CVE-2021-46311: Null Pointer Dereference in gf_sg_destroy_routes() at scenegraph/vrml_route.c:126 · Issue #2038 · gpac/gpac
A NULL pointer dereference exists in GPAC v1.1.0 (tested at 1.1.0-DEV-rev1615-g9ce097b4a-master) in gf_sg_destroy_routes() at scenegraph/vrml_route.c:126. The debugger output below shows the faulting instruction `mov rax, qword ptr [rax + 8]` with RAX = 0, i.e. the `GF_Route *r` returned by `gf_list_get(sg->routes_to_destroy, 0)` is NULL when `r->name` is read (and the same NULL pointer has already been handed to `gf_sg_route_unqueue(sg, r)` on the preceding line). The crash is reached from `MP4Box -svg` via dump_isom_scene → gf_sg_del → gf_sg_reset → gf_sg_destroy_routes, so a crafted input file crashes any application that loads it through the scene graph: a Denial of Service. Only a read at a small offset from NULL is demonstrated here; no memory corruption is shown. A defensive guard such as `if (!r) continue;` after the `gf_list_rem()` call would avoid the crash, but the root cause is whatever queued a NULL entry into `routes_to_destroy`, which should be fixed alongside it.
Version:
./MP4Box -version
MP4Box - GPAC version 1.1.0-DEV-rev1615-g9ce097b4a-master
command:
./bin/gcc/MP4Box -svg POC1
POC1.zip
Result
bt
Program received signal SIGSEGV, Segmentation fault.
0x00000000004e9a35 in gf_sg_destroy_routes (sg=0x10f0c30) at scenegraph/vrml_route.c:126
126 if (r->name) gf_free(r->name);
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
──────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]──────────────────────────────────────────────────────────────────────────────────────────────────
RAX 0x0
RBX 0x400788 ◂— 0x0
RCX 0x10febd8 —▸ 0x1102210 ◂— 0x100
RDX 0x0
RDI 0x10f0ec0 ◂— 0x0
RSI 0x0
R8 0xffffffffffffffe0
R9 0x0
R10 0x10febf8 ◂— 0x0
R11 0x10fea60 —▸ 0x10e2210 ◂— 0x6000500040007
R12 0xd0de10 (__libc_csu_fini) ◂— endbr64
R13 0x0
R14 0x10aa018 (_GLOBAL_OFFSET_TABLE_+24) —▸ 0xd84910 (__memmove_avx_unaligned_erms) ◂— endbr64
R15 0x0
RBP 0x7fffffff8710 —▸ 0x7fffffff87b0 —▸ 0x7fffffff87d0 —▸ 0x7fffffff98d0 —▸ 0x7fffffffe170 ◂— ...
RSP 0x7fffffff86f0 —▸ 0x7fffffff8710 —▸ 0x7fffffff87b0 —▸ 0x7fffffff87d0 —▸ 0x7fffffff98d0 ◂— ...
RIP 0x4e9a35 (gf_sg_destroy_routes+93) ◂— mov rax, qword ptr [rax + 8]
───────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]────────────────────────────────────────────────────────────────────────────────────────────────────
► 0x4e9a35 <gf_sg_destroy_routes+93> mov rax, qword ptr [rax + 8]
0x4e9a39 <gf_sg_destroy_routes+97> test rax, rax
0x4e9a3c <gf_sg_destroy_routes+100> je gf_sg_destroy_routes+118 <gf_sg_destroy_routes+118>
↓
0x4e9a4e <gf_sg_destroy_routes+118> mov rax, qword ptr [rbp - 8]
0x4e9a52 <gf_sg_destroy_routes+122> mov rdi, rax
0x4e9a55 <gf_sg_destroy_routes+125> call gf_free <gf_free>
0x4e9a5a <gf_sg_destroy_routes+130> mov rax, qword ptr [rbp - 0x18]
0x4e9a5e <gf_sg_destroy_routes+134> mov rax, qword ptr [rax + 0x110]
0x4e9a65 <gf_sg_destroy_routes+141> mov rdi, rax
0x4e9a68 <gf_sg_destroy_routes+144> call gf_list_count <gf_list_count>
0x4e9a6d <gf_sg_destroy_routes+149> test eax, eax
────────────────────────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]────────────────────────────────────────────────────────────────────────────────────────────────
In file: /home/zxq/CVE_testing/source/gpac/src/scenegraph/vrml_route.c
121 {
122 while (gf_list_count(sg->routes_to_destroy) ) {
123 GF_Route *r = (GF_Route *)gf_list_get(sg->routes_to_destroy, 0);
124 gf_list_rem(sg->routes_to_destroy, 0);
125 gf_sg_route_unqueue(sg, r);
► 126 if (r->name) gf_free(r->name);
127 gf_free(r);
128 }
129 }
130
131
────────────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]────────────────────────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffff86f0 —▸ 0x7fffffff8710 —▸ 0x7fffffff87b0 —▸ 0x7fffffff87d0 —▸ 0x7fffffff98d0 ◂— ...
01:0008│ 0x7fffffff86f8 —▸ 0x10f0c30 ◂— 0x0
02:0010│ 0x7fffffff8700 ◂— 0x0
03:0018│ 0x7fffffff8708 ◂— 0x0
04:0020│ rbp 0x7fffffff8710 —▸ 0x7fffffff87b0 —▸ 0x7fffffff87d0 —▸ 0x7fffffff98d0 —▸ 0x7fffffffe170 ◂— ...
05:0028│ 0x7fffffff8718 —▸ 0x47a183 (gf_sg_reset+1350) ◂— mov rax, qword ptr [rbp - 0x88]
06:0030│ 0x7fffffff8720 ◂— 0x0
07:0038│ 0x7fffffff8728 —▸ 0x10f0c30 ◂— 0x0
──────────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────────────────────────────────────────────────────────────────
► f 0 0x4e9a35 gf_sg_destroy_routes+93
f 1 0x47a183 gf_sg_reset+1350
f 2 0x479aa5 gf_sg_del+94
f 3 0x41827d dump_isom_scene+1265
f 4 0x415b12 mp4boxMain+6395
f 5 0x417a8e main+36
f 6 0xd0d5a0 __libc_start_main+1168
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0 0x00000000004e9a35 in gf_sg_destroy_routes (sg=0x10f0c30) at scenegraph/vrml_route.c:126
#1 0x000000000047a183 in gf_sg_reset (sg=0x10f0c30) at scenegraph/base_scenegraph.c:502
#2 0x0000000000479aa5 in gf_sg_del (sg=0x10f0c30) at scenegraph/base_scenegraph.c:162
#3 0x000000000041827d in dump_isom_scene (file=0x7fffffffe5cc "gf_sg_destroy_routes-gf_sg_reset/id:000578,sig:11,src:008408+008855,op:splice,rep:8", inName=0x10de4a0 <outfile> "gf_sg_destroy_routes-gf_sg_reset/id:000578,sig:11,src:008408+008855,op:splice,rep:8", is_final_name=GF_FALSE, dump_mode=GF_SM_DUMP_SVG, do_log=GF_FALSE, no_odf_conv=GF_FALSE) at filedump.c:217
#4 0x0000000000415b12 in mp4boxMain (argc=3, argv=0x7fffffffe2c8) at main.c:6140
#5 0x0000000000417a8e in main (argc=3, argv=0x7fffffffe2c8) at main.c:6592
#6 0x0000000000d0d5a0 in __libc_start_main ()
#7 0x000000000040211e in _start ()