CVE-2021-46240: Null Pointer Dereference in gf_dump_vrml_sffield () at scene_manager/scene_dump.c:588 · Issue #2028 · gpac/gpac

A NULL pointer dereference vulnerability exists in GPAC v1.1.0 via the function gf_dump_vrml_sffield () at scene_manager/scene_dump.c. This vulnerability can lead to a Denial of Service (DoS).

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

  • I looked for a similar issue and couldn’t find any.
  • I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
  • I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line …). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

Version:

./MP4Box -version
MP4Box - GPAC version 1.1.0-DEV-rev1582-g94db9779c-master
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    MINI build (encoders, decoders, audio and video output disabled)

Please cite our work in your research:
    GPAC Filters: https://doi.org/10.1145/3339825.3394929
    GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --static-mp4box --enable-debug --
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D 

command:

./bin/gcc/MP4Box -disox -ttxt -2 -dump-chap-ogg -dump-cover -drtp -bt -out /dev/null POC3

POC3.zip

Result

bt

Program received signal SIGSEGV, Segmentation fault.
0x0000000000d6de15 in __strlen_avx2 ()
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
──────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]───────────────────────────────────────────────────────────────────────────────────────────────────
 RAX  0x0
 RBX  0xe040d1 ◂— 'SFScript'
 RCX  0x0
 RDX  0x0
 RDI  0x0
 RSI  0xd
 R8   0x1107f30 —▸ 0x1107f60 ◂— 0x100010051 /* 'Q' */
 R9   0x1
 R10  0x0
 R11  0x1111f70 ◂— 0x0
 R12  0x1111f70 ◂— 0x0
 R13  0x0
 R14  0x10a6018 (_GLOBAL_OFFSET_TABLE_+24) —▸ 0xd80db0 (__memmove_avx_unaligned_erms) ◂— endbr64 
 R15  0x0
 RBP  0x7fffffff8370 —▸ 0x7fffffff83c0 —▸ 0x7fffffff8480 —▸ 0x7fffffff85b0 —▸ 0x7fffffff8660 ◂— ...
 RSP  0x7fffffff82c8 —▸ 0x6db0ac (gf_dump_vrml_sffield+1108) ◂— mov    dword ptr [rbp - 0x6c], eax
 RIP  0xd6de15 (__strlen_avx2+21) ◂— vpcmpeqb ymm1, ymm0, ymmword ptr [rdi]
────────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]────────────────────────────────────────────────────────────────────────────────────────────────────
 ► 0xd6de15 <__strlen_avx2+21>     vpcmpeqb ymm1, ymm0, ymmword ptr [rdi]
   0xd6de19 <__strlen_avx2+25>     vpmovmskb eax, ymm1
   0xd6de1d <__strlen_avx2+29>     test   eax, eax
   0xd6de1f <__strlen_avx2+31>     jne    __strlen_avx2+272                      <__strlen_avx2+272>
    ↓
   0xd6df10 <__strlen_avx2+272>    tzcnt  eax, eax
   0xd6df14 <__strlen_avx2+276>    add    rax, rdi
   0xd6df17 <__strlen_avx2+279>    sub    rax, rdx
   0xd6df1a <__strlen_avx2+282>    vzeroupper 
   0xd6df1d <__strlen_avx2+285>    ret    
 
   0xd6df1e <__strlen_avx2+286>    nop    
   0xd6df20 <__strlen_avx2+288>    tzcnt  eax, eax
────────────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]─────────────────────────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffff82c8 —▸ 0x6db0ac (gf_dump_vrml_sffield+1108) ◂— mov    dword ptr [rbp - 0x6c], eax
01:0008│     0x7fffffff82d0 —▸ 0x1107f30 —▸ 0x1107f60 ◂— 0x100010051 /* 'Q' */
02:0010│     0x7fffffff82d8 —▸ 0x1112010 ◂— 0x0
03:0018│     0x7fffffff82e0 ◂— 0xd00000000
04:0020│     0x7fffffff82e8 —▸ 0x10f7610 —▸ 0x10fabd0 ◂— 0x0
05:0028│     0x7fffffff82f0 —▸ 0x7fffffff83f0 ◂— 0x0
06:0030│     0x7fffffff82f8 —▸ 0x443f20 (gf_fprintf+247) ◂— mov    dword ptr [rbp - 0xd4], eax
07:0038│     0x7fffffff8300 —▸ 0xe3f948 ◂— 0x6c696863005d0020 /* ' ' */
──────────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────────────────────────────────────────────────────────────
 ► f 0         0xd6de15 __strlen_avx2+21
   f 1         0x6db0ac gf_dump_vrml_sffield+1108
   f 2         0x6dbb5a gf_dump_vrml_simple_field+361
   f 3         0x6dcb89 gf_dump_vrml_dyn_field+1204
   f 4         0x6ded60 gf_dump_vrml_node+4696
   f 5         0x6e2bfd DumpProtos+2532
   f 6         0x6e2f97 DumpSceneReplace+426
   f 7         0x6e43d3 gf_sm_dump_command_list+999
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0  0x0000000000d6de15 in __strlen_avx2 ()
#1  0x00000000006db0ac in gf_dump_vrml_sffield (sdump=0x10f7610, type=13, ptr=0x1112010, is_mf=GF_FALSE, node=0x1107f30) at scene_manager/scene_dump.c:588
#2  0x00000000006dbb5a in gf_dump_vrml_simple_field (sdump=0x10f7610, field=..., parent=0x1107f30) at scene_manager/scene_dump.c:775
#3  0x00000000006dcb89 in gf_dump_vrml_dyn_field (sdump=0x10f7610, node=0x1107f30, field=..., has_sublist=GF_FALSE) at scene_manager/scene_dump.c:1125
#4  0x00000000006ded60 in gf_dump_vrml_node (sdump=0x10f7610, node=0x1107f30, in_list=GF_TRUE, fieldContainer=0x0) at scene_manager/scene_dump.c:1666
#5  0x00000000006e2bfd in DumpProtos (sdump=0x10f7610, protoList=0x10f9ba0) at scene_manager/scene_dump.c:2522
#6  0x00000000006e2f97 in DumpSceneReplace (sdump=0x10f7610, com=0x10f9b00) at scene_manager/scene_dump.c:2572
#7  0x00000000006e43d3 in gf_sm_dump_command_list (sdump=0x10f7610, comList=0x10f79d0, indent=0, skip_first_replace=GF_TRUE) at scene_manager/scene_dump.c:2907
#8  0x00000000006e648e in gf_sm_dump (ctx=0x10ed0e0, rad_name=0x7fffffffe606 "/dev/null", is_final_name=GF_TRUE, dump_mode=GF_SM_DUMP_BT) at scene_manager/scene_dump.c:3519
#9  0x0000000000417966 in dump_isom_scene (file=0x7fffffffe610 "__strlen_avx2-gf_dump_vrml_sffield/id:000947,sig:11,src:014856+019234,op:splice,rep:8", inName=0x7fffffffe606 "/dev/null", is_final_name=GF_TRUE, dump_mode=GF_SM_DUMP_BT, do_log=GF_FALSE, no_odf_conv=GF_FALSE) at filedump.c:213
#10 0x000000000041521f in mp4boxMain (argc=11, argv=0x7fffffffe2a8) at main.c:6044
#11 0x000000000041719b in main (argc=11, argv=0x7fffffffe2a8) at main.c:6496
#12 0x0000000000d09a40 in __libc_start_main ()
#13 0x000000000040211e in _start ()
pwndbg>
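The register dump and backtrace above show the actual fault: `__strlen_avx2` is entered with RDI = 0x0, i.e. `strlen` is called on a NULL string pointer, while frame #1 is `gf_dump_vrml_sffield` handling a field of type 13 (RBX points at the string 'SFScript'). The `ptr` argument in that frame is non-NULL, which suggests the NULL value came from inside the field payload rather than from the argument itself. The C below is an added illustration, not GPAC's code, of the defensive pattern that prevents this class of crash: a scene-dump helper that checks every string-typed payload before measuring or printing it, and keeps going on malformed input while reporting it to the caller. The struct layout, type tags and function names are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical field type tags for this example; they are not GPAC's enum values. */
enum sf_type { SF_INT32 = 1, SF_STRING = 2, SF_SCRIPT = 3 };

/* Hypothetical single-valued (SF) field: a type tag plus a payload pointer.
 * For SF_STRING and SF_SCRIPT the payload is a char *. A malformed file can
 * leave it NULL, which is the state the crash report shows (RDI = 0 in strlen). */
struct sf_field {
    enum sf_type type;
    const void *ptr;
};

/* Unsafe dumper that mirrors the crash pattern: the string payload reaches
 * strlen/snprintf without a NULL check. Shown for contrast only. */
static int dump_sf_unsafe(const struct sf_field *f, char *out, size_t cap)
{
    if (f->type == SF_STRING || f->type == SF_SCRIPT) {
        const char *s = (const char *)f->ptr;
        /* strlen reads through s at once; with s == NULL this is the read of
         * address 0 that the report shows inside __strlen_avx2. */
        if (strlen(s) + 2 >= cap)
            return -1;                    /* would not fit with its quotes */
        return snprintf(out, cap, "\"%s\"", s);
    }
    return snprintf(out, cap, "%d", *(const int *)f->ptr);
}

/* Hardened dumper: every payload is checked before it is measured or printed.
 * A NULL string payload is emitted as "" and flagged through *malformed so the
 * caller can log the bad input; NULL is never dereferenced.
 * Returns what snprintf returns: the length the field would occupy. */
static int dump_sf_field(const struct sf_field *f, char *out, size_t cap, int *malformed)
{
    *malformed = 0;
    switch (f->type) {
    case SF_STRING:
    case SF_SCRIPT: {
        const char *s = (const char *)f->ptr;
        if (s == NULL) {
            *malformed = 1;
            s = "";                       /* substitute an empty string */
        }
        return snprintf(out, cap, "\"%s\"", s);
    }
    case SF_INT32:
        if (f->ptr == NULL) {
            *malformed = 1;
            return snprintf(out, cap, "0");
        }
        return snprintf(out, cap, "%d", *(const int *)f->ptr);
    default:
        *malformed = 1;                   /* unknown tag: refuse rather than guess */
        return snprintf(out, cap, "<unknown>");
    }
}

/* Dump a list of fields into one buffer, space-separated, never writing past
 * cap and always leaving the buffer NUL-terminated. Returns the number of
 * malformed fields (NULL payload or unknown type); the dump completes instead
 * of aborting with SIGSEGV. */
static int dump_field_list(const struct sf_field *fields, size_t n, char *out, size_t cap)
{
    size_t used = 0;
    int bad = 0;
    out[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        int m = 0;
        int w = dump_sf_field(&fields[i], out + used, cap - used, &m);
        bad += m;
        if (w < 0 || (size_t)w >= cap - used)
            break;                        /* truncated: snprintf already terminated out */
        used += (size_t)w;
        if (i + 1 < n && used + 1 < cap) {
            out[used++] = ' ';
            out[used] = '\0';
        }
    }
    return bad;
}

int main(void)
{
    int answer = 42;
    /* Constructed sample input: a valid string, an int, and an SFScript whose
     * payload is NULL, as a malformed file would leave it. */
    struct sf_field fields[] = {
        { SF_STRING, "hello" },
        { SF_INT32, &answer },
        { SF_SCRIPT, NULL },
    };
    char buf[64];
    int bad = dump_field_list(fields, 3, buf, sizeof buf);
    printf("%s  (malformed fields: %d)\n", buf, bad);
    return 0;
}
```

The point of returning a malformed count rather than aborting is that a dumper such as `MP4Box -bt` runs over attacker-supplied files: the safe behaviour is to render the broken field as empty, keep the rest of the dump, and let the caller log that the input was malformed.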
