
CVE-2022-24577: NULL Pointer Dereference in gpac

GPAC 1.0.1 is affected by a NULL pointer dereference in gf_utf8_wcslen. (gf_utf8_wcslen is a renamed Unicode utf8_wcslen function.)

Tags: CVE, #vulnerability, #c++

Description

Null Pointer Dereference in gf_utf8_wcslen()

Proof of Concept

PoC is here.

bt

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x24 ('$')
RBX: 0x5555555e2870 --> 0x5555555e2840 --> 0x2000000020000000 ('')
RCX: 0x0 
RDX: 0x7ffff697e740 (0x00007ffff697e740)
RSI: 0x0 
RDI: 0x0 
RBP: 0x2 
RSP: 0x7fffffff7ff8 --> 0x7ffff78f7d71 (<xtra_box_dump+129>:    lea    ebx,[rax*4+0x0])
RIP: 0x7ffff77ac884 (<gf_utf8_wcslen+4>:    cmp    WORD PTR [rdi],0x0)
R8 : 0x0 
R9 : 0x24 ('$')
R10: 0x7ffff7e0cbc7 --> 0x22 ('"')
R11: 0x7fffffff7ec7 --> 0x58c47a4e82a90030 
R12: 0x5555555db220 --> 0x7ffffbad2c84 
R13: 0x5555555e2920 --> 0x58747261 ('artX')
R14: 0x5555555e28a0 --> 0x0 
R15: 0x7ffff7e71725 --> 0x2020200058323025 ('%02X')
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff77ac874:  data16 nop WORD PTR cs:[rax+rax*1+0x0]
   0x7ffff77ac87f:  nop
   0x7ffff77ac880 <gf_utf8_wcslen>: endbr64 
=> 0x7ffff77ac884 <gf_utf8_wcslen+4>:   cmp    WORD PTR [rdi],0x0
   0x7ffff77ac888 <gf_utf8_wcslen+8>:   je     0x7ffff77ac8a8 <gf_utf8_wcslen+40>
   0x7ffff77ac88a <gf_utf8_wcslen+10>:  mov    rax,rdi
   0x7ffff77ac88d <gf_utf8_wcslen+13>:  nop    DWORD PTR [rax]
   0x7ffff77ac890 <gf_utf8_wcslen+16>:  add    rax,0x2
[------------------------------------stack-------------------------------------]
0000| 0x7fffffff7ff8 --> 0x7ffff78f7d71 (<xtra_box_dump+129>:   lea    ebx,[rax*4+0x0])
0008| 0x7fffffff8000 --> 0x5555555db650 --> 0x73747473 ('stts')
0016| 0x7fffffff8008 --> 0x2 
0024| 0x7fffffff8010 --> 0x0 
0032| 0x7fffffff8018 --> 0x6458c47a4e82a900 
0040| 0x7fffffff8020 --> 0x5555555db220 --> 0x7ffffbad2c84 
0048| 0x7fffffff8028 --> 0x5555555da950 --> 0x0 
0056| 0x7fffffff8030 --> 0x5555555e2920 --> 0x58747261 ('artX')
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff77ac884 in gf_utf8_wcslen () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
gdb-peda$ bt
#0  0x00007ffff77ac884 in gf_utf8_wcslen () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#1  0x00007ffff78f7d71 in xtra_box_dump () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#2  0x00007ffff78fa5f2 in gf_isom_box_dump () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#3  0x00007ffff78e99f6 in gf_isom_dump () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#4  0x0000555555588c15 in dump_isom_xml ()
#5  0x000055555557c564 in mp4boxMain ()
#6  0x00007ffff74dc0b3 in __libc_start_main (main=0x55555556d420 <main>, argc=0x5, argv=0x7fffffffe328, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe318)
    at ../csu/libc-start.c:308
#7  0x000055555556d45e in _start ()
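The registers above show RDI = 0x0 while the faulting instruction at gf_utf8_wcslen+4 is cmp WORD PTR [rdi],0x0: the length routine reads its argument before checking it, and xtra_box_dump handed it a NULL 16-bit string taken from a parsed box. The C program below is an added example, not GPAC's code and not its upstream fix. It assumes a wcslen-style signature over uint16_t code units (inferred from the 16-bit compare and the stride of 2 in the disassembly) and a constructed xtra_field struct standing in for the box field; it shows the unchecked shape that faults, a NULL-tolerant variant, and the caller-side validation a dumper should perform on parsed fields.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not GPAC's code. The signature below mirrors what the
   disassembly shows (16-bit compare at [rdi], stride of 2), and is an
   assumption, not GPAC's actual header. */
typedef uint32_t u32;

/* Shape of the faulting function as the trace shows it: the first thing it
   does is read *s, so a NULL s faults on the first instruction after the
   prologue, exactly like gf_utf8_wcslen+4 in the register dump. */
static u32 wcslen16_unchecked(const uint16_t *s)
{
    u32 len = 0;
    while (s[len] != 0) len++;
    return len;
}

/* Hardened variant (an assumed mitigation, not the upstream patch): treat
   NULL as an empty string so a caller that passes an absent field cannot
   crash inside the length routine. */
static u32 wcslen16_safe(const uint16_t *s)
{
    if (s == NULL) return 0;
    u32 len = 0;
    while (s[len] != 0) len++;
    return len;
}

/* Constructed stand-in for the box field xtra_box_dump passes to the length
   routine; in the crash that pointer is NULL. Checking it here is the second
   line of defence: parsed box fields are attacker-controlled input. */
struct xtra_field {
    const uint16_t *name16;  /* may be NULL when the box carried no string */
};

/* Returns the number of code units dumped, or -1 if the field was rejected. */
static int dump_xtra_field(const struct xtra_field *f)
{
    if (f == NULL || f->name16 == NULL) {
        fprintf(stderr, "xtra: missing string field, skipping\n");
        return -1;
    }
    u32 n = wcslen16_safe(f->name16);
    for (u32 i = 0; i < n; i++)
        printf("%02X ", f->name16[i]);  /* hex dump; the trace shows a '%02X' format in R15 */
    printf("\n");
    return (int)n;
}

/* Constructed sample input. */
static const uint16_t hello16[] = { 'h', 'e', 'l', 'l', 'o', 0 };

/* Argument-free helpers so each behaviour can be checked by name. */
static u32 demo_len_of_null(void)  { return wcslen16_safe(NULL); }
static u32 demo_len_of_hello(void) { return wcslen16_safe(hello16); }
static int demo_dump_null_field(void)
{
    struct xtra_field bad = { NULL };  /* the condition in the crash */
    return dump_xtra_field(&bad);
}
static int demo_dump_hello_field(void)
{
    struct xtra_field ok = { hello16 };
    return dump_xtra_field(&ok);
}

int main(void)
{
    printf("unchecked on valid input -> %u\n", wcslen16_unchecked(hello16)); /* 5 */
    printf("safe on NULL             -> %u\n", demo_len_of_null());          /* 0 */
    printf("dump valid field         -> %d\n", demo_dump_hello_field());     /* 5 */
    printf("dump NULL field          -> %d\n", demo_dump_null_field());      /* -1, no SIGSEGV */
    /* wcslen16_unchecked(NULL) would fault just as gf_utf8_wcslen+4 does. */
    return 0;
}
```

The two checks are deliberately redundant: the callee check stops this particular crash, while the caller check is what keeps the same NULL from reaching any other consumer of the field.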

Impact

This vulnerability is capable of crashing the software, bypassing protection mechanisms, modifying memory, and possibly enabling remote code execution.

Related news

Gentoo Linux Security Advisory 202408-21

Gentoo Linux Security Advisory 202408-21 - Multiple vulnerabilities have been discovered in GPAC, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 2.2.0 are affected.

Debian Security Advisory 5411-1

Debian Linux Security Advisory 5411-1 - Multiple issues were found in GPAC multimedia framework, which could result in denial of service or potentially the execution of arbitrary code.
