Headline
CVE-2022-24577: NULL Pointer Dereference in gpac
GPAC 1.0.1 is affected by a NULL pointer dereference in gf_utf8_wcslen. (gf_utf8_wcslen is a renamed Unicode utf8_wcslen function.)
Description
Null Pointer Dereference in gf_utf8_wcslen ()
Proof of Concept
POC is here.
bt
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x24 ('$')
RBX: 0x5555555e2870 --> 0x5555555e2840 --> 0x2000000020000000 ('')
RCX: 0x0
RDX: 0x7ffff697e740 (0x00007ffff697e740)
RSI: 0x0
RDI: 0x0
RBP: 0x2
RSP: 0x7fffffff7ff8 --> 0x7ffff78f7d71 (<xtra_box_dump+129>: lea ebx,[rax*4+0x0])
RIP: 0x7ffff77ac884 (<gf_utf8_wcslen+4>: cmp WORD PTR [rdi],0x0)
R8 : 0x0
R9 : 0x24 ('$')
R10: 0x7ffff7e0cbc7 --> 0x22 ('"')
R11: 0x7fffffff7ec7 --> 0x58c47a4e82a90030
R12: 0x5555555db220 --> 0x7ffffbad2c84
R13: 0x5555555e2920 --> 0x58747261 ('artX')
R14: 0x5555555e28a0 --> 0x0
R15: 0x7ffff7e71725 --> 0x2020200058323025 ('%02X')
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x7ffff77ac874: data16 nop WORD PTR cs:[rax+rax*1+0x0]
0x7ffff77ac87f: nop
0x7ffff77ac880 <gf_utf8_wcslen>: endbr64
=> 0x7ffff77ac884 <gf_utf8_wcslen+4>: cmp WORD PTR [rdi],0x0
0x7ffff77ac888 <gf_utf8_wcslen+8>: je 0x7ffff77ac8a8 <gf_utf8_wcslen+40>
0x7ffff77ac88a <gf_utf8_wcslen+10>: mov rax,rdi
0x7ffff77ac88d <gf_utf8_wcslen+13>: nop DWORD PTR [rax]
0x7ffff77ac890 <gf_utf8_wcslen+16>: add rax,0x2
[------------------------------------stack-------------------------------------]
0000| 0x7fffffff7ff8 --> 0x7ffff78f7d71 (<xtra_box_dump+129>: lea ebx,[rax*4+0x0])
0008| 0x7fffffff8000 --> 0x5555555db650 --> 0x73747473 ('stts')
0016| 0x7fffffff8008 --> 0x2
0024| 0x7fffffff8010 --> 0x0
0032| 0x7fffffff8018 --> 0x6458c47a4e82a900
0040| 0x7fffffff8020 --> 0x5555555db220 --> 0x7ffffbad2c84
0048| 0x7fffffff8028 --> 0x5555555da950 --> 0x0
0056| 0x7fffffff8030 --> 0x5555555e2920 --> 0x58747261 ('artX')
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff77ac884 in gf_utf8_wcslen () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
gdb-peda$ bt
#0 0x00007ffff77ac884 in gf_utf8_wcslen () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#1 0x00007ffff78f7d71 in xtra_box_dump () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#2 0x00007ffff78fa5f2 in gf_isom_box_dump () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#3 0x00007ffff78e99f6 in gf_isom_dump () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#4 0x0000555555588c15 in dump_isom_xml ()
#5 0x000055555557c564 in mp4boxMain ()
#6 0x00007ffff74dc0b3 in __libc_start_main (main=0x55555556d420 <main>, argc=0x5, argv=0x7fffffffe328, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe318)
at ../csu/libc-start.c:308
#7 0x000055555556d45e in _start ()
Impact
This vulnerability is capable of crashing software, Bypass Protection Mechanism, Modify Memory, and possible remote execution.
Related news
Gentoo Linux Security Advisory 202408-21
Gentoo Linux Security Advisory 202408-21 - Multiple vulnerabilities have been discovered in GPAC, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 2.2.0 are affected.
Debian Security Advisory 5411-1
Debian Linux Security Advisory 5411-1 - Multiple issues were found in GPAC multimedia framework, which could result in denial of service or potentially the execution of arbitrary code.