CVE-2021-45292: A segmentation fault in gf_isom_hint_rtp_read () , isomedia/hinting.c:682 · Issue #1958 · gpac/gpac

The gf_isom_hint_rtp_read function in GPAC 1.0.1 allows attackers to cause a denial of service (Invalid memory address dereference) via a crafted file in the MP4Box command.


Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

  • [Yes] I looked for a similar issue and couldn’t find any.
  • [Yes] I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
  • [Yes] I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line …). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

Version:

./MP4Box -version
MP4Box - GPAC version 1.1.0-DEV-rev1527-g6fcf9819e-master
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
 MINI build (encoders, decoders, audio and video output disabled)

Please cite our work in your research:
 GPAC Filters: https://doi.org/10.1145/3339825.3394929
 GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --static-mp4box --prefix=/home/zxq/CVE_testing/sourceproject/gpac/cmakebuild --enable-debug
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D 

System information
Ubuntu 20.04.1 LTS, gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)

command:

./bin/gcc/MP4Box -disox -ttxt -2 -dump-chap-ogg -dump-cover -drtp -bt -out /dev/null poc

poc.zip

Result

[9]    3114513 segmentation fault

GDB information

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x400788 --> 0x0 
RCX: 0xcffd67 (<__libc_write+23>:   cmp    rax,0xfffffffffffff000)
RDX: 0x0 
RSI: 0x0 
RDI: 0x10f4580 --> 0x0 
RBP: 0x7fffffff9340 --> 0x7fffffff9360 --> 0x7fffffff93c0 --> 0x7fffffff9450 --> 0x7fffffff98b0 --> 0x7fffffffe150 (--> ...)
RSP: 0x7fffffff9300 --> 0x10eb8f0 --> 0x0 
RIP: 0x60afe1 (<gf_isom_hint_rtp_read+414>: mov    rax,QWORD PTR [rax+0x8])
R8 : 0x0 
R9 : 0x0 
R10: 0x0 
R11: 0x246 
R12: 0xd07990 (<__libc_csu_fini>:   endbr64)
R13: 0x0 
R14: 0x10a3018 --> 0xd7e490 (<__memmove_avx_unaligned_erms>:    endbr64)
R15: 0x0
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x60afd5 <gf_isom_hint_rtp_read+402>:    mov    rdi,rax
   0x60afd8 <gf_isom_hint_rtp_read+405>:    call   0x444624 <gf_list_add>
   0x60afdd <gf_isom_hint_rtp_read+410>:    mov    rax,QWORD PTR [rbp-0x18]
=> 0x60afe1 <gf_isom_hint_rtp_read+414>:    mov    rax,QWORD PTR [rax+0x8]
   0x60afe5 <gf_isom_hint_rtp_read+418>:    add    DWORD PTR [rbp-0x28],eax
   0x60afe8 <gf_isom_hint_rtp_read+421>:    mov    eax,DWORD PTR [rbp-0x28]
   0x60afeb <gf_isom_hint_rtp_read+424>:    cmp    eax,DWORD PTR [rbp-0x20]
   0x60afee <gf_isom_hint_rtp_read+427>:    jb     0x60afa2 <gf_isom_hint_rtp_read+351>
[------------------------------------stack-------------------------------------]
0000| 0x7fffffff9300 --> 0x10eb8f0 --> 0x0 
0008| 0x7fffffff9308 --> 0x10e9510 --> 0xf872747020 
0016| 0x7fffffff9310 --> 0x1000000010050 
0024| 0x7fffffff9318 --> 0x4 
0032| 0x7fffffff9320 --> 0x10001 
0040| 0x7fffffff9328 --> 0x0 
0048| 0x7fffffff9330 --> 0x7fffffff9360 --> 0x7fffffff93c0 --> 0x7fffffff9450 --> 0x7fffffff98b0 --> 0x7fffffffe150 (--> ...)
0056| 0x7fffffff9338 --> 0x5fb0ffd851107300 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x000000000060afe1 in gf_isom_hint_rtp_read (ptr=0x10e9510, bs=0x10eb8f0) at isomedia/hinting.c:682
682             tempSize += (u32) a->size;
gdb-peda$ bt
#0  0x000000000060afe1 in gf_isom_hint_rtp_read (ptr=0x10e9510, bs=0x10eb8f0) at isomedia/hinting.c:682
#1  0x000000000060a32f in gf_isom_hint_pck_read (ptr=0x10e9510, bs=0x10eb8f0) at isomedia/hinting.c:329
#2  0x0000000000609f4e in gf_isom_hint_sample_read (ptr=0x10efdc0, bs=0x10eb8f0, sampleSize=0x20) at isomedia/hinting.c:212
#3  0x000000000058e156 in gf_isom_dump_hint_sample (the_file=0x10dd6c0, trackNumber=0x2, SampleNum=0xf8, trace=0x10e9f30) at isomedia/box_dump.c:2844
#4  0x0000000000419dc3 in dump_isom_rtp (file=0x10dd6c0, inName=0x7fffffffe602 "/dev/null", is_final_name=GF_TRUE) at filedump.c:860
#5  0x00000000004156b0 in mp4boxMain (argc=0xb, argv=0x7fffffffe2a8) at main.c:6090
#6  0x000000000041719b in main (argc=0xb, argv=0x7fffffffe2a8) at main.c:6496
#7  0x0000000000d07120 in __libc_start_main ()
#8  0x000000000040211e in _start ()
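Added illustration, not GPAC's code or the reporter's: the register dump above shows RAX = 0x0 at the faulting `mov rax,QWORD PTR [rax+0x8]`, so the entry pointer `a` is NULL when line 682 evaluates `a->size`. The hypothetical C model below keeps the same accumulate-until-sample-size loop shape but checks the sub-entry reader's result and the declared size before using them, so a truncated or oversized crafted input returns an error instead of faulting; the wire format, function names and sample inputs are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
/* Hypothetical, simplified model of a hint-sample sub-entry reader, not GPAC's
 * code. Assumed wire format per entry: 1 byte type, 4 bytes little-endian size. */
typedef struct { uint8_t type; uint32_t size; } entry_t;
enum { RD_OK = 0, RD_ERR_TRUNCATED = -1, RD_ERR_BAD_SIZE = -2 };

/* Returns a heap entry, or NULL when fewer than 5 bytes remain: this is the NULL
 * that an unchecked caller would dereference through a->size. */
static entry_t *read_entry(const uint8_t *buf, size_t len, size_t *pos) {
    if (len - *pos < 5) return NULL;
    entry_t *a = malloc(sizeof *a);
    if (!a) return NULL;
    a->type = buf[*pos];
    a->size = (uint32_t)buf[*pos + 1] | (uint32_t)buf[*pos + 2] << 8 |
              (uint32_t)buf[*pos + 3] << 16 | (uint32_t)buf[*pos + 4] << 24;
    *pos += 5;
    return a;
}

/* Same loop shape as the faulting one (accumulate entry sizes until they reach
 * the sample size), but a failed read returns an error instead of crashing. */
int read_hint_entries(const uint8_t *buf, size_t len, uint32_t sampleSize, uint32_t *total) {
    size_t pos = 0;
    uint32_t tempSize = 0;
    while (tempSize < sampleSize) {
        entry_t *a = read_entry(buf, len, &pos);
        if (!a) return RD_ERR_TRUNCATED;           /* short or crafted file: bail out */
        /* a zero size would never advance; an oversized one would overshoot */
        if (a->size == 0 || a->size > sampleSize - tempSize) { free(a); return RD_ERR_BAD_SIZE; }
        tempSize += a->size;
        free(a);
    }
    *total = tempSize;
    return RD_OK;
}

/* Constructed inputs (not the report's poc); run() returns the total on success
 * and the negative error code otherwise. */
static int run(const uint8_t *buf, size_t len, uint32_t sampleSize) {
    uint32_t total = 0;
    int rc = read_hint_entries(buf, len, sampleSize, &total);
    return rc == RD_OK ? (int)total : rc;
}
static const uint8_t GOOD[]  = { 1, 16, 0, 0, 0, 2, 16, 0, 0, 0 }; /* two 16-byte entries */
static const uint8_t TRUNC[] = { 1, 16, 0, 0, 0 };                 /* promises 32, carries 16 */
static const uint8_t OVER[]  = { 1, 0, 1, 0, 0 };                  /* one entry claiming 256 */
int demo_good(void)  { return run(GOOD,  sizeof GOOD,  32); }  /* 32 */
int demo_trunc(void) { return run(TRUNC, sizeof TRUNC, 32); }  /* -1 */
int demo_over(void)  { return run(OVER,  sizeof OVER,  32); }  /* -2 */
```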
