Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2021-40566: Segmentation fault casued by heap use after free using mp4box in mpgviddmx_process, reframe_mpgvid.c:851 · Issue #1887 · gpac/gpac

A Segmentation fault casued by heap use after free vulnerability exists in Gpac through 1.0.1 via the mpgviddmx_process function in reframe_mpgvid.c when using mp4box, which causes a denial of service.

CVE
Open in Source
#vulnerability#ubuntu#linux#dos#js#git
  • I looked for a similar issue and couldn’t find any.
  • I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
  • I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line …).

Hi, there.

There is a segmentation fault caused by null pointer dereference in mpgviddmx_process, reframe_mpgvid.c:851 in commit 592ba26.

Here is my environment, compiler info and gpac version:

Distributor ID: Ubuntu
Description:    Ubuntu 16.04.6 LTS
Release:    16.04
Codename:   xenial
gcc: 5.4.0

MP4Box - GPAC version 1.1.0-DEV-rev1170-g592ba26-master
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    MINI build (encoders, decoders, audio and video output disabled)

Please cite our work in your research:
    GPAC Filters: https://doi.org/10.1145/3339825.3394929
    GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --static-bin --enable-debug
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D

To reproduce, run

POC:
poc.zip
(unzip first)

Here is the trace reported by gdb:

Stopped reason: SIGSEGV
gef➤  bt
#0  0x0000000000cf5a9b in memcpy ()
#1  0x00000000008a24a7 in mpgviddmx_process (filter=0x124cbd0) at /mnt/data/playground/gpac/src/filters/reframe_mpgvid.c:851
#2  0x00000000007480a0 in gf_filter_process_task (task=0x123a0e0) at /mnt/data/playground/gpac/src/filter_core/filter.c:2441
#3  0x000000000073798c in gf_fs_thread_proc (sess_thread=0x12382b0) at /mnt/data/playground/gpac/src/filter_core/filter_session.c:1640
#4  0x0000000000738305 in gf_fs_run (fsess=0x1238220) at /mnt/data/playground/gpac/src/filter_core/filter_session.c:1877
#5  0x00000000006571ea in gf_media_import (importer=0x7fffffff5c20) at /mnt/data/playground/gpac/src/media_tools/media_import.c:1178
#6  0x000000000042cdf9 in convert_file_info (inName=0x7fffffffe163 "tmp", trackID=0x0) at /mnt/data/playground/gpac/applications/mp4box/fileimport.c:128
#7  0x00000000004168c3 in mp4boxMain (argc=0x3, argv=0x7fffffffdde8) at /mnt/data/playground/gpac/applications/mp4box/main.c:5925
#8  0x0000000000418d6b in main (argc=0x3, argv=0x7fffffffdde8) at /mnt/data/playground/gpac/applications/mp4box/main.c:6455
#9  0x0000000000caaa06 in generic_start_main ()
#10 0x0000000000caaff5 in __libc_start_main ()
#11 0x0000000000403f39 in _start ()

The reason for this bug is that the program does not check the nullity of the pointer before copy memory to it.
image

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE