A heab-based buffer overflow vulnerability exists in MP4Box in GPAC 1.0.1 via media.c, which allows attackers to cause a denial of service or execute arbitrary code via a crafted file.

Hello,  
A heap-buffer-overflow has occurred when running program MP4Box,which leads to a Deny of Service caused by dividing zero without sanity check,this can reproduce on the lattest commit.  
System info：  
Ubuntu 20.04.1 : clang 10.0.0 , gcc 9.3.0

poc.zip

file: media.c  
function:gf\_isom\_get\_3gpp\_audio\_esd  
line: 105  
As below code shows:

    97		gf_bs_write_data(bs, "\x41\x6D\x7F\x5E\x15\xB1\xD0\x11\xBA\x91\x00\x80\x5F\xB4\xB9\x7E", 16);
    98		gf_bs_write_u16_le(bs, 1);
    99		memset(szName, 0, 80);
    100		strcpy(szName, "QCELP-13K(GPAC-emulated)");
    101		gf_bs_write_data(bs, szName, 80);
    102		ent = &stbl->TimeToSample->entries[0];
    103		sample_rate = entry->samplerate_hi;
    104		block_size = ent ? ent->sampleDelta : 160;
    105		gf_bs_write_u16_le(bs, 8*sample_size*sample_rate/block_size);      <------ block_size can be zero
    106		gf_bs_write_u16_le(bs, sample_size);
    107		gf_bs_write_u16_le(bs, block_size);
    108		gf_bs_write_u16_le(bs, sample_rate);
    109		gf_bs_write_u16_le(bs, entry->bitspersample);
    110		gf_bs_write_u32_le(bs, sample_size ? 0 : 7);
    

Verification steps：  
1.Get the source code of gpac  
2.Compile

    cd gpac-master
    CC=gcc CXX=g++ CFLAGS="-fsanitize=address" CXXFLAGS="-fsanitize=address" ./configure
    make
    

3.run MP4Box

    ./MP4Box -hint poc -out /dev/null
    

In Command line:

    [iso file] Unknown box type esJs in parent enca
    [iso file] Unknown box type stts in parent enca
    [iso file] Box "enca" (start 1455) has 5 extra bytes
    [iso file] Box "enca" is larger than container box
    [iso file] Box "stsd" size 171 (start 1439) invalid (read 192)
    Floating point exception
    

gdb info

![1625476927(1)](https://user-images.githubusercontent.com/83855894/124471055-ffd3bc80-ddce-11eb-8902-1e7c60e568bb.png)

asan info

    =================================================================
    ==967870==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001874 at pc 0x7f3a53c0836c bp 0x7ffcce36e790 sp 0x7ffcce36e780
    READ of size 4 at 0x602000001874 thread T0
        #0 0x7f3a53c0836b in gf_isom_get_3gpp_audio_esd isomedia/media.c:104
        #1 0x7f3a53c0836b in Media_GetESD isomedia/media.c:330
        #2 0x7f3a53b1ac04 in gf_isom_get_decoder_config isomedia/isom_read.c:1329
        #3 0x7f3a53b56d2e in gf_isom_guess_specification isomedia/isom_read.c:4035
        #4 0x5602827ad1d1 in HintFile /home/.../gpac/gpac-master-A/applications/mp4box/main.c:3379
        #5 0x5602827c4d54 in mp4boxMain /home/.../gpac/gpac-master-A/applications/mp4box/main.c:6297
        #6 0x7f3a52d080b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #7 0x560282777f1d in _start (/home/.../gpac/gpac-master-A/bin/gcc/MP4Box+0x48f1d)
    
    0x602000001874 is located 3 bytes to the right of 1-byte region [0x602000001870,0x602000001871)
    allocated by thread T0 here:
        #0 0x7f3a55be6bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
        #1 0x7f3a539e10ec in stts_box_read isomedia/box_code_base.c:5788
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow isomedia/media.c:104 in gf_isom_get_3gpp_audio_esd
    Shadow bytes around the buggy address:
      0x0c047fff82b0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
      0x0c047fff82c0: fa fa fd fd fa fa fd fd fa fa fd fa fa fa 00 00
      0x0c047fff82d0: fa fa 01 fa fa fa 00 00 fa fa 00 00 fa fa 00 00
      0x0c047fff82e0: fa fa 00 00 fa fa 01 fa fa fa 00 00 fa fa 00 00
      0x0c047fff82f0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
    =>0x0c047fff8300: fa fa 00 00 fa fa 00 fa fa fa 00 00 fa fa[01]fa
      0x0c047fff8310: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 fa
      0x0c047fff8320: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
      0x0c047fff8330: fa fa 01 fa fa fa 00 00 fa fa 00 00 fa fa 00 00
      0x0c047fff8340: fa fa 00 00 fa fa fd fd fa fa fd fd fa fa fd fd
      0x0c047fff8350: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==967870==ABORTING

CVE-2021-36414: heap buffer overflow issue with gpac MP4Box · Issue #1840 · gpac/gpac

There is an Assertion `scaling_list_pred_matrix_id_delta==1' failed at sps.cc:925 in libde265 v1.0.8 when decoding file, which allows attackers to cause a Denial of Service (DoS) by running the application with a crafted file or possibly have unspecified other impact.

Hello,  
There is an Assertion \`scaling\_list\_pred\_matrix\_id\_delta==1' failed at sps.cc:925 in libde265 v1.0.8 when decoding file.  
System info：  
Ubuntu 20.04.1 : clang 10.0.0 , gcc 9.3.0

Dec265 v1.0.8

poc (3).zip

Verification steps：  
1.Get the source code of libde265  
2.Compile

    cd libde265
    mkdir build && cd build
    cmake ../ -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_CXX_FLAGS="fsanitize=address"
    make -j 16
    

3.run dec265

Output

    WARNING: non-existing PPS referenced
    dec265: /home/dh/sda3/libde265-master/libde265-master/libde265/sps.cc:925: de265_error read_scaling_list(bitreader*, const seq_parameter_set*, scaling_list_data*, bool): Assertion `scaling_list_pred_matrix_id_delta==1' failed.
    Aborted(core dumped)
    
    

gdb info

    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    WARNING: non-existing PPS referenced
    dec265-afl++: /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/sps.cc:925: de265_error read_scaling_list(bitreader*, const seq_parameter_set*, scaling_list_data*, bool): Assertion `scaling_list_pred_matrix_id_delta==1' failed.
    
    Program received signal SIGABRT, Aborted.
    [----------------------------------registers-----------------------------------]
    RAX: 0x0 
    RBX: 0x7ffff6c3a680 (0x00007ffff6c3a680)
    RCX: 0x7ffff6e0618b (<__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108])
    RDX: 0x0 
    RSI: 0x7fffffff1ab0 --> 0x0 
    RDI: 0x2 
    RBP: 0x7ffff6f7b588 ("%s%s%s:%u: %s%sAssertion `%s' failed.\n%n")
    RSP: 0x7fffffff1ab0 --> 0x0 
    RIP: 0x7ffff6e0618b (<__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108])
    R8 : 0x0 
    R9 : 0x7fffffff1ab0 --> 0x0 
    R10: 0x8 
    R11: 0x246 
    R12: 0x7ffff7538760 ("/home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/sps.cc")
    R13: 0x39d 
    R14: 0x7ffff75388a0 ("scaling_list_pred_matrix_id_delta==1")
    R15: 0x0
    EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x7ffff6e0617f <__GI_raise+191>:	mov    edi,0x2
       0x7ffff6e06184 <__GI_raise+196>:	mov    eax,0xe
       0x7ffff6e06189 <__GI_raise+201>:	syscall 
    => 0x7ffff6e0618b <__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108]
       0x7ffff6e06193 <__GI_raise+211>:	xor    rax,QWORD PTR fs:0x28
       0x7ffff6e0619c <__GI_raise+220>:	jne    0x7ffff6e061c4 <__GI_raise+260>
       0x7ffff6e0619e <__GI_raise+222>:	mov    eax,r8d
       0x7ffff6e061a1 <__GI_raise+225>:	add    rsp,0x118
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffff1ab0 --> 0x0 
    0008| 0x7fffffff1ab8 --> 0x7ffff768f6f0 (<free>:	endbr64)
    0016| 0x7fffffff1ac0 --> 0xe4e4e4e3fbad8000 
    0024| 0x7fffffff1ac8 --> 0x612000000040 --> 0x612d353606800001 
    0032| 0x7fffffff1ad0 --> 0x6120000000a5 ("265_error read_scaling_list(bitreader*, const seq_parameter_set*, scaling_list_data*, bool): Assertion `scaling_list_pred_matrix_id_delta==1' failed.\n")
    0040| 0x7fffffff1ad8 --> 0x612000000040 --> 0x612d353606800001 
    0048| 0x7fffffff1ae0 --> 0x612000000040 --> 0x612d353606800001 
    0056| 0x7fffffff1ae8 --> 0x61200000013b --> 0x0 
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGABRT
    __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
    50	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    
    

source code of sps.cc:925

    912 if (scaling_list_pred_matrix_id_delta==0) {
    913         if (sizeId==0) {
    914           memcpy(curr_scaling_list, default_ScalingList_4x4, 16);
    915          }
    916         else {
    917            if (canonicalMatrixId<3)
    918              { memcpy(curr_scaling_list, default_ScalingList_8x8_intra,64); }
    919            else
    920              { memcpy(curr_scaling_list, default_ScalingList_8x8_inter,64); }
    921          }
    922        }
    923        else {
    924          // TODO: CHECK: for sizeID=3 and the second matrix, should we have delta=1 or delta=3 ?
    925          if (sizeId==3) { assert(scaling_list_pred_matrix_id_delta==1); }
    926
    927          int mID = matrixId - scaling_list_pred_matrix_id_delta;
    928
    929          int len = (sizeId == 0 ? 16 : 64);
    930          memcpy(curr_scaling_list, scaling_list[mID], len);
    931
    932          scaling_list_dc_coef       = dc_coeff[sizeId][mID];
    933          dc_coeff[sizeId][matrixId] = dc_coeff[sizeId][mID];
    934        }
    935      }

CVE-2021-36409: There is an Assertion failed at sps.cc · Issue #300 · strukturag/libde265

An issue has been found in libde265 v1.0.8 due to incorrect access control. A SEGV caused by a READ memory access in function derive_boundaryStrength of deblock.cc has occurred. The vulnerability causes a segmentation fault and application crash, which leads to remote denial of service.

Hello,  
A SEGV of deblock.cc in function derive\_boundaryStrength has occurred when running program dec265，

source code

    283 if ((edgeFlags & transformEdgeMask) &&
    284              (img->get_nonzero_coefficient(xDi   ,yDi) ||
    285               img->get_nonzero_coefficient(xDiOpp,yDiOpp))) {
    286            bS = 1;
    287          }
    288          else {
    289
    290            bS = 0;
    291
    292            const PBMotion& mviP = img->get_mv_info(xDiOpp,yDiOpp);
    293            const PBMotion& mviQ = img->get_mv_info(xDi   ,yDi);
    294
    295            slice_segment_header* shdrP = img->get_SliceHeader(xDiOpp,yDiOpp);
    296            slice_segment_header* shdrQ = img->get_SliceHeader(xDi   ,yDi);
    297
    298            int refPicP0 = mviP.predFlag[0] ? shdrP->RefPicList[0][ mviP.refIdx[0] ] : -1;
    299            int refPicP1 = mviP.predFlag[1] ? shdrP->RefPicList[1][ mviP.refIdx[1] ] : -1;
    300            int refPicQ0 = mviQ.predFlag[0] ? shdrQ->RefPicList[0][ mviQ.refIdx[0] ] : -1;
    301            int refPicQ1 = mviQ.predFlag[1] ? shdrQ->RefPicList[1][ mviQ.refIdx[1] ] : -1;
    302
    303            bool samePics = ((refPicP0==refPicQ0 && refPicP1==refPicQ1) ||
    304                             (refPicP0==refPicQ1 && refPicP1==refPicQ0));
    

**Due to incorrect access control, a SEGV caused by a READ memory access occurred at line 298 of the code. This issue can cause a Denial of Service attack.**

System info：  
Ubuntu 20.04.1 : clang 10.0.0 , gcc 9.3.0

Dec265 v1.0.8

poc.zip

Verification steps：  
1.Get the source code of libde265  
2.Compile

    cd libde265
    mkdir build && cd build
    cmake ../ -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_CXX_FLAGS="fsanitize=address"
    make -j 32
    

3.run dec265(without asan)

Output

    WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: CTB outside of image area (concealing stream error...)
    Segmentation fault(core dumped)
    
    

AddressSanitizer output

    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==3532158==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000003d0 (pc 0x7f19b4f52978 bp 0x616000001580 sp 0x7fff00e87c20 T0)
    ==3532158==The signal is caused by a READ memory access.
    ==3532158==Hint: address points to the zero page.
        #0 0x7f19b4f52977 in derive_boundaryStrength(de265_image*, bool, int, int, int, int) /home/dh/sda3/libde265-master/libde265-master/libde265/deblock.cc:298
        #1 0x7f19b4f56835 in apply_deblocking_filter(de265_image*) /home/dh/sda3/libde265-master/libde265-master/libde265/deblock.cc:1046
        #2 0x7f19b4f7e626 in decoder_context::run_postprocessing_filters_sequential(de265_image*) /home/dh/sda3/libde265-master/libde265-master/libde265/decctx.cc:1880
        #3 0x7f19b4f9baa0 in decoder_context::decode_some(bool*) /home/dh/sda3/libde265-master/libde265-master/libde265/decctx.cc:769
        #4 0x7f19b4f9f95e in decoder_context::decode(int*) /home/dh/sda3/libde265-master/libde265-master/libde265/decctx.cc:1329
        #5 0x55704ed8c8fd in main /home/dh/sda3/libde265-master/libde265-master/dec265/dec265.cc:764
        #6 0x7f19b4aee0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #7 0x55704ed8f76d in _start (/home/dh/sda3/libde265-master/libde265-master/dec265+0xa76d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/dh/sda3/libde265-master/libde265-master/libde265/deblock.cc:298 in derive_boundaryStrength(de265_image*, bool, int, int, int, int)
    ==3532158==ABORTING
    
    
    
    

gdb info

    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
    WARNING: non-existing reference picture accessed
    WARNING: non-existing reference picture accessed
    WARNING: non-existing reference picture accessed
    WARNING: non-existing reference picture accessed
    WARNING: non-existing reference picture accessed
    WARNING: non-existing reference picture accessed
    WARNING: CTB outside of image area (concealing stream error...)
    WARNING: CTB outside of image area (concealing stream error...)
    
    Program received signal SIGSEGV, Segmentation fault.
    [----------------------------------registers-----------------------------------]
    RAX: 0x0 
    RBX: 0x2 
    RCX: 0x61b000001580 --> 0xbebebebe00000000 
    RDX: 0x0 
    RSI: 0x7a ('z')
    RDI: 0x3d0 
    RBP: 0x616000001580 --> 0xbebebebe00000007 
    RSP: 0x7fffffff36e0 --> 0x3000000000 --> 0x0 
    RIP: 0x7ffff724b978 (<derive_boundaryStrength(de265_image*, bool, int, int, int, int)+6024>:	mov    ebx,DWORD PTR [r9+r15*4+0x3b8])
    R8 : 0x3 
    R9 : 0x0 
    R10: 0x6330000d6800 --> 0x8ffff00000101 
    R11: 0x6330000d6200 --> 0x60101 
    R12: 0x0 
    R13: 0xffffffffffffff90 
    R14: 0x7ffff31ff800 --> 0xbebebebebebebebe 
    R15: 0x6
    EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x7ffff724b96e <derive_boundaryStrength(de265_image*, bool, int, int, int, int)+6014>:	
        jl     0x7ffff724b978 <derive_boundaryStrength(de265_image*, bool, int, int, int, int)+6024>
       0x7ffff724b970 <derive_boundaryStrength(de265_image*, bool, int, int, int, int)+6016>:	test   dl,dl
       0x7ffff724b972 <derive_boundaryStrength(de265_image*, bool, int, int, int, int)+6018>:	
        jne    0x7ffff724dd87 <derive_boundaryStrength(de265_image*, bool, int, int, int, int)+15255>
    => 0x7ffff724b978 <derive_boundaryStrength(de265_image*, bool, int, int, int, int)+6024>:	mov    ebx,DWORD PTR [r9+r15*4+0x3b8]
       0x7ffff724b980 <derive_boundaryStrength(de265_image*, bool, int, int, int, int)+6032>:	mov    edx,0x376d
       0x7ffff724b985 <derive_boundaryStrength(de265_image*, bool, int, int, int, int)+6037>:	mov    eax,0xafce
       0x7ffff724b98a <derive_boundaryStrength(de265_image*, bool, int, int, int, int)+6042>:	lea    r15,[r11+0x1]
       0x7ffff724b98e <derive_boundaryStrength(de265_image*, bool, int, int, int, int)+6046>:	mov    rdi,r15
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffff36e0 --> 0x3000000000 --> 0x0 
    0008| 0x7fffffff36e8 --> 0x6160000016f8 --> 0x4000000080 --> 0x0 
    0016| 0x7fffffff36f0 --> 0x6160000016e8 --> 0x625000057900 --> 0x0 
    0024| 0x7fffffff36f8 --> 0xa000000080 --> 0x0 
    0032| 0x7fffffff3700 --> 0x1 
    0040| 0x7fffffff3708 --> 0xbf000000c0 --> 0x0 
    0048| 0x7fffffff3710 --> 0x61600000167c --> 0x4000000003 --> 0x0 
    0056| 0x7fffffff3718 --> 0xff00f800 --> 0x0 
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGSEGV
    0x00007ffff724b978 in derive_boundaryStrength (img=img@entry=0x616000001580, 
        vertical=vertical@entry=0x0, yStart=yStart@entry=0x0, 
        yEnd=<optimized out>, xStart=xStart@entry=0x0, xEnd=<optimized out>)
        at /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/deblock.cc:298
    298	            int refPicP0 = mviP.predFlag[0] ? shdrP->RefPicList[0][ mviP.refIdx[0] ] : -1;

CVE-2021-36411: A SEGV has occurred when running program dec265 · Issue #302 · strukturag/libde265

An Incorrect Access Control vulnerability exists in libde265 v1.0.8 due to a SEGV in slice.cc.

Hello,  
A SEGV has occurred when running program dec265，  
System info：  
Ubuntu 20.04.1 : clang 10.0.0 , gcc 9.3.0

Dec265 v1.0.8

poc (1).zip

Verification steps：  
1.Get the source code of libde265  
2.Compile

    cd libde265
    mkdir build && cd build
    cmake ../ -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_CXX_FLAGS="fsanitize=address"
    make -j 32
    

3.run dec265(without asan)

Output

    WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
    WARNING: slice header invalid
    Segmentation fault(core dumped)
    
    

AddressSanitizer output

    =================================================================
    ==1960598==ERROR: AddressSanitizer: SEGV on unknown address 0x00009fff8000 (pc 0x7f65de25eac3 bp 0x61b000001c80 sp 0x7ffe41764b90 T0)
    ==1960598==The signal is caused by a READ memory access.
        #0 0x7f65de25eac2 in slice_segment_header::read(bitreader*, decoder_context*, bool*) /home/dh/sda3/libde265-master/libde265-master/libde265/slice.cc:390
        #1 0x7f65de14837a in decoder_context::read_slice_NAL(bitreader&, NAL_unit*, nal_header&) /home/dh/sda3/libde265-master/libde265-master/libde265/decctx.cc:626
        #2 0x7f65de14a839 in decoder_context::decode_NAL(NAL_unit*) /home/dh/sda3/libde265-master/libde265-master/libde265/decctx.cc:1230
        #3 0x7f65de14be1e in decoder_context::decode(int*) /home/dh/sda3/libde265-master/libde265-master/libde265/decctx.cc:1318
        #4 0x55d4ecf488fd in main /home/dh/sda3/libde265-master/libde265-master/dec265/dec265.cc:764
        #5 0x7f65ddc9a0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
        #6 0x55d4ecf4b76d in _start (/home/dh/sda3/libde265-master/libde265-master/dec265+0xa76d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/dh/sda3/libde265-master/libde265-master/libde265/slice.cc:390 in slice_segment_header::read(bitreader*, decoder_context*, bool*)
    ==1960598==ABORTING
    
    
    

gdb info

    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    WARNING: end_of_sub_stream_one_bit not set to 1 when it should be
    WARNING: slice header invalid
    
    Program received signal SIGSEGV, Segmentation fault.
    [----------------------------------registers-----------------------------------]
    RAX: 0x0 
    RBX: 0xffffffffffffff90 
    RCX: 0x617000000090 --> 0x100000000 --> 0x0 
    RDX: 0xc2e00000013 --> 0x0 
    RSI: 0x20000000 ('')
    RDI: 0x617000000098 --> 0x100000001 --> 0x0 
    RBP: 0x61b000001c80 --> 0xbebebebe00000000 
    RSP: 0x7fffffff3570 --> 0x0 
    RIP: 0x7ffff73abac3 (<slice_segment_header::read(bitreader*, decoder_context*, bool*)+2387>:	movzx  r14d,BYTE PTR [rsi+0x7fff8000])
    R8 : 0xfffff8f8 --> 0x0 
    R9 : 0x7 
    R10: 0x9 ('\t')
    R11: 0xfffffffe6c8 --> 0x0 
    R12: 0x7ffff31ff800 --> 0xbebebebebebebebe 
    R13: 0x7fffffff3a40 --> 0x62e000078405 --> 0xbebebebebebebebe 
    R14: 0xffffe641bdb --> 0x0 
    R15: 0x555555569bd0 --> 0x7ffff31ff800 --> 0xbebebebebebebebe
    EFLAGS: 0x10216 (carry PARITY ADJUST zero sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x7ffff73abab6 <slice_segment_header::read(bitreader*, decoder_context*, bool*)+2374>:	mov    rsi,QWORD PTR [rcx+0x8]
       0x7ffff73ababa <slice_segment_header::read(bitreader*, decoder_context*, bool*)+2378>:	mov    QWORD PTR [rsp+0x10],rsi
       0x7ffff73ababf <slice_segment_header::read(bitreader*, decoder_context*, bool*)+2383>:	shr    rsi,0x3
    => 0x7ffff73abac3 <slice_segment_header::read(bitreader*, decoder_context*, bool*)+2387>:	movzx  r14d,BYTE PTR [rsi+0x7fff8000]
       0x7ffff73abacb <slice_segment_header::read(bitreader*, decoder_context*, bool*)+2395>:	test   r14b,r14b
       0x7ffff73abace <slice_segment_header::read(bitreader*, decoder_context*, bool*)+2398>:	
        je     0x7ffff73abad6 <slice_segment_header::read(bitreader*, decoder_context*, bool*)+2406>:	    je     0x7ffff73abad6 <slice_segment_header::read(bitreader*, decoder_context*, bool*)+2406>
       0x7ffff73abad0 <slice_segment_header::read(bitreader*, decoder_context*, bool*)+2400>:	
        jle    0x7ffff73b31dc <slice_segment_header::read(bitreader*, decoder_context*, bool*)+32876>:	    jle    0x7ffff73b31dc <slice_segment_header::read(bitreader*, decoder_context*, bool*)+32876>
       0x7ffff73abad6 <slice_segment_header::read(bitreader*, decoder_context*, bool*)+2406>:	mov    rax,QWORD PTR [rsp+0x10]
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffff3570 --> 0x0 
    0008| 0x7fffffff3578 --> 0x621000000100 --> 0x7ffff7565f30 --> 0x7ffff72719e0 (<decoder_context::~decoder_context()>:	endbr64)
    0016| 0x7fffffff3580 --> 0x100000001 --> 0x0 
    0024| 0x7fffffff3588 --> 0x61b000001c88 --> 0x617000000090 --> 0x100000000 --> 0x0 
    0032| 0x7fffffff3590 --> 0x7fffffff3780 --> 0x0 
    0040| 0x7fffffff3598 --> 0x7fffffff3620 --> 0x41b58ab3 
    0048| 0x7fffffff35a0 --> 0x61b000001ca0 --> 0xbebebe00 --> 0x0 
    0056| 0x7fffffff35a8 --> 0xfffffffe6c4 --> 0x0 
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGSEGV
    0x00007ffff73abac3 in slice_segment_header::read (
        this=this@entry=0x61b000001c80, br=br@entry=0x7fffffff3a40, 
        ctx=ctx@entry=0x621000000100, 
        continueDecoding=continueDecoding@entry=0x7fffffff3780)
        at /home/dh/sda3/AFLplusplus/libde265-master/libde265-master-afl++/libde265/slice.cc:390
    390	  if (!sps->sps_read) {
    
    

**This issue will cause Denial of Service attacks**

CVE-2021-35452: SEGV in slice.cc · Issue #298 · strukturag/libde265

A Null pointer dereference vulnerability exits in MP4Box - GPAC version 0.8.0-rev177-g51a8ef874-master via the gf_isom_get_track_id function, which causes a denial of service.

@@ -205,17 +205,11 @@ GF\_Err gf\_isom\_box\_parse\_ex(GF\_Box \*\*outBox, GF\_BitStream \*bs, u32 parent\_type,

  

newBox->size = size - hdr\_size;

  

if (newBox->size) {

e = gf\_isom\_full\_box\_read(newBox, bs);

if (!e) e = gf\_isom\_box\_read(newBox, bs);

newBox->size = size;

end = gf\_bs\_get\_position(bs);

} else {

newBox->size = size;

//empty box

e = GF\_OK;

end = gf\_bs\_get\_position(bs);

}

//parse even if size is 0 - this makes sure that we perform box parsing (usually in box->read)

e = gf\_isom\_full\_box\_read(newBox, bs);

if (!e) e = gf\_isom\_box\_read(newBox, bs);

newBox->size = size;

end = gf\_bs\_get\_position(bs);

  

if (e && (e != GF\_ISOM\_INCOMPLETE\_FILE)) {

gf\_isom\_box\_del(newBox);

CVE-2020-25427: fixed potential crash - cf #1406 · gpac/gpac@8e585e6

When running with FIPS mode enabled, Mirantis Container Runtime 20.10.8 leaks memory during TLS Handshakes which could be abused to cause a denial of service.

Permalink

**Memory Leak in Mirantis Container Runtime (MCR) running in FIPS mode causes a Denial of Service (DoS)****Release Date**

2022/01/10

**Overview**

When running with FIPS mode enabled, Mirantis Container Runtime leaks memory during TLS Handshakes which could be abused to cause a denial of service.

**Affected Products**

Mirantis Container Runtime (MCR) version 20.10.8

**Vulnerability Information****CVE Identifier**

CVE-2021-23218

**CVSSv3.1**

5.3 (Medium) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

**CWEs**

CWE-401

**Mitigations**

FIPS mode is not the default mode of operation

**Work arounds**

Disable FIPS mode

**Acknowledgements**

Found by Mirantis PSIRT

**Disclosure Timeline**

2022/01/10: public advisory released

2021/12/21: 20.10.8 released

2021/12/09: Mirantis PSIRT reported vulnerability to MCR team

CVE-2021-23218: security/0002.md at main · Mirantis/security

LibTIFF 4.3.0 has an out-of-bounds read in _TIFFmemcpy in tif_unix.c in certain situations involving a custom tag and 0x0200 as the second word of the DE field.

Skip to content

Open Issue created Jan 04, 2022 by **4ugustus@waugustus**Contributor

**tiffset: Global-buffer-overflow in \_TIFFmemcpy, tif\_unix.c:346**

Summary

There is a global buffer overflow in \_TIFFmemcpy in libtiff/tif\_unix.c:346. Remote attackers could leverage this vulnerability to cause a denial-of-service via a crafted tiff file.

Version

LIBTIFF, Version 4.3.0, commit id cd57b554 (Wed Dec 29 18:43:34 2021 +0000)

Steps to reproduce

    # ./build_asan/bin/tiffset -s 93 helloworld ./poc
    TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
    TIFFReadDirectory: Warning, Unknown field with tag 2 (0x2) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 0 (0x0) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 65280 (0xff00) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 250 (0xfa) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 9 (0x9) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 15 (0xf) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 65535 (0xffff) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 23901 (0x5d5d) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 93 (0x5d) encountered.
    TIFFReadDirectory: Warning, Unknown field with tag 58624 (0xe500) encountered.
    TIFFReadDirectory: Warning, Ignoring TransferFunction since BitsPerSample tag not found.
    TIFFReadDirectory: Warning, Invalid data type for tag StripByteCounts.
    TIFFReadDirectory: Warning, Invalid data type for tag TileOffsets.
    TIFFFetchStripThing: Warning, Incorrect count for "TileOffsets"; tag ignored.
    TIFFReadDirectory: Warning, Wrong "StripByteCounts" field, ignoring and calculating from imagelength.
    =================================================================
    ==62478==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000004030e7 at pc 0x7f851f5cb935 bp 0x7fff7a6c4d30 sp 0x7fff7a6c44d8
    READ of size 2053925041 at 0x0000004030e7 thread T0
        #0 0x7f851f5cb934 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c934)
        #1 0x7f851f2dd249 in _TIFFmemcpy /root/test4/libtiff/libtiff/tif_unix.c:346
        #2 0x7f851f1e398c in setByteArray /root/test4/libtiff/libtiff/tif_dir.c:54
        #3 0x7f851f1eaa9f in _TIFFVSetField /root/test4/libtiff/libtiff/tif_dir.c:592
        #4 0x7f851f1ed75d in TIFFVSetField /root/test4/libtiff/libtiff/tif_dir.c:890
        #5 0x7f851f1ed18d in TIFFSetField /root/test4/libtiff/libtiff/tif_dir.c:834
        #6 0x401ab0 in main /root/test4/libtiff/tools/tiffset.c:149
        #7 0x7f851ee0683f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
        #8 0x4012e8 in _start (/root/test4/libtiff/build_asan/bin/tiffset+0x4012e8)
    
    0x0000004030e7 is located 57 bytes to the left of global variable '*.LC0' defined in 'tiffset.c' (0x403120) of size 5
      '*.LC0' is ascii string '%s
    
    '
    0x0000004030e7 is located 0 bytes to the right of global variable 'usageMsg' defined in 'tiffset.c:49:19' (0x402f80) of size 359
      'usageMsg' is ascii string 'Set the value of a TIFF header to a specified value
    
    usage: tiffset [options] filename
    where options are:
     -s  <tagname> [count] <value>...   set the tag value
     -u  <tagname> to unset the tag
     -d  <dirno> set the directory
     -sd <diroff> set the subdirectory
     -sf <tagname> <filename>  read the tag value from file (for ASCII tags only)
     -h  this help screen
    '
    SUMMARY: AddressSanitizer: global-buffer-overflow ??:0 __asan_memcpy
    Shadow bytes around the buggy address:
      0x0000800785c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000800785d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000800785e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0000800785f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x000080078600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x000080078610: 00 00 00 00 00 00 00 00 00 00 00 00[07]f9 f9 f9
      0x000080078620: f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
      0x000080078630: 04 f9 f9 f9 f9 f9 f9 f9 03 f9 f9 f9 f9 f9 f9 f9
      0x000080078640: 03 f9 f9 f9 f9 f9 f9 f9 00 00 00 04 f9 f9 f9 f9
      0x000080078650: 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9
      0x000080078660: 03 f9 f9 f9 f9 f9 f9 f9 00 00 04 f9 f9 f9 f9 f9
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Heap right redzone:      fb
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack partial redzone:   f4
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
    ==62478==ABORTING

Platform

    # uname -a 
    Linux 37d1a8efe7bb 4.15.0-142-generic #146~16.04.1-Ubuntu SMP Tue Apr 13 09:27:15 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

POC File

tiffset\_poc

CVE-2022-22844: tiffset: Global-buffer-overflow in _TIFFmemcpy, tif_unix.c:346 (#355) · Issues · libtiff / libtiff · GitLab

A Pointer Dereference Vulnerability exists in GPAC 1.0.1 via the gf_fileio_check function, which could cause a Denial of Service.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   \[Yes \] I looked for a similar issue and couldn't find any.
*   \[ Yes\] I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   \[ Yes\] I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Version:**

    ./MP4Box -version
    MP4Box - GPAC version 1.1.0-DEV-rev1574-g8b22f0912-master
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
     GPAC Filters: https://doi.org/10.1145/3339825.3394929
     GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: 
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB
    

**command:**

    ./bin/gcc/MP4Box -par 1=4:3 POC13
    

POC13.zip

**Result**

**bt**

    Program received signal SIGSEGV, Segmentation fault.
    [----------------------------------registers-----------------------------------]
    RAX: 0x0 
    RBX: 0x5555555db320 --> 0x5dfd555e1548 
    RCX: 0x0 
    RDX: 0x0 
    RSI: 0x8a8000032c4 
    RDI: 0x5dfd555e1548 
    RBP: 0x5dfd555e1548 
    RSP: 0x7fffffff7fa8 --> 0x7ffff777227c (<gf_fseek+28>:	test   eax,eax)
    RIP: 0x7ffff77718e2 (<gf_fileio_check+50>:	mov    edx,DWORD PTR [rdi])
    R8 : 0x5555555e0e80 --> 0x7ffff76a11e0 --> 0x7ffff76a11d0 --> 0x7ffff76a11c0 --> 0x7ffff76a11b0 --> 0x7ffff76a11a0 (--> ...)
    R9 : 0x0 
    R10: 0x7ffff76d4625 ("gf_bs_write_long_int")
    R11: 0x7ffff77747d0 (<gf_bs_write_long_int>:	endbr64)
    R12: 0x8a8000032c4 
    R13: 0x0 
    R14: 0x7fffffff84b0 --> 0x0 
    R15: 0x7fffffff8010 --> 0x5555555c7060 --> 0x0
    EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x7ffff77718db <gf_fileio_check+43>:	je     0x7ffff77718f8 <gf_fileio_check+72>
       0x7ffff77718dd <gf_fileio_check+45>:	test   rdi,rdi
       0x7ffff77718e0 <gf_fileio_check+48>:	je     0x7ffff77718f8 <gf_fileio_check+72>
    => 0x7ffff77718e2 <gf_fileio_check+50>:	mov    edx,DWORD PTR [rdi]
       0x7ffff77718e4 <gf_fileio_check+52>:	test   edx,edx
       0x7ffff77718e6 <gf_fileio_check+54>:	jne    0x7ffff77718f8 <gf_fileio_check+72>
       0x7ffff77718e8 <gf_fileio_check+56>:	xor    eax,eax
       0x7ffff77718ea <gf_fileio_check+58>:	cmp    QWORD PTR [rdi+0x8],rdi
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffff7fa8 --> 0x7ffff777227c (<gf_fseek+28>:	test   eax,eax)
    0008| 0x7fffffff7fb0 --> 0x8a8000032c4 
    0016| 0x7fffffff7fb8 --> 0x0 
    0024| 0x7fffffff7fc0 --> 0x7fffffff84a0 --> 0x8a8 
    0032| 0x7fffffff7fc8 --> 0x7ffff77767f4 (<gf_bs_seek+452>:	mov    QWORD PTR [rbx+0x18],rbp)
    0040| 0x7fffffff7fd0 --> 0x5555555daa30 --> 0x0 
    0048| 0x7fffffff7fd8 --> 0x5555555db320 --> 0x5dfd555e1548 
    0056| 0x7fffffff7fe0 --> 0x0 
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGSEGV
    0x00007ffff77718e2 in gf_fileio_check () from /home/zxq/CVE_testing/project/gpac/bin/gcc/libgpac.so.10
    gdb-peda$ bt
    #0  0x00007ffff77718e2 in gf_fileio_check () from /home/zxq/CVE_testing/project/gpac/bin/gcc/libgpac.so.10
    #1  0x00007ffff777227c in gf_fseek () from /home/zxq/CVE_testing/project/gpac/bin/gcc/libgpac.so.10
    #2  0x00007ffff77767f4 in gf_bs_seek () from /home/zxq/CVE_testing/project/gpac/bin/gcc/libgpac.so.10
    #3  0x00007ffff7910c98 in inplace_shift_mdat () from /home/zxq/CVE_testing/project/gpac/bin/gcc/libgpac.so.10
    #4  0x00007ffff791549c in WriteToFile () from /home/zxq/CVE_testing/project/gpac/bin/gcc/libgpac.so.10
    #5  0x00007ffff7906432 in gf_isom_write () from /home/zxq/CVE_testing/project/gpac/bin/gcc/libgpac.so.10
    #6  0x00007ffff79064b8 in gf_isom_close () from /home/zxq/CVE_testing/project/gpac/bin/gcc/libgpac.so.10
    #7  0x000055555557bd12 in mp4boxMain ()
    #8  0x00007ffff74dc0b3 in __libc_start_main (main=0x55555556d420 <main>, argc=0x4, argv=0x7fffffffe338, init=<optimized out>, fini=<optimized out>, 
        rtld_fini=<optimized out>, stack_end=0x7fffffffe328) at ../csu/libc-start.c:308
    #9  0x000055555556d45e in _start ()

CVE-2021-46049: Untrusted pointer dereference in gf_fileio_check() · Issue #2013 · gpac/gpac

A Pointer Dereference Vulnerability exists in GPAC 1.0.1 via the Media_IsSelfContained function, which could cause a Denial of Service. .

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   \[Yes \] I looked for a similar issue and couldn't find any.
*   \[ Yes\] I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   \[ Yes\] I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Version:**

    ./MP4Box -version
    MP4Box - GPAC version 1.1.0-DEV-rev1574-g8b22f0912-master
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
     GPAC Filters: https://doi.org/10.1145/3339825.3394929
     GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: 
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB
    

**command:**

    ./bin/gcc/MP4Box -hint POC11
    

POC11.zip

**Result**

**bt**

    Program received signal SIGSEGV, Segmentation fault.
    [----------------------------------registers-----------------------------------]
    RAX: 0x5569555dfdc4 
    RBX: 0x1 
    RCX: 0x5555555e18c0 --> 0x3712 
    RDX: 0x4015 
    RSI: 0x1 
    RDI: 0x5555555e2840 --> 0x146d646975 
    RBP: 0x5555555e2840 --> 0x146d646975 
    RSP: 0x7fffffff7f70 --> 0x5555555e0e14 --> 0x4017 
    RIP: 0x7ffff79286ca (<Media_IsSelfContained+26>:	mov    rax,QWORD PTR [rax+0x30])
    R8 : 0x5555555e18c0 --> 0x3712 
    R9 : 0x7fffffff7f00 --> 0x2 
    R10: 0x7ffff76d927a ("gf_isom_box_size")
    R11: 0x7ffff76a0be0 --> 0x5555555e8770 --> 0x5555555e18d4 --> 0x640204c700000000 
    R12: 0x14 
    R13: 0x5555555e05c0 --> 0x73747363 ('csts')
    R14: 0x5555555e8740 --> 0x636f3648 ('H6oc')
    R15: 0x1
    EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x7ffff79286c3 <Media_IsSelfContained+19>:	push   rbx
       0x7ffff79286c4 <Media_IsSelfContained+20>:	mov    rax,QWORD PTR [rdi+0x40]
       0x7ffff79286c8 <Media_IsSelfContained+24>:	mov    ebx,esi
    => 0x7ffff79286ca <Media_IsSelfContained+26>:	mov    rax,QWORD PTR [rax+0x30]
       0x7ffff79286ce <Media_IsSelfContained+30>:	mov    r12,QWORD PTR [rax+0x48]
       0x7ffff79286d2 <Media_IsSelfContained+34>:	test   esi,esi
       0x7ffff79286d4 <Media_IsSelfContained+36>:	je     0x7ffff7928780 <Media_IsSelfContained+208>
       0x7ffff79286da <Media_IsSelfContained+42>:	test   r12,r12
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffff7f70 --> 0x5555555e0e14 --> 0x4017 
    0008| 0x7fffffff7f78 --> 0x5555555e8740 --> 0x636f3648 ('H6oc')
    0016| 0x7fffffff7f80 --> 0x14 
    0024| 0x7fffffff7f88 --> 0x7ffff790ffcb (<shift_chunk_offsets.part.0+75>:	test   eax,eax)
    0032| 0x7fffffff7f90 --> 0x5555555e2840 --> 0x146d646975 
    0040| 0x7fffffff7f98 --> 0x5555555e05c0 --> 0x73747363 ('csts')
    0048| 0x7fffffff7fa0 --> 0x0 
    0056| 0x7fffffff7fa8 --> 0x7fffffff7ff0 --> 0x5555555e8740 --> 0x636f3648 ('H6oc')
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGSEGV
    0x00007ffff79286ca in Media_IsSelfContained () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
    gdb-peda$ bt
    #0  0x00007ffff79286ca in Media_IsSelfContained () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
    #1  0x00007ffff790ffcb in shift_chunk_offsets.part () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
    #2  0x00007ffff79103a7 in inplace_shift_moov_meta_offsets () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
    #3  0x00007ffff7910e3c in inplace_shift_mdat () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
    #4  0x00007ffff7915009 in WriteToFile () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
    #5  0x00007ffff7906432 in gf_isom_write () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
    #6  0x00007ffff79064b8 in gf_isom_close () from /home/zxq/CVE_testing/source/gpac/bin/gcc/libgpac.so.10
    #7  0x000055555557bd12 in mp4boxMain ()
    #8  0x00007ffff74dc0b3 in __libc_start_main (main=0x55555556d420 <main>, argc=0x3, argv=0x7fffffffe388, init=<optimized out>, fini=<optimized out>, 
        rtld_fini=<optimized out>, stack_end=0x7fffffffe378) at ../csu/libc-start.c:308
    #9  0x000055555556d45e in _start ()

CVE-2021-46051: Untrusted pointer dereference in Media_IsSelfContained () · Issue #2011 · gpac/gpac

A Denial of Service vulnerability exists in Binaryen 104 due to an assertion abort in wasm::WasmBinaryBuilder::readFunctions.

    Program received signal SIGABRT, Aborted.
    [----------------------------------registers-----------------------------------]
    RAX: 0x0 
    RBX: 0x7ffff4416040 (0x00007ffff4416040)
    RCX: 0x7ffff446018b (<__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108])
    RDX: 0x0 
    RSI: 0x7fffffff9970 --> 0x0 
    RDI: 0x2 
    RBP: 0x7ffff45d5588 ("%s%s%s:%u: %s%sAssertion `%s' failed.\n%n")
    RSP: 0x7fffffff9970 --> 0x0 
    RIP: 0x7ffff446018b (<__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108])
    R8 : 0x0 
    R9 : 0x7fffffff9970 --> 0x0 
    R10: 0x8 
    R11: 0x246 
    R12: 0x7ffff7b29060 ("/home/zxq/CVE_testing/project/binaryen/src/wasm/wasm-binary.cpp")
    R13: 0x8d4 
    R14: 0x7ffff7b2b8e0 ("exceptionTargetNames.empty()")
    R15: 0x615000006200 --> 0x60300001aba0 --> 0x30246c6562616c ('label$0')
    EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x7ffff446017f <__GI_raise+191>:	mov    edi,0x2
       0x7ffff4460184 <__GI_raise+196>:	mov    eax,0xe
       0x7ffff4460189 <__GI_raise+201>:	syscall 
    => 0x7ffff446018b <__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108]
       0x7ffff4460193 <__GI_raise+211>:	xor    rax,QWORD PTR fs:0x28
       0x7ffff446019c <__GI_raise+220>:	jne    0x7ffff44601c4 <__GI_raise+260>
       0x7ffff446019e <__GI_raise+222>:	mov    eax,r8d
       0x7ffff44601a1 <__GI_raise+225>:	add    rsp,0x118
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffff9970 --> 0x0 
    0008| 0x7fffffff9978 --> 0x4cb020 (<free>:	push   rbp)
    0016| 0x7fffffff9980 --> 0xfbad8000 --> 0x0 
    0024| 0x7fffffff9988 --> 0x612000000340 --> 0x74706f2d63000001 
    0032| 0x7fffffff9990 --> 0x6120000003a5 ("Builder::readFunctions(): Assertion `exceptionTargetNames.empty()' failed.\n")
    0040| 0x7fffffff9998 --> 0x612000000340 --> 0x74706f2d63000001 
    0048| 0x7fffffff99a0 --> 0x612000000340 --> 0x74706f2d63000001 
    0056| 0x7fffffff99a8 --> 0x6120000003f0 --> 0x0 
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGABRT
    __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
    50	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    gdb-peda$ bt
    #0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
    #1  0x00007ffff443f859 in __GI_abort () at abort.c:79
    #2  0x00007ffff443f729 in __assert_fail_base (fmt=0x7ffff45d5588 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x7ffff7b2b8e0 <str> "exceptionTargetNames.empty()", 
        file=0x7ffff7b29060 <str> "/home/zxq/CVE_testing/project/binaryen/src/wasm/wasm-binary.cpp", line=0x8d4, function=<optimized out>) at assert.c:92
    #3  0x00007ffff4450f36 in __GI___assert_fail (assertion=0x7ffff7b2b8e0 <str> "exceptionTargetNames.empty()", file=0x7ffff7b29060 <str> "/home/zxq/CVE_testing/project/binaryen/src/wasm/wasm-binary.cpp", 
        line=0x8d4, function=0x7ffff7b2b840 <__PRETTY_FUNCTION__._ZN4wasm17WasmBinaryBuilder13readFunctionsEv> "void wasm::WasmBinaryBuilder::readFunctions()") at assert.c:101
    #4  0x00007ffff6ea794d in wasm::WasmBinaryBuilder::readFunctions (this=<optimized out>) at /home/zxq/CVE_testing/project/binaryen/src/wasm/wasm-binary.cpp:2260
    #5  0x00007ffff6e988a2 in wasm::WasmBinaryBuilder::read (this=0x7fffffffa6e0) at /home/zxq/CVE_testing/project/binaryen/src/wasm/wasm-binary.cpp:1426
    #6  0x00007ffff7046785 in wasm::ModuleReader::readBinaryData (this=<optimized out>, input=..., wasm=..., sourceMapFilename=<incomplete type>) at /home/zxq/CVE_testing/project/binaryen/src/wasm/wasm-io.cpp:63
    #7  0x00007ffff7046f76 in wasm::ModuleReader::readBinary (this=<optimized out>, filename=<incomplete type>, wasm=..., sourceMapFilename=<incomplete type>)
        at /home/zxq/CVE_testing/project/binaryen/src/wasm/wasm-io.cpp:74
    #8  0x00007ffff7047e1c in wasm::ModuleReader::read (this=<optimized out>, filename=<incomplete type>, wasm=..., sourceMapFilename=<incomplete type>)
        at /home/zxq/CVE_testing/project/binaryen/src/wasm/wasm-io.cpp:97
    #9  0x00000000006ae0ff in main (argc=<optimized out>, argv=<optimized out>) at /home/zxq/CVE_testing/project/binaryen/src/tools/wasm-opt.cpp:249
    #10 0x00007ffff44410b3 in __libc_start_main (main=0x6a6b70 <main(int, char const**)>, argc=0x2, argv=0x7fffffffe328, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, 
        stack_end=0x7fffffffe318) at ../csu/libc-start.c:308
    #11 0x0000000000452bde in _start () at /usr/bin/../lib/gcc/x86_64-linux-gnu/9/../../../../include/c++/9/iostream:74

Tag

#dos