Headline
CVE-2021-44927: Null Pointer Dereference in gf_sg_vrml_mf_append() · Issue #1960 · gpac/gpac
A null pointer dereference vulnerability exists in gpac 1.1.0 in the gf_sg_vrml_mf_append function, which causes a segmentation fault and application crash.
Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!
- I looked for a similar issue and couldn’t find any.
- I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
- I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line …). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95
Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/
A null pointer dereference was discovered in gf_sg_vrml_mf_append().
Version:
MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration:
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB GPAC_DISABLE_3D
System information
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz
command:
poc2.zip
Result
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type e`ds in parent mp4s
[iso file] Incomplete box mdat - start 11495 size 861283
[iso file] Incomplete file while reading for dump - aborting parsing
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[iso file] Unknown box type e`ds in parent mp4s
[iso file] Incomplete box mdat - start 11495 size 861283
[iso file] Incomplete file while reading for dump - aborting parsing
MPEG-4 BIFS Scene Parsing
[1] 2696339 segmentation fault ./MP4Box -bt ./submit/poc2
gdb
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff78a1074 in gf_sg_vrml_mf_append () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
RAX 0x0
RBX 0x7fffffff6c10 ◂— 0x3800000000
RCX 0x7fffffff6ce0 ◂— 0x2c00000000
RDX 0x7fffffff6c18 ◂— 0x0
RDI 0x0
RSI 0x2c
R8 0x5555555df8d0 —▸ 0x5555555df840 ◂— 0x2c00
R9 0x7
R10 0x7ffff775be46 ◂— 'gf_sg_vrml_mf_append'
R11 0x7ffff78a1070 (gf_sg_vrml_mf_append) ◂— endbr64
R12 0x7fffffff6ce0 ◂— 0x2c00000000
R13 0x5555555d5f80 ◂— 0x0
R14 0x0
R15 0x0
RBP 0x5555555ded90 ◂— 0x0
RSP 0x7fffffff6bc8 —▸ 0x7ffff790efa4 (BD_DecMFFieldList+212) ◂— test eax, eax
RIP 0x7ffff78a1074 (gf_sg_vrml_mf_append+4) ◂— mov eax, dword ptr [rdi]
──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
0x7ffff78a1070 <gf_sg_vrml_mf_append> endbr64
► 0x7ffff78a1074 <gf_sg_vrml_mf_append+4> mov eax, dword ptr [rdi]
0x7ffff78a1076 <gf_sg_vrml_mf_append+6> lea ecx, [rax + 2]
0x7ffff78a1079 <gf_sg_vrml_mf_append+9> jmp gf_sg_vrml_mf_insert@plt <gf_sg_vrml_mf_insert@plt>
↓
0x7ffff77e66a0 <gf_sg_vrml_mf_insert@plt> endbr64
0x7ffff77e66a4 <gf_sg_vrml_mf_insert@plt+4> bnd jmp qword ptr [rip + 0x7ba34d] <0x7ffff77dd3f0>
↓
0x7ffff77dd3f0 endbr64
0x7ffff77dd3f4 push 0x73c
0x7ffff77dd3f9 bnd jmp 0x7ffff77d6020 <0x7ffff77d6020>
↓
0x7ffff77d6020 push qword ptr [rip + 0x7c6fe2] <0x7ffff7f9d008>
0x7ffff77d6026 bnd jmp qword ptr [rip + 0x7c6fe3] <0x7ffff7fe7bb0>
──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
00:0000│ rsp 0x7fffffff6bc8 —▸ 0x7ffff790efa4 (BD_DecMFFieldList+212) ◂— test eax, eax
01:0008│ 0x7fffffff6bd0 ◂— 0x0
02:0010│ 0x7fffffff6bd8 ◂— 0x0
03:0018│ 0x7fffffff6be0 ◂— 0x50 /* 'P' */
04:0020│ 0x7fffffff6be8 ◂— 0x0
05:0028│ 0x7fffffff6bf0 —▸ 0x7fffffff6d10 ◂— 0x30646c6569665f /* '_field0' */
06:0030│ 0x7fffffff6bf8 —▸ 0x7fffffff6c08 ◂— 0x0
07:0038│ 0x7fffffff6c00 —▸ 0x7fffffff6d10 ◂— 0x30646c6569665f /* '_field0' */
────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
► f 0 0x7ffff78a1074 gf_sg_vrml_mf_append+4
f 1 0x7ffff790efa4 BD_DecMFFieldList+212
f 2 0x7ffff7906006 gf_bifs_dec_proto_list+822
f 3 0x7ffff7906549 BD_DecSceneReplace+73
f 4 0x7ffff7914e2e BM_SceneReplace+110
f 5 0x7ffff7914ff3 BM_ParseCommand+179
f 6 0x7ffff7915323 gf_bifs_decode_command_list+163
f 7 0x7ffff7aa1da2 gf_sm_load_run_isom+1218
──────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0 0x00007ffff78a1074 in gf_sg_vrml_mf_append () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#1 0x00007ffff790efa4 in BD_DecMFFieldList () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#2 0x00007ffff7906006 in gf_bifs_dec_proto_list () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#3 0x00007ffff7906549 in BD_DecSceneReplace () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#4 0x00007ffff7914e2e in BM_SceneReplace () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#5 0x00007ffff7914ff3 in BM_ParseCommand () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#6 0x00007ffff7915323 in gf_bifs_decode_command_list () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#7 0x00007ffff7aa1da2 in gf_sm_load_run_isom () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
#8 0x00005555555844a8 in dump_isom_scene ()
#9 0x000055555557b42c in mp4boxMain ()
#10 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe158, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe148) at ../csu/libc-start.c:308
#11 0x000055555556c45e in _start ()