CVE-2021-46041: Segmentation fault in co64_box_new () · Issue #2004 · gpac/gpac
A Segmentation Fault Vulnerability exists in GPAC 1.0.1 via the co64_box_new function, which causes a Denial of Service.
Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!
- [Yes] I looked for a similar issue and couldn’t find any.
- [Yes] I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
- [Yes] I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line …). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95
Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/
Version:

```
./MP4Box -version
MP4Box - GPAC version 1.1.0-DEV-rev1574-g8b22f0912-master
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration:
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB
```
Command:

```
./bin/gcc/MP4Box -hint POC7
```

POC7.zip
Result:

```
bt
Program received signal SIGSEGV, Segmentation fault.
_int_malloc (av=av@entry=0x7ffff76a0b80 <main_arena>, bytes=bytes@entry=56) at malloc.c:3643
3643 malloc.c: No such file or directory.
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
[ REGISTERS ]
RAX 0x7ffff76a0c20 (main_arena+160) —▸ 0x5555555e0ba0 ◂— 0x1400000014
RBX 0x7ffff76a0b80 (main_arena) ◂— 0x0
RCX 0x7ffff76a0c10 (main_arena+144) —▸ 0x7ffff76a0c00 (main_arena+128) —▸ 0x5555555e0b00 ◂— 0x1400000014
RDX 0x8013f76a0c24
RDI 0x7ffff76a0b80 (main_arena) ◂— 0x0
RSI 0x7ffff76a0b90 (main_arena+16) ◂— 0x0
R8 0x5555555e0ba0 ◂— 0x1400000014
R9 0x7fffffff7f00 ◂— 0x67 /* 'g' */
R10 0x7ffff76d927a ◂— 'gf_isom_box_size'
R11 0x7ffff78fa0d0 (gf_isom_box_size) ◂— endbr64
R12 0xffffffffffffffb0
R13 0x40
R14 0x4
R15 0x5555555e2a00 ◂— 0x1473746383
RBP 0x38
RSP 0x7fffffff7e40 ◂— 0x0
RIP 0x7ffff754fc5e (_int_malloc+110) ◂— cmp qword ptr [rdx + 0x10], r8
[ DISASM ]
► 0x7ffff754fc5e <_int_malloc+110> cmp qword ptr [rdx + 0x10], r8
0x7ffff754fc62 <_int_malloc+114> jne _int_malloc+2760 <_int_malloc+2760>
↓
0x7ffff75506b8 <_int_malloc+2760> lea rdi, [rip + 0x121361]
0x7ffff75506bf <_int_malloc+2767> call malloc_printerr <malloc_printerr>
0x7ffff75506c4 <_int_malloc+2772> nop dword ptr [rax]
0x7ffff75506c8 <_int_malloc+2776> mov r9, qword ptr [rdx + 8]
0x7ffff75506cc <_int_malloc+2780> test r9b, 4
0x7ffff75506d0 <_int_malloc+2784> jne _int_malloc+3747 <_int_malloc+3747>
0x7ffff75506d6 <_int_malloc+2790> mov rax, qword ptr [rsp + 0x78]
0x7ffff75506db <_int_malloc+2795> jmp _int_malloc+2818 <_int_malloc+2818>
0x7ffff75506dd <_int_malloc+2797> nop dword ptr [rax]
[ STACK ]
00:0000│ rsp 0x7fffffff7e40 ◂— 0x0
01:0008│ 0x7fffffff7e48 —▸ 0x7ffff78fabec (gf_isom_box_array_read_ex+860) ◂— mov r12d, eax
02:0010│ 0x7fffffff7e50 ◂— 0x0
03:0018│ 0x7fffffff7e58 —▸ 0x7ffff7e0cd89 ◂— 0x627473006c627473 /* 'stbl' */
04:0020│ 0x7fffffff7e60 —▸ 0x5555555db530 ◂— 0x73747373 /* 'ssts' */
05:0028│ 0x7fffffff7e68 ◂— 0x5101650c1f57a700
06:0030│ 0x7fffffff7e70 ◂— 0x8
07:0038│ 0x7fffffff7e78 —▸ 0x5555555e00d0 ◂— 0x7374626c /* 'lbts' */
[ BACKTRACE ]
► f 0 0x7ffff754fc5e _int_malloc+110
f 1 0x7ffff75522d4 malloc+116
f 2 0x7ffff78c17d2 co64_box_new+18
f 3 0x7ffff78f8aa9 gf_isom_box_new+153
f 4 0x7ffff791009c shift_chunk_offsets.part+284
f 5 0x7ffff79103a7 inplace_shift_moov_meta_offsets+231
f 6 0x7ffff7910e3c inplace_shift_mdat+732
f 7 0x7ffff7915009 WriteToFile+2713
pwndbg> bt
#0 _int_malloc (av=av@entry=0x7ffff76a0b80 <main_arena>, bytes=bytes@entry=56) at malloc.c:3643
#1 0x00007ffff75522d4 in __GI___libc_malloc (bytes=56) at malloc.c:3058
#2 0x00007ffff78c17d2 in co64_box_new () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#3 0x00007ffff78f8aa9 in gf_isom_box_new () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#4 0x00007ffff791009c in shift_chunk_offsets.part () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#5 0x00007ffff79103a7 in inplace_shift_moov_meta_offsets () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#6 0x00007ffff7910e3c in inplace_shift_mdat () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#7 0x00007ffff7915009 in WriteToFile () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#8 0x00007ffff7906432 in gf_isom_write () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#9 0x00007ffff79064b8 in gf_isom_close () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
#10 0x000055555557bd12 in mp4boxMain ()
#11 0x00007ffff74dc0b3 in __libc_start_main (main=0x55555556d420 <main>, argc=3, argv=0x7fffffffe348, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe338) at ../csu/libc-start.c:308
#12 0x000055555556d45e in _start ()
pwndbg>
```