CVE-2023-37765: SEGV on unknown address 0x000000000003(0x000000000009) · Issue #2515 · gpac/gpac
GPAC v2.3-DEV-rev381-g817a848f6-master was discovered to contain a segmentation violation in the gf_dump_vrml_sffield function at /lib/libgpac.so.
Hello, I used the fuzzer (AFL) to fuzz the gpac binary and got some crashes.
The following are the details.
Title: SEGV on unknown address 0x000000000003(0x000000000009)
1. Description
A SEGV on unknown address 0x000000000003 (0x000000000009) has occurred in function dump_isom_scene at /root/gpac/applications/mp4box/filedump.c:223:7
when running the program MP4Box. This can be reproduced on the latest commit.
2. Software version info
fuzz@ubuntu:~/gpac2.1/gpac/bin/gcc$ MP4Box -version
MP4Box - GPAC version 2.3-DEV-rev381-g817a848f6-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
3. System version info
./uname -a
Linux ouc7 5.4.0-150-generic #167-Ubuntu SMP Mon May 15 17:35:05 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
4. Command
5. Result
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent minf
[iso file] Missing DataInformationBox
[iso file] Unknown box type 0000 in parent moov
[iso file] Read Box type 0000 (0x30303030) at position 11542 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
[iso file] Box "moov" (start 20) has 806 extra bytes
[iso file] Unknown top-level box type 0000
[iso file] Incomplete box 0000 - start 12356 size 808401079
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent minf
[iso file] Missing DataInformationBox
[iso file] Unknown box type 0000 in parent moov
[iso file] Read Box type 0000 (0x30303030) at position 11542 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
[iso file] Box "moov" (start 20) has 806 extra bytes
[iso file] Unknown top-level box type 0000
[iso file] Incomplete box 0000 - start 12356 size 808401079
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 BIFS Scene Parsing
[ODF] Reading bifs config: shift in sizes (invalid descriptor)
[MP4 Loading] Unable to fetch sample 14 from track ID 8 - aborting track import
Scene loaded - dumping 1 systems streams
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==3913141==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000003 (pc 0x7f3c65d28adb bp 0x00000000002d sp 0x7fffa6574310 T3913141)
==3913141==The signal is caused by a READ memory access.
==3913141==Hint: address points to the zero page.
#0 0x7f3c65d28adb in gf_dump_vrml_sffield (/usr/local/lib/libgpac.so.12+0x4dfadb)
#1 0x7f3c65d284e1 in gf_dump_vrml_simple_field (/usr/local/lib/libgpac.so.12+0x4df4e1)
#2 0x7f3c65d1f694 in gf_sm_dump_command_list (/usr/local/lib/libgpac.so.12+0x4d6694)
#3 0x7f3c65d27670 in gf_sm_dump (/usr/local/lib/libgpac.so.12+0x4de670)
#4 0x450606 in dump_isom_scene /root/gpac/applications/mp4box/filedump.c:223:7
#5 0x4478b0 in mp4box_main /root/gpac/applications/mp4box/mp4box.c:6461:7
#6 0x7f3c654dc082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
#7 0x41304d in _start (/usr/local/bin/MP4Box+0x41304d)
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV (/usr/local/lib/libgpac.so.12+0x4dfadb) in gf_dump_vrml_sffield
==3913141==ABORTING
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent minf
[iso file] Missing DataInformationBox
[iso file] Unknown box type 0000 in parent moov
[iso file] Read Box type 0000 (0x30303030) at position 11542 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
[iso file] Box "moov" (start 20) has 806 extra bytes
[iso file] Unknown top-level box type 0000
[iso file] Incomplete box 0000 - start 12356 size 808423476
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent moov
[iso file] Unknown box type 0000 in parent minf
[iso file] Missing DataInformationBox
[iso file] Unknown box type 0000 in parent moov
[iso file] Read Box type 0000 (0x30303030) at position 11542 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
[iso file] Box "moov" (start 20) has 806 extra bytes
[iso file] Unknown top-level box type 0000
[iso file] Incomplete box 0000 - start 12356 size 808423476
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 BIFS Scene Parsing
[ODF] Reading bifs config: shift in sizes (not supported)
[MP4 Loading] Unable to fetch sample 2 from track ID 8 - aborting track import
Scene loaded - dumping 1 systems streams
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==430714==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000009 (pc 0x7f38a4794adb bp 0x00000000002d sp 0x7ffed4adff90 T430714)
==430714==The signal is caused by a READ memory access.
==430714==Hint: address points to the zero page.
#0 0x7f38a4794adb in gf_dump_vrml_sffield (/usr/local/lib/libgpac.so.12+0x4dfadb)
#1 0x7f38a47944e1 in gf_dump_vrml_simple_field (/usr/local/lib/libgpac.so.12+0x4df4e1)
#2 0x7f38a478b96d in gf_sm_dump_command_list (/usr/local/lib/libgpac.so.12+0x4d696d)
#3 0x7f38a4793670 in gf_sm_dump (/usr/local/lib/libgpac.so.12+0x4de670)
#4 0x450606 in dump_isom_scene /root/gpac/applications/mp4box/filedump.c:223:7
#5 0x4478b0 in mp4box_main /root/gpac/applications/mp4box/mp4box.c:6461:7
#6 0x7f38a3f48082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
#7 0x41304d in _start (/usr/local/bin/MP4Box+0x41304d)
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV (/usr/local/lib/libgpac.so.12+0x4dfadb) in gf_dump_vrml_sffield
==430714==ABORTING
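As an added triage example (not part of this report or of the GPAC code base): the two sanitizer reports above are parsed and bucketed by module+offset instead of absolute pc, which shows that both crashes fault at the same instruction in gf_dump_vrml_sffield (libgpac.so.12+0x4dfadb) even though the faulting addresses (0x3 and 0x9) and the third stack frame differ. The sample input is a constructed, cut-down copy of the two reports; field and function names are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the two UBSan reports from this issue, trimmed to the header, access type and top frames.
REPORTS = """\
==3913141==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000003 (pc 0x7f3c65d28adb bp 0x00000000002d sp 0x7fffa6574310 T3913141)
==3913141==The signal is caused by a READ memory access.
    #0 0x7f3c65d28adb in gf_dump_vrml_sffield (/usr/local/lib/libgpac.so.12+0x4dfadb)
    #1 0x7f3c65d284e1 in gf_dump_vrml_simple_field (/usr/local/lib/libgpac.so.12+0x4df4e1)
    #2 0x7f3c65d1f694 in gf_sm_dump_command_list (/usr/local/lib/libgpac.so.12+0x4d6694)
==430714==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x000000000009 (pc 0x7f38a4794adb bp 0x00000000002d sp 0x7ffed4adff90 T430714)
==430714==The signal is caused by a READ memory access.
    #0 0x7f38a4794adb in gf_dump_vrml_sffield (/usr/local/lib/libgpac.so.12+0x4dfadb)
    #1 0x7f38a47944e1 in gf_dump_vrml_simple_field (/usr/local/lib/libgpac.so.12+0x4df4e1)
    #2 0x7f38a478b96d in gf_sm_dump_command_list (/usr/local/lib/libgpac.so.12+0x4d696d)
"""

HEADER = re.compile(r"^==(\d+)==ERROR: \w+Sanitizer: \w+ on unknown address (0x[0-9a-f]+)")
ACCESS = re.compile(r"caused by a (READ|WRITE) memory access")
FRAME = re.compile(r"#(\d+) 0x[0-9a-f]+ in (\S+) \((\S+)\)")

@dataclass
class Crash:
    pid: int
    address: int
    access: str = "?"
    frames: list = field(default_factory=list)  # (function, module+offset)

    def near_null(self) -> bool:
        # An address inside the first page is a NULL-plus-field-offset access.
        return self.address < 0x1000

def parse(text: str) -> list:
    crashes = []
    for line in text.splitlines():
        if m := HEADER.match(line):
            crashes.append(Crash(int(m[1]), int(m[2], 16)))
        elif crashes and (m := ACCESS.search(line)):
            crashes[-1].access = m[1]
        elif crashes and (m := FRAME.search(line)):
            crashes[-1].frames.append((m[2], m[3]))
    return crashes

def bucket(crashes: list, depth: int = 1) -> dict:
    # Key on module+offset, not absolute pc: offsets are stable across ASLR runs.
    groups = {}
    for c in crashes:
        key = tuple(off for _, off in c.frames[:depth])
        groups.setdefault(key, []).append(c.pid)
    return groups
```

Bucketing on one frame merges the two reports into a single crash; on three frames they split, because the gf_sm_dump_command_list offsets differ, so the depth chosen decides whether these count as one bug or two.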
6. Impact
This vulnerability is capable of crashing the software, bypassing protection mechanisms, modifying memory, and possibly allowing remote code execution.
7. POC
POC file list
poc_list.zip
Report of the Information Security Laboratory of Ocean University of China @OUC_ISLOUC @OUC_Blue_Whale