

CVE-2021-46238: stack overflow in gf_node_get_name () at scenegraph/base_scenegraph.c:1293 · Issue #2027 · gpac/gpac

GPAC v1.1.0 was discovered to contain a stack overflow via the function gf_node_get_name () at scenegraph/base_scenegraph.c. This vulnerability can lead to a program crash, causing a Denial of Service (DoS).

Tags: #vulnerability #linux #dos #js #git

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

  • I looked for a similar issue and couldn’t find any.
  • I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
  • I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line …). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

Version:

./MP4Box -version
MP4Box - GPAC version 1.1.0-DEV-rev1582-g94db9779c-master
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    MINI build (encoders, decoders, audio and video output disabled)

Please cite our work in your research:
    GPAC Filters: https://doi.org/10.1145/3339825.3394929
    GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --static-mp4box --enable-debug --
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D 

command:

./bin/gcc/MP4Box -disox -ttxt -2 -dump-chap-ogg -dump-cover -drtp -bt -out /dev/null POC2

Attachment: POC2.zip

Result

bt

Program received signal SIGSEGV, Segmentation fault.
0x000000000047aa77 in gf_node_get_name (p=0x4747474747474747) at scenegraph/base_scenegraph.c:1293
1293        if (!p || !(p->sgprivate->flags & GF_NODE_IS_DEF)) return NULL;
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
──────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]───────────────────────────────────────────────────────────────────────────────────────────────────
 RAX  0x4747474747474747 ('GGGGGGGG')
 RBX  0x400788 ◂— 0x0
 RCX  0x474747 (gf_xml_parse_bit_sequence_bs+486) ◂— sti    
 RDX  0x7
 RDI  0x4747474747474747 ('GGGGGGGG')
 RSI  0x10fd740 ◂— 0x47474747474747 /* 'GGGGGGG' */
 R8   0x10fc550 —▸ 0x10fce00 —▸ 0x10eccb0 ◂— 0x0
 R9   0x2
 R10  0x0
 R11  0x0
 R12  0xd0a2b0 (__libc_csu_fini) ◂— endbr64 
 R13  0x0
 R14  0x10a6018 (_GLOBAL_OFFSET_TABLE_+24) —▸ 0xd80db0 (__memmove_avx_unaligned_erms) ◂— endbr64 
 R15  0x0
 RBP  0x7fffffff8100 —▸ 0x7fffffff85d0 ◂— 0x4747474747474747 ('GGGGGGGG')
 RSP  0x7fffffff8100 —▸ 0x7fffffff85d0 ◂— 0x4747474747474747 ('GGGGGGGG')
 RIP  0x47aa77 (gf_node_get_name+23) ◂— mov    rax, qword ptr [rax]
────────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]────────────────────────────────────────────────────────────────────────────────────────────────────
 ► 0x47aa77 <gf_node_get_name+23>    mov    rax, qword ptr [rax]
   0x47aa7a <gf_node_get_name+26>    mov    eax, dword ptr [rax + 4]
   0x47aa7d <gf_node_get_name+29>    test   eax, eax
   0x47aa7f <gf_node_get_name+31>    js     gf_node_get_name+40                      <gf_node_get_name+40>
    ↓
   0x47aa88 <gf_node_get_name+40>    mov    rax, qword ptr [rbp - 0x18]
   0x47aa8c <gf_node_get_name+44>    mov    rax, qword ptr [rax]
   0x47aa8f <gf_node_get_name+47>    mov    rax, qword ptr [rax + 8]
   0x47aa93 <gf_node_get_name+51>    mov    qword ptr [rbp - 0x10], rax
   0x47aa97 <gf_node_get_name+55>    mov    rax, qword ptr [rbp - 0x10]
   0x47aa9b <gf_node_get_name+59>    mov    rax, qword ptr [rax + 0xf0]
   0x47aaa2 <gf_node_get_name+66>    cmp    qword ptr [rbp - 0x18], rax
────────────────────────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]─────────────────────────────────────────────────────────────────────────────────────────────────
In file: /home/zxq/CVE_testing/source/gpac/src/scenegraph/base_scenegraph.c
   1288 GF_EXPORT
   1289 const char *gf_node_get_name(GF_Node*p)
   1290 {
   1291     GF_SceneGraph *sg;
   1292     NodeIDedItem *reg_node;
 ► 1293     if (!p || !(p->sgprivate->flags & GF_NODE_IS_DEF)) return NULL;
   1294 
   1295     sg = p->sgprivate->scenegraph;
   1296 #ifndef GPAC_DISABLE_VRML
   1297     /*if this is a proto, look in parent graph*/
   1298     if (p == (GF_Node*)sg->pOwningProto) sg = sg->parent_scene;
────────────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────────────────────────────────────────────────────
00:0000│ rbp rsp 0x7fffffff8100 —▸ 0x7fffffff85d0 ◂— 0x4747474747474747 ('GGGGGGGG')
01:0008│         0x7fffffff8108 —▸ 0x6e1eee (gf_dump_vrml_route+415) ◂— mov    qword ptr [rbp - 0x488], rax
02:0010│         0x7fffffff8110 —▸ 0x10f9bc0 ◂— 0x333
03:0018│         0x7fffffff8118 ◂— 0x10
04:0020│         0x7fffffff8120 —▸ 0x7fffffff8610 ◂— 0x4747474747474747 ('GGGGGGGG')
05:0028│         0x7fffffff8128 —▸ 0x10f75f0 —▸ 0x10eccb0 ◂— 0x0
06:0030│         0x7fffffff8130 —▸ 0xdba6f0 (funlockfile) ◂— endbr64 
07:0038│         0x7fffffff8138 ◂— 0x1
──────────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────────────────────────────────────────────────────
 ► f 0         0x47aa77 gf_node_get_name+23
   f 1         0x6e1eee gf_dump_vrml_route+415
   f 2 0x4747474747474747
   f 3 0x4747474747474747
   f 4 0x4747474747474747
   f 5 0x4747474747474747
   f 6 0x4747474747474747
   f 7 0x4747474747474747
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0  0x000000000047aa77 in gf_node_get_name (p=0x4747474747474747) at scenegraph/base_scenegraph.c:1293
#1  0x00000000006e1eee in gf_dump_vrml_route (sdump=0x10f75f0, r=0x7fffffff8610, dump_type=0) at scene_manager/scene_dump.c:2344
#2  0x4747474747474747 in ?? ()
#3  0x4747474747474747 in ?? ()
#4  0x4747474747474747 in ?? ()
#5  0x4747474747474747 in ?? ()
#6  0x4747474747474747 in ?? ()
#7  0x4747474747474747 in ?? ()
#8  0x4747474747474747 in ?? ()
#9  0x4747474747474747 in ?? ()
#10 0x4747474747474747 in ?? ()
#11 0x4747474747474747 in ?? ()
#12 0x4747474747474747 in ?? ()
#13 0x4747474747474747 in ?? ()
#14 0x4747474747474747 in ?? ()
#15 0x4747474747474747 in ?? ()
#16 0x4747474747474747 in ?? ()
#17 0x4747474747474747 in ?? ()
#18 0x4747474747474747 in ?? ()
#19 0x4747474747474747 in ?? ()
#20 0x4747474747474747 in ?? ()
#21 0x4747474747474747 in ?? ()
#22 0x4747474747474747 in ?? ()
#23 0x4747474747474747 in ?? ()
#24 0x4747474747474747 in ?? ()
#25 0x4747474747474747 in ?? ()
#26 0x4747474747474747 in ?? ()
#27 0x4747474747474747 in ?? ()
#28 0x4747474747474747 in ?? ()
#29 0x4747474747474747 in ?? ()
#30 0x4747474747474747 in ?? ()
#31 0x4747474747474747 in ?? ()
#32 0x4747474747474747 in ?? ()
#33 0x4747474747474747 in ?? ()
#34 0x4747474747474747 in ?? ()
#35 0x4747474747474747 in ?? ()
#36 0x4747474747474747 in ?? ()
#37 0x4747474747474747 in ?? ()
#38 0x4747474747474747 in ?? ()
#39 0x4747474747474747 in ?? ()
#40 0x4747474747474747 in ?? ()
#41 0x4747474747474747 in ?? ()
#42 0x4747474747474747 in ?? ()
#43 0x4747474747474747 in ?? ()
#44 0x4747474747474747 in ?? ()
#45 0x4747474747474747 in ?? ()
#46 0x4747474747474747 in ?? ()
#47 0x4747474747474747 in ?? ()
#48 0x4747474747474747 in ?? ()
#49 0x4747474747474747 in ?? ()
#50 0x4747474747474747 in ?? ()
#51 0x4747474747474747 in ?? ()
#52 0x4747474747474747 in ?? ()
#53 0x4747474747474747 in ?? ()
#54 0x4747474747474747 in ?? ()
#55 0x47474747ef474747 in ?? ()
#56 0x4747474747474747 in ?? ()
#57 0x4747474747474747 in ?? ()
#58 0x4747474747474747 in ?? ()
#59 0x0047474747474747 in ?? ()
#60 0x868bc44dfe5d4600 in ?? ()
#61 0x00007fffffff98b0 in ?? ()
#62 0x0000000000417966 in dump_isom_scene (file=<error reading variable: Cannot access memory at address 0x474747474747366f>, inName=<error reading variable: Cannot access memory at address 0x4747474747473667>, is_final_name=<error reading variable: Cannot access memory at address 0x4747474747473663>, dump_mode=<error reading variable: Cannot access memory at address 0x474747474747365f>, do_log=<error reading variable: Cannot access memory at address 0x474747474747365b>, no_odf_conv=<error reading variable: Cannot access memory at address 0x4747474747473657>) at filedump.c:213
Backtrace stopped: Cannot access memory at address 0x474747474747474f
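Reading the trace above: every frame from #2 onward reports 0x4747474747474747 as its program counter, frame #0's argument p holds the same value, and gdb finally stops on an address made of the same byte. That is what saved return addresses and saved frame pointers look like once a stack buffer has been overrun with 'G' bytes. The frame just below the first clobbered return address (#1, gf_dump_vrml_route at scene_manager/scene_dump.c:2344) is the one whose stack frame held that return address, so its locals are the first place to look. The script below is an added triage helper, not code from the GPAC project or from the bug report: it parses a gdb `bt` dump, flags frames and argument values that consist of a repeated fill byte, and names the last intact frame. The embedded sample is a trimmed copy of the backtrace above; the fill-detection threshold (min_run) is an assumption of this example.

```python
"""Triage a gdb/pwndbg backtrace whose frames were overwritten by a stack
buffer overflow. Added example; not GPAC code and not from the bug report."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: a trimmed copy of the `bt` output quoted in the report
# (frames 4-54 and 56-58 omitted, frame 62's argument list shortened).
SAMPLE_BT = """\
#0  0x000000000047aa77 in gf_node_get_name (p=0x4747474747474747) at scenegraph/base_scenegraph.c:1293
#1  0x00000000006e1eee in gf_dump_vrml_route (sdump=0x10f75f0, r=0x7fffffff8610, dump_type=0) at scene_manager/scene_dump.c:2344
#2  0x4747474747474747 in ?? ()
#3  0x4747474747474747 in ?? ()
#55 0x47474747ef474747 in ?? ()
#59 0x0047474747474747 in ?? ()
#60 0x868bc44dfe5d4600 in ?? ()
#61 0x00007fffffff98b0 in ?? ()
#62 0x0000000000417966 in dump_isom_scene (file=<error reading variable: Cannot access memory at address 0x474747474747366f>) at filedump.c:213
Backtrace stopped: Cannot access memory at address 0x474747474747474f
"""

FRAME_RE = re.compile(r"^#(?P<idx>\d+)\s+0x(?P<pc>[0-9a-fA-F]+)\s+in\s+(?P<func>\S+)\s*"
                      r"\((?P<args>.*)\)(?:\s+at\s+(?P<loc>\S+))?\s*$")
STOP_RE = re.compile(r"^Backtrace stopped:.*?0x(?P<addr>[0-9a-fA-F]+)")
HEX_RE = re.compile(r"0x[0-9a-fA-F]+")


def fill_byte_of(value: int, width: int = 8, min_run: int = 6) -> Optional[int]:
    """Return the byte dominating `value` when at least `min_run` of its `width`
    bytes are identical and non-zero, else None. Allowing two stray bytes still
    catches partially clobbered words such as 0x47474747ef474747, while canonical
    pointers (0x00007fff...) and small code addresses (0x47aa77) have at most five
    equal bytes. Zero is excluded so NULL and small integers are not flagged."""
    if value < 0 or value >= 1 << (8 * width):
        return None
    byte, run = Counter(value.to_bytes(width, "little")).most_common(1)[0]
    return None if byte == 0 or run < min_run else byte


@dataclass
class Frame:
    index: int
    pc: int
    func: str                    # "??" when gdb could not symbolize the pc
    location: Optional[str]      # "file:line" when debug info was available
    fill_byte: Optional[int]     # set when the pc itself looks like fill data
    fill_args: List[int] = field(default_factory=list)  # hex values in the arg list that look like fill data

    @property
    def symbolized(self) -> bool:
        return self.func != "??"


def parse_backtrace(text: str) -> Tuple[List[Frame], Optional[int]]:
    frames, stop = [], None
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            pc = int(m["pc"], 16)
            args = [int(h, 16) for h in HEX_RE.findall(m["args"])]
            frames.append(Frame(int(m["idx"]), pc, m["func"], m["loc"], fill_byte_of(pc),
                                [a for a in args if fill_byte_of(a) is not None]))
            continue
        s = STOP_RE.match(line.strip())
        if s:
            stop = int(s["addr"], 16)
    return frames, stop


@dataclass
class Triage:
    frames: List[Frame]
    smashed: List[Frame]          # frames whose pc (a saved return address) is fill data
    fill_byte: Optional[int]      # dominant fill byte across the smashed frames
    last_sane: Optional[Frame]    # deepest symbolized frame below the corruption
    stop_address: Optional[int]

    @property
    def stack_smashed(self) -> bool:
        return bool(self.smashed) and self.fill_byte is not None


def triage(text: str) -> Triage:
    frames, stop = parse_backtrace(text)
    smashed = [f for f in frames if f.fill_byte is not None]
    fill = Counter(f.fill_byte for f in smashed).most_common(1)[0][0] if smashed else None
    last_sane = None
    if smashed:
        sane = [f for f in frames if f.index < smashed[0].index and f.symbolized]
        last_sane = sane[-1] if sane else None
    return Triage(frames, smashed, fill, last_sane, stop)


def summarize(t: Triage) -> str:
    if not t.stack_smashed:
        return "no fill-pattern frames: backtrace looks intact"
    out = [f"{len(t.smashed)} frame(s) carry fill byte 0x{t.fill_byte:02x} starting at "
           f"#{t.smashed[0].index}: saved return addresses were overwritten"]
    if t.last_sane:
        out.append(f"last intact frame: #{t.last_sane.index} {t.last_sane.func} at "
                   f"{t.last_sane.location or '?'}; inspect its locals for the overrun buffer")
    for f in t.frames:
        if f.symbolized and f.fill_args:
            out.append(f"#{f.index} {f.func}: fill-pattern values in argument list: "
                       + ", ".join(f"0x{v:x}" for v in f.fill_args))
    if t.stop_address is not None and fill_byte_of(t.stop_address) == t.fill_byte:
        out.append(f"unwinder stopped on fill-pattern address 0x{t.stop_address:x}")
    return "\n".join(out)


if __name__ == "__main__":
    print(summarize(triage(SAMPLE_BT)))
```

Feed it the full `bt` output (the pwndbg `BACKTRACE` panel uses a different layout and is not parsed). The frame it names as "last intact" is the one whose saved return address was the first to be clobbered, which is where the overflowed buffer normally lives; it does not identify the write itself, so the next step is still to open that function at the reported line under a debugger or ASan build.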
