1=4:3 POC13

POC13.zip

Result

bt

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x5555555db320 --> 0x5dfd555e1548 
RCX: 0x0 
RDX: 0x0 
RSI: 0x8a8000032c4 
RDI: 0x5dfd555e1548 
RBP: 0x5dfd555e1548 
RSP: 0x7fffffff7fa8 --> 0x7ffff777227c (<gf_fseek+28>:  test   eax,eax)
RIP: 0x7ffff77718e2 (<gf_fileio_check+50>:  mov    edx,DWORD PTR [rdi])
R8 : 0x5555555e0e80 --> 0x7ffff76a11e0 --> 0x7ffff76a11d0 --> 0x7ffff76a11c0 --> 0x7ffff76a11b0 --> 0x7ffff76a11a0 (--> ...)
R9 : 0x0 
R10: 0x7ffff76d4625 ("gf_bs_write_long_int")
R11: 0x7ffff77747d0 (<gf_bs_write_long_int>:    endbr64)
R12: 0x8a8000032c4 
R13: 0x0 
R14: 0x7fffffff84b0 --> 0x0 
R15: 0x7fffffff8010 --> 0x5555555c7060 --> 0x0
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff77718db <gf_fileio_check+43>: je     0x7ffff77718f8 <gf_fileio_check+72>
   0x7ffff77718dd <gf_fileio_check+45>: test   rdi,rdi
   0x7ffff77718e0 <gf_fileio_check+48>: je     0x7ffff77718f8 <gf_fileio_check+72>
=> 0x7ffff77718e2 <gf_fileio_check+50>: mov    edx,DWORD PTR [rdi]
   0x7ffff77718e4 <gf_fileio_check+52>: test   edx,edx
   0x7ffff77718e6 <gf_fileio_check+54>: jne    0x7ffff77718f8 <gf_fileio_check+72>
   0x7ffff77718e8 <gf_fileio_check+56>: xor    eax,eax
   0x7ffff77718ea <gf_fileio_check+58>: cmp    QWORD PTR [rdi+0x8],rdi
[------------------------------------stack-------------------------------------]
0000| 0x7fffffff7fa8 --> 0x7ffff777227c (<gf_fseek+28>: test   eax,eax)
0008| 0x7fffffff7fb0 --> 0x8a8000032c4 
0016| 0x7fffffff7fb8 --> 0x0 
0024| 0x7fffffff7fc0 --> 0x7fffffff84a0 --> 0x8a8 
0032| 0x7fffffff7fc8 --> 0x7ffff77767f4 (<gf_bs_seek+452>:  mov    QWORD PTR [rbx+0x18],rbp)
0040| 0x7fffffff7fd0 --> 0x5555555daa30 --> 0x0 
0048| 0x7fffffff7fd8 --> 0x5555555db320 --> 0x5dfd555e1548 
0056| 0x7fffffff7fe0 --> 0x0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff77718e2 in gf_fileio_check () from /home/zxq/CVE_testing/project/gpac/bin/gcc/libgpac.so.10
gdb-peda$ bt
#0  0x00007ffff77718e2 in gf_fileio_check () from /home/zxq/CVE_testing/project/gpac/bin/gcc/libgpac.so.10
#1  0x00007ffff777227c in gf_fseek () from /home/zxq/CVE_testing/project/gpac/bin/gcc/libgpac.so.10
#2  0x00007ffff77767f4 in gf_bs_seek () from /home/zxq/CVE_testing/project/gpac/bin/gcc/libgpac.so.10
#3  0x00007ffff7910c98 in inplace_shift_mdat () from /home/zxq/CVE_testing/project/gpac/bin/gcc/libgpac.so.10
#4  0x00007ffff791549c in WriteToFile () from /home/zxq/CVE_testing/project/gpac/bin/gcc/libgpac.so.10
#5  0x00007ffff7906432 in gf_isom_write () from /home/zxq/CVE_testing/project/gpac/bin/gcc/libgpac.so.10
#6  0x00007ffff79064b8 in gf_isom_close () from /home/zxq/CVE_testing/project/gpac/bin/gcc/libgpac.so.10
#7  0x000055555557bd12 in mp4boxMain ()
#8  0x00007ffff74dc0b3 in __libc_start_main (main=0x55555556d420 <main>, argc=0x4, argv=0x7fffffffe338, init=<optimized out>, fini=<optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7fffffffe328) at ../csu/libc-start.c:308
#9  0x000055555556d45e in _start ()

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE