CVE-2021-45263: Invalid free in gf_svg_delete_attribute_value() · Issue #1975 · gpac/gpac

An invalid free vulnerability exists in gpac 1.1.0 via the gf_svg_delete_attribute_value function, which causes a segmentation fault and application crash.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

  • I looked for a similar issue and couldn’t find any.
  • I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
  • I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line …). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

An invalid free was discovered in gf_svg_delete_attribute_value(). The vulnerability causes a segmentation fault and application crash.

Version:

MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
        GPAC Filters: https://doi.org/10.1145/3339825.3394929
        GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration:
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D

System information
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

command:

./MP4Box -lsr ./poc/poc_12

poc_12.zip

Result

./MP4Box -lsr ./poc/poc_12
[iso file] Box "stco" (start 2057) has 6144 extra bytes
[iso file] Box "stco" is larger than container box
[iso file] Box "stbl" size 1814 (start 415) invalid (read 7894)
[iso file] Unknown box type 00040000 in parent dref
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Incomplete box mdat - start 11495 size 803523
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] Box "stco" (start 2057) has 6144 extra bytes
[iso file] Box "stco" is larger than container box
[iso file] Box "stbl" size 1814 (start 415) invalid (read 7894)
[iso file] Unknown box type 00040000 in parent dref
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Incomplete box mdat - start 11495 size 803523
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 LASeR Scene Parsing
[MP4 Loading] Unable to fetch sample 1 from track ID 7 - aborting track import
[LASeR] sametext coded in bitstream but no text defined !
[LASeR] samerect coded in bitstream but no rect defined !
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[LASeR] memory overread - corrupted decoding
[MP4 Loading] decoding sample 1 from track ID 8 failed
[1]    4148207 segmentation fault  ./MP4Box -lsr ./poc/poc_12

gdb

Program received signal SIGSEGV, Segmentation fault.
__GI___libc_free (mem=0x4183400000000000) at malloc.c:3102
3102    malloc.c: No such file or directory.
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
 RAX  0x0
 RBX  0x1
 RCX  0x0
 RDX  0x7ffff7e0d800 ◂— 0xffaba7feffaba850
 RDI  0x4183400000000000
 RSI  0x5555555dfce0 ◂— 0x4183400000000000
 R8   0x7
 R9   0xfffffff6
 R10  0x7ffff775ba72 ◂— 'gf_node_unregister_children'
 R11  0x7ffff784a6d0 (gf_node_unregister_children) ◂— endbr64
 R12  0x5555555d40d0 ◂— 0x0
 R13  0x2a
 R14  0x8
 R15  0x5555555dfcc0 —▸ 0x5555555dfd00 —▸ 0x5555555dfce0 ◂— 0x4183400000000000
 RBP  0x5555555dfce0 ◂— 0x4183400000000000
 RSP  0x7fffffff7040 ◂— 0x0
 RIP  0x7ffff75d9870 (free+32) ◂— mov    rax, qword ptr [rdi - 8]
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
 ► 0x7ffff75d9870 <free+32>         mov    rax, qword ptr [rdi - 8]
   0x7ffff75d9874 <free+36>         lea    rsi, [rdi - 0x10]
   0x7ffff75d9878 <free+40>         test   al, 2
   0x7ffff75d987a <free+42>         jne    free+96                <free+96>
    ↓
   0x7ffff75d98b0 <free+96>         mov    edx, dword ptr [rip + 0x14d9fe] <0x7ffff77272b4>
   0x7ffff75d98b6 <free+102>        test   edx, edx
   0x7ffff75d98b8 <free+104>        jne    free+123                <free+123>
    ↓
   0x7ffff75d98cb <free+123>        mov    rdi, rsi
   0x7ffff75d98ce <free+126>        add    rsp, 0x18
   0x7ffff75d98d2 <free+130>        jmp    munmap_chunk                <munmap_chunk>
    ↓
   0x7ffff75d4630 <munmap_chunk>    sub    rsp, 8
──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffff7040 ◂— 0x0
... ↓        2 skipped
03:0018│     0x7fffffff7058 —▸ 0x7ffff78c805d (gf_svg_delete_attribute_value+173) ◂— jmp    0x7ffff78c7ffe
04:0020│     0x7fffffff7060 ◂— 0x0
05:0028│     0x7fffffff7068 ◂— 0x1
06:0030│     0x7fffffff7070 —▸ 0x5555555dfca0 ◂— 0x101
07:0038│     0x7fffffff7078 —▸ 0x5555555d40d0 ◂— 0x0
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
 ► f 0   0x7ffff75d9870 free+32
   f 1   0x7ffff78c805d gf_svg_delete_attribute_value+173
   f 2   0x7ffff78c815b gf_svg_delete_attribute_value+427
   f 3   0x7ffff78e1b65 gf_node_delete_attributes+69
   f 4   0x7ffff78c7c2a gf_svg_node_del+282
   f 5   0x7ffff784a51d gf_node_unregister+349
   f 6   0x7ffff784a6f4 gf_node_unregister_children+36
   f 7   0x7ffff784a731 gf_sg_parent_reset+17
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0  __GI___libc_free (mem=0x4183400000000000) at malloc.c:3102
#1  0x00007ffff78c805d in gf_svg_delete_attribute_value () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#2  0x00007ffff78c815b in gf_svg_delete_attribute_value () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#3  0x00007ffff78e1b65 in gf_node_delete_attributes () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#4  0x00007ffff78c7c2a in gf_svg_node_del () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#5  0x00007ffff784a51d in gf_node_unregister () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#6  0x00007ffff784a6f4 in gf_node_unregister_children () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#7  0x00007ffff784a731 in gf_sg_parent_reset () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#8  0x00007ffff78c7c32 in gf_svg_node_del () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#9  0x00007ffff784a51d in gf_node_unregister () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#10 0x00007ffff784a6f4 in gf_node_unregister_children () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#11 0x00007ffff784a731 in gf_sg_parent_reset () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#12 0x00007ffff78c7c32 in gf_svg_node_del () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#13 0x00007ffff784a51d in gf_node_unregister () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#14 0x00007ffff784f396 in gf_sg_command_del () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#15 0x00007ffff7a88203 in gf_sm_del () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#16 0x0000555555584423 in dump_isom_scene ()
#17 0x000055555557b42c in mp4boxMain ()
#18 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe218, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe208) at ../csu/libc-start.c:308
#19 0x000055555556c45e in _start ()

break gf_svg_delete_attribute_value

0x00007ffff78c8058 in gf_svg_delete_attribute_value () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
 RAX  0x7ffff78c8050 (gf_svg_delete_attribute_value+160) ◂— mov    rdi, qword ptr [rsi]
 RBX  0x1
 RCX  0x0
 RDX  0x7ffff7e0d800 ◂— 0xffaba7feffaba850
 RDI  0x4183400000000000
 RSI  0x5555555dfce0 ◂— 0x4183400000000000
 R8   0x7
 R9   0xfffffff6
 R10  0x7ffff775ba72 ◂— 'gf_node_unregister_children'
 R11  0x7ffff784a6d0 (gf_node_unregister_children) ◂— endbr64
 R12  0x5555555d40d0 ◂— 0x0
 R13  0x2a
 R14  0x8
 R15  0x5555555dfcc0 —▸ 0x5555555dfd00 —▸ 0x5555555dfce0 ◂— 0x4183400000000000
 RBP  0x5555555dfce0 ◂— 0x4183400000000000
 RSP  0x7fffffff7060 ◂— 0x0
*RIP  0x7ffff78c8058 (gf_svg_delete_attribute_value+168) ◂— call   0x7ffff77e2cb0
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
   0x7ffff78c7fda <gf_svg_delete_attribute_value+42>     add    rax, rdx
   0x7ffff78c7fdd <gf_svg_delete_attribute_value+45>     jmp    rax
    ↓
   0x7ffff78c8050 <gf_svg_delete_attribute_value+160>    mov    rdi, qword ptr [rsi]
   0x7ffff78c8053 <gf_svg_delete_attribute_value+163>    test   rdi, rdi
   0x7ffff78c8056 <gf_svg_delete_attribute_value+166>    je     gf_svg_delete_attribute_value+78                <gf_svg_delete_attribute_value+78>

 ► 0x7ffff78c8058 <gf_svg_delete_attribute_value+168>    call   gf_free@plt                <gf_free@plt>
        rdi: 0x4183400000000000
        rsi: 0x5555555dfce0 ◂— 0x4183400000000000
        rdx: 0x7ffff7e0d800 ◂— 0xffaba7feffaba850
        rcx: 0x0

   0x7ffff78c805d <gf_svg_delete_attribute_value+173>    jmp    gf_svg_delete_attribute_value+78                <gf_svg_delete_attribute_value+78>

   0x7ffff78c805f <gf_svg_delete_attribute_value+175>    nop
   0x7ffff78c8060 <gf_svg_delete_attribute_value+176>    mov    r14, qword ptr [rsi]
   0x7ffff78c8063 <gf_svg_delete_attribute_value+179>    xor    ebx, ebx
   0x7ffff78c8065 <gf_svg_delete_attribute_value+181>    mov    rdi, r14
──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffff7060 ◂— 0x0
01:0008│     0x7fffffff7068 ◂— 0x1
02:0010│     0x7fffffff7070 —▸ 0x5555555dfca0 ◂— 0x101
03:0018│     0x7fffffff7078 —▸ 0x5555555d40d0 ◂— 0x0
04:0020│     0x7fffffff7080 ◂— 0x2a /* '*' */
05:0028│     0x7fffffff7088 ◂— 0x8
06:0030│     0x7fffffff7090 —▸ 0x5555555dfcc0 —▸ 0x5555555dfd00 —▸ 0x5555555dfce0 ◂— 0x4183400000000000
07:0038│     0x7fffffff7098 —▸ 0x7ffff78c815b (gf_svg_delete_attribute_value+427) ◂— cmp    r14d, ebx
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
 ► f 0   0x7ffff78c8058 gf_svg_delete_attribute_value+168
   f 1   0x7ffff78c815b gf_svg_delete_attribute_value+427
   f 2   0x7ffff78e1b65 gf_node_delete_attributes+69
   f 3   0x7ffff78c7c2a gf_svg_node_del+282
   f 4   0x7ffff784a51d gf_node_unregister+349
   f 5   0x7ffff784a6f4 gf_node_unregister_children+36
   f 6   0x7ffff784a731 gf_sg_parent_reset+17
   f 7   0x7ffff78c7c32 gf_svg_node_del+290
──────────────────────────────────────────────────────────────────────────────────────────────────────
__GI___libc_free (mem=0x4183400000000000) at malloc.c:3087
3087    malloc.c: No such file or directory.
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
 RAX  0x7ffff78c8050 (gf_svg_delete_attribute_value+160) ◂— mov    rdi, qword ptr [rsi]
 RBX  0x1
 RCX  0x0
 RDX  0x7ffff7e0d800 ◂— 0xffaba7feffaba850
 RDI  0x4183400000000000
 RSI  0x5555555dfce0 ◂— 0x4183400000000000
 R8   0x7
 R9   0xfffffff6
 R10  0x7ffff775ba72 ◂— 'gf_node_unregister_children'
 R11  0x7ffff784a6d0 (gf_node_unregister_children) ◂— endbr64
 R12  0x5555555d40d0 ◂— 0x0
 R13  0x2a
 R14  0x8
 R15  0x5555555dfcc0 —▸ 0x5555555dfd00 —▸ 0x5555555dfce0 ◂— 0x4183400000000000
 RBP  0x5555555dfce0 ◂— 0x4183400000000000
 RSP  0x7fffffff7058 —▸ 0x7ffff78c805d (gf_svg_delete_attribute_value+173) ◂— jmp    0x7ffff78c7ffe
*RIP  0x7ffff75d9850 (free) ◂— endbr64
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
   0x7ffff77e2cb4 <gf_free@plt+4>    bnd jmp qword ptr [rip + 0x7bc045]   <gf_free>
    ↓
   0x7ffff77f9f30 <gf_free>          endbr64
   0x7ffff77f9f34 <gf_free+4>        jmp    free@plt                <free@plt>
    ↓
   0x7ffff77e2840 <free@plt>         endbr64
   0x7ffff77e2844 <free@plt+4>       bnd jmp qword ptr [rip + 0x7bc27d]   <free>
    ↓
 ► 0x7ffff75d9850 <free>             endbr64
   0x7ffff75d9854 <free+4>           sub    rsp, 0x18
   0x7ffff75d9858 <free+8>           mov    rax, qword ptr [rip + 0x14d699]
   0x7ffff75d985f <free+15>          mov    rax, qword ptr [rax]
   0x7ffff75d9862 <free+18>          test   rax, rax
   0x7ffff75d9865 <free+21>          jne    free+152                <free+152>
──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffff7058 —▸ 0x7ffff78c805d (gf_svg_delete_attribute_value+173) ◂— jmp    0x7ffff78c7ffe
01:0008│     0x7fffffff7060 ◂— 0x0
02:0010│     0x7fffffff7068 ◂— 0x1
03:0018│     0x7fffffff7070 —▸ 0x5555555dfca0 ◂— 0x101
04:0020│     0x7fffffff7078 —▸ 0x5555555d40d0 ◂— 0x0
05:0028│     0x7fffffff7080 ◂— 0x2a /* '*' */
06:0030│     0x7fffffff7088 ◂— 0x8
07:0038│     0x7fffffff7090 —▸ 0x5555555dfcc0 —▸ 0x5555555dfd00 —▸ 0x5555555dfce0 ◂— 0x4183400000000000
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
 ► f 0   0x7ffff75d9850 free
   f 1   0x7ffff78c805d gf_svg_delete_attribute_value+173
   f 2   0x7ffff78c815b gf_svg_delete_attribute_value+427
   f 3   0x7ffff78e1b65 gf_node_delete_attributes+69
   f 4   0x7ffff78c7c2a gf_svg_node_del+282
   f 5   0x7ffff784a51d gf_node_unregister+349
   f 6   0x7ffff784a6f4 gf_node_unregister_children+36
   f 7   0x7ffff784a731 gf_sg_parent_reset+17
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
__GI___libc_free (mem=0x4183400000000000) at malloc.c:3102
3102    in malloc.c
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
*RAX  0x0
 RBX  0x1
 RCX  0x0
 RDX  0x7ffff7e0d800 ◂— 0xffaba7feffaba850
 RDI  0x4183400000000000
 RSI  0x5555555dfce0 ◂— 0x4183400000000000
 R8   0x7
 R9   0xfffffff6
 R10  0x7ffff775ba72 ◂— 'gf_node_unregister_children'
 R11  0x7ffff784a6d0 (gf_node_unregister_children) ◂— endbr64
 R12  0x5555555d40d0 ◂— 0x0
 R13  0x2a
 R14  0x8
 R15  0x5555555dfcc0 —▸ 0x5555555dfd00 —▸ 0x5555555dfce0 ◂— 0x4183400000000000
 RBP  0x5555555dfce0 ◂— 0x4183400000000000
*RSP  0x7fffffff7040 ◂— 0x0
*RIP  0x7ffff75d9870 (free+32) ◂— mov    rax, qword ptr [rdi - 8]
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
 ► 0x7ffff75d9870 <free+32>         mov    rax, qword ptr [rdi - 8]
   0x7ffff75d9874 <free+36>         lea    rsi, [rdi - 0x10]
   0x7ffff75d9878 <free+40>         test   al, 2
   0x7ffff75d987a <free+42>         jne    free+96                <free+96>
    ↓
   0x7ffff75d98b0 <free+96>         mov    edx, dword ptr [rip + 0x14d9fe] <0x7ffff77272b4>
   0x7ffff75d98b6 <free+102>        test   edx, edx
   0x7ffff75d98b8 <free+104>        jne    free+123                <free+123>
    ↓
   0x7ffff75d98cb <free+123>        mov    rdi, rsi
   0x7ffff75d98ce <free+126>        add    rsp, 0x18
   0x7ffff75d98d2 <free+130>        jmp    munmap_chunk                <munmap_chunk>
    ↓
   0x7ffff75d4630 <munmap_chunk>    sub    rsp, 8
──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffff7040 ◂— 0x0
... ↓        2 skipped
03:0018│     0x7fffffff7058 —▸ 0x7ffff78c805d (gf_svg_delete_attribute_value+173) ◂— jmp    0x7ffff78c7ffe
04:0020│     0x7fffffff7060 ◂— 0x0
05:0028│     0x7fffffff7068 ◂— 0x1
06:0030│     0x7fffffff7070 —▸ 0x5555555dfca0 ◂— 0x101
07:0038│     0x7fffffff7078 —▸ 0x5555555d40d0 ◂— 0x0
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
 ► f 0   0x7ffff75d9870 free+32
   f 1   0x7ffff78c805d gf_svg_delete_attribute_value+173
   f 2   0x7ffff78c815b gf_svg_delete_attribute_value+427
   f 3   0x7ffff78e1b65 gf_node_delete_attributes+69
   f 4   0x7ffff78c7c2a gf_svg_node_del+282
   f 5   0x7ffff784a51d gf_node_unregister+349
   f 6   0x7ffff784a6f4 gf_node_unregister_children+36
   f 7   0x7ffff784a731 gf_sg_parent_reset+17
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg>