CVE-2021-45258: Stack Overflow in gf_bifs_dec_proto_list() · Issue #1970 · gpac/gpac
A stack overflow vulnerability exists in gpac 1.1.0 via the gf_bifs_dec_proto_list function, which causes a segmentation fault and application crash.
Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!
- I looked for a similar issue and couldn’t find any.
- I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
- I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line …). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95
Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/
A stack overflow was discovered in gf_bifs_dec_proto_list(). The vulnerability causes a segmentation fault and application crash.
Version:
MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration:
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB GPAC_DISABLE_3D
System information
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz
command:
poc_8.zip
Result
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type stbk in parent minf
[iso file] extra box maxr found in hinf, deleting
[iso file] Track with no sample table !
[iso file] Track with no sample description box !
[iso file] Unknown box type 80rak in parent moov
[iso file] Incomplete box mdat - start 11495 size 832544
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type stbk in parent minf
[iso file] extra box maxr found in hinf, deleting
[iso file] Track with no sample table !
[iso file] Track with no sample description box !
[iso file] Unknown box type 80rak in parent moov
[iso file] Incomplete box mdat - start 11495 size 832544
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 BIFS Scene Parsing
*** stack smashing detected ***: terminated
[1] 3737450 abort ./MP4Box -lsr ./poc/poc_8
gdb
*** stack smashing detected ***: terminated
Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
RAX 0x0
*RBX 0x7ffff72bf040 ◂— 0x7ffff72bf040
*RCX 0x7ffff758218b (raise+203) ◂— mov rax, qword ptr [rsp + 0x108]
RDX 0x0
*RDI 0x2
*RSI 0x7fffffff68a0 ◂— 0x0
*R8 0x0
*R9 0x7fffffff68a0 ◂— 0x0
*R10 0x8
*R11 0x246
*R12 0x7fffffff6b20 ◂— 0x0
*R13 0x20
*R14 0x7ffff7ffb000 ◂— 0x202a2a2a00001000
*R15 0x1
*RBP 0x7fffffff6c20 —▸ 0x7ffff76f607c ◂— '*** %s ***: terminated\n'
*RSP 0x7fffffff68a0 ◂— 0x0
*RIP 0x7ffff758218b (raise+203) ◂— mov rax, qword ptr [rsp + 0x108]
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
► 0x7ffff758218b <raise+203> mov rax, qword ptr [rsp + 0x108]
0x7ffff7582193 <raise+211> xor rax, qword ptr fs:[0x28]
0x7ffff758219c <raise+220> jne raise+260 <raise+260>
↓
0x7ffff75821c4 <raise+260> call __stack_chk_fail <__stack_chk_fail>
0x7ffff75821c9 nop dword ptr [rax]
0x7ffff75821d0 <killpg> endbr64
0x7ffff75821d4 <killpg+4> test edi, edi
0x7ffff75821d6 <killpg+6> js killpg+16 <killpg+16>
0x7ffff75821d8 <killpg+8> neg edi
0x7ffff75821da <killpg+10> jmp kill <kill>
0x7ffff75821df <killpg+15> nop
──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsi r9 rsp 0x7fffffff68a0 ◂— 0x0
01:0008│ 0x7fffffff68a8 —▸ 0x7ffff7546278 ◂— 0x10001200005bb2
02:0010│ 0x7fffffff68b0 —▸ 0x7fffffff6c40 —▸ 0x5555555df3b0 ◂— 0x6b6
03:0018│ 0x7fffffff68b8 —▸ 0x7ffff7fe7c2e ◂— mov r11, rax
04:0020│ 0x7fffffff68c0 ◂— 0xcd2709f17adf5bb6
05:0028│ 0x7fffffff68c8 ◂— 0x0
06:0030│ 0x7fffffff68d0 ◂— 0x7
07:0038│ 0x7fffffff68d8 ◂— 0x1
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
► f 0 0x7ffff758218b raise+203
f 1 0x7ffff7561859 abort+299
f 2 0x7ffff75cc3ee __libc_message+670
f 3 0x7ffff766eb4a __fortify_fail+42
f 4 0x7ffff766eb16
f 5 0x7ffff79064bc gf_bifs_dec_proto_list+2012
f 6 0xb6b6b6b6b6b6b6b6
f 7 0xb6b6b6b6b6b6b6b6
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x00007ffff7561859 in __GI_abort () at abort.c:79
#2 0x00007ffff75cc3ee in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff76f607c "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:155
#3 0x00007ffff766eb4a in __GI___fortify_fail (msg=msg@entry=0x7ffff76f6064 "stack smashing detected") at fortify_fail.c:26
#4 0x00007ffff766eb16 in __stack_chk_fail () at stack_chk_fail.c:24
#5 0x00007ffff79064bc in gf_bifs_dec_proto_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#6 0xb6b6b6b6b6b6b6b6 in ?? ()
#7 0xb6b6b6b6b6b6b6b6 in ?? ()
#8 0xb6b6b6b6b6b6b6b6 in ?? ()
#9 0xb6b6b6b6b6b6b6b6 in ?? ()
#10 0xb6b6b6b6b6b6b6b6 in ?? ()
#11 0xb6b6b6b6b6b6b6b6 in ?? ()
#12 0xb6b6b6b6b6b6b6b6 in ?? ()
#13 0xb6b6b6b6b6b6b6b6 in ?? ()
#14 0xb6b6b6b6b6b6b6b6 in ?? ()
#15 0xb6b6b6b6b6b6b6b6 in ?? ()
#16 0xb6b6b6b6b6b6b6b6 in ?? ()
#17 0xb6b6b6b6b6b6b6b6 in ?? ()
#18 0xb6b6b6b6b6b6b6b6 in ?? ()
#19 0xb6b6b6b6b6b6b6b6 in ?? ()
#20 0xb6b6b6b6b6b6b6b6 in ?? ()
#21 0xb6b6b6b6b6b6b6b6 in ?? ()
#22 0xb6b6b6b6b6b6b6b6 in ?? ()
#23 0xb6b6b6b6b6b6b6b6 in ?? ()
#24 0xb6b6b6b6b6b6b6b6 in ?? ()
#25 0xb6b6b6b6b6b6b6b6 in ?? ()
#26 0xb6b6b6b6b6b6b6b6 in ?? ()
#27 0xb6b6b6b6b6b6b6b6 in ?? ()
#28 0xb6b6b6b6b6b6b6b6 in ?? ()
#29 0xb6b6b6b6b6b6b6b6 in ?? ()
#30 0xb6b6b6b6b6b6b6b6 in ?? ()
#31 0xb6b6b6b6b6b6b6b6 in ?? ()
#32 0xb6b6b6b6b6b6b6b6 in ?? ()
#33 0xb6b6b6b6b6b6b6b6 in ?? ()
#34 0xb6b6b6b6b6b6b6b6 in ?? ()
#35 0xb6b6b6b6b6b6b6b6 in ?? ()
#36 0xb6b6b6b6b6b6b6b6 in ?? ()
#37 0xb6b6b6b6b6b6b6b6 in ?? ()
#38 0xb6b6b6b6b6b6b6b6 in ?? ()
#39 0xb6b6b6b6b6b6b6b6 in ?? ()
#40 0xb6b6b6b6b6b6b6b6 in ?? ()
#41 0xb6b6b6b6b6b6b6b6 in ?? ()
#42 0xb6b6b6b6b6b6b6b6 in ?? ()
#43 0xb6b6b6b6b6b6b6b6 in ?? ()
#44 0xb6b6b6b6b6b6b6b6 in ?? ()
#45 0xb6b6b6b6b6b6b6b6 in ?? ()
#46 0xb6b6b6b6b6b6b6b6 in ?? ()
#47 0xb6b6b6b6b6b6b6b6 in ?? ()
#48 0xb6b6b6b6b6b6b6b6 in ?? ()
#49 0xb6b6b6b6b6b6b6b6 in ?? ()
#50 0xb6b6b6b6b6b6b6b6 in ?? ()
#51 0xb6b6b6b6b6b6b6b6 in ?? ()
#52 0xb6b6b6b6b6b6b6b6 in ?? ()
#53 0xb6b6b6b6b6b6b6b6 in ?? ()
#54 0xb6b6b6b6b6b6b6b6 in ?? ()
#55 0xb6b6b6b6b6b6b6b6 in ?? ()
#56 0xb6b6b6b6b6b6b6b6 in ?? ()
#57 0xb6b6b6b6b6b6b6b6 in ?? ()
#58 0xb6b6b6b6b6b6b6b6 in ?? ()
#59 0xb6b6b6b6b6b6b6b6 in ?? ()
#60 0xb6b6b6b6b6b6b6b6 in ?? ()
#61 0xb6b6b6b6b6b6b6b6 in ?? ()
#62 0xb6b6b6b6b6b6b6b6 in ?? ()
#63 0xb6b6b6b6b6b6b6b6 in ?? ()
#64 0xb6b6b6b6b6b6b6b6 in ?? ()
#65 0xb6b6b6b6b6b6b6b6 in ?? ()
#66 0xb6b6b6b6b6b6b6b6 in ?? ()
#67 0xb6b6b6b6b6b6b6b6 in ?? ()
#68 0xb6b6b6b6b6b6b6b6 in ?? ()
#69 0xb6b6b6b6b6b6b6b6 in ?? ()
#70 0xb6b6b6b6b6b6b6b6 in ?? ()
#71 0xb6b6b6b6b6b6b6b6 in ?? ()
#72 0xb6b6b6b6b6b6b6b6 in ?? ()
#73 0xb6b6b6b6b6b6b6b6 in ?? ()
#74 0xb6b6b6b6b6b6b6b6 in ?? ()
#75 0xb6b6b6b6b6b6b6b6 in ?? ()
#76 0xb6b6b6b6b6b6b6b6 in ?? ()
#77 0xb6b6b6b6b6b6b6b6 in ?? ()
#78 0xb6b6b6b6b6b6b6b6 in ?? ()
#79 0xb6b6b6b6b6b6b6b6 in ?? ()
#80 0xb6b6b6b6b6b6b6b6 in ?? ()
#81 0xb6b6b6b6b6b6b6b6 in ?? ()
#82 0xb6b6b6b6b6b6b6b6 in ?? ()
#83 0xb6b6b6b6b6b6b6b6 in ?? ()
#84 0xb6b6b6b6b6b6b6b6 in ?? ()
#85 0xb6b6b6b6b6b6b6b6 in ?? ()
#86 0xb6b6b6b6b6b6b6b6 in ?? ()
#87 0xb6b6b6b6b6b6b6b6 in ?? ()
#88 0xb6b6b6b6b6b6b6b6 in ?? ()
#89 0xb6b6b6b6b6b6b6b6 in ?? ()
#90 0xb6b6b6b6b6b6b6b6 in ?? ()
#91 0xb6b6b6b6b6b6b6b6 in ?? ()
#92 0xb6b6b6b6b6b6b6b6 in ?? ()
#93 0xb6b6b6b6b6b6b6b6 in ?? ()
#94 0xb6b6b6b6b6b6b6b6 in ?? ()
#95 0xb6b6b6b6b6b6b6b6 in ?? ()
#96 0xb6b6b6b6b6b6b6b6 in ?? ()
#97 0xb6b6b6b6b6b6b6b6 in ?? ()
#98 0x000080b6b6b6b6b6 in ?? ()
#99 0x0000000000000002 in ?? ()
#100 0x0000000000000044 in ?? ()
#101 0x0000000000000008 in ?? ()
#102 0x00005555555c7e60 in ?? ()
#103 0x00005555555cf500 in ?? ()
#104 0x0000000000000000 in ?? ()
break gf_bifs_dec_proto_list
Breakpoint 1, 0x00007ffff7905ce0 in gf_bifs_dec_proto_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
──────────────────────────────────[ REGISTERS ]───────────────────────────────────
RAX 0x1
RBX 0x5555555d23b0 ◂— 0x0
RCX 0x710
RDX 0x5555555df2f0 ◂— 0x0
RDI 0x5555555de660 ◂— 0x0
RSI 0x5555555d23b0 ◂— 0x0
R8 0x0
R9 0x0
R10 0x7ffff775bc80 ◂— 'gf_sg_command_new'
R11 0x7ffff7727be0 (main_arena+96) —▸ 0x5555555df320 ◂— 0x0
R12 0x5555555df2f0 ◂— 0x0
R13 0x5555555df1d0 ◂— 0x0
R14 0x5555555d42a0 ◂— 0x0
R15 0x0
RBP 0x5555555de660 ◂— 0x0
RSP 0x7fffffff7168 —▸ 0x7ffff7906559 (BD_DecSceneReplace+73) ◂— mov r12d, eax
RIP 0x7ffff7905ce0 (gf_bifs_dec_proto_list) ◂— endbr64
────────────────────────────────────[ DISASM ]────────────────────────────────────
► 0x7ffff7905ce0 <gf_bifs_dec_proto_list> endbr64
0x7ffff7905ce4 <gf_bifs_dec_proto_list+4> push r15
0x7ffff7905ce6 <gf_bifs_dec_proto_list+6> push r14
0x7ffff7905ce8 <gf_bifs_dec_proto_list+8> push r13
0x7ffff7905cea <gf_bifs_dec_proto_list+10> mov r13, rsi
0x7ffff7905ced <gf_bifs_dec_proto_list+13> mov esi, 1
0x7ffff7905cf2 <gf_bifs_dec_proto_list+18> push r12
0x7ffff7905cf4 <gf_bifs_dec_proto_list+20> push rbp
0x7ffff7905cf5 <gf_bifs_dec_proto_list+21> push rbx
0x7ffff7905cf6 <gf_bifs_dec_proto_list+22> sub rsp, 0x488
0x7ffff7905cfd <gf_bifs_dec_proto_list+29> mov rax, qword ptr [rdi + 0x50]
────────────────────────────────────[ STACK ]─────────────────────────────────────
00:0000│ rsp 0x7fffffff7168 —▸ 0x7ffff7906559 (BD_DecSceneReplace+73) ◂— mov r12d, eax
01:0008│ 0x7fffffff7170 —▸ 0x5555555de660 ◂— 0x0
02:0010│ 0x7fffffff7178 —▸ 0x5555555df250 —▸ 0x5555555d4030 ◂— 0x0
03:0018│ 0x7fffffff7180 —▸ 0x5555555d23b0 ◂— 0x0
04:0020│ 0x7fffffff7188 —▸ 0x5555555df1d0 ◂— 0x0
05:0028│ 0x7fffffff7190 —▸ 0x5555555d42a0 ◂— 0x0
06:0038│ 0x7fffffff7198 —▸ 0x7ffff7914e5e (BM_SceneReplace+110) ◂— mov rsi, rbp
07:0038│ 0x7fffffff71a0 —▸ 0x5555555dea00 —▸ 0x5555555df1f0 —▸ 0x5555555df1a0 ◂— 0x0
──────────────────────────────────[ BACKTRACE ]───────────────────────────────────
► f 0 0x7ffff7905ce0 gf_bifs_dec_proto_list
f 1 0x7ffff7906559 BD_DecSceneReplace+73
f 2 0x7ffff7914e5e BM_SceneReplace+110
f 3 0x7ffff7915023 BM_ParseCommand+179
f 4 0x7ffff7915353 gf_bifs_decode_command_list+163
f 5 0x7ffff7aa1d91 gf_sm_load_run_isom+1217
f 6 0x5555555844a8 dump_isom_scene+760
f 7 0x55555557b42c mp4boxMain+9228
──────────────────────────────────────────────────────────────────────────────────
pwndbg> c
Continuing.
Breakpoint 1, 0x00007ffff7905ce0 in gf_bifs_dec_proto_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
──────────────────────────────────[ REGISTERS ]───────────────────────────────────
*RAX 0x0
*RBX 0x5555555df330 ◂— 0x6b6
*RCX 0x5555555dfdf0 ◂— 0x0
*RDX 0x0
RDI 0x5555555de660 ◂— 0xfffffffd
RSI 0x5555555d23b0 ◂— 0x0
*R8 0x5555555dfda0 —▸ 0x5555555df330 ◂— 0x6b6
*R9 0x7c
*R10 0x7ffff775bf0a ◂— 'gf_sg_proto_get_graph'
*R11 0x7ffff788b850 (gf_sg_proto_get_graph) ◂— endbr64
*R12 0x5555555de660 ◂— 0xfffffffd
*R13 0x5555555d23b0 ◂— 0x0
R14 0x5555555d42a0 ◂— 0x0
*R15 0x7fffffff6d40 ◂— 0xb6b6b6b6b6b6b6b6
*RBP 0x6b6
*RSP 0x7fffffff6ca8 —▸ 0x7ffff79062d7 (gf_bifs_dec_proto_list+1527) ◂— mov dword ptr [rsp + 0x14], eax
RIP 0x7ffff7905ce0 (gf_bifs_dec_proto_list) ◂— endbr64
────────────────────────────────────[ DISASM ]────────────────────────────────────
► 0x7ffff7905ce0 <gf_bifs_dec_proto_list> endbr64
0x7ffff7905ce4 <gf_bifs_dec_proto_list+4> push r15
0x7ffff7905ce6 <gf_bifs_dec_proto_list+6> push r14
0x7ffff7905ce8 <gf_bifs_dec_proto_list+8> push r13
0x7ffff7905cea <gf_bifs_dec_proto_list+10> mov r13, rsi
0x7ffff7905ced <gf_bifs_dec_proto_list+13> mov esi, 1
0x7ffff7905cf2 <gf_bifs_dec_proto_list+18> push r12
0x7ffff7905cf4 <gf_bifs_dec_proto_list+20> push rbp
0x7ffff7905cf5 <gf_bifs_dec_proto_list+21> push rbx
0x7ffff7905cf6 <gf_bifs_dec_proto_list+22> sub rsp, 0x488
0x7ffff7905cfd <gf_bifs_dec_proto_list+29> mov rax, qword ptr [rdi + 0x50]
────────────────────────────────────[ STACK ]─────────────────────────────────────
00:0000│ rsp 0x7fffffff6ca8 —▸ 0x7ffff79062d7 (gf_bifs_dec_proto_list+1527) ◂— mov dword ptr [rsp + 0x14], eax
01:0008│ 0x7fffffff6cb0 —▸ 0x7ffff775bc80 ◂— 'gf_sg_command_new'
02:0010│ 0x7fffffff6cb8 —▸ 0x5555555df330 ◂— 0x6b6
03:0018│ 0x7fffffff6cc0 ◂— 0xffff6d50
04:0020│ 0x7fffffff6cc8 —▸ 0x5555555de660 ◂— 0xfffffffd
05:0028│ 0x7fffffff6cd0 —▸ 0x5555555df2f0 —▸ 0x5555555dfda0 —▸ 0x5555555df330 ◂— 0x6b6
06:0030│ 0x7fffffff6cd8 —▸ 0x5555555d4030 ◂— 0x0
07:0038│ 0x7fffffff6ce0 ◂— 0x0
──────────────────────────────────[ BACKTRACE ]───────────────────────────────────
► f 0 0x7ffff7905ce0 gf_bifs_dec_proto_list
f 1 0x7ffff79062d7 gf_bifs_dec_proto_list+1527
f 2 0xb6b6b6b6b6b6b6b6
f 3 0xb6b6b6b6b6b6b6b6
f 4 0xb6b6b6b6b6b6b6b6
f 5 0xb6b6b6b6b6b6b6b6
f 6 0xb6b6b6b6b6b6b6b6
f 7 0xb6b6b6b6b6b6b6b6
──────────────────────────────────────────────────────────────────────────────────
pwndbg> stack 200
00:0000│ rsp 0x7fffffff6ca8 —▸ 0x7ffff79062d7 (gf_bifs_dec_proto_list+1527) ◂— mov dword ptr [rsp + 0x14], eax
01:0008│ 0x7fffffff6cb0 —▸ 0x7ffff775bc80 ◂— 'gf_sg_command_new'
02:0010│ 0x7fffffff6cb8 —▸ 0x5555555df330 ◂— 0x6b6
03:0018│ 0x7fffffff6cc0 ◂— 0xffff6d50
04:0020│ 0x7fffffff6cc8 —▸ 0x5555555de660 ◂— 0xfffffffd
05:0028│ 0x7fffffff6cd0 —▸ 0x5555555df2f0 —▸ 0x5555555dfda0 —▸ 0x5555555df330 ◂— 0x6b6
06:0030│ 0x7fffffff6cd8 —▸ 0x5555555d4030 ◂— 0x0
07:0038│ 0x7fffffff6ce0 ◂— 0x0
... ↓ 2 skipped
0a:0050│ 0x7fffffff6cf8 —▸ 0x7ffff7fc7000 —▸ 0x7ffff7743000 ◂— 0x10102464c457f
0b:0058│ 0x7fffffff6d00 —▸ 0x7fffffff6d90 ◂— 0xb6b6b6b6b6b6b6b6
0c:0060│ 0x7fffffff6d08 ◂— 0x0
0d:0068│ 0x7fffffff6d10 —▸ 0x7ffff7fc7000 —▸ 0x7ffff7743000 ◂— 0x10102464c457f
0e:0070│ 0x7fffffff6d18 —▸ 0x7ffff7fc7368 —▸ 0x7ffff7ffe450 —▸ 0x7ffff73131e0 —▸ 0x7ffff7ffe190 ◂— ...
0f:0078│ 0x7fffffff6d20 ◂— 0x0
10:0080│ 0x7fffffff6d28 ◂— 0x0
11:0088│ 0x7fffffff6d30 ◂— 0x1
12:0090│ 0x7fffffff6d38 ◂— 0x7fff00000001
13:0098│ r15 0x7fffffff6d40 ◂— 0xb6b6b6b6b6b6b6b6
... ↓ 180 skipped
pwndbg>
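The gdb session above is all the evidence the report gives, so the useful thing to add at this point is a triage helper that reads such a backtrace and states what it shows. The Python below is an added example, not code from the reporter or from GPAC. It parses gdb `bt` frame lines (the sample is constructed from the frames quoted in the report), flags the `__stack_chk_fail` abort, names the frame directly beneath it as the function whose stack canary was overwritten, and counts the `??` frames whose saved address is a single repeated byte, the 0xb6 fill visible in the report. The function names (`parse_frames`, `repeated_byte`, `triage_backtrace`, `verdict`) are this example's own, not GPAC's.

```python
"""Crash-triage helper for a gdb/pwndbg backtrace.

Added example; not part of the GPAC issue or the GPAC code base. It answers
three questions about a pasted 'bt' listing: did the stack protector abort
the process, which function's frame held the tripped canary, and were the
saved frames overwritten with one repeated byte.
"""
import re
from collections import Counter

# One gdb frame line, in any of the shapes seen in the report:
#   "#5 0x00007ffff79064bc in gf_bifs_dec_proto_list () from /path/libgpac.so.10"
#   "#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50"
#   "#7 0xb6b6b6b6b6b6b6b6 in ?? ()"
FRAME_RE = re.compile(r"^#(\d+)\s+(?:(0x[0-9a-fA-F]+)\s+in\s+)?([^\s(]+)\s*\(")

# Constructed sample: a subset of the backtrace frames quoted in the report.
SAMPLE_BT = """\
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff7561859 in __GI_abort () at abort.c:79
#2  0x00007ffff75cc3ee in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff76f607c "*** %s ***: terminated\\n") at ../sysdeps/posix/libc_fatal.c:155
#3  0x00007ffff766eb4a in __GI___fortify_fail (msg=msg@entry=0x7ffff76f6064 "stack smashing detected") at fortify_fail.c:26
#4  0x00007ffff766eb16 in __stack_chk_fail () at stack_chk_fail.c:24
#5  0x00007ffff79064bc in gf_bifs_dec_proto_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#6  0xb6b6b6b6b6b6b6b6 in ?? ()
#7  0xb6b6b6b6b6b6b6b6 in ?? ()
#8  0xb6b6b6b6b6b6b6b6 in ?? ()
#9  0xb6b6b6b6b6b6b6b6 in ?? ()
#10 0xb6b6b6b6b6b6b6b6 in ?? ()
#98 0x000080b6b6b6b6b6 in ?? ()
#99 0x0000000000000002 in ?? ()
#100 0x00005555555c7e60 in ?? ()
#101 0x0000000000000000 in ?? ()
"""


def parse_frames(bt_text):
    """Return [(index, address or None, symbol)] for every '#N' line."""
    frames = []
    for line in bt_text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            idx, addr, sym = m.groups()
            frames.append((int(idx), int(addr, 16) if addr else None, sym))
    return frames


def repeated_byte(addr, width=8):
    """Return the byte value if every byte of the width-byte address is the
    same non-zero value (a fill pattern), else None."""
    if addr is None or addr == 0 or addr.bit_length() > width * 8:
        return None
    b = addr.to_bytes(width, "little")
    return b[0] if all(x == b[0] for x in b) else None


def triage_backtrace(bt_text):
    """Summarise a backtrace as a dict of triage facts."""
    frames = parse_frames(bt_text)
    syms = [s for _, _, s in frames]
    result = {"canary_abort": "__stack_chk_fail" in syms, "victim": None,
              "fill_byte": None, "corrupted_frames": 0}
    if result["canary_abort"]:
        k = syms.index("__stack_chk_fail")
        # The frame right below __stack_chk_fail is the function whose
        # epilogue found its canary changed: its locals were overrun.
        if k + 1 < len(frames):
            result["victim"] = syms[k + 1]
    # Unresolvable frames whose "return address" is one repeated byte are
    # saved frames that the overflow overwrote with the file's fill data.
    fills = Counter(repeated_byte(a) for _, a, s in frames if s == "??")
    fills.pop(None, None)
    if fills:
        byte, n = fills.most_common(1)[0]
        result["fill_byte"] = byte
        result["corrupted_frames"] = n
    return result


def verdict(bt_text):
    """One-line human-readable triage statement."""
    r = triage_backtrace(bt_text)
    if not r["canary_abort"]:
        return "no stack-protector abort in this backtrace"
    msg = f"stack buffer overflow caught by the canary in {r['victim']}"
    if r["fill_byte"] is not None:
        msg += f"; {r['corrupted_frames']} saved frames overwritten with 0x{r['fill_byte']:02x}"
    return msg


if __name__ == "__main__":
    print(verdict(SAMPLE_BT))
```

On the sample this yields "stack buffer overflow caught by the canary in gf_bifs_dec_proto_list; 5 saved frames overwritten with 0xb6". The canary abort is what turns a silent return-address overwrite into the SIGABRT seen in the report; the same helper applied to a build without `-fstack-protector` would report no canary abort and the crash would instead surface as a fault at the overwritten return address.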