CVE-2021-46043: Untrusted Pointer Dereference in gf_list_count () · Issue #2001 · gpac/gpac
A Pointer Dereference Vulnerability exists in GPAC 1.0.1 in the gf_list_count function, which causes a Denial of Service.
Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!
- [x] I looked for a similar issue and couldn't find any.
- [x] I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
- [x] I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line …). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95
Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/
Version:
command:
./bin/gcc/MP4Box -hint POC3
POC3.zip
Result
```
bt
0x00007ffff7773949 in gf_list_count () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────────────────────────────────────────────[ REGISTERS ]────────────────────────────────────────────────────────────────────────
RAX 0x5555555e0010 ◂— 0x7374626c /* 'lbts' */
RBX 0x15
RCX 0x5555555e8230 ◂— 0x33483
RDX 0x2315
RDI 0x5569555e0124
RSI 0x15
R8 0x5555555e8230 ◂— 0x33483
R9 0x7fffffff7f00 ◂— 0x158
R10 0x7ffff76d927a ◂— 'gf_isom_box_size'
R11 0x7ffff76a0be0 (main_arena+96) —▸ 0x5555555e8380 ◂— 0x14
R12 0x5555555e29d0 ◂— 0x1473747378
R13 0x5555555e0530 ◂— 0x73747363 /* 'csts' */
R14 0x5555555e81f0 ◂— 0x636f3634 /* '46oc' */
R15 0x1
RBP 0x5555555dfc30 ◂— 0x6d646961 /* 'aidm' */
RSP 0x7fffffff7f28 —▸ 0x7ffff79286ed (Media_IsSelfContained+61) ◂— cmp ebx, eax
RIP 0x7ffff7773949 (gf_list_count+9) ◂— mov eax, dword ptr [rdi + 8]
─[ DISASM ]─
► 0x7ffff7773949 <gf_list_count+9> mov eax, dword ptr [rdi + 8]
0x7ffff777394c <gf_list_count+12> ret
0x7ffff777394d <gf_list_count+13> nop dword ptr [rax]
0x7ffff7773950 <gf_list_count+16> xor eax, eax
0x7ffff7773952 <gf_list_count+18> ret
0x7ffff7773953 nop word ptr cs:[rax + rax]
0x7ffff777395e nop
0x7ffff7773960 <gf_list_get> endbr64
0x7ffff7773964 <gf_list_get+4> test rdi, rdi
0x7ffff7773967 <gf_list_get+7> je gf_list_get+32 <gf_list_get+32>
↓
0x7ffff7773980 <gf_list_get+32> xor eax, eax
[ STACK ]
00:0000│ rsp 0x7fffffff7f28 —▸ 0x7ffff79286ed (Media_IsSelfContained+61) ◂— cmp ebx, eax
01:0008│ 0x7fffffff7f30 —▸ 0x5555555e2974 ◂— 0x140000232b /* '+#' */
02:0010│ 0x7fffffff7f38 —▸ 0x5555555e81f0 ◂— 0x636f3634 /* '46oc' */
03:0018│ 0x7fffffff7f40 ◂— 0x14
04:0020│ 0x7fffffff7f48 —▸ 0x7ffff790ffcb (shift_chunk_offsets.part+75) ◂— test eax, eax
05:0028│ 0x7fffffff7f50 —▸ 0x5555555dfc30 ◂— 0x6d646961 /* 'aidm' */
06:0030│ 0x7fffffff7f58 —▸ 0x5555555e0530 ◂— 0x73747363 /* 'csts' */
07:0038│ 0x7fffffff7f60 ◂— 0x0
──────[ BACKTRACE ]────
► f 0 0x7ffff7773949 gf_list_count+9
f 1 0x7ffff79286ed Media_IsSelfContained+61
f 2 0x7ffff790ffcb shift_chunk_offsets.part+75
f 3 0x7ffff79103a7 inplace_shift_moov_meta_offsets+231
f 4 0x7ffff7910e3c inplace_shift_mdat+732
f 5 0x7ffff7915009 WriteToFile+2713
f 6 0x7ffff7906432 gf_isom_write+370
f 7 0x7ffff79064b8 gf_isom_close+24
```