CVE-2021-45266: Null Pointer Dereference in lsr_read_anim_values_ex() · Issue #1985 · gpac/gpac
A null pointer dereference vulnerability exists in gpac 1.1.0 via the lsr_read_anim_values_ex function, which causes a segmentation fault and application crash.
Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!
- I looked for a similar issue and couldn’t find any.
- I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
- I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line …). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95
Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/
A null pointer dereference was discovered in lsr_read_anim_values_ex(). The vulnerability causes a segmentation fault and application crash.
Version:
MP4Box - GPAC version 1.1.0-DEV-rev1555-g339e7a736-master
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration: --prefix=/root/fuck_bin/gpac/test
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB GPAC_DISABLE_3D
System information
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz
command:
lsr_read_anim_values_ex.part-lsr_read_animateTransform.zip
Result
lsr_read_anim_values_ex.part-lsr_read_animateTransform/id:000439,sig:11,src:004575+004803,op:splice,rep:2
../../test/lib/MP4Box -bt lsr_read_anim_values_ex.part-lsr_read_animateTransform/id:000439,sig:11,src:004575+004803,op:splice,rep:2
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type 80rak in parent moov
[iso file] Incomplete box mdat - start 11495 size 853091
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type 80rak in parent moov
[iso file] Incomplete box mdat - start 11495 size 853091
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 LASeR Scene Parsing
[LASeR] memory overread - corrupted decoding
[1] 1634950 segmentation fault ../../test/lib/MP4Box -bt
gdb
lsr_read_anim_values_ex.part-lsr_read_animateTransform/id:000439,sig:11,src:004575+004803,op:splice,rep:2
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7b551a6 in lsr_read_anim_values_ex.part () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
RAX 0x0
RBX 0x5
RCX 0x5555555c6010 ◂— 0x70006
RDX 0x6
RDI 0x5555556e4020 ◂— 0x0
RSI 0x1
R8 0x5555556e4000 ◂— 0x0
R9 0x0
R10 0x7ffff7759e4a ◂— 'gf_list_insert'
R11 0x206
R12 0x5555555e1020 ◂— 0x54 /* 'T' */
R13 0x5555556e4000 ◂— 0x0
R14 0x5555555e35c0 —▸ 0x5555555e3630 ◂— 0x0
R15 0x5555556e4020 ◂— 0x0
RBP 0x3
RSP 0x7fffffff6c90 ◂— 0xf00000003
RIP 0x7ffff7b551a6 (lsr_read_anim_values_ex.part+1078) ◂— movss xmm0, dword ptr [rax]
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
► 0x7ffff7b551a6 <lsr_read_anim_values_ex.part+1078> movss xmm0, dword ptr [rax]
0x7ffff7b551aa <lsr_read_anim_values_ex.part+1082> movss dword ptr [r13 + 8], xmm0
0x7ffff7b551b0 <lsr_read_anim_values_ex.part+1088> call gf_list_get@plt <gf_list_get@plt>
0x7ffff7b551b5 <lsr_read_anim_values_ex.part+1093> test rax, rax
0x7ffff7b551b8 <lsr_read_anim_values_ex.part+1096> je lsr_read_anim_values_ex.part+1108 <lsr_read_anim_values_ex.part+1108>
0x7ffff7b551ba <lsr_read_anim_values_ex.part+1098> movss xmm0, dword ptr [rax]
0x7ffff7b551be <lsr_read_anim_values_ex.part+1102> movss dword ptr [r13], xmm0
0x7ffff7b551c4 <lsr_read_anim_values_ex.part+1108> mov esi, 2
0x7ffff7b551c9 <lsr_read_anim_values_ex.part+1113> mov rdi, r15
0x7ffff7b551cc <lsr_read_anim_values_ex.part+1116> call gf_list_get@plt <gf_list_get@plt>
0x7ffff7b551d1 <lsr_read_anim_values_ex.part+1121> test rax, rax
──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffff6c90 ◂— 0xf00000003
01:0008│ 0x7fffffff6c98 ◂— 0x7fff00000008
02:0010│ 0x7fffffff6ca0 ◂— 0x350000006e /* 'n' */
03:0018│ 0x7fffffff6ca8 —▸ 0x5555555e1020 ◂— 0x54 /* 'T' */
04:0020│ 0x7fffffff6cb0 ◂— 0x0
05:0028│ 0x7fffffff6cb8 —▸ 0x5555555e0f00 —▸ 0x5555555e0f20 —▸ 0x5555555e0f60 —▸ 0x5555555e0f40 ◂— ...
06:0030│ 0x7fffffff6cc0 ◂— 0x0
07:0038│ 0x7fffffff6cc8 ◂— 0x2748627e3b91600
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
► f 0 0x7ffff7b551a6 lsr_read_anim_values_ex.part+1078
f 1 0x7ffff7b5d9e8 lsr_read_animateTransform+424
f 2 0x7ffff7b5beeb lsr_read_scene_content_model+1547
f 3 0x7ffff7b5c89c lsr_read_group_content.part+316
f 4 0x7ffff7b60a76 lsr_read_svg+838
f 5 0x7ffff7b58817 lsr_read_command_list+759
f 6 0x7ffff7b5ab74 lsr_decode_laser_unit+708
f 7 0x7ffff7b6239d gf_laser_decode_command_list+333
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0 0x00007ffff7b551a6 in lsr_read_anim_values_ex.part () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
#1 0x00007ffff7b5d9e8 in lsr_read_animateTransform () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
#2 0x00007ffff7b5beeb in lsr_read_scene_content_model () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
#3 0x00007ffff7b5c89c in lsr_read_group_content.part () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
#4 0x00007ffff7b60a76 in lsr_read_svg () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
#5 0x00007ffff7b58817 in lsr_read_command_list () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
#6 0x00007ffff7b5ab74 in lsr_decode_laser_unit () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
#7 0x00007ffff7b6239d in gf_laser_decode_command_list () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
#8 0x00007ffff7aa3061 in gf_sm_load_run_isom () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
#9 0x00005555555844a8 in dump_isom_scene ()
#10 0x000055555557b42c in mp4boxMain ()
#11 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe1c8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe1b8) at ../csu/libc-start.c:308
#12 0x000055555556c45e in _start ()
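The crash context above is the classic unchecked-element pattern: the faulting instruction `movss xmm0, dword ptr [rax]` reads through RAX = 0, while the two `gf_list_get@plt` calls that immediately follow it are each guarded by `test rax, rax` / `je`. A decoder that trusts an element count from the bitstream and dereferences the first list slot without the same check will crash on a truncated or spliced input, which is exactly what the `[LASeR] memory overread - corrupted decoding` message precedes. The C program below is an added example, not code from this report or from GPAC: it models a GF_List-like container under the hypothetical name `list_get` (assuming, as GPAC's `gf_list_get` does, that an out-of-range index yields NULL), a constructed toy value encoding (a count byte followed by little-endian floats, not the LASeR format), and a three-value reader in both the unchecked shape seen in the disassembly and a hardened shape that validates the count and every element before dereferencing.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Growable array of void*. list_get() returns NULL for an out-of-range
 * index; this mirrors the behaviour assumed for GPAC's gf_list_get() but
 * is a stand-in written for this example, not GPAC code. */
typedef struct { void **items; unsigned count, cap; } List;

static List *list_new(void) { return (List *)calloc(1, sizeof(List)); }

static void list_add(List *l, void *item) {
    if (l->count == l->cap) {
        l->cap = l->cap ? l->cap * 2 : 4;
        l->items = (void **)realloc(l->items, l->cap * sizeof(void *));
        if (!l->items) { perror("realloc"); exit(1); }
    }
    l->items[l->count++] = item;
}

static void *list_get(const List *l, unsigned idx) {
    return (l && idx < l->count) ? l->items[idx] : NULL;
}

static void list_free(List *l) {
    if (!l) return;
    for (unsigned i = 0; i < l->count; i++) free(l->items[i]);
    free(l->items);
    free(l);
}

/* Constructed toy encoding (not LASeR): one count byte, then `count`
 * little-endian IEEE-754 floats. A spliced fuzz case can carry a count the
 * remaining bytes do not back, so decoding stops early and the caller gets
 * fewer values than the header promised. */
static List *decode_values(const unsigned char *buf, size_t len) {
    List *vals = list_new();
    if (len < 1) return vals;
    unsigned count = buf[0];
    size_t pos = 1;
    for (unsigned i = 0; i < count && pos + 4 <= len; i++, pos += 4) {
        float *f = (float *)malloc(sizeof(float));
        if (!f) { perror("malloc"); exit(1); }
        memcpy(f, buf + pos, 4);  /* little-endian host assumed */
        list_add(vals, f);
    }
    return vals;
}

typedef struct { float x, y, z; } Triple;

/* Vulnerable shape: the first slot is dereferenced with no NULL check while
 * the later ones are guarded, matching the disassembly (no test rax,rax
 * before the faulting movss, one after each of the next gf_list_get calls). */
static void read_triple_unchecked(const List *vals, Triple *out) {
    float *p;
    out->x = *(float *)list_get(vals, 0);   /* SIGSEGV when vals is empty */
    if ((p = (float *)list_get(vals, 1)) != NULL) out->y = *p;
    if ((p = (float *)list_get(vals, 2)) != NULL) out->z = *p;
}

/* Hardened shape: reject a short list up front, then check every element
 * and return a decode error instead of crashing. */
static int read_triple_checked(const List *vals, Triple *out) {
    if (!vals || vals->count < 3) return -1;
    float *p0 = (float *)list_get(vals, 0);
    float *p1 = (float *)list_get(vals, 1);
    float *p2 = (float *)list_get(vals, 2);
    if (!p0 || !p1 || !p2) return -1;
    out->x = *p0; out->y = *p1; out->z = *p2;
    return 0;
}

/* Decode a buffer and read it with the hardened reader; 0 on success. */
static int decode_triple(const unsigned char *buf, size_t len, Triple *out) {
    List *vals = decode_values(buf, len);
    int rc = read_triple_checked(vals, out);
    list_free(vals);
    return rc;
}

int main(void) {
    /* Well-formed sample: count 3, then 1.0f, 2.0f, 3.0f (constructed). */
    const unsigned char good[] = {3, 0,0,0x80,0x3f, 0,0,0,0x40, 0,0,0x40,0x40};
    /* Truncated sample: claims 3 values, carries none (constructed). */
    const unsigned char bad[] = {3};
    Triple t = {0, 0, 0};
    printf("good: rc=%d x=%g y=%g z=%g\n", decode_triple(good, sizeof good, &t), t.x, t.y, t.z);
    printf("bad:  rc=%d\n", decode_triple(bad, sizeof bad, &t));
    /* read_triple_unchecked(decode_values(bad, sizeof bad), &t) would fault
     * here the same way the report's movss does, so it is not executed. */
    (void)read_triple_unchecked;
    return 0;
}
```

Run the hardened reader over the truncated buffer and it returns -1 where the unchecked one would fault; when triaging the real crash, the same question (which `gf_list_get` result reaches a load without a `test rax, rax`) is what to look for in the source of `lsr_read_anim_values_ex`.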