CVE-2021-45260: Null Pointer Dereference in lsr_read_id.part() · Issue #1979 · gpac/gpac
A null pointer dereference vulnerability exists in gpac 1.1.0 in the lsr_read_id.part function, which causes a segmentation fault and application crash.
Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!
- I looked for a similar issue and couldn’t find any.
- I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
- I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line …). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95
Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/
A null pointer dereference was discovered in lsr_read_id.part(). The vulnerability causes a segmentation fault and application crash.
Version:
MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration:
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB GPAC_DISABLE_3D
System information
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz
command:
./MP4Box -bt poc_15
./MP4Box -bt poc_16
./MP4Box -bt poc_18
poc.zip
Result
poc_15
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type 80rak in parent moov
[iso file] Incomplete box mdat - start 11495 size 852201
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type 80rak in parent moov
[iso file] Incomplete box mdat - start 11495 size 852201
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 LASeR Scene Parsing
[LASeR] samepolyXXX coded in bitstream but no polyXXX defined !
[LASeR] samepolyXXX coded in bitstream but no polyXXX defined !
[LASeR] samepolyXXX coded in bitstream but no polyXXX defined !
[LASeR] samerect coded in bitstream but no rect defined !
[LASeR] samerect coded in bitstream but no rect defined !
[1] 1501387 segmentation fault ./MP4Box -bt ./poc/poc_15
poc_16
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type 80rak in parent moov
[iso file] Incomplete box mdat - start 11495 size 861267
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type 80rak in parent moov
[iso file] Incomplete box mdat - start 11495 size 861267
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 LASeR Scene Parsing
[1] 2404995 segmentation fault ./MP4Box -bt ./poc/poc_16
poc_18
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type 80rak in parent moov
[iso file] Incomplete box mdat - start 11495 size 861267
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type 80rak in parent moov
[iso file] Incomplete box mdat - start 11495 size 861267
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 LASeR Scene Parsing
[1] 1048981 segmentation fault ./MP4Box -bt ./poc/poc_18
gdb
poc_15
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7b508f8 in lsr_read_id.part () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────[ REGISTERS ]────────────────────────────────
RAX 0x770000007c
RBX 0x0
RCX 0x5555555e5760 ◂— 0x8b374bf60d8b0d94
RDX 0x0
RDI 0x5555555deda0 —▸ 0x5555555e4e20 —▸ 0x7fffffff69c0 ◂— 0x5b0000006e /* 'n' */
RSI 0x0
R8 0x5555555e5740 —▸ 0x5555555e4730 —▸ 0x5555555e5530 ◂— 0x0
R9 0x5555555e5a10 ◂— 0x2b0
R10 0x5555555c6010 ◂— 0x0
R11 0x7ffff7727be0 (main_arena+96) —▸ 0x5555555e5af0 ◂— 0x3529 /* ')5' */
R12 0x7fffffff69c0 ◂— 0x5b0000006e /* 'n' */
R13 0x3
R14 0xe
R15 0x0
RBP 0x5555555dcf10 —▸ 0x5555555d2750 ◂— 0x0
RSP 0x7fffffff68a0 —▸ 0x5555555e56e0 —▸ 0x5555555e5700 ◂— 0x800000030000042b
RIP 0x7ffff7b508f8 (lsr_read_id.part+232) ◂— cmp byte ptr [rax], 0x23
───────────────────────────────────────[ DISASM ]────────────────────────────────────────
► 0x7ffff7b508f8 <lsr_read_id.part+232> cmp byte ptr [rax], 0x23
0x7ffff7b508fb <lsr_read_id.part+235> sete dl
0x7ffff7b508fe <lsr_read_id.part+238> xor esi, esi
0x7ffff7b50900 <lsr_read_id.part+240> lea rdi, [rax + rdx + 1]
0x7ffff7b50905 <lsr_read_id.part+245> mov edx, 0xa
0x7ffff7b5090a <lsr_read_id.part+250> call strtol@plt <strtol@plt>
0x7ffff7b5090f <lsr_read_id.part+255> cmp r14d, eax
0x7ffff7b50912 <lsr_read_id.part+258> je lsr_read_id.part+608 <lsr_read_id.part+608>
0x7ffff7b50918 <lsr_read_id.part+264> add r15d, 1
0x7ffff7b5091c <lsr_read_id.part+268> cmp r15d, r13d
0x7ffff7b5091f <lsr_read_id.part+271> jb lsr_read_id.part+208 <lsr_read_id.part+208>
────────────────────────────────────────[ STACK ]────────────────────────────────────────
00:0000│ rsp 0x7fffffff68a0 —▸ 0x5555555e56e0 —▸ 0x5555555e5700 ◂— 0x800000030000042b
... ↓ 2 skipped
03:0018│ 0x7fffffff68b8 —▸ 0x7ffff784961e (gf_node_setup+30) ◂— mov qword ptr [rbx], rax
04:0020│ 0x7fffffff68c0 ◂— 0x42b
... ↓ 2 skipped
07:0038│ 0x7fffffff68d8 ◂— 0xaaefd0fae3bbeb00
──────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────
► f 0 0x7ffff7b508f8 lsr_read_id.part+232
f 1 0x7ffff7b5e4bb lsr_read_rect+139
f 2 0x7ffff7b5a965 lsr_read_scene_content_model+661
f 3 0x7ffff7b5b62c lsr_read_group_content.part+316
f 4 0x7ffff7b5f0fc lsr_read_data+108
f 5 0x7ffff7b5ab3d lsr_read_scene_content_model+1133
f 6 0x7ffff7b5b62c lsr_read_group_content.part+316
f 7 0x7ffff7b5e536 lsr_read_rect+262
─────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0 0x00007ffff7b508f8 in lsr_read_id.part () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#1 0x00007ffff7b5e4bb in lsr_read_rect () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#2 0x00007ffff7b5a965 in lsr_read_scene_content_model () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#3 0x00007ffff7b5b62c in lsr_read_group_content.part () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#4 0x00007ffff7b5f0fc in lsr_read_data () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#5 0x00007ffff7b5ab3d in lsr_read_scene_content_model () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#6 0x00007ffff7b5b62c in lsr_read_group_content.part () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#7 0x00007ffff7b5e536 in lsr_read_rect () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#8 0x00007ffff7b5a965 in lsr_read_scene_content_model () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#9 0x00007ffff7b5b62c in lsr_read_group_content.part () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#10 0x00007ffff7b5cea8 in lsr_read_audio.isra () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#11 0x00007ffff7b5ac18 in lsr_read_scene_content_model () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#12 0x00007ffff7b5b62c in lsr_read_group_content.part () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#13 0x00007ffff7b60795 in lsr_read_svg () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#14 0x00007ffff7b575c7 in lsr_read_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#15 0x00007ffff7b59914 in lsr_decode_laser_unit () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#16 0x00007ffff7b6204d in gf_laser_decode_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#17 0x00007ffff7aa1eb1 in gf_sm_load_run_isom () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#18 0x00005555555844a8 in dump_isom_scene ()
#19 0x000055555557b42c in mp4boxMain ()
#20 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe218, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe208) at ../csu/libc-start.c:308
#21 0x000055555556c45e in _start ()
poc_16
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7b508f8 in lsr_read_id.part () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────[ REGISTERS ]────────────────────────────────
RAX 0x0
RBX 0x0
RCX 0x0
RDX 0x0
RDI 0x5555555de970 —▸ 0x5555555dee00 —▸ 0x5555555dedb0 ◂— 0x0
RSI 0x1
R8 0x1999999999999999
R9 0x0
R10 0x7ffff76daac0 (_nl_C_LC_CTYPE_toupper+512) ◂— 0x100000000
R11 0x7ffff76db3c0 (_nl_C_LC_CTYPE_class+256) ◂— 0x2000200020002
R12 0x5555555dee88 ◂— 0x0
R13 0x2
R14 0x2
R15 0x1
RBP 0x5555555dcc30 —▸ 0x5555555d26d0 ◂— 0x0
RSP 0x7fffffff6d40 —▸ 0x5555555df280 —▸ 0x5555555df2a0 ◂— 0x800000030000041a
RIP 0x7ffff7b508f8 (lsr_read_id.part+232) ◂— cmp byte ptr [rax], 0x23
───────────────────────────────────────[ DISASM ]────────────────────────────────────────
► 0x7ffff7b508f8 <lsr_read_id.part+232> cmp byte ptr [rax], 0x23
0x7ffff7b508fb <lsr_read_id.part+235> sete dl
0x7ffff7b508fe <lsr_read_id.part+238> xor esi, esi
0x7ffff7b50900 <lsr_read_id.part+240> lea rdi, [rax + rdx + 1]
0x7ffff7b50905 <lsr_read_id.part+245> mov edx, 0xa
0x7ffff7b5090a <lsr_read_id.part+250> call strtol@plt <strtol@plt>
0x7ffff7b5090f <lsr_read_id.part+255> cmp r14d, eax
0x7ffff7b50912 <lsr_read_id.part+258> je lsr_read_id.part+608 <lsr_read_id.part+608>
0x7ffff7b50918 <lsr_read_id.part+264> add r15d, 1
0x7ffff7b5091c <lsr_read_id.part+268> cmp r15d, r13d
0x7ffff7b5091f <lsr_read_id.part+271> jb lsr_read_id.part+208 <lsr_read_id.part+208>
────────────────────────────────────────[ STACK ]────────────────────────────────────────
00:0000│ rsp 0x7fffffff6d40 —▸ 0x5555555df280 —▸ 0x5555555df2a0 ◂— 0x800000030000041a
... ↓ 2 skipped
03:0018│ 0x7fffffff6d58 —▸ 0x7ffff784961e (gf_node_setup+30) ◂— mov qword ptr [rbx], rax
04:0020│ 0x7fffffff6d60 ◂— 0x41a
... ↓ 2 skipped
07:0038│ 0x7fffffff6d78 ◂— 0x5c21095cb581c200
──────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────
► f 0 0x7ffff7b508f8 lsr_read_id.part+232
f 1 0x7ffff7b55c63 lsr_read_foreignObject+99
f 2 0x7ffff7b5abb0 lsr_read_scene_content_model+1248
f 3 0x7ffff7b5b62c lsr_read_group_content.part+316
f 4 0x7ffff7b60795 lsr_read_svg+885
f 5 0x7ffff7b575c7 lsr_read_command_list+759
f 6 0x7ffff7b59914 lsr_decode_laser_unit+708
f 7 0x7ffff7b6204d gf_laser_decode_command_list+333
─────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0 0x00007ffff7b508f8 in lsr_read_id.part () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#1 0x00007ffff7b55c63 in lsr_read_foreignObject () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#2 0x00007ffff7b5abb0 in lsr_read_scene_content_model () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#3 0x00007ffff7b5b62c in lsr_read_group_content.part () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#4 0x00007ffff7b60795 in lsr_read_svg () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#5 0x00007ffff7b575c7 in lsr_read_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#6 0x00007ffff7b59914 in lsr_decode_laser_unit () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#7 0x00007ffff7b6204d in gf_laser_decode_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#8 0x00007ffff7aa1eb1 in gf_sm_load_run_isom () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#9 0x00005555555844a8 in dump_isom_scene ()
#10 0x000055555557b42c in mp4boxMain ()
#11 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe218, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe208) at ../csu/libc-start.c:308
#12 0x000055555556c45e in _start ()
poc_18
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7b508f8 in lsr_read_id.part () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────[ REGISTERS ]────────────────────────────────
RAX 0x0
RBX 0x0
RCX 0x0
RDX 0x0
RDI 0x5555555de970 —▸ 0x5555555dee00 —▸ 0x5555555dedb0 ◂— 0x0
RSI 0x1
R8 0x1999999999999999
R9 0x0
R10 0x7ffff76daac0 (_nl_C_LC_CTYPE_toupper+512) ◂— 0x100000000
R11 0x7ffff76db3c0 (_nl_C_LC_CTYPE_class+256) ◂— 0x2000200020002
R12 0x5555555dee88 ◂— 0x0
R13 0x2
R14 0x4
R15 0x1
RBP 0x5555555dcc30 —▸ 0x5555555d26d0 ◂— 0x0
RSP 0x7fffffff6d80 —▸ 0x5555555df1f0 —▸ 0x5555555df210 ◂— 0x8000000300000415
RIP 0x7ffff7b508f8 (lsr_read_id.part+232) ◂— cmp byte ptr [rax], 0x23
───────────────────────────────────────[ DISASM ]────────────────────────────────────────
► 0x7ffff7b508f8 <lsr_read_id.part+232> cmp byte ptr [rax], 0x23
0x7ffff7b508fb <lsr_read_id.part+235> sete dl
0x7ffff7b508fe <lsr_read_id.part+238> xor esi, esi
0x7ffff7b50900 <lsr_read_id.part+240> lea rdi, [rax + rdx + 1]
0x7ffff7b50905 <lsr_read_id.part+245> mov edx, 0xa
0x7ffff7b5090a <lsr_read_id.part+250> call strtol@plt <strtol@plt>
0x7ffff7b5090f <lsr_read_id.part+255> cmp r14d, eax
0x7ffff7b50912 <lsr_read_id.part+258> je lsr_read_id.part+608 <lsr_read_id.part+608>
0x7ffff7b50918 <lsr_read_id.part+264> add r15d, 1
0x7ffff7b5091c <lsr_read_id.part+268> cmp r15d, r13d
0x7ffff7b5091f <lsr_read_id.part+271> jb lsr_read_id.part+208 <lsr_read_id.part+208>
────────────────────────────────────────[ STACK ]────────────────────────────────────────
00:0000│ rsp 0x7fffffff6d80 —▸ 0x5555555df1f0 —▸ 0x5555555df210 ◂— 0x8000000300000415
... ↓ 2 skipped
03:0018│ 0x7fffffff6d98 —▸ 0x7ffff784961e (gf_node_setup+30) ◂— mov qword ptr [rbx], rax
04:0020│ 0x7fffffff6da0 ◂— 0x415
... ↓ 2 skipped
07:0038│ 0x7fffffff6db8 ◂— 0x812c333cc038400
──────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────
► f 0 0x7ffff7b508f8 lsr_read_id.part+232
f 1 0x7ffff7b5d22e lsr_read_ellipse+78
f 2 0x7ffff7b5abc8 lsr_read_scene_content_model+1272
f 3 0x7ffff7b5b62c lsr_read_group_content.part+316
f 4 0x7ffff7b60795 lsr_read_svg+885
f 5 0x7ffff7b575c7 lsr_read_command_list+759
f 6 0x7ffff7b59914 lsr_decode_laser_unit+708
f 7 0x7ffff7b6204d gf_laser_decode_command_list+333
─────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0 0x00007ffff7b508f8 in lsr_read_id.part () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#1 0x00007ffff7b5d22e in lsr_read_ellipse () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#2 0x00007ffff7b5abc8 in lsr_read_scene_content_model () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#3 0x00007ffff7b5b62c in lsr_read_group_content.part () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#4 0x00007ffff7b60795 in lsr_read_svg () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#5 0x00007ffff7b575c7 in lsr_read_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#6 0x00007ffff7b59914 in lsr_decode_laser_unit () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#7 0x00007ffff7b6204d in gf_laser_decode_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#8 0x00007ffff7aa1eb1 in gf_sm_load_run_isom () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#9 0x00005555555844a8 in dump_isom_scene ()
#10 0x000055555557b42c in mp4boxMain ()
#11 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe218, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe208) at ../csu/libc-start.c:308
#12 0x000055555556c45e in _start ()
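In all three traces the faulting instruction is `cmp byte ptr [rax], 0x23` (RAX is 0x0 in the poc_16 and poc_18 dumps), followed by `lea rdi, [rax + rdx + 1]` and a `strtol` call: a loop over a list of id strings that tests each one for a leading `#`, skips the prefix letter and parses the decimal id. The C below is an added illustration of that loop with the NULL check the crashing code evidently lacks; it is not GPAC's code, and `lsr_href_entry` and `lsr_find_unresolved_id` are hypothetical names.

```c
#include <stddef.h>
#include <stdlib.h>

/* One entry of a list of not-yet-resolved element references (hypothetical
 * type). The string is the href text, e.g. "N42" or "#N42", and may be NULL
 * when the entry was created before its name was known. */
typedef struct {
    const char *string;
} lsr_href_entry;

/* Look up `wanted` among `entries`. Mirrors the disassembled loop in the
 * report: test the first byte for '#', skip it and the one-letter prefix
 * (lea rdi, [rax + rdx + 1]), strtol() the rest in base 10 and compare
 * with the id in r14d. The report's crash is the read of [rax] with a
 * NULL (or otherwise invalid) pointer; the checks below are defensive
 * additions. Returns the matching index, or -1 when there is none. */
int lsr_find_unresolved_id(const lsr_href_entry *entries, size_t count,
                           long wanted)
{
    for (size_t i = 0; i < count; i++) {
        const char *str = entries[i].string;
        if (str == NULL)             /* missing in the crashing build */
            continue;
        if (str[0] == '#')           /* "#N42" and "N42" name the same id */
            str++;
        if (str[0] == '\0')          /* bare "#" or "": no prefix letter */
            continue;
        char *end;
        long id = strtol(str + 1, &end, 10);   /* skip the prefix letter */
        if (end == str + 1)          /* no digits parsed: not an "N<id>" */
            continue;
        if (id == wanted)
            return (int)i;
    }
    return -1;
}
```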