CVE-2021-45267: Invalid memory address dereference in svg_node_start() · Issue #1965 · gpac/gpac
An invalid memory address dereference vulnerability exists in gpac 1.1.0 via the svg_node_start function, which causes a segmentation fault and application crash.
Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!
- I looked for a similar issue and couldn’t find any.
- I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
- I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line …). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95
Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/
An invalid memory address dereference was discovered in svg_node_start(). The vulnerability causes a segmentation fault and application crash.
Version:
MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration:
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB GPAC_DISABLE_3D
System information
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz
command:
poc_2.zip
Result
[Parser] LASeR Scene Parsing: ./poc/poc_2.xsr
[1] 75845 segmentation fault ./MP4Box -lsr ./poc/poc_2.xsr
gdb
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7aa5f97 in svg_node_start () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
RAX 0x0
RBX 0x5555555c7750 ◂— 0x0
RCX 0x0
RDX 0x5555555ce2b0 —▸ 0x5555555ce0e3 ◂— 0x7572742200706172 /* 'rap' */
RDI 0x7ffff7e447c9 ◂— 'Unable to parse chunk: %s'
RSI 0x5555555ce0e3 ◂— 0x7572742200706172 /* 'rap' */
R8 0x7fffffff5c3c ◂— 0x0
R9 0x5555555ce0e3 ◂— 0x7572742200706172 /* 'rap' */
R10 0x0
R11 0x0
R12 0x5555555ce2b0 —▸ 0x5555555ce0e3 ◂— 0x7572742200706172 /* 'rap' */
R13 0x5555555ce0d5 ◂— 0x6e65637300666173 /* 'saf' */
R14 0x1
R15 0x0
RBP 0x5555555cf390 —▸ 0x7fffffff7310 ◂— 0x7
RSP 0x7fffffff5bb0 ◂— 0x0
RIP 0x7ffff7aa5f97 (svg_node_start+3095) ◂— mov rdi, qword ptr [rax + 0x20]
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
► 0x7ffff7aa5f97 <svg_node_start+3095> mov rdi, qword ptr [rax + 0x20]
0x7ffff7aa5f9b <svg_node_start+3099> call gf_list_count@plt <gf_list_count@plt>
0x7ffff7aa5fa0 <svg_node_start+3104> test eax, eax
0x7ffff7aa5fa2 <svg_node_start+3106> sete r15b
0x7ffff7aa5fa6 <svg_node_start+3110> test r14d, r14d
0x7ffff7aa5fa9 <svg_node_start+3113> jne svg_node_start+6240 <svg_node_start+6240>
0x7ffff7aa5faf <svg_node_start+3119> xor esi, esi
0x7ffff7aa5fb1 <svg_node_start+3121> nop dword ptr [rax]
0x7ffff7aa5fb8 <svg_node_start+3128> mov rdi, qword ptr [rbp + 0x50]
0x7ffff7aa5fbc <svg_node_start+3132> mov edx, r15d
0x7ffff7aa5fbf <svg_node_start+3135> pxor xmm0, xmm0
──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffff5bb0 ◂— 0x0
01:0008│ 0x7fffffff5bb8 —▸ 0x5555555ce0d9 ◂— 'sceneUnit'
02:0010│ 0x7fffffff5bc0 ◂— 0x0
03:0018│ 0x7fffffff5bc8 ◂— 0x0
04:0020│ 0x7fffffff5bd0 —▸ 0x5555555ce0d5 ◂— 0x6e65637300666173 /* 'saf' */
05:0028│ 0x7fffffff5bd8 ◂— 0x0
06:0030│ 0x7fffffff5be0 ◂— 0x0
07:0038│ 0x7fffffff5be8 ◂— 0x3000000020 /* ' ' */
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
► f 0 0x7ffff7aa5f97 svg_node_start+3095
f 1 0x7ffff781fbc5 xml_sax_node_start+453
f 2 0x7ffff7820e6c xml_sax_parse+3596
f 3 0x7ffff78213d6 gf_xml_sax_parse_intern+950
f 4 0x7ffff7821595 gf_xml_sax_parse+165
f 5 0x7ffff7821633 xml_sax_read_file.part+115
f 6 0x7ffff7821927 gf_xml_sax_parse_file+295
f 7 0x7ffff7aa42da load_svg_run+58
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0 0x00007ffff7aa5f97 in svg_node_start () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#1 0x00007ffff781fbc5 in xml_sax_node_start () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#2 0x00007ffff7820e6c in xml_sax_parse () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#3 0x00007ffff78213d6 in gf_xml_sax_parse_intern () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#4 0x00007ffff7821595 in gf_xml_sax_parse () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#5 0x00007ffff7821633 in xml_sax_read_file.part () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#6 0x00007ffff7821927 in gf_xml_sax_parse_file () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#7 0x00007ffff7aa42da in load_svg_run () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
#8 0x00005555555844a8 in dump_isom_scene ()
#9 0x000055555557b42c in mp4boxMain ()
#10 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe188, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe178) at ../csu/libc-start.c:308
#11 0x000055555556c45e in _start ()
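The register dump above shows RAX = 0x0 at the faulting instruction `mov rdi, qword ptr [rax + 0x20]`, i.e. a read through a NULL pointer plus a 0x20 field offset, immediately before `gf_list_count` is called. Below is an added crash-triage helper; it is not part of this report or of GPAC. It parses pwndbg register and disassembly lines, evaluates the faulting memory operand against the register values and classifies the access (NULL-page dereference versus a non-null address that needs a memory-map check). The sample dump is abridged from the report; the 0x1000 NULL-page threshold and the second, contrasting dump in the usage are assumptions/constructed input.

```python
import re

# Register and faulting-instruction lines abridged from the pwndbg output in
# the report above (R8-R13 omitted for brevity; they are not needed here).
SAMPLE_DUMP = """\
RAX 0x0
RBX 0x5555555c7750 ◂— 0x0
RCX 0x0
RDX 0x5555555ce2b0 —▸ 0x5555555ce0e3 ◂— 0x7572742200706172 /* 'rap' */
RDI 0x7ffff7e447c9 ◂— 'Unable to parse chunk: %s'
RSI 0x5555555ce0e3 ◂— 0x7572742200706172 /* 'rap' */
R14 0x1
R15 0x0
RBP 0x5555555cf390 —▸ 0x7fffffff7310 ◂— 0x7
RSP 0x7fffffff5bb0 ◂— 0x0
RIP 0x7ffff7aa5f97 (svg_node_start+3095) ◂— mov rdi, qword ptr [rax + 0x20]
► 0x7ffff7aa5f97 <svg_node_start+3095> mov rdi, qword ptr [rax + 0x20]
"""

# Assumption: the first page of the address space is never mapped (Linux with
# the default mmap_min_addr), so an effective address below it means a NULL
# pointer plus a small field offset rather than a wild pointer.
PAGE_SIZE = 0x1000

_REG_LINE = re.compile(r'^\s*(R[A-Z0-9]+)\s+(0x[0-9a-fA-F]+)')
_FAULT_LINE = re.compile(r'^\s*►\s*0x[0-9a-fA-F]+\s+<([^>]+)>\s+(.+)$')
_MEM_OPERAND = re.compile(r'\[([^\]]+)\]')


def _effective_address(mem, regs):
    """Evaluate an Intel-syntax memory expression such as 'rax + rcx*8 + 0x20'
    against the register values; returns (base register, displacement, address)."""
    base, disp, addr = None, 0, 0
    for sign, term in re.findall(r'([+-]?)\s*([^+\-\s]+)', mem):
        mult = -1 if sign == '-' else 1
        if re.fullmatch(r'0x[0-9a-fA-F]+|\d+', term):   # immediate displacement
            disp += mult * int(term, 0)
        elif '*' in term:                                # scaled index register
            reg, scale = term.split('*')
            addr += mult * regs[reg.lower()] * int(scale, 0)
        else:                                            # plain base register
            if base is None:
                base = term.lower()
            addr += mult * regs[term.lower()]
    return base, disp, addr + disp


def _access_kind(mnemonic, operands):
    """Intel syntax puts the destination first: a memory operand before the comma
    is written, cmp/test only read. Single-operand forms are treated as reads
    (an approximation for read-modify-write instructions such as inc)."""
    if mnemonic in ('cmp', 'test'):
        return 'read'
    comma, bracket = operands.find(','), operands.find('[')
    if comma == -1:
        return 'read'
    return 'write' if bracket < comma else 'read'


def triage(dump, page_size=PAGE_SIZE):
    """Parse a pwndbg register/disassembly dump and classify the faulting access."""
    regs, fault = {}, None
    for line in dump.splitlines():
        m = _REG_LINE.match(line)
        if m:
            regs[m.group(1).lower()] = int(m.group(2), 16)
        m = _FAULT_LINE.match(line)
        if m:
            fault = (m.group(1), m.group(2).strip())
    if fault is None:
        raise ValueError('no faulting instruction (line marked with ►) found')
    symbol, insn = fault
    func, _, off = symbol.partition('+')
    mnemonic, _, operands = insn.partition(' ')
    result = {'function': func, 'offset': int(off, 0) if off else 0,
              'mnemonic': mnemonic, 'instruction': insn}
    mem = _MEM_OPERAND.search(operands)
    if mem is None:                       # e.g. a fault on an indirect jump target
        result['kind'] = 'no-memory-operand'
        return result
    base, disp, ea = _effective_address(mem.group(1), regs)
    result.update(access=_access_kind(mnemonic, operands), base=base,
                  base_value=regs.get(base), displacement=disp,
                  effective_address=ea,
                  kind='null-deref' if ea < page_size else 'non-null')
    return result


def summarize(r):
    """One-line verdict suitable for a bug-tracker comment."""
    where = f"{r['function']}+{r['offset']}"
    if r['kind'] == 'no-memory-operand':
        return f"{where}: fault without memory operand ({r['instruction']})"
    if r['kind'] == 'null-deref':
        return (f"{where}: NULL pointer {r['access']} via {r['base']}=0x{r['base_value']:x}"
                f" + 0x{r['displacement']:x} (effective address 0x{r['effective_address']:x})")
    return (f"{where}: {r['access']} of 0x{r['effective_address']:x}; "
            "compare against the process memory map before classifying")


if __name__ == '__main__':
    print(summarize(triage(SAMPLE_DUMP)))
```

Run on the report's dump this yields a NULL-pointer read in `svg_node_start+3095` through `rax` with displacement 0x20, which is the information a maintainer needs to locate the unchecked pointer; for a non-null effective address the helper deliberately stops short and asks for the memory map, since register values alone cannot distinguish a use-after-free from an out-of-bounds read.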