CVE-2021-45297: infinite loop in gf_get_bit_size() · Issue #1973 · gpac/gpac
An infinite loop vulnerability exists in GPAC 1.0.1 in gf_get_bit_size().
Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!
- [x] I looked for a similar issue and couldn’t find any.
- [x] I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
- [x] I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line …). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95
Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/
Version:
```text
./MP4Box -version
MP4Box - GPAC version 1.1.0-DEV-rev1527-g6fcf9819e-master
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
MINI build (encoders, decoders, audio and video output disabled)
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration: --static-mp4box --prefix=/home/zxq/CVE_testing/sourceproject/gpac/cmakebuild --enable-debug
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_DISABLE_3D
```
System information
Ubuntu 20.04.1 LTS, gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)
Command:
```text
./bin/gcc/MP4Box -hint POC
```
Result
**GDB information**
```text
[----------------------------------registers-----------------------------------]
RAX: 0x20000
RBX: 0x80
RCX: 0xe9b05a71
RDX: 0x1
RSI: 0x6a6a6ab8
RDI: 0x6a6a6ab8
RBP: 0x5555555e1630 --> 0x1
RSP: 0x7fffffff8078 --> 0x7ffff7875506 (<gf_rtp_builder_init+2342>: mov ebx,DWORD PTR [rbp+0x90])
RIP: 0x7ffff7788927 (<gf_get_bit_size+23>: cmp eax,edi)
R8 : 0x0
R9 : 0x20 (' ')
R10: 0x7ffff76d955a ("gf_rtp_builder_init")
R11: 0x2
R12: 0x59e
R13: 0x60 ('`')
R14: 0x5555555e1750 --> 0x0
R15: 0x0
EFLAGS: 0x206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x7ffff7788920 <gf_get_bit_size+16>: add ecx,0x1
0x7ffff7788923 <gf_get_bit_size+19>: mov eax,edx
0x7ffff7788925 <gf_get_bit_size+21>: shl eax,cl
=> 0x7ffff7788927 <gf_get_bit_size+23>: cmp eax,edi
0x7ffff7788929 <gf_get_bit_size+25>: jle 0x7ffff7788920 <gf_get_bit_size+16>
0x7ffff778892b <gf_get_bit_size+27>: mov eax,ecx
0x7ffff778892d <gf_get_bit_size+29>: ret
0x7ffff778892e: xchg ax,ax
[------------------------------------stack-------------------------------------]
0000| 0x7fffffff8078 --> 0x7ffff7875506 (<gf_rtp_builder_init+2342>: mov ebx,DWORD PTR [rbp+0x90])
0008| 0x7fffffff8080 --> 0x24a
0016| 0x7fffffff8088 --> 0xfc7
0024| 0x7fffffff8090 --> 0x32ce10ac
0032| 0x7fffffff8098 --> 0x6a6a6ab800000020
0040| 0x7fffffff80a0 --> 0x2
0048| 0x7fffffff80a8 --> 0x62 ('b')
0056| 0x7fffffff80b0 --> 0x5555555dfb90 --> 0x5555555da930 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGINT
0x00007ffff7788927 in gf_get_bit_size () from /home/zxq/CVE_testing/sourceproject/momey/gpac/bin/gcc/libgpac.so.10
gdb-peda$ bt
#0 0x00007ffff7788927 in gf_get_bit_size () from /home/zxq/CVE_testing/sourceproject/momey/gpac/bin/gcc/libgpac.so.10
#1 0x00007ffff7875506 in gf_rtp_builder_init () from /home/zxq/CVE_testing/sourceproject/momey/gpac/bin/gcc/libgpac.so.10
#2 0x00007ffff7a0ec5c in gf_hinter_track_new () from /home/zxq/CVE_testing/sourceproject/momey/gpac/bin/gcc/libgpac.so.10
#3 0x000055555557958b in HintFile ()
#4 0x000055555557d257 in mp4boxMain ()
#5 0x00007ffff74df0b3 in __libc_start_main (main=0x55555556d420 <main>, argc=0x3, argv=0x7fffffffe308, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe2f8)
at ../csu/libc-start.c:308
#6 0x000055555556d45e in _start ()
gdb-peda$
```
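The disassembly above shows why the loop never exits: `ecx` is incremented, `eax = 1 << cl` (RDX is 1), and `jle` performs a *signed* compare against the argument in RDI (0x6a6a6ab8, which has bit 30 set). Once `k` reaches 31, `1 << 31` is negative and still "less than or equal", and at `k = 32` x86 masks the shift count so `eax` is 1 again. The following added example (reconstructed from the disassembly, not GPAC's own source) reproduces that loop with an iteration cap so it returns, next to a widened-arithmetic form that terminates for every 32-bit input; the function names and sample inputs are the example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* x86 masks a 32-bit shift count to 5 bits, so "shl eax,cl" with cl = 32
 * shifts by 0 and yields 1 again instead of 0. */
static int32_t shl32_x86(int32_t v, unsigned k)
{
	return (int32_t)((uint32_t)v << (k & 31));
}

/* Loop as reconstructed from the disassembly (add ecx,1 / shl eax,cl /
 * cmp eax,edi / jle), not GPAC's source: signed compare of (1 << k)
 * against the argument. An iteration cap is added so this demo returns;
 * -1 means the real loop would spin forever. */
int bit_size_as_disassembled(uint32_t max_val)
{
	unsigned k = 0, iterations = 0;
	/* signed compare, as "cmp eax,edi; jle" does */
	while (shl32_x86(1, k) <= (int32_t)max_val) {
		k++;
		if (++iterations > 64)
			return -1; /* 1<<31 is negative and 1<<32 wraps to 1: no exit */
	}
	return (int)k;
}

/* Hardened form: widen to 64 bits and compare unsigned, so the shift
 * cannot overflow and every 32-bit input terminates within 32 steps. */
uint32_t bit_size_fixed(uint32_t max_val)
{
	uint32_t k = 0;
	while (((uint64_t)1 << k) <= (uint64_t)max_val)
		k++;
	return k;
}

int main(void)
{
	/* constructed inputs; 0x6a6a6ab8 is the RDI value from the register dump */
	uint32_t inputs[] = { 0, 1, 255, 0x3fffffff, 0x40000000, 0x6a6a6ab8 };
	for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
		printf("0x%08x: disassembled=%d fixed=%u\n", inputs[i],
		       bit_size_as_disassembled(inputs[i]), bit_size_fixed(inputs[i]));
	return 0;
}
```

Any input of 2^30 or above makes the reconstructed loop hang, so the hinter's value range alone is enough to trigger the bug; the widened version returns 31 for the dumped RDI value.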