
CVE-2021-45266: Null Pointer Dereference in lsr_read_anim_values_ex() · Issue #1985 · gpac/gpac

A null pointer dereference vulnerability exists in gpac 1.1.0 via the lsr_read_anim_values_ex function, which causes a segmentation fault and application crash.


Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

  • I looked for a similar issue and couldn’t find any.
  • I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
  • I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line …). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

A null pointer dereference was discovered in lsr_read_anim_values_ex(). The vulnerability causes a segmentation fault and application crash.

Version:

MP4Box - GPAC version 1.1.0-DEV-rev1555-g339e7a736-master
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
        GPAC Filters: https://doi.org/10.1145/3339825.3394929
        GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --prefix=/root/fuck_bin/gpac/test
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D

System information
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

command:

lsr_read_anim_values_ex.part-lsr_read_animateTransform.zip

Result

lsr_read_anim_values_ex.part-lsr_read_animateTransform/id:000439,sig:11,src:004575+004803,op:splice,rep:2

 ../../test/lib/MP4Box -bt lsr_read_anim_values_ex.part-lsr_read_animateTransform/id:000439,sig:11,src:004575+004803,op:splice,rep:2
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type 80rak in parent moov
[iso file] Incomplete box mdat - start 11495 size 853091
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type 80rak in parent moov
[iso file] Incomplete box mdat - start 11495 size 853091
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 LASeR Scene Parsing
[LASeR] memory overread - corrupted decoding
[1]    1634950 segmentation fault  ../../test/lib/MP4Box -bt

gdb

lsr_read_anim_values_ex.part-lsr_read_animateTransform/id:000439,sig:11,src:004575+004803,op:splice,rep:2

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7b551a6 in lsr_read_anim_values_ex.part () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
 RAX  0x0
 RBX  0x5
 RCX  0x5555555c6010 ◂— 0x70006
 RDX  0x6
 RDI  0x5555556e4020 ◂— 0x0
 RSI  0x1
 R8   0x5555556e4000 ◂— 0x0
 R9   0x0
 R10  0x7ffff7759e4a ◂— 'gf_list_insert'
 R11  0x206
 R12  0x5555555e1020 ◂— 0x54 /* 'T' */
 R13  0x5555556e4000 ◂— 0x0
 R14  0x5555555e35c0 —▸ 0x5555555e3630 ◂— 0x0
 R15  0x5555556e4020 ◂— 0x0
 RBP  0x3
 RSP  0x7fffffff6c90 ◂— 0xf00000003
 RIP  0x7ffff7b551a6 (lsr_read_anim_values_ex.part+1078) ◂— movss  xmm0, dword ptr [rax]
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
 ► 0x7ffff7b551a6 <lsr_read_anim_values_ex.part+1078>    movss  xmm0, dword ptr [rax]
   0x7ffff7b551aa <lsr_read_anim_values_ex.part+1082>    movss  dword ptr [r13 + 8], xmm0
   0x7ffff7b551b0 <lsr_read_anim_values_ex.part+1088>    call   gf_list_get@plt                <gf_list_get@plt>

   0x7ffff7b551b5 <lsr_read_anim_values_ex.part+1093>    test   rax, rax
   0x7ffff7b551b8 <lsr_read_anim_values_ex.part+1096>    je     lsr_read_anim_values_ex.part+1108                <lsr_read_anim_values_ex.part+1108>

   0x7ffff7b551ba <lsr_read_anim_values_ex.part+1098>    movss  xmm0, dword ptr [rax]
   0x7ffff7b551be <lsr_read_anim_values_ex.part+1102>    movss  dword ptr [r13], xmm0
   0x7ffff7b551c4 <lsr_read_anim_values_ex.part+1108>    mov    esi, 2
   0x7ffff7b551c9 <lsr_read_anim_values_ex.part+1113>    mov    rdi, r15
   0x7ffff7b551cc <lsr_read_anim_values_ex.part+1116>    call   gf_list_get@plt                <gf_list_get@plt>

   0x7ffff7b551d1 <lsr_read_anim_values_ex.part+1121>    test   rax, rax
──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffff6c90 ◂— 0xf00000003
01:0008│     0x7fffffff6c98 ◂— 0x7fff00000008
02:0010│     0x7fffffff6ca0 ◂— 0x350000006e /* 'n' */
03:0018│     0x7fffffff6ca8 —▸ 0x5555555e1020 ◂— 0x54 /* 'T' */
04:0020│     0x7fffffff6cb0 ◂— 0x0
05:0028│     0x7fffffff6cb8 —▸ 0x5555555e0f00 —▸ 0x5555555e0f20 —▸ 0x5555555e0f60 —▸ 0x5555555e0f40 ◂— ...
06:0030│     0x7fffffff6cc0 ◂— 0x0
07:0038│     0x7fffffff6cc8 ◂— 0x2748627e3b91600
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
 ► f 0   0x7ffff7b551a6 lsr_read_anim_values_ex.part+1078
   f 1   0x7ffff7b5d9e8 lsr_read_animateTransform+424
   f 2   0x7ffff7b5beeb lsr_read_scene_content_model+1547
   f 3   0x7ffff7b5c89c lsr_read_group_content.part+316
   f 4   0x7ffff7b60a76 lsr_read_svg+838
   f 5   0x7ffff7b58817 lsr_read_command_list+759
   f 6   0x7ffff7b5ab74 lsr_decode_laser_unit+708
   f 7   0x7ffff7b6239d gf_laser_decode_command_list+333
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0  0x00007ffff7b551a6 in lsr_read_anim_values_ex.part () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
#1  0x00007ffff7b5d9e8 in lsr_read_animateTransform () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
#2  0x00007ffff7b5beeb in lsr_read_scene_content_model () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
#3  0x00007ffff7b5c89c in lsr_read_group_content.part () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
#4  0x00007ffff7b60a76 in lsr_read_svg () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
#5  0x00007ffff7b58817 in lsr_read_command_list () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
#6  0x00007ffff7b5ab74 in lsr_decode_laser_unit () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
#7  0x00007ffff7b6239d in gf_laser_decode_command_list () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
#8  0x00007ffff7aa3061 in gf_sm_load_run_isom () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
#9  0x00005555555844a8 in dump_isom_scene ()
#10 0x000055555557b42c in mp4boxMain ()
#11 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe1c8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe1b8) at ../csu/libc-start.c:308
#12 0x000055555556c45e in _start ()
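The register dump and disassembly above show the faulting instruction at lsr_read_anim_values_ex.part+1078 loading through RAX while RAX is 0, whereas the two gf_list_get calls that follow it (at +1088 and +1116) are each followed by a `test rax, rax` before their result is used; the lookup that produced the NULL in RAX is not in the captured window. The C below is an added illustration of that bug class and of the defensive form, not GPAC's code: FloatList, list_get, AnimValue and both reader functions are hypothetical stand-ins, and the inputs are constructed for the demo.

```c
/* Added illustration of a NULL list-lookup result dereferenced without a test.
 * Not GPAC code: every type and function here is a hypothetical stand-in. */
#include <stddef.h>
#include <stdio.h>

/* Hypothetical list. Like a bounds-checked list accessor, lookup returns NULL
 * for an index past the end instead of aborting, so callers must check it. */
typedef struct {
    float *items;   /* backing storage */
    size_t count;   /* number of items actually present */
} FloatList;

static float *list_get(const FloatList *l, size_t idx) {
    if (l == NULL || idx >= l->count) return NULL;
    return &l->items[idx];
}

/* Three components of an animation value, as a crafted file would declare. */
typedef struct { float a, b, c; } AnimValue;

/* Vulnerable form: the lookup result is loaded straight away, like the
 * movss xmm0, [rax] at +1078 with RAX == 0. A list shorter than three
 * entries makes list_get() return NULL and the dereference segfaults. */
static void read_anim_value_unchecked(const FloatList *l, AnimValue *out) {
    out->a = *list_get(l, 0);
    out->b = *list_get(l, 1);
    out->c = *list_get(l, 2);
}

/* Hardened form: every lookup is treated as fallible, the way the lookups
 * at +1088 and +1116 already are. Returns 0 on success, -1 on a short list,
 * and leaves *out untouched on failure so callers never consume partial data. */
static int read_anim_value_checked(const FloatList *l, AnimValue *out) {
    const float *pa = list_get(l, 0);
    const float *pb = list_get(l, 1);
    const float *pc = list_get(l, 2);
    if (pa == NULL || pb == NULL || pc == NULL) return -1;
    out->a = *pa;
    out->b = *pb;
    out->c = *pc;
    return 0;
}

/* Drives both readers over constructed inputs: a well-formed list of three
 * values and a truncated list holding only one. Returns the checked reader's
 * result on the truncated input so a caller can verify the rejection. */
static int demo(void) {
    float full_vals[3] = {1.0f, 2.0f, 3.0f};   /* constructed sample input */
    float short_vals[1] = {9.0f};               /* constructed truncated input */
    FloatList full = { full_vals, 3 };
    FloatList truncated = { short_vals, 1 };
    AnimValue v = {0, 0, 0};
    int rc;

    read_anim_value_unchecked(&full, &v);       /* fine: all three present */
    printf("unchecked on full list: %g %g %g\n", v.a, v.b, v.c);

    rc = read_anim_value_checked(&truncated, &v);
    printf("checked on truncated list: rc=%d (values unchanged: %g %g %g)\n",
           rc, v.a, v.b, v.c);
    /* read_anim_value_unchecked(&truncated, &v) would dereference NULL here. */
    return rc;
}

int main(void) { return demo() == -1 ? 0 : 1; }
```

The point for a reviewer of a parser like this one is that a declared count in the input is not evidence that the backing list has that many entries; the accessor already signals the shortfall with NULL, and the fix is simply to honour that signal on every call rather than on most of them.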
