Headline
CVE-2023-1450: GitHub - 10cksYiqiyinHangzhouTechnology/mp4v2_trackdump_poc
A vulnerability was found in MP4v2 2.1.2 and classified as problematic. This issue affects the function DumpTrack of the file mp4trackdump.cpp. The manipulation leads to denial of service. The attack needs to be approached locally. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-223295.
mp4v2_trackdump_poc****Project address
https://github.com/enzo1982/mp4v2
POC
Poc file
afl_trackdump
asan_trackdump
Problem
There has a FPE(Floating Point Exception) in mp4trackdump.cpp:54, function DumpTrack(). Attackers cause denial of service through carefully constructed malicious files.
54 msectime /= timescale;
I use gdb debug this bug:
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow) [-------------------------------------code-------------------------------------] 0x427a9e <DumpTrack(void*, unsigned int)+190>: xor ecx,ecx 0x427aa0 <DumpTrack(void*, unsigned int)+192>: mov edx,ecx 0x427aa2 <DumpTrack(void*, unsigned int)+194>: mov rdi,QWORD PTR [rbp-0x68] => 0x427aa6 <DumpTrack(void*, unsigned int)+198>: div rdi 0x427aa9 <DumpTrack(void*, unsigned int)+201>: mov QWORD PTR [rbp-0x38],rax 0x427aad <DumpTrack(void*, unsigned int)+205>: cmp QWORD PTR [rbp-0x38],0x0 0x427ab2 <DumpTrack(void*, unsigned int)+210>: jne 0x427aed <DumpTrack(void*, unsigned int)+269> 0x427ab8 <DumpTrack(void*, unsigned int)+216>: movabs rax,0x442de8 [------------------------------------stack-------------------------------------] 0000| 0x7fffffffe030 --> 0x0 0008| 0x7fffffffe038 --> 0xf80d10 --> 0xf815a0 --> 0x7ffff7f9ec58 --> 0x7ffff7e2fe60 (<mp4v2::platform::io::File::~File()>: push rbp) 0016| 0x7fffffffe040 --> 0x0 0024| 0x7fffffffe048 --> 0x7ffff7ec221c (<MP4ReadProvider(char const*, MP4FileProvider const*)+204>: mov rax,QWORD PTR [rbp-0x20]) 0032| 0x7fffffffe050 --> 0xf80d10 --> 0xf815a0 --> 0x7ffff7f9ec58 --> 0x7ffff7e2fe60 (<mp4v2::platform::io::File::~File()>: push rbp) 0040| 0x7fffffffe058 --> 0x1f7fc9130 0048| 0x7fffffffe060 --> 0x7fffffffe100 --> 0x7fffffffe1f0 --> 0x0 0056| 0x7fffffffe068 --> 0x7ffff7ed2a4e (<MP4FindTrackId(MP4FileHandle, uint16_t, char const*, uint8_t)+158>: mov ecx,DWORD PTR [rbp-0x58]) [------------------------------------------------------------------------------] Legend: code, data, rodata, value Stopped reason: SIGFPE 0x0000000000427aa6 in DumpTrack (mp4file=0xf80d10, tid=0x1) at /root/mp4v2/build/mp4v2/util/mp4trackdump.cpp:54 54 msectime /= timescale; gdb-peda$ p timescale $1 = 0x0 gdb-peda$
you can see ‘timescale’ is 0.It cause the SIGFPE.
ASAN report
(base) ➜ build git:(main) ✗ ./mp4trackdump ../../out1/default/crashes/id:000005,sig:08,src:000166+000357,time:3137250,execs:3545598,op:splice,rep:16
==2100718==ERROR: AddressSanitizer: FPE on unknown address 0x56363644d728 (pc 0x56363644d728 bp 0x7ffd22170500 sp 0x7ffd221704a0 T0)
#0 0x56363644d727 in DumpTrack(void*, unsigned int) (/root/mp4v2/build/mp4v2/build/mp4trackdump+0x2727)
#1 0x56363644e76a in main (/root/mp4v2/build/mp4v2/build/mp4trackdump+0x376a)
#2 0x7f647b7e6082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
#3 0x56363644d54d in _start (/root/mp4v2/build/mp4v2/build/mp4trackdump+0x254d)