CVE-2021-45292: A segmentation fault in gf_isom_hint_rtp_read(), isomedia/hinting.c:682 · Issue #1958 · gpac/gpac
The gf_isom_hint_rtp_read function in GPAC 1.0.1 allows attackers to cause a denial of service (Invalid memory address dereference) via a crafted file in the MP4Box command.
Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!
- [x] I looked for a similar issue and couldn't find any.
- [x] I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
- [x] I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line …). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95
Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/
Version:
```
./MP4Box -version
MP4Box - GPAC version 1.1.0-DEV-rev1527-g6fcf9819e-master
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
MINI build (encoders, decoders, audio and video output disabled)
Please cite our work in your research:
GPAC Filters: https://doi.org/10.1145/3339825.3394929
GPAC: https://doi.org/10.1145/1291233.1291452
GPAC Configuration: --static-mp4box --prefix=/home/zxq/CVE_testing/sourceproject/gpac/cmakebuild --enable-debug
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_DISABLE_3D
```
System information
Ubuntu 20.04.1 LTS, gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)
Command:
```
./bin/gcc/MP4Box -disox -ttxt -2 -dump-chap-ogg -dump-cover -drtp -bt -out /dev/null poc
```
poc.zip
Result
```
[9] 3114513 segmentation fault
```
GDB information
```
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x400788 --> 0x0
RCX: 0xcffd67 (<__libc_write+23>: cmp rax,0xfffffffffffff000)
RDX: 0x0
RSI: 0x0
RDI: 0x10f4580 --> 0x0
RBP: 0x7fffffff9340 --> 0x7fffffff9360 --> 0x7fffffff93c0 --> 0x7fffffff9450 --> 0x7fffffff98b0 --> 0x7fffffffe150 (--> ...)
RSP: 0x7fffffff9300 --> 0x10eb8f0 --> 0x0
RIP: 0x60afe1 (<gf_isom_hint_rtp_read+414>: mov rax,QWORD PTR [rax+0x8])
R8 : 0x0
R9 : 0x0
R10: 0x0
R11: 0x246
R12: 0xd07990 (<__libc_csu_fini>: endbr64)
R13: 0x0
R14: 0x10a3018 --> 0xd7e490 (<__memmove_avx_unaligned_erms>: endbr64)
R15: 0x0
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x60afd5 <gf_isom_hint_rtp_read+402>: mov rdi,rax
0x60afd8 <gf_isom_hint_rtp_read+405>: call 0x444624 <gf_list_add>
0x60afdd <gf_isom_hint_rtp_read+410>: mov rax,QWORD PTR [rbp-0x18]
=> 0x60afe1 <gf_isom_hint_rtp_read+414>: mov rax,QWORD PTR [rax+0x8]
0x60afe5 <gf_isom_hint_rtp_read+418>: add DWORD PTR [rbp-0x28],eax
0x60afe8 <gf_isom_hint_rtp_read+421>: mov eax,DWORD PTR [rbp-0x28]
0x60afeb <gf_isom_hint_rtp_read+424>: cmp eax,DWORD PTR [rbp-0x20]
0x60afee <gf_isom_hint_rtp_read+427>: jb 0x60afa2 <gf_isom_hint_rtp_read+351>
[------------------------------------stack-------------------------------------]
0000| 0x7fffffff9300 --> 0x10eb8f0 --> 0x0
0008| 0x7fffffff9308 --> 0x10e9510 --> 0xf872747020
0016| 0x7fffffff9310 --> 0x1000000010050
0024| 0x7fffffff9318 --> 0x4
0032| 0x7fffffff9320 --> 0x10001
0040| 0x7fffffff9328 --> 0x0
0048| 0x7fffffff9330 --> 0x7fffffff9360 --> 0x7fffffff93c0 --> 0x7fffffff9450 --> 0x7fffffff98b0 --> 0x7fffffffe150 (--> ...)
0056| 0x7fffffff9338 --> 0x5fb0ffd851107300
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x000000000060afe1 in gf_isom_hint_rtp_read (ptr=0x10e9510, bs=0x10eb8f0) at isomedia/hinting.c:682
682 tempSize += (u32) a->size;
gdb-peda$ bt
#0 0x000000000060afe1 in gf_isom_hint_rtp_read (ptr=0x10e9510, bs=0x10eb8f0) at isomedia/hinting.c:682
#1 0x000000000060a32f in gf_isom_hint_pck_read (ptr=0x10e9510, bs=0x10eb8f0) at isomedia/hinting.c:329
#2 0x0000000000609f4e in gf_isom_hint_sample_read (ptr=0x10efdc0, bs=0x10eb8f0, sampleSize=0x20) at isomedia/hinting.c:212
#3 0x000000000058e156 in gf_isom_dump_hint_sample (the_file=0x10dd6c0, trackNumber=0x2, SampleNum=0xf8, trace=0x10e9f30) at isomedia/box_dump.c:2844
#4 0x0000000000419dc3 in dump_isom_rtp (file=0x10dd6c0, inName=0x7fffffffe602 "/dev/null", is_final_name=GF_TRUE) at filedump.c:860
#5 0x00000000004156b0 in mp4boxMain (argc=0xb, argv=0x7fffffffe2a8) at main.c:6090
#6 0x000000000041719b in main (argc=0xb, argv=0x7fffffffe2a8) at main.c:6496
#7 0x0000000000d07120 in __libc_start_main ()
#8 0x000000000040211e in _start ()
```
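The dump above shows the faulting instruction loading `size` through RAX while RAX is 0x0, i.e. line 682 reads `a->size` from a null box pointer after the box parser produced no box. The following is an added, self-contained illustration (not GPAC's code; `box_t`, `parse_box` and `read_hint_boxes` are hypothetical names) of a box-reading loop that checks the parser's result before accumulating its size, and that also rejects the zero-size and overlong cases, which go beyond this report's specific crash.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Minimal stand-in for an ISO-BMFF box header: 4-byte big-endian size followed
 * by a 4-character type. box_t, parse_box and read_hint_boxes are hypothetical
 * names used for this example; they are not GPAC's own API. */
typedef struct { uint32_t size; char type[5]; } box_t;

/* Parse one box header at buf[off]. Returns 1 on success and 0 when no valid box
 * can be produced (truncated header, size below the 8-byte minimum, or size past
 * the end of the data). Reading out->size after a 0 result is the same pattern
 * as dereferencing the null box at hinting.c:682. */
static int parse_box(const uint8_t *buf, size_t len, size_t off, box_t *out) {
    if (off + 8 > len) return 0;
    uint32_t size = ((uint32_t)buf[off] << 24) | ((uint32_t)buf[off + 1] << 16) |
                    ((uint32_t)buf[off + 2] << 8)  |  (uint32_t)buf[off + 3];
    if (size < 8 || size > len - off) return 0;
    out->size = size;
    memcpy(out->type, buf + off + 4, 4);
    out->type[4] = '\0';
    return 1;
}

/* Hardened read loop: tempSize is only advanced by the size of a box that was
 * actually produced and bounds-checked, so a crafted stream returns -1 instead
 * of dereferencing a null box or spinning on a zero-size box.
 * Returns the number of boxes read on success. */
int read_hint_boxes(const uint8_t *buf, size_t len) {
    size_t tempSize = 0;
    int count = 0;
    box_t a;
    while (tempSize < len) {
        if (!parse_box(buf, len, tempSize, &a)) return -1;
        tempSize += a.size;
        count++;
    }
    return count;
}

/* Constructed inputs for demonstration (not taken from the reporter's poc file). */
static const uint8_t good_stream[] = {
    0, 0, 0, 8,  'f', 'r', 'e', 'e',                /* 8-byte box, no payload   */
    0, 0, 0, 12, 'r', 't', 'p', 'o', 1, 2, 3, 4 };  /* 12-byte box, 4-byte body */
static const uint8_t zero_size_stream[] = { 0, 0, 0, 0, 'f', 'r', 'e', 'e' };
static const uint8_t truncated_stream[] = { 0, 0, 0, 16, 'r', 't', 'p', 'o', 9 };

int good_count(void)       { return read_hint_boxes(good_stream, sizeof good_stream); }
int zero_size_result(void) { return read_hint_boxes(zero_size_stream, sizeof zero_size_stream); }
int truncated_result(void) { return read_hint_boxes(truncated_stream, sizeof truncated_stream); }
```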