CVE-2021-46042: Untrusted pointer dereference in __fseeko() · Issue #2002 · gpac/gpac
A Pointer Dereference Vulnerability exists in GPAC 1.0.1 via the _fseeko function, which causes a Denial of Service.
Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!
- [Yes] I looked for a similar issue and couldn't find any.
- [Yes] I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
- [Yes] I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line …). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95
Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/
Version:
./MP4Box -version
MP4Box - GPAC version 1.1.0-DEV-rev1574-g8b22f0912-master
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration:
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB
Command:
./bin/gcc/MP4Box -hint POC4
POC4.zip
Result:
bt
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7544911 in __fseeko (fp=0x5555555e1510, offset=2560, whence=0) at fseeko.c:39
39 fseeko.c: No such file or directory.
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
[ REGISTERS ]
RAX 0x0
RBX 0x5555555e1510 ◂— 0x8013fbad2494
RCX 0x0
RDX 0x0
RDI 0x5569555e1604
RSI 0xa00
R8 0x5555555e0f70 ◂— 0x1400000014
R9 0x7fffffff7f00 —▸ 0x7ffff76a15c0 (_IO_2_1_stderr_) ◂— 0xfbad2887
R10 0x7ffff76d927a ◂— 'gf_isom_box_size'
R11 0x7ffff78fa0d0 (gf_isom_box_size) ◂— endbr64
R12 0x0
R13 0x7ffff697e740 ◂— 0x7ffff697e740
R14 0x7fffffff84e0 ◂— 0x0
R15 0x7fffffff8040 ◂— 0x15f
RBP 0xa00
RSP 0x7fffffff7fd0 ◂— 0x0
RIP 0x7ffff7544911 (fseeko64+49) ◂— cmp qword ptr [rdi + 8], r13
[ DISASM ]
► 0x7ffff7544911 <fseeko64+49> cmp qword ptr [rdi + 8], r13
0x7ffff7544915 <fseeko64+53> je fseeko64+86 <fseeko64+86>
↓
0x7ffff7544936 <fseeko64+86> add dword ptr [rdi + 4], 1
0x7ffff754493a <fseeko64+90> mov ecx, 3
0x7ffff754493f <fseeko64+95> mov edx, r12d
0x7ffff7544942 <fseeko64+98> mov rsi, rbp
0x7ffff7544945 <fseeko64+101> mov rdi, rbx
0x7ffff7544948 <fseeko64+104> call _IO_seekoff_unlocked <_IO_seekoff_unlocked>
0x7ffff754494d <fseeko64+109> xor r8d, r8d
0x7ffff7544950 <fseeko64+112> cmp rax, -1
0x7ffff7544954 <fseeko64+116> sete r8b
[ STACK ]
00:0000│ rsp 0x7fffffff7fd0 ◂— 0x0
01:0008│ 0x7fffffff7fd8 —▸ 0x5555555df7a0 —▸ 0x5555555e1510 ◂— 0x8013fbad2494
02:0010│ 0x7fffffff7fe0 ◂— 0xa00
03:0018│ 0x7fffffff7fe8 ◂— 0x0
04:0020│ 0x7fffffff7ff0 —▸ 0x7fffffff84d8 ◂— 0x14
05:0028│ 0x7fffffff7ff8 —▸ 0x7ffff77767f4 (gf_bs_seek+452) ◂— mov qword ptr [rbx + 0x18], rbp
06:0030│ 0x7fffffff8000 —▸ 0x5555555da950 ◂— 0x0
07:0038│ 0x7fffffff8008 —▸ 0x5555555df7a0 —▸ 0x5555555e1510 ◂— 0x8013fbad2494
[ BACKTRACE ]
► f 0 0x7ffff7544911 fseeko64+49
f 1 0x7ffff77767f4 gf_bs_seek+452
f 2 0x7ffff7910c98 inplace_shift_mdat+312
f 3 0x7ffff7915009 WriteToFile+2713
f 4 0x7ffff7906432 gf_isom_write+370
f 5 0x7ffff79064b8 gf_isom_close+24
f 6 0x55555557bd12 mp4boxMain+7410
f 7 0x7ffff74dc0b3 __libc_start_main+243