CVE-2021-45831: Null Pointer Dereference in __strlen_avx2 () · Issue #1990 · gpac/gpac
A Null Pointer Dereference vulnerability exists in GPAC 1.0.1 in MP4Box via __strlen_avx2, which causes a Denial of Service.
I re-checked the software version and the runtime information; it seems that the bug still exists.
Version
MP4Box - GPAC version 1.1.0-DEV-rev1566-gaa906eefd-master
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration:
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB
Result
[1] 1742533 segmentation fault ./MP4Box -bt ~/POC1
GDB information
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x7ffff7851530 (<gf_svg_dump_attribute+688>: lea rdi,[rip+0x5a40bf] # 0x7ffff7df55f6)
RBX: 0x7fffffff71e0 --> 0x450000004a ('J')
RCX: 0x0
RDX: 0x0
RSI: 0x7fffffff71e0 --> 0x450000004a ('J')
RDI: 0x0
RBP: 0x0
RSP: 0x7fffffff6908 --> 0x7ffff755a503 (<__GI___strdup+19>: lea r12,[rax+0x1])
RIP: 0x7ffff7643675 (<__strlen_avx2+21>: vpcmpeqb ymm1,ymm0,YMMWORD PTR [rdi])
R8 : 0x1
R9 : 0x15
R10: 0x7ffff7e307db --> 0x253a73252f3c0022 ('"')
R11: 0x5555555f25c0 --> 0x5555555f25e0 --> 0x0
R12: 0x5555555f4990 --> 0x1
R13: 0x5555555f4990 --> 0x1
R14: 0x5
R15: 0x5555555f47e0 --> 0x5555555f4800 --> 0x300010430
EFLAGS: 0x10283 (CARRY parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x7ffff764366d <__strlen_avx2+13>: and ecx,0x3f
0x7ffff7643670 <__strlen_avx2+16>: cmp ecx,0x20
0x7ffff7643673 <__strlen_avx2+19>: ja 0x7ffff76436a0 <__strlen_avx2+64>
=> 0x7ffff7643675 <__strlen_avx2+21>: vpcmpeqb ymm1,ymm0,YMMWORD PTR [rdi]
0x7ffff7643679 <__strlen_avx2+25>: vpmovmskb eax,ymm1
0x7ffff764367d <__strlen_avx2+29>: test eax,eax
0x7ffff764367f <__strlen_avx2+31>: jne 0x7ffff7643770 <__strlen_avx2+272>
0x7ffff7643685 <__strlen_avx2+37>: add rdi,0x20
[------------------------------------stack-------------------------------------]
0000| 0x7fffffff6908 --> 0x7ffff755a503 (<__GI___strdup+19>: lea r12,[rax+0x1])
0008| 0x7fffffff6910 --> 0x0
0016| 0x7fffffff6918 --> 0x5555555f47e0 --> 0x5555555f4800 --> 0x300010430
0024| 0x7fffffff6920 --> 0x5555555f4990 --> 0x1
0032| 0x7fffffff6928 --> 0x7ffff7851545 (<gf_svg_dump_attribute+709>: mov r13,rax)
0040| 0x7fffffff6930 --> 0x0
0048| 0x7fffffff6938 --> 0x0
0056| 0x7fffffff6940 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
__strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:65
65 ../sysdeps/x86_64/multiarch/strlen-avx2.S: No such file or directory.
gdb-peda$ bt
#0 __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:65
#1 0x00007ffff755a503 in __GI___strdup (s=0x0) at strdup.c:41
#2 0x00007ffff7851545 in gf_svg_dump_attribute () from /home/zxq/CVE_testing/sourceproject/gpac2/gpac/bin/gcc/libgpac.so.10
#3 0x00007ffff7a497f2 in gf_dump_svg_element () from /home/zxq/CVE_testing/sourceproject/gpac2/gpac/bin/gcc/libgpac.so.10
#4 0x00007ffff7a4a9c0 in gf_sm_dump_command_list () from /home/zxq/CVE_testing/sourceproject/gpac2/gpac/bin/gcc/libgpac.so.10
#5 0x00007ffff7a5174d in gf_sm_dump () from /home/zxq/CVE_testing/sourceproject/gpac2/gpac/bin/gcc/libgpac.so.10
#6 0x0000555555585418 in dump_isom_scene ()
#7 0x000055555557c42c in mp4boxMain ()
#8 0x00007ffff74df0b3 in __libc_start_main (main=0x55555556d420 <main>, argc=0x3, argv=0x7fffffffe318, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>,
stack_end=0x7fffffffe308) at ../csu/libc-start.c:308
#9 0x000055555556d45e in _start ()
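The backtrace above ends in __GI___strdup (s=0x0): strdup() calls strlen() on its argument unconditionally, so a NULL attribute value faults inside __strlen_avx2 before any copy is made. As an added example that is not code from this report or from GPAC, the block below puts that bug shape next to a NULL-tolerant version. The svg_attr struct and the dump_attr_* / safe_strdup names are hypothetical stand-ins, not GPAC's own types or functions; the sample attributes are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for an SVG attribute record (not GPAC's real type):
 * the trace shows the dump path reaching strdup() with s=0x0, i.e. an
 * attribute whose value pointer was never set. */
struct svg_attr {
    const char *name;
    const char *value;   /* NULL when the attribute was never assigned */
};

/* Vulnerable pattern: glibc's strdup() runs strlen() on its argument with no
 * NULL check, so an unset value faults inside strlen (the __strlen_avx2
 * frame in the backtrace). Kept only to show the bug shape; calling it with
 * a NULL value reproduces the crash. */
char *dump_attr_unchecked(const struct svg_attr *a) {
    return strdup(a->value);
}

/* NULL-tolerant duplicate: returns NULL for NULL input instead of faulting.
 * It also returns NULL on allocation failure, so callers that need to tell
 * the two apart must check the input themselves first. */
char *safe_strdup(const char *s) {
    if (s == NULL) return NULL;
    size_t n = strlen(s) + 1;
    char *copy = malloc(n);
    if (copy == NULL) return NULL;
    memcpy(copy, s, n);
    return copy;
}

/* Hardened dump: an unset attribute is rendered as an empty value so the
 * output stays well-formed and no NULL ever reaches strlen(). Returns a
 * heap-allocated name="value" fragment, or NULL on allocation failure. */
char *dump_attr_checked(const struct svg_attr *a) {
    const char *val = a->value ? a->value : "";
    size_t n = strlen(a->name) + strlen(val) + 4;   /* =" + " + NUL */
    char *out = malloc(n);
    if (out == NULL) return NULL;
    snprintf(out, n, "%s=\"%s\"", a->name, val);
    return out;
}

int main(void) {
    struct svg_attr set   = { "id", "J" };     /* constructed sample */
    struct svg_attr unset = { "id", NULL };    /* the crashing case */

    char *ok    = dump_attr_checked(&set);
    char *empty = dump_attr_checked(&unset);
    printf("%s\n%s\n", ok, empty);
    free(ok);
    free(empty);

    /* dump_attr_unchecked(&unset) would SIGSEGV in strlen, as in the report. */
    return 0;
}
```

The fix pattern is the same whichever helper the real code uses: test the pointer before it reaches any libc string routine, and decide explicitly what an unset attribute should print as, rather than relying on strdup() to cope.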