Headline
CVE-2021-45288: Double Free in filedump.c:199 · Issue #1956 · gpac/gpac
A Double Free vulnerability exists in filedump.c in GPAC 1.0.1, which could cause a Denail of Service via a crafted file in the MP4Box command.
Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!
- [Yes ] I looked for a similar issue and couldn’t find any.
- [ Yes] I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
- [ Yes] I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line …). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95
Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/
Version:
./MP4Box -version
MP4Box - GPAC version 1.1.0-DEV-rev1527-g6fcf9819e-master
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
MINI build (encoders, decoders, audio and video output disabled)
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration: --static-mp4box --prefix=/home/zxq/CVE_testing/sourceproject/gpac/cmakebuild --enable-debug
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_DISABLE_3D
System information
Ubuntu 20.04.1 LTS, gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)
command:
POC.zip
Result
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[ODF] Not enough bytes (10) to read descriptor (size=127)
[ODF] Error reading descriptor (tag 4 size 21): Invalid MPEG-4 Descriptor
[iso file] Incomplete box mdat - start 11495 size 75
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[ODF] Not enough bytes (10) to read descriptor (size=127)
[ODF] Error reading descriptor (tag 4 size 21): Invalid MPEG-4 Descriptor
[iso file] Incomplete box mdat - start 11495 size 75
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 BIFS Scene Parsing
[MP4 Loading] Unable to fetch sample 1 from track ID 7 - aborting track import
free(): double free detected in tcache 2
[3] 3698317 abort ./bin/gcc/MP4Box -bt
gdb information:
Program received signal SIGABRT, Aborted.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x7ffff5654740 (0x00007ffff5654740)
RCX: 0x7ffff61d118b (<__GI_raise+203>: mov rax,QWORD PTR [rsp+0x108])
RDX: 0x0
RSI: 0x7fffffff6fd0 --> 0x0
RDI: 0x2
RBP: 0x7fffffff7320 --> 0x7ffff6376b80 --> 0x0
RSP: 0x7fffffff6fd0 --> 0x0
RIP: 0x7ffff61d118b (<__GI_raise+203>: mov rax,QWORD PTR [rsp+0x108])
R8 : 0x0
R9 : 0x7fffffff6fd0 --> 0x0
R10: 0x8
R11: 0x246
R12: 0x7fffffff7240 --> 0x0
R13: 0x10
R14: 0x7ffff7ffb000 --> 0x6565726600001000
R15: 0x1
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x7ffff61d117f <__GI_raise+191>: mov edi,0x2
0x7ffff61d1184 <__GI_raise+196>: mov eax,0xe
0x7ffff61d1189 <__GI_raise+201>: syscall
=> 0x7ffff61d118b <__GI_raise+203>: mov rax,QWORD PTR [rsp+0x108]
0x7ffff61d1193 <__GI_raise+211>: xor rax,QWORD PTR fs:0x28
0x7ffff61d119c <__GI_raise+220>: jne 0x7ffff61d11c4 <__GI_raise+260>
0x7ffff61d119e <__GI_raise+222>: mov eax,r8d
0x7ffff61d11a1 <__GI_raise+225>: add rsp,0x118
[------------------------------------stack-------------------------------------]
0000| 0x7fffffff6fd0 --> 0x0
0008| 0x7fffffff6fd8 --> 0x0
0016| 0x7fffffff6fe0 --> 0x7ffff6b0ffca (<Media_GetESD+842>: mov rax,QWORD PTR [rsp+0x10])
0024| 0x7fffffff6fe8 --> 0x0
0032| 0x7fffffff6ff0 --> 0x1
0040| 0x7fffffff6ff8 --> 0x0
0048| 0x7fffffff7000 --> 0x5555556709a0 --> 0x80003
0056| 0x7fffffff7008 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGABRT
__GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
50 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
gdb-peda$ bt
#0 __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x00007ffff61b0859 in __GI_abort () at abort.c:79
#2 0x00007ffff621b3ee in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff6345285 "%s\n") at ../sysdeps/posix/libc_fatal.c:155
#3 0x00007ffff622347c in malloc_printerr (str=str@entry=0x7ffff63475d0 "free(): double free detected in tcache 2") at malloc.c:5347
#4 0x00007ffff62250ed in _int_free (av=0x7ffff6376b80 <main_arena>, p=0x555555671790, have_lock=0x0) at malloc.c:4201
#5 0x00007ffff6bf30f5 in gf_odf_del_default () from /home/zxq/CVE_testing/project/gpac/bin/gcc/libgpac.so.10
#6 0x00007ffff6f56654 in gf_sm_load_run_isom () from /home/zxq/CVE_testing/project/gpac/bin/gcc/libgpac.so.10
#7 0x00005555555c3a18 in dump_isom_scene (file=<optimized out>, inName=0x555555644d20 <outfile> "../../result/gpac/afl-outbox-bt-d/crashes/id:000000,sig:06,src:000181,op:havoc,rep:64", is_final_name=GF_FALSE,
dump_mode=GF_SM_DUMP_BT, do_log=GF_FALSE, no_odf_conv=GF_FALSE) at filedump.c:199
#8 0x000055555559edd0 in mp4boxMain (argc=<optimized out>, argv=<optimized out>) at main.c:6044
#9 0x00007ffff61b20b3 in __libc_start_main (main=0x55555556d540 <main>, argc=0x3, argv=0x7fffffffe318, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe308) at ../csu/libc-start.c:308
#10 0x000055555556d5be in _start () at main.c:6496
gdb-peda$
'''