Headline
CVE-2021-44925: Null Pointer Dereference in gf_svg_get_attribute_name() · Issue #1967 · gpac/gpac
A null pointer dereference vulnerability exists in gpac 1.1.0 in the gf_svg_get_attribute_name function, which causes a segmentation fault and application crash.
Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!
- I looked for a similar issue and couldn’t find any.
- I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
- I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line …). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95
Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/
A null pointer dereference was discovered in gf_svg_get_attribute_name(). The vulnerability causes a segmentation fault and application crash.
Version:
MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration:
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB GPAC_DISABLE_3D
System information
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz
command:
poc_4.zip
Result
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type 80rak in parent moov
[iso file] Incomplete box mdat - start 11495 size 796312
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type 80rak in parent moov
[iso file] Incomplete box mdat - start 11495 size 796312
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 LASeR Scene Parsing
Scene loaded - dumping 1 systems streams
[1] 3570050 segmentation fault ./MP4Box -lsr ./poc/poc_4
gdb
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff78e16ac in gf_svg_get_attribute_name () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
RAX 0x0
RBX 0x5555555decb0 —▸ 0x5555555d4350 ◂— 0x0
RCX 0x0
RDX 0x7ffff7f7c428 (xml_elements+8) ◂— 0x300000422
RDI 0x0
RSI 0x0
R8 0x0
R9 0xa
R10 0x7ffff7e45bd4 ◂— 0x6e696f7020002022 /* '" ' */
R11 0x7fffffff6ee7 ◂— 0xbffcbef5d8160036 /* '6' */
R12 0x5555555df180 —▸ 0x5555555d4350 ◂— 0x0
R13 0x0
R14 0x7ffff7e10cf4 ◂— 'textContent'
R15 0x7ffff7df5e9b ◂— 0x663325002f2e2e00
RBP 0x7fffffff7080 ◂— 0x344e /* 'N4' */
RSP 0x7fffffff6fe0 ◂— 0x25286574616c736e ('nslate(%')
RIP 0x7ffff78e16ac (gf_svg_get_attribute_name+28) ◂— mov rax, qword ptr [rdi]
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
► 0x7ffff78e16ac <gf_svg_get_attribute_name+28> mov rax, qword ptr [rdi]
0x7ffff78e16af <gf_svg_get_attribute_name+31> movzx ecx, word ptr [rax]
0x7ffff78e16b2 <gf_svg_get_attribute_name+34> xor eax, eax
0x7ffff78e16b4 <gf_svg_get_attribute_name+36> cmp cx, 0x408
0x7ffff78e16b9 <gf_svg_get_attribute_name+41> jne gf_svg_get_attribute_name+64
<gf_svg_get_attribute_name+64>
↓
0x7ffff78e16d0 <gf_svg_get_attribute_name+64> cmp dword ptr [rdx], ecx
0x7ffff78e16d2 <gf_svg_get_attribute_name+66> jne gf_svg_get_attribute_name+48
<gf_svg_get_attribute_name+48>
↓
0x7ffff78e16c0 <gf_svg_get_attribute_name+48> add eax, 1
0x7ffff78e16c3 <gf_svg_get_attribute_name+51> add rdx, 0x10
0x7ffff78e16c7 <gf_svg_get_attribute_name+55> cmp eax, 0x4e
0x7ffff78e16ca <gf_svg_get_attribute_name+58> je gf_svg_get_attribute_name+365
<gf_svg_get_attribute_name+365>
──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffff6fe0 ◂— 0x25286574616c736e ('nslate(%')
01:0008│ 0x7fffffff6fe8 —▸ 0x5555555decb0 —▸ 0x5555555d4350 ◂— 0x0
02:0010│ 0x7fffffff6ff0 —▸ 0x7fffffff7080 ◂— 0x344e /* 'N4' */
03:0018│ 0x7fffffff6ff8 —▸ 0x5555555df180 —▸ 0x5555555d4350 ◂— 0x0
04:0020│ 0x7fffffff7000 —▸ 0x5555555df2e0 ◂— 0x0
05:0028│ 0x7fffffff7008 —▸ 0x7ffff7e10cf4 ◂— 'textContent'
06:0030│ 0x7fffffff7010 —▸ 0x7ffff7df5e9b ◂— 0x663325002f2e2e00
07:0038│ 0x7fffffff7018 —▸ 0x7ffff7abae7a (DumpLSRAddReplaceInsert+938) ◂— mov r14, rax
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
► f 0 0x7ffff78e16ac gf_svg_get_attribute_name+28
f 1 0x7ffff7abae7a DumpLSRAddReplaceInsert+938
f 2 0x7ffff7abb12b gf_sm_dump_command_list+219
f 3 0x7ffff7ac254c gf_sm_dump+1116
f 4 0x555555584418 dump_isom_scene+616
f 5 0x55555557b42c mp4boxMain+9228
f 6 0x7ffff75630b3 __libc_start_main+243
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0 0x00007ffff78e16ac in gf_svg_get_attribute_name () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#1 0x00007ffff7abae7a in DumpLSRAddReplaceInsert () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#2 0x00007ffff7abb12b in gf_sm_dump_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#3 0x00007ffff7ac254c in gf_sm_dump () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#4 0x0000555555584418 in dump_isom_scene ()
#5 0x000055555557b42c in mp4boxMain ()
#6 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe188, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe178) at ../csu/libc-start.c:308
#7 0x000055555556c45e in _start ()