CVE-2022-36186: A NULL pointer dereference in gf_filter_pid_set_property_full · Issue #2223 · gpac/gpac

A Null Pointer dereference vulnerability exists in GPAC 2.1-DEV-revUNKNOWN-master via the function gf_filter_pid_set_property_full () at filter_core/filter_pid.c:5250, which causes a Denial of Service (DoS). This vulnerability was fixed in commit b43f9d1.


Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

  • I looked for a similar issue and couldn’t find any.
  • I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
  • I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line …). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

Description:

A crash happened on MP4Box (GPAC version 2.1-DEV-revUNKNOWN-master) due to a null pointer dereference vulnerability in the gf_filter_pid_set_property_full function (filter_core/filter_pid.c:5250).
MP4Box version

./MP4Box -version
MP4Box - GPAC version 2.1-DEV-revUNKNOWN-master
(c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
    GPAC Filters: https://doi.org/10.1145/3339825.3394929
    GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --enable-sanitizer
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D 

poc
poc.zip

command
./MP4Box -info poc

crash output

[AVC|H264] Warning: Error parsing NAL unit
filter_core/filter_pid.c:5250:6: runtime error: member access within null pointer of type 'struct GF_FilterPid'

gdb output

pwndbg> r
Starting program: /home/fuzz/gpac2.1/gpac/bin/gcc/MP4Box -info ../../../test/segv2/poc
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[AVC|H264] Warning: Error parsing NAL unit
filter_core/filter_pid.c:5250:6: runtime error: member access within null pointer of type 'struct GF_FilterPid'
[Inferior 1 (process 2239153) exited with code 01]
pwndbg> b filter_pid.c:5250
Breakpoint 1 at 0x7ffff4b829f6: filter_pid.c:5250. (6 locations)
pwndbg> r
Starting program: /home/fuzz/gpac2.1/gpac/bin/gcc/MP4Box -info ../../../test/segv2/poc
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Breakpoint 1, gf_filter_pid_set_property_full (is_info=GF_FALSE, value=0x7ffffffe9150, dyn_name=0x0, prop_name=0x0, prop_4cc=1347244884, pid=0x613000000040) at filter_core/filter_pid.c:5301
5301        return gf_filter_pid_set_property_full(pid, prop_4cc, NULL, NULL, value, GF_FALSE);
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
[ REGISTERS ]
 RAX  0x0
 RBX  0x7ffffffe8f50 ◂— 0x41b58ab3
 RCX  0xfffffffd22a ◂— 0x0
 RDX  0x7ffffffe9150 ◂— 0x2
 RDI  0x613000000040 ◂— 0x613000000040 /* '@' */
 RSI  0x504d5354
 R8   0x0
 R9   0x7ffff58cb4f0 (global_log_tools+496) ◂— 0x2
 R10  0x7ffff24ab3f1 ◂— 'gf_filter_pid_set_property'
 R11  0x7ffff4b84110 (gf_filter_pid_set_property) ◂— endbr64 
 R12  0x613000000040 ◂— 0x613000000040 /* '@' */
 R13  0x7ffffffe9150 ◂— 0x2
 R14  0x504d5354
 R15  0xfffffffd1ea ◂— 0x0
 RBP  0x7ffffffe9060 —▸ 0x7ffffffe9380 —▸ 0x7ffffffea0d0 —▸ 0x7ffffffea170 —▸ 0x7ffffffea280 ◂— ...
 RSP  0x7ffffffe8f30 ◂— 0x0
 RIP  0x7ffff4b841c6 (gf_filter_pid_set_property+182) ◂— test   r12, r12
[ DISASM ]
 ► 0x7ffff4b841c6 <gf_filter_pid_set_property+182>    test   r12, r12
   0x7ffff4b841c9 <gf_filter_pid_set_property+185>    je     gf_filter_pid_set_property+1477                <gf_filter_pid_set_property+1477>
 
   0x7ffff4b841cf <gf_filter_pid_set_property+191>    test   r12b, 7
   0x7ffff4b841d3 <gf_filter_pid_set_property+195>    jne    gf_filter_pid_set_property+1477                <gf_filter_pid_set_property+1477>
 
   0x7ffff4b841d9 <gf_filter_pid_set_property+201>    mov    rax, r12
   0x7ffff4b841dc <gf_filter_pid_set_property+204>    shr    rax, 3
   0x7ffff4b841e0 <gf_filter_pid_set_property+208>    cmp    byte ptr [rax + 0x7fff8000], 0
   0x7ffff4b841e7 <gf_filter_pid_set_property+215>    jne    gf_filter_pid_set_property+1447                <gf_filter_pid_set_property+1447>
 
   0x7ffff4b841ed <gf_filter_pid_set_property+221>    cmp    r12, qword ptr [r12]
   0x7ffff4b841f1 <gf_filter_pid_set_property+225>    jne    gf_filter_pid_set_property+1016                <gf_filter_pid_set_property+1016>
 
   0x7ffff4b841f7 <gf_filter_pid_set_property+231>    mov    esi, r14d
[ SOURCE (CODE) ]
In file: /home/fuzz/gpac2.1/gpac/src/filter_core/filter_pid.c
   5296 
   5297 GF_EXPORT
   5298 GF_Err gf_filter_pid_set_property(GF_FilterPid *pid, u32 prop_4cc, const GF_PropertyValue *value)
   5299 {
   5300     if (!prop_4cc) return GF_BAD_PARAM;
 ► 5301     return gf_filter_pid_set_property_full(pid, prop_4cc, NULL, NULL, value, GF_FALSE);
   5302 }
   5303 
   5304 GF_EXPORT
   5305 GF_Err gf_filter_pid_set_property_str(GF_FilterPid *pid, const char *name, const GF_PropertyValue *value)
   5306 {
[ STACK ]
00:0000│ rsp 0x7ffffffe8f30 ◂— 0x0
01:0008│     0x7ffffffe8f38 ◂— 0x0
02:0010│     0x7ffffffe8f40 —▸ 0x7ffffffe9030 —▸ 0x7ffff54af2c0 ◂— 0x6372636170672e /* '.gpacrc' */
03:0018│     0x7ffffffe8f48 —▸ 0x7ffffffe8f50 ◂— 0x41b58ab3
04:0020│ rbx 0x7ffffffe8f50 ◂— 0x41b58ab3
05:0028│     0x7ffffffe8f58 —▸ 0x7ffff5640eff ◂— '1 48 100 11 szName:5290'
06:0030│     0x7ffffffe8f60 —▸ 0x7ffff4b84110 (gf_filter_pid_set_property) ◂— endbr64 
07:0038│     0x7ffffffe8f68 —▸ 0x618000000c80 —▸ 0x7ffff6de03e0 (FileInRegister) —▸ 0x7ffff56a6580 ◂— 0x6e6966 /* 'fin' */
[ BACKTRACE ]
 ► f 0   0x7ffff4b841c6 gf_filter_pid_set_property+182
   f 1   0x7ffff4b841c6 gf_filter_pid_set_property+182
   f 2   0x7ffff4c06993 gf_filter_pid_raw_new+595
   f 3   0x7ffff4dc30b1 filein_process+2721
   f 4   0x7ffff4c0eb6d gf_filter_process_task+3581
   f 5   0x7ffff4bd4953 gf_fs_thread_proc+2275
   f 6   0x7ffff4be0c67 gf_fs_run+455
   f 7   0x7ffff462a677 gf_media_import+10263
pwndbg> bt
#0  gf_filter_pid_set_property_full (is_info=GF_FALSE, value=0x7ffffffe9150, dyn_name=0x0, prop_name=0x0, prop_4cc=1347244884, pid=0x613000000040) at filter_core/filter_pid.c:5301
#1  gf_filter_pid_set_property (pid=pid@entry=0x613000000040, prop_4cc=prop_4cc@entry=1347244884, value=0x7ffffffe9150) at filter_core/filter_pid.c:5301
#2  0x00007ffff4c06993 in gf_filter_pid_raw_new (filter=filter@entry=0x618000000c80, url=0x603000000f40 "../../../test/segv2/poc", local_file=<optimized out>, mime_type=<optimized out>, fext=<optimized out>, probe_data=<optimized out>, probe_size=<optimized out>, trust_mime=<optimized out>, out_pid=<optimized out>) at filter_core/filter.c:3891
#3  0x00007ffff4dc30b1 in filein_process (filter=<optimized out>) at filters/in_file.c:481
#4  0x00007ffff4c0eb6d in gf_filter_process_task (task=0x607000000b10) at filter_core/filter.c:2639
#5  0x00007ffff4bd4953 in gf_fs_thread_proc (sess_thread=sess_thread@entry=0x616000000110) at filter_core/filter_session.c:1857
#6  0x00007ffff4be0c67 in gf_fs_run (fsess=fsess@entry=0x616000000080) at filter_core/filter_session.c:2118
#7  0x00007ffff462a677 in gf_media_import (importer=importer@entry=0x7ffffffeaa50) at media_tools/media_import.c:1226
#8  0x0000555555651a12 in convert_file_info (inName=<optimized out>, track_id=0x555555764fb0 <info_track_id>) at fileimport.c:130
#9  0x000055555562279f in mp4box_main (argc=<optimized out>, argv=<optimized out>) at mp4box.c:6265
#10 0x00007ffff1949083 in __libc_start_main (main=0x5555555f6a00 <main>, argc=3, argv=0x7fffffffe488, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe478) at ../csu/libc-start.c:308
#11 0x00005555555f6afe in _start () at mp4box.c:6811
pwndbg> p pid
$2 = (GF_FilterPid *) 0x613000000040
pwndbg> c
Continuing.
[AVC|H264] Warning: Error parsing NAL unit

Breakpoint 1, gf_filter_pid_set_property_full (is_info=GF_FALSE, value=0x7ffffffe9810, dyn_name=0x0, prop_name=0x0, prop_4cc=1146050121, pid=0x0) at filter_core/filter_pid.c:5301
5301        return gf_filter_pid_set_property_full(pid, prop_4cc, NULL, NULL, value, GF_FALSE);
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
............
until.......

pwndbg> p pid
$3 = (GF_FilterPid *) 0x0
pwndbg> i b
Num     Type           Disp Enb Address            What
1       breakpoint     keep y   <MULTIPLE>         
    breakpoint already hit 9 times
1.1                         y   0x00007ffff4b829f6 in gf_filter_pid_set_property_full at filter_core/filter_pid.c:5250
1.2                         y   0x00007ffff4b8314e in gf_filter_pid_set_property_full at filter_core/filter_pid.c:5250
1.3                         y   0x00007ffff4b834d1 in gf_filter_pid_set_property_full at filter_core/filter_pid.c:5250
1.4                         y   0x00007ffff4b8393e in gf_filter_pid_set_property_full at filter_core/filter_pid.c:5250
1.5                         y   0x00007ffff4b83cc1 in gf_filter_pid_set_property_full at filter_core/filter_pid.c:5250
1.6                         y   0x00007ffff4b841c6 in gf_filter_pid_set_property_full at filter_core/filter_pid.c:5250
pwndbg> n
filter_core/filter_pid.c:5250:6: runtime error: member access within null pointer of type 'struct GF_FilterPid'
[Inferior 1 (process 2239158) exited with code 01]

source code

5246 static GF_Err gf_filter_pid_set_property_full(GF_FilterPid *pid, u32 prop_4cc, const char *prop_name, char *dyn_name, const GF_PropertyValue *value, Bool is_info)
5247 {
5248    GF_PropertyMap *map;
5249    const GF_PropertyValue *oldp;
5250    if (PID_IS_INPUT(pid)) {    //**here**//
5251        GF_LOG(GF_LOG_ERROR, GF_LOG_FILTER, ("Attempt to write property on input PID in filter %s - ignoring\n", pid->filter->name));
5252        return GF_BAD_PARAM;
5253    }
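The listing above shows why the crash happens: PID_IS_INPUT(pid) reads a member of *pid as the very first statement, so a NULL pid from the caller is dereferenced before the function can reject it. The following added example (constructed here, not GPAC's code and not commit b43f9d1) models that with stand-in types: the unguarded setter shape from the report, a guarded setter that validates the handle first, and a caller-side check mirroring the raw-PID creation path seen in the backtrace. Type layouts, field names and the pid_raw_new helper are assumptions.

```c
#include <stddef.h>

/* Constructed stand-ins for the GPAC types in the report (not the real
   headers). Assumption: an output PID has pid_src == NULL, an input PID
   points at its source. */
typedef enum { GF_OK = 0, GF_BAD_PARAM = -1 } GF_Err;
typedef struct { const char *name; } GF_Filter;
typedef struct GF_FilterPid {
    GF_Filter *filter;
    struct GF_FilterPid *pid_src;   /* hypothetical: non-NULL marks an input PID */
} GF_FilterPid;

/* Like GPAC's PID_IS_INPUT, this reads a member of *pid, so a NULL pid is
   dereferenced before the function body runs. With -fsanitize=undefined this
   is the "member access within null pointer" report quoted above. */
#define PID_IS_INPUT(p) ((p)->pid_src != NULL)

/* Shape of the setter as reported: the first statement dereferences pid. */
GF_Err set_property_unguarded(GF_FilterPid *pid) {
    if (PID_IS_INPUT(pid)) return GF_BAD_PARAM;   /* crashes when pid == NULL */
    return GF_OK;
}

/* Hardened setter: validate the handle before any macro touches the struct. */
GF_Err set_property_guarded(GF_FilterPid *pid) {
    if (!pid) return GF_BAD_PARAM;
    if (PID_IS_INPUT(pid)) return GF_BAD_PARAM;
    return GF_OK;
}

/* Hypothetical stand-in for the raw-PID creation step in the backtrace:
   it may fail and return NULL instead of a usable PID. */
static GF_FilterPid *pid_raw_new(int creation_fails, GF_FilterPid *storage) {
    if (creation_fails) return NULL;
    storage->filter = NULL;
    storage->pid_src = NULL;                /* a freshly created output PID */
    return storage;
}

/* Caller-side guard: surface the creation failure as an error code instead
   of handing a NULL handle to the property setter. */
GF_Err import_with_check(int creation_fails) {
    GF_FilterPid storage;
    GF_FilterPid *pid = pid_raw_new(creation_fails, &storage);
    if (!pid) return GF_BAD_PARAM;
    return set_property_guarded(pid);
}
```

Both checks together turn the crash into a GF_BAD_PARAM return that MP4Box can report, which is the behaviour a defender wants from a malformed input.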
