CVE-2021-45767: Invalid memory address dereference in lsr_read_id() · Issue #1982 · gpac/gpac

GPAC 1.1.0 was discovered to contain an invalid memory address dereference via the function lsr_read_id(). This vulnerability can lead to a Denial of Service (DoS).

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

  • I looked for a similar issue and couldn’t find any.
  • I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
  • I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line …). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

An invalid memory address dereference was discovered in lsr_read_id(). The vulnerability causes a segmentation fault and application crash.

Version:

MP4Box - GPAC version 1.1.0-DEV-rev1555-g339e7a736-master
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
        GPAC Filters: https://doi.org/10.1145/3339825.3394929
        GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --prefix=/root/fuck_bin/gpac/test
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D

System information
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

command:

POCs
lsr_read_id.zip

tree
.
├── lsr_read_id-lsr_read_a
│   └── id_000661,sig_11,src_005751,op_havoc,rep_4
├── lsr_read_id-lsr_read_animate
│   ├── id_000623,sig_11,src_005500+003857,op_splice,rep_2
│   ├── id_000669,sig_11,src_005818,op_havoc,rep_8
│   └── id_000707,sig_11,src_006355,op_havoc,rep_8
├── lsr_read_id-lsr_read_audio.isra
│   └── id_000539,sig_11,src_004864,op_havoc,rep_8
├── lsr_read_id-lsr_read_ellipse
│   ├── id_000540,sig_11,src_004864,op_havoc,rep_8
│   └── id_000681,sig_06,src_005943,op_havoc,rep_2
├── lsr_read_id-lsr_read_linearGradient
│   └── id_000407,sig_11,src_004547,op_havoc,rep_2
├── lsr_read_id-lsr_read_polygon
│   ├── id_000424,sig_11,src_004557,op_havoc,rep_4
│   └── id_000533,sig_06,src_004856+005154,op_splice,rep_4
├── lsr_read_id-lsr_read_rect
│   └── id_000653,sig_06,src_005718+005529,op_splice,rep_2
└── lsr_read_id-lsr_read_scene_content_model
    ├── id_000457,sig_11,src_004611,op_havoc,rep_2
    └── id_000687,sig_11,src_006098,op_havoc,rep_4

8 directories, 13 files

Result

The result is omitted here.

gdb

The gdb result is omitted here.