Headline
CVE-2021-44926: Null Pointer Dereference in gf_node_get_tag() · Issue #1961 · gpac/gpac
A null pointer dereference vulnerability exists in the gpac in the gf_node_get_tag function, which causes a segmentation fault and application crash.
Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!
- I looked for a similar issue and couldn’t find any.
- I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
- I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line …). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95
Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/
A null pointer dereference was discovered in gf_node_get_tag(). The vulnerability causes a segmentation fault and application crash.
Version:
MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration:
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB GPAC_DISABLE_3D
System information
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz
command:
poc3.zip
Result
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type 80rak in parent moov
[iso file] Incomplete box mdat - start 11495 size 861218
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type 80rak in parent moov
[iso file] Incomplete box mdat - start 11495 size 861218
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 BIFS Scene Parsing
[1] 3453407 segmentation fault ./MP4Box -lsr
gdb
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7849794 in gf_node_get_tag () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
RAX 0x0
RBX 0x0
RCX 0x0
RDX 0x5555555d2730 ◂— 0x0
RDI 0x0
RSI 0x5555555df860 ◂— 0x0
R8 0x0
R9 0x7
R10 0x7ffff775b844 ◂— 'gf_node_get_tag'
R11 0x7ffff7849790 (gf_node_get_tag) ◂— endbr64
R12 0x5555555ded60 ◂— 0x0
R13 0x5555555df860 ◂— 0x0
R14 0x0
R15 0x7fffffff6d60 ◂— 0x31646c6569665f /* '_field1' */
RBP 0x5555555d2730 ◂— 0x0
RSP 0x7fffffff6be8 —▸ 0x7ffff7919836 (SFScript_Parse+54) ◂— cmp eax, 0x51
RIP 0x7ffff7849794 (gf_node_get_tag+4) ◂— mov rax, qword ptr [rdi]
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
0x7ffff7849790 <gf_node_get_tag> endbr64
► 0x7ffff7849794 <gf_node_get_tag+4> mov rax, qword ptr [rdi]
0x7ffff7849797 <gf_node_get_tag+7> movzx eax, word ptr [rax]
0x7ffff784979a <gf_node_get_tag+10> ret
0x7ffff784979b nop dword ptr [rax + rax]
0x7ffff78497a0 <gf_node_get_id> endbr64
0x7ffff78497a4 <gf_node_get_id+4> mov rax, qword ptr [rdi]
0x7ffff78497a7 <gf_node_get_id+7> xor r8d, r8d
0x7ffff78497aa <gf_node_get_id+10> mov edx, dword ptr [rax + 4]
0x7ffff78497ad <gf_node_get_id+13> test edx, edx
0x7ffff78497af <gf_node_get_id+15> jns gf_node_get_id+66 <gf_node_get_id+66>
──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffff6be8 —▸ 0x7ffff7919836 (SFScript_Parse+54) ◂— cmp eax, 0x51
01:0008│ 0x7fffffff6bf0 ◂— 0x0
... ↓ 2 skipped
04:0020│ 0x7fffffff6c08 ◂— 0x770000007c /* '|' */
05:0028│ 0x7fffffff6c10 ◂— 0x5b0000006e /* 'n' */
06:0030│ 0x7fffffff6c18 ◂— 0x770000007c /* '|' */
07:0038│ 0x7fffffff6c20 ◂— 0x5b0000006e /* 'n' */
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
► f 0 0x7ffff7849794 gf_node_get_tag+4
f 1 0x7ffff7919836 SFScript_Parse+54
f 2 0x7ffff790e9cb gf_bifs_dec_sf_field+1195
f 3 0x7ffff7905f44 gf_bifs_dec_proto_list+628
f 4 0x7ffff7906549 BD_DecSceneReplace+73
f 5 0x7ffff7914e2e BM_SceneReplace+110
f 6 0x7ffff7914ff3 BM_ParseCommand+179
f 7 0x7ffff7915323 gf_bifs_decode_command_list+163
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0 0x00007ffff7849794 in gf_node_get_tag () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#1 0x00007ffff7919836 in SFScript_Parse () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#2 0x00007ffff790e9cb in gf_bifs_dec_sf_field () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#3 0x00007ffff7905f44 in gf_bifs_dec_proto_list () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#4 0x00007ffff7906549 in BD_DecSceneReplace () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#5 0x00007ffff7914e2e in BM_SceneReplace () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#6 0x00007ffff7914ff3 in BM_ParseCommand () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#7 0x00007ffff7915323 in gf_bifs_decode_command_list () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#8 0x00007ffff7aa1da2 in gf_sm_load_run_isom () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#9 0x00005555555844a8 in dump_isom_scene ()
#10 0x000055555557b42c in mp4boxMain ()
#11 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe1a8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe198) at ../csu/libc-start.c:308
#12 0x000055555556c45e in _start ()