Headline
CVE-2021-45760: Invalid memory address dereference in dump_od_to_saf.isra() · Issue #1966 · gpac/gpac
GPAC v1.1.0 was discovered to contain an invalid memory address dereference via the function gf_list_last(). This vulnerability allows attackers to cause a Denial of Service (DoS).
Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!
- I looked for a similar issue and couldn’t find any.
- I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
- I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line …). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95
Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/
An invalid memory address dereference was discovered in dump_od_to_saf.isra(). The vulnerability causes a segmentation fault and application crash.
Version:
MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration:
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB GPAC_DISABLE_3D
System information
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz
command:
poc_3.zip
Result
[ODF] Not enough bytes (38) to read descriptor (size=59)
[ODF] Error reading descriptor (tag 4 size 49): Invalid MPEG-4 Descriptor
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Incomplete box mdat - start 11495 size 861263
[iso file] Incomplete file while reading for dump - aborting parsing
[ODF] Not enough bytes (38) to read descriptor (size=59)
[ODF] Error reading descriptor (tag 4 size 49): Invalid MPEG-4 Descriptor
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Incomplete box mdat - start 11495 size 861263
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 BIFS Scene Parsing
Scene loaded - dumping 2 systems streams
[1] 1390552 segmentation fault ./MP4Box -lsr ./poc/poc_3
gdb
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7ab7e3b in dump_od_to_saf.isra () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
RAX 0x0
RBX 0x5555555df630 —▸ 0x5555555df601 ◂— 0x2100000000000000
RCX 0x0
RDX 0x7ffff72bf040 ◂— 0x7ffff72bf040
RDI 0x5555555e0400 ◂— 0xfbad2c84
RSI 0x5555555df440 ◂— 0x7
R8 0x0
R9 0x23
R10 0x7ffff7e4690b ◂— 0x7473200000000022 /* '"' */
R11 0x7fffffff70c7 ◂— 0x4d0552ab398a0031 /* '1' */
R12 0x0
R13 0x5555555df4d0 ◂— 0x0
R14 0x5555555df070 —▸ 0x5555555e0400 ◂— 0xfbad2c84
R15 0x5555555dfcb0 ◂— 0x700010003
RBP 0x1
RSP 0x7fffffff7200 —▸ 0x5555555df8a0 ◂— 0xc0
RIP 0x7ffff7ab7e3b (dump_od_to_saf.isra+299) ◂— movzx edx, byte ptr [rax + 8]
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
► 0x7ffff7ab7e3b <dump_od_to_saf.isra+299> movzx edx, byte ptr [rax + 8]
0x7ffff7ab7e3f <dump_od_to_saf.isra+303> mov ecx, dword ptr [rax + 4]
0x7ffff7ab7e42 <dump_od_to_saf.isra+306> xor eax, eax
0x7ffff7ab7e44 <dump_od_to_saf.isra+308> mov r8d, dword ptr [rsi + 0x18]
0x7ffff7ab7e48 <dump_od_to_saf.isra+312> lea rsi, [rip + 0x38eac1]
0x7ffff7ab7e4f <dump_od_to_saf.isra+319> call gf_fprintf@plt <gf_fprintf@plt>
0x7ffff7ab7e54 <dump_od_to_saf.isra+324> mov rdx, qword ptr [r13]
0x7ffff7ab7e58 <dump_od_to_saf.isra+328> mov r9, qword ptr [rsp]
0x7ffff7ab7e5c <dump_od_to_saf.isra+332> test rdx, rdx
0x7ffff7ab7e5f <dump_od_to_saf.isra+335> jne dump_od_to_saf.isra+464 <dump_od_to_saf.isra+464>
0x7ffff7ab7e61 <dump_od_to_saf.isra+337> mov rdi, qword ptr [r14]
──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffff7200 —▸ 0x5555555df8a0 ◂— 0xc0
01:0008│ 0x7fffffff7208 ◂— 0x100000002
02:0010│ 0x7fffffff7210 —▸ 0x5555555dfa50 —▸ 0x5555555dfde0 ◂— 0x0
03:0018│ 0x7fffffff7218 ◂— 0x0
04:0020│ 0x7fffffff7220 —▸ 0x5555555dfa50 —▸ 0x5555555dfde0 ◂— 0x0
05:0028│ 0x7fffffff7228 ◂— 0x0
06:0030│ 0x7fffffff7230 ◂— 0x0
07:0038│ 0x7fffffff7238 —▸ 0x5555555df4d0 ◂— 0x0
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
► f 0 0x7ffff7ab7e3b dump_od_to_saf.isra+299
f 1 0x7ffff7ac282d gf_sm_dump+1853
f 2 0x555555584418 dump_isom_scene+616
f 3 0x55555557b42c mp4boxMain+9228
f 4 0x7ffff75630b3 __libc_start_main+243
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0 0x00007ffff7ab7e3b in dump_od_to_saf.isra () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#1 0x00007ffff7ac282d in gf_sm_dump () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#2 0x0000555555584418 in dump_isom_scene ()
#3 0x000055555557b42c in mp4boxMain ()
#4 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe188, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe178) at ../csu/libc-start.c:308
#5 0x000055555556c45e in _start ()