ROPium v3.1 was discovered to contain an invalid memory address dereference via the find() function.

An issue was discovered in ROPium 3.1. An invalid memory address dereference was discovered in find(). The vulnerability causes a segmentation fault and application crash.

POC

    aidai@ubuntu:~/Desktop$ ropium
    
    ROPium - v3.1
    
    (ropium)> find                                                                  
    
    	[!] You must load a binary before finding ropchains
    
    (ropium)> load -a X64 aidai                                                     
    
    	[!] Skipped: aidai (file doesn't exist)
    
    (ropium)> find                                                                  
    Segmentation fault (core dumped)
    

    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ─────────────────────────────────[ REGISTERS ]──────────────────────────────────
     RAX  0x7
     RBX  0x1e26bf0 —▸ 0x1e105b0 —▸ 0x7f58fe11a900 —▸ 0x7f58fde45b90 ◂— mov    rax, qword ptr [rip + 0x2d50f9]
     RCX  0x0
     RDX  0x9
     RDI  0x1e26bf0 —▸ 0x1e105b0 —▸ 0x7f58fe11a900 —▸ 0x7f58fde45b90 ◂— mov    rax, qword ptr [rip + 0x2d50f9]
     RSI  0x0
     R8   0x2
     R9   0x0
     R10  0x100
     R11  0x7ffdeddde370 —▸ 0x7ffdeddde380 —▸ 0x1ecbee0 ◂— add    byte ptr [rax], al
     R12  0x1c509e0 ◂— add    byte ptr [rax], al
     R13  0x7ffdeddde640 ◂— 0x0
     R14  0x9
     R15  0x1c50a10 ◂— add    dword ptr [rax], eax
     RBP  0x1c509e0 ◂— add    byte ptr [rax], al
     RSP  0x7ffdeddde608 —▸ 0x7f58fdec0145 ◂— test   al, al
     RIP  0x7f58fdeb5c40 ◂— mov    ecx, dword ptr [rsi]
    ───────────────────────────────────[ DISASM ]───────────────────────────────────
     ► 0x7f58fdeb5c40    mov    ecx, dword ptr [rsi]
       0x7f58fdeb5c42    mov    eax, 1
       0x7f58fdeb5c47    cmp    ecx, 0x13
       0x7f58fdeb5c4a    je     0x7f58fdeb5c53
        ↓
       0x7f58fdeb5c53    ret    
     
       0x7f58fdeb5c55    nop    dword ptr [rax]
       0x7f58fdeb5c58    sub    edx, 7
       0x7f58fdeb5c5b    cmp    edx, 1
       0x7f58fdeb5c5e    setbe  al
       0x7f58fdeb5c61    ret    
     
       0x7f58fdeb5c62    nop    dword ptr [rax]
    ───────────────────────────────────[ STACK ]────────────────────────────────────
    00:0000│ rsp  0x7ffdeddde608 —▸ 0x7f58fdec0145 ◂— test   al, al
    01:0008│      0x7ffdeddde610 —▸ 0x7f58fa641950 ◂— or     dword ptr [rax], eax /* '\t' */
    02:0010│      0x7ffdeddde618 ◂— 0x2fa629d68
    03:0018│      0x7ffdeddde620 ◂— 0x0
    ... ↓
    06:0030│      0x7ffdeddde638 ◂— 0x56056b
    07:0038│ r13  0x7ffdeddde640 ◂— 0x0
    ─────────────────────────────────[ BACKTRACE ]──────────────────────────────────
     ► f 0     7f58fdeb5c40
       f 1     7f58fdec0145
       f 2     7f58fa641950
       f 3        2fa629d68
       f 4                0
    ────────────────────────────────────────────────────────────────────────────────

CVE-2021-45761: Invalid memory address dereference in find() · Issue #32 · Boyan-MILANOV/ropium

GPAC v1.1.0 was discovered to contain an invalid memory address dereference via the function gf_sg_vrml_mf_reset(). This vulnerability allows attackers to cause a Denial of Service (DoS).

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

An invalid memory address dereference was discovered in gf\_sg\_vrml\_mf\_reset(). The vulnerability causes a segmentation fault and application crash.

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration:
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

poc\_14.zip

**Result**

    ./MP4Box -lsr ./poc/poc_14
    [iso file] Box "stco" (start 2057) has 6144 extra bytes
    [iso file] Box "stco" is larger than container box
    [iso file] Box "stbl" size 1814 (start 415) invalid (read 7894)
    [iso file] Unknown box type 00040000 in parent dref
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Box "stss" (start 9939) has 32 extra bytes
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Track with no sample description box !
    [iso file] Incomplete box mdat - start 11495 size 859244
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] Box "stco" (start 2057) has 6144 extra bytes
    [iso file] Box "stco" is larger than container box
    [iso file] Box "stbl" size 1814 (start 415) invalid (read 7894)
    [iso file] Unknown box type 00040000 in parent dref
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Box "stss" (start 9939) has 32 extra bytes
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Track with no sample description box !
    [iso file] Incomplete box mdat - start 11495 size 859244
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 BIFS Scene Parsing
    [1]    250723 segmentation fault  ./MP4Box -lsr ./poc/poc_14
    

**gdb**

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff78a0d66 in gf_sg_vrml_mf_reset () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ───────────────────────────────[ REGISTERS ]────────────────────────────────
     RAX  0x0
     RBX  0x0
     RCX  0x7fffffff6160 ◂— 0x3f00000004
     RDX  0x8
     RDI  0x0
     RSI  0x3f
     R8   0x0
     R9   0x0
     R10  0x7ffff775c1f5 ◂— 'gf_sg_script_field_get_info'
     R11  0x7ffff788f770 (gf_sg_script_field_get_info) ◂— endbr64
     R12  0x7fffffff6160 ◂— 0x3f00000004
     R13  0x5555555deb80 ◂— 0x0
     R14  0x5555555dfbb0 —▸ 0x5555555dfbe0 ◂— 0x100000051 /* 'Q' */
     R15  0x1d61
     RBP  0x5555555d5d60 ◂— 0x0
     RSP  0x7fffffff6118 —▸ 0x7ffff790fbe2 (gf_bifs_dec_field+130) ◂— mov    r15d, eax
     RIP  0x7ffff78a0d66 (gf_sg_vrml_mf_reset+6) ◂— cmp    qword ptr [rdi + 8], 0
    ───────────────────────────────────────[ DISASM ]────────────────────────────────────────
     ► 0x7ffff78a0d66 <gf_sg_vrml_mf_reset+6>      cmp    qword ptr [rdi + 8], 0
       0x7ffff78a0d6b <gf_sg_vrml_mf_reset+11>     je     gf_sg_vrml_mf_reset+144
        <gf_sg_vrml_mf_reset+144>
        ↓
       0x7ffff78a0df0 <gf_sg_vrml_mf_reset+144>    ret
    
       0x7ffff78a0df1 <gf_sg_vrml_mf_reset+145>    nop    dword ptr [rax]
       0x7ffff78a0df8 <gf_sg_vrml_mf_reset+152>    mov    eax, dword ptr [rbp]
       0x7ffff78a0dfb <gf_sg_vrml_mf_reset+155>    mov    r13, qword ptr [rbp + 8]
       0x7ffff78a0dff <gf_sg_vrml_mf_reset+159>    test   eax, eax
       0x7ffff78a0e01 <gf_sg_vrml_mf_reset+161>    je     gf_sg_vrml_mf_reset+198
        <gf_sg_vrml_mf_reset+198>
        ↓
       0x7ffff78a0e26 <gf_sg_vrml_mf_reset+198>    mov    rdi, r13
       0x7ffff78a0e29 <gf_sg_vrml_mf_reset+201>    call   gf_free@plt                <gf_free@plt>
    
       0x7ffff78a0e2e <gf_sg_vrml_mf_reset+206>    jmp    gf_sg_vrml_mf_reset+100
        <gf_sg_vrml_mf_reset+100>
    ────────────────────────────────────────[ STACK ]────────────────────────────────────────
    00:0000│ rsp 0x7fffffff6118 —▸ 0x7ffff790fbe2 (gf_bifs_dec_field+130) ◂— mov    r15d, eax
    01:0008│     0x7fffffff6120 —▸ 0x7fffffff65b0 —▸ 0x5555555dfbb0 —▸ 0x5555555dfbe0 ◂— 0x100000051 /* 'Q' */
    02:0010│     0x7fffffff6128 —▸ 0x7fffffff65b0 —▸ 0x5555555dfbb0 —▸ 0x5555555dfbe0 ◂— 0x100000051 /* 'Q' */
    03:0018│     0x7fffffff6130 ◂— 0x0
    04:0020│     0x7fffffff6138 —▸ 0x5555555e0210 ◂— 0x3f00000000
    05:0028│     0x7fffffff6140 —▸ 0x7fffffff6160 ◂— 0x3f00000004
    06:0030│     0x7fffffff6148 —▸ 0x7fffffff65b0 —▸ 0x5555555dfbb0 —▸ 0x5555555dfbe0 ◂— 0x100000051 /* 'Q' */
    07:0038│     0x7fffffff6150 ◂— 0x1d61
    ──────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────
     ► f 0   0x7ffff78a0d66 gf_sg_vrml_mf_reset+6
       f 1   0x7ffff790fbe2 gf_bifs_dec_field+130
       f 2   0x7ffff7916f02 ParseScriptField+274
       f 3   0x7ffff7919c50 SFScript_Parse+1056
       f 4   0x7ffff790eb3c gf_bifs_dec_sf_field+1548
       f 5   0x7ffff790eff2 BD_DecMFFieldList+242
       f 6   0x7ffff790fac5 gf_bifs_dec_node_mask+421
       f 7   0x7ffff790e158 gf_bifs_dec_node+936
    ─────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  0x00007ffff78a0d66 in gf_sg_vrml_mf_reset () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #1  0x00007ffff790fbe2 in gf_bifs_dec_field () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #2  0x00007ffff7916f02 in ParseScriptField () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #3  0x00007ffff7919c50 in SFScript_Parse () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #4  0x00007ffff790eb3c in gf_bifs_dec_sf_field () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #5  0x00007ffff790eff2 in BD_DecMFFieldList () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #6  0x00007ffff790fac5 in gf_bifs_dec_node_mask () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #7  0x00007ffff790e158 in gf_bifs_dec_node () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #8  0x00007ffff790f3b4 in BD_DecMFFieldVec () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #9  0x00007ffff790f7f7 in gf_bifs_dec_node_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #10 0x00007ffff790e066 in gf_bifs_dec_node () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #11 0x00007ffff7906580 in BD_DecSceneReplace () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #12 0x00007ffff7914e5e in BM_SceneReplace () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #13 0x00007ffff7915023 in BM_ParseCommand () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #14 0x00007ffff7915353 in gf_bifs_decode_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #15 0x00007ffff7aa1d91 in gf_sm_load_run_isom () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #16 0x00005555555844a8 in dump_isom_scene ()
    #17 0x000055555557b42c in mp4boxMain ()
    #18 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe208, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe1f8) at ../csu/libc-start.c:308
    #19 0x000055555556c45e in _start ()

CVE-2021-45762: Invalid memory address dereference in gf_sg_vrml_mf_reset() · Issue #1978 · gpac/gpac

GPAC v1.1.0 was discovered to contain an invalid call in the function gf_node_changed(). This vulnerability can lead to a Denial of Service (DoS).

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

An invalid call was discovered in gf\_node\_changed(). The vulnerability causes a segmentation fault and application crash.

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration:
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

    ./MP4Box -bt ./poc/poc_11
    

poc\_11.zip

**Result**

    ./MP4Box -bt ./poc/poc_10
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type traI in parent moov
    [iso file] Box "stss" (start 9939) has 32 extra bytes
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Track with no sample description box !
    [iso file] Incomplete box mdat - start 11495 size 861261
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type traI in parent moov
    [iso file] Box "stss" (start 9939) has 32 extra bytes
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Track with no sample description box !
    [iso file] Incomplete box mdat - start 11495 size 861261
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 BIFS Scene Parsing
    [1]    1142870 segmentation fault  ./MP4Box -bt ./poc/poc_10
    

**gdb**

    Program received signal SIGSEGV, Segmentation fault.
    0x0000000000000001 in ?? ()
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x1
     RBX  0x7fffffff6bc0 ◂— 0x0
     RCX  0x7fffffff6bc0 ◂— 0x0
     RDX  0x5555555e6230 —▸ 0x5555555e6270 ◂— 0x0
     RDI  0x0
     RSI  0x1
     R8   0x0
     R9   0x0
     R10  0x7ffff775ba62 ◂— 'gf_node_changed'
     R11  0x7ffff784a0f0 (gf_node_changed) ◂— endbr64
     R12  0x5555555c6010 ◂— 0x200000002
     R13  0x5555555e5100 ◂— 0x0
     R14  0x5555555e6230 —▸ 0x5555555e6270 ◂— 0x0
     R15  0x7fffffff6bc0 ◂— 0x0
     RBP  0x5555555e6230 —▸ 0x5555555e6270 ◂— 0x0
     RSP  0x7fffffff6a88 —▸ 0x7ffff784a1ca (gf_node_changed+218) ◂— test   rbx, rbx
     RIP  0x1
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
    Invalid address 0x1
    
    
    
    
    
    
    
    
    
    
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff6a88 —▸ 0x7ffff784a1ca (gf_node_changed+218) ◂— test   rbx, rbx
    01:0008│     0x7fffffff6a90 ◂— 0x0
    ... ↓        3 skipped
    05:0028│     0x7fffffff6ab0 ◂— 0x7374636f /* 'octs' */
    06:0030│     0x7fffffff6ab8 —▸ 0x5555555e4fd0 ◂— 0x7374636f /* 'octs' */
    07:0038│     0x7fffffff6ac0 ◂— 0x2
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0              0x1
       f 1   0x7ffff784a1ca gf_node_changed+218
       f 2   0x7ffff784b675 gf_sg_reset+805
       f 3   0x7ffff784ba47 gf_sg_del+55
       f 4   0x7ffff788b7f8 gf_sg_proto_del+424
       f 5   0x7ffff7905f88 gf_bifs_dec_proto_list+680
       f 6   0x7ffff7913a11 BM_ParseInsert+769
       f 7   0x7ffff7914fe1 BM_ParseCommand+113
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  0x0000000000000001 in ?? ()
    #1  0x00007ffff784a1ca in gf_node_changed () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #2  0x00007ffff784b675 in gf_sg_reset () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #3  0x00007ffff784ba47 in gf_sg_del () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #4  0x00007ffff788b7f8 in gf_sg_proto_del () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #5  0x00007ffff7905f88 in gf_bifs_dec_proto_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #6  0x00007ffff7913a11 in BM_ParseInsert () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #7  0x00007ffff7914fe1 in BM_ParseCommand () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #8  0x00007ffff7915353 in gf_bifs_decode_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #9  0x00007ffff7aa1d91 in gf_sm_load_run_isom () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #10 0x00005555555844a8 in dump_isom_scene ()
    #11 0x000055555557b42c in mp4boxMain ()
    #12 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe1b8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe1a8) at ../csu/libc-start.c:308
    #13 0x000055555556c45e in _start ()
    

`break gf_node_changed`

    pwndbg>
    0x00007ffff784a1c8 in gf_node_changed () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x1
     RBX  0x7fffffff6bc0 ◂— 0x0
     RCX  0x7fffffff6bc0 ◂— 0x0
     RDX  0x5555555e6230 —▸ 0x5555555e6270 ◂— 0x0
     RDI  0x0
    *RSI  0x1
     R8   0x0
     R9   0x0
     R10  0x7ffff775ba62 ◂— 'gf_node_changed'
     R11  0x7ffff784a0f0 (gf_node_changed) ◂— endbr64
     R12  0x5555555c6010 ◂— 0x200000002
     R13  0x5555555e5100 ◂— 0x0
     R14  0x5555555e6230 —▸ 0x5555555e6270 ◂— 0x0
     R15  0x7fffffff6bc0 ◂— 0x0
     RBP  0x5555555e6230 —▸ 0x5555555e6270 ◂— 0x0
     RSP  0x7fffffff6a90 ◂— 0x0
    *RIP  0x7ffff784a1c8 (gf_node_changed+216) ◂— call   rax
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
       0x7ffff784a1b6 <gf_node_changed+198>    je     gf_node_changed+223                <gf_node_changed+223>
    
       0x7ffff784a1b8 <gf_node_changed+200>    mov    rdi, qword ptr [r12 + 0x28]
       0x7ffff784a1bd <gf_node_changed+205>    mov    rcx, rbx
       0x7ffff784a1c0 <gf_node_changed+208>    mov    rdx, rbp
       0x7ffff784a1c3 <gf_node_changed+211>    mov    esi, 1
     ► 0x7ffff784a1c8 <gf_node_changed+216>    call   rax                           <1>
    
       0x7ffff784a1ca <gf_node_changed+218>    test   rbx, rbx
       0x7ffff784a1cd <gf_node_changed+221>    je     gf_node_changed+233                <gf_node_changed+233>
    
       0x7ffff784a1cf <gf_node_changed+223>    mov    eax, dword ptr [rbx]
       0x7ffff784a1d1 <gf_node_changed+225>    sub    eax, 0x63
       0x7ffff784a1d4 <gf_node_changed+228>    and    eax, 0xfffffffd
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff6a90 ◂— 0x0
    ... ↓        3 skipped
    04:0020│     0x7fffffff6ab0 ◂— 0x7374636f /* 'octs' */
    05:0028│     0x7fffffff6ab8 —▸ 0x5555555e4fd0 ◂— 0x7374636f /* 'octs' */
    06:0030│     0x7fffffff6ac0 ◂— 0x2
    07:0038│     0x7fffffff6ac8 ◂— 0x8000000000000006
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff784a1c8 gf_node_changed+216
       f 1   0x7ffff784b675 gf_sg_reset+805
       f 2   0x7ffff784ba47 gf_sg_del+55
       f 3   0x7ffff788b7f8 gf_sg_proto_del+424
       f 4   0x7ffff7905f88 gf_bifs_dec_proto_list+680
       f 5   0x7ffff7913a11 BM_ParseInsert+769
       f 6   0x7ffff7914fe1 BM_ParseCommand+113
       f 7   0x7ffff7915353 gf_bifs_decode_command_list+163
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg>
    
    Program received signal SIGSEGV, Segmentation fault.
    0x0000000000000001 in ?? ()
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x1
     RBX  0x7fffffff6bc0 ◂— 0x0
     RCX  0x7fffffff6bc0 ◂— 0x0
     RDX  0x5555555e6230 —▸ 0x5555555e6270 ◂— 0x0
     RDI  0x0
     RSI  0x1
     R8   0x0
     R9   0x0
     R10  0x7ffff775ba62 ◂— 'gf_node_changed'
     R11  0x7ffff784a0f0 (gf_node_changed) ◂— endbr64
     R12  0x5555555c6010 ◂— 0x200000002
     R13  0x5555555e5100 ◂— 0x0
     R14  0x5555555e6230 —▸ 0x5555555e6270 ◂— 0x0
     R15  0x7fffffff6bc0 ◂— 0x0
     RBP  0x5555555e6230 —▸ 0x5555555e6270 ◂— 0x0
    *RSP  0x7fffffff6a88 —▸ 0x7ffff784a1ca (gf_node_changed+218) ◂— test   rbx, rbx
    *RIP  0x1
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
    Invalid address 0x1
    
    
    
    
    
    
    
    
    
    
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff6a88 —▸ 0x7ffff784a1ca (gf_node_changed+218) ◂— test   rbx, rbx
    01:0008│     0x7fffffff6a90 ◂— 0x0
    ... ↓        3 skipped
    05:0028│     0x7fffffff6ab0 ◂— 0x7374636f /* 'octs' */
    06:0030│     0x7fffffff6ab8 —▸ 0x5555555e4fd0 ◂— 0x7374636f /* 'octs' */
    07:0038│     0x7fffffff6ac0 ◂— 0x2
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0              0x1
       f 1   0x7ffff784a1ca gf_node_changed+218
       f 2   0x7ffff784b675 gf_sg_reset+805
       f 3   0x7ffff784ba47 gf_sg_del+55
       f 4   0x7ffff788b7f8 gf_sg_proto_del+424
       f 5   0x7ffff7905f88 gf_bifs_dec_proto_list+680
       f 6   0x7ffff7913a11 BM_ParseInsert+769
       f 7   0x7ffff7914fe1 BM_ParseCommand+113
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg>

CVE-2021-45763: Invalid call in gf_node_changed() · Issue #1974 · gpac/gpac

GPAC v1.1.0 was discovered to contain an invalid memory address dereference via the function gf_list_last(). This vulnerability allows attackers to cause a Denial of Service (DoS).

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

An invalid memory address dereference was discovered in dump\_od\_to\_saf.isra(). The vulnerability causes a segmentation fault and application crash.

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration:
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

poc\_3.zip

**Result**

    [ODF] Not enough bytes (38) to read descriptor (size=59)
    [ODF] Error reading descriptor (tag 4 size 49): Invalid MPEG-4 Descriptor
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Incomplete box mdat - start 11495 size 861263
    [iso file] Incomplete file while reading for dump - aborting parsing
    [ODF] Not enough bytes (38) to read descriptor (size=59)
    [ODF] Error reading descriptor (tag 4 size 49): Invalid MPEG-4 Descriptor
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Incomplete box mdat - start 11495 size 861263
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 BIFS Scene Parsing
    Scene loaded - dumping 2 systems streams
    [1]    1390552 segmentation fault  ./MP4Box -lsr ./poc/poc_3
    

**gdb**

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff7ab7e3b in dump_od_to_saf.isra () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x0
     RBX  0x5555555df630 —▸ 0x5555555df601 ◂— 0x2100000000000000
     RCX  0x0
     RDX  0x7ffff72bf040 ◂— 0x7ffff72bf040
     RDI  0x5555555e0400 ◂— 0xfbad2c84
     RSI  0x5555555df440 ◂— 0x7
     R8   0x0
     R9   0x23
     R10  0x7ffff7e4690b ◂— 0x7473200000000022 /* '"' */
     R11  0x7fffffff70c7 ◂— 0x4d0552ab398a0031 /* '1' */
     R12  0x0
     R13  0x5555555df4d0 ◂— 0x0
     R14  0x5555555df070 —▸ 0x5555555e0400 ◂— 0xfbad2c84
     R15  0x5555555dfcb0 ◂— 0x700010003
     RBP  0x1
     RSP  0x7fffffff7200 —▸ 0x5555555df8a0 ◂— 0xc0
     RIP  0x7ffff7ab7e3b (dump_od_to_saf.isra+299) ◂— movzx  edx, byte ptr [rax + 8]
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
     ► 0x7ffff7ab7e3b <dump_od_to_saf.isra+299>    movzx  edx, byte ptr [rax + 8]
       0x7ffff7ab7e3f <dump_od_to_saf.isra+303>    mov    ecx, dword ptr [rax + 4]
       0x7ffff7ab7e42 <dump_od_to_saf.isra+306>    xor    eax, eax
       0x7ffff7ab7e44 <dump_od_to_saf.isra+308>    mov    r8d, dword ptr [rsi + 0x18]
       0x7ffff7ab7e48 <dump_od_to_saf.isra+312>    lea    rsi, [rip + 0x38eac1]
       0x7ffff7ab7e4f <dump_od_to_saf.isra+319>    call   gf_fprintf@plt                <gf_fprintf@plt>
    
       0x7ffff7ab7e54 <dump_od_to_saf.isra+324>    mov    rdx, qword ptr [r13]
       0x7ffff7ab7e58 <dump_od_to_saf.isra+328>    mov    r9, qword ptr [rsp]
       0x7ffff7ab7e5c <dump_od_to_saf.isra+332>    test   rdx, rdx
       0x7ffff7ab7e5f <dump_od_to_saf.isra+335>    jne    dump_od_to_saf.isra+464                <dump_od_to_saf.isra+464>
    
       0x7ffff7ab7e61 <dump_od_to_saf.isra+337>    mov    rdi, qword ptr [r14]
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff7200 —▸ 0x5555555df8a0 ◂— 0xc0
    01:0008│     0x7fffffff7208 ◂— 0x100000002
    02:0010│     0x7fffffff7210 —▸ 0x5555555dfa50 —▸ 0x5555555dfde0 ◂— 0x0
    03:0018│     0x7fffffff7218 ◂— 0x0
    04:0020│     0x7fffffff7220 —▸ 0x5555555dfa50 —▸ 0x5555555dfde0 ◂— 0x0
    05:0028│     0x7fffffff7228 ◂— 0x0
    06:0030│     0x7fffffff7230 ◂— 0x0
    07:0038│     0x7fffffff7238 —▸ 0x5555555df4d0 ◂— 0x0
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff7ab7e3b dump_od_to_saf.isra+299
       f 1   0x7ffff7ac282d gf_sm_dump+1853
       f 2   0x555555584418 dump_isom_scene+616
       f 3   0x55555557b42c mp4boxMain+9228
       f 4   0x7ffff75630b3 __libc_start_main+243
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  0x00007ffff7ab7e3b in dump_od_to_saf.isra () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #1  0x00007ffff7ac282d in gf_sm_dump () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #2  0x0000555555584418 in dump_isom_scene ()
    #3  0x000055555557b42c in mp4boxMain ()
    #4  0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe188, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe178) at ../csu/libc-start.c:308
    #5  0x000055555556c45e in _start ()

CVE-2021-45760: Invalid memory address dereference in dump_od_to_saf.isra() · Issue #1966 · gpac/gpac

The binary MP4Box in Gpac 1.0.1 has a double-free vulnerability in the gf_text_get_utf8_line function in load_text.c, which allows attackers to cause a denial of service, even code execution and escalation of privileges.

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...).

Hi, there.

There is a buffer overflow in gf\_text\_get\_utf8\_line, in commit 592ba26 that results in system abort (core dumped).

Here is my environment, compiler info and gpac version:

    Distributor ID:	Ubuntu
    Description:	Ubuntu 16.04.6 LTS
    Release:	16.04
    Codename:	xenial
    gcc: 5.4.0
    
    MP4Box - GPAC version 1.1.0-DEV-rev1170-g592ba26-master
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    	MINI build (encoders, decoders, audio and video output disabled)
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --static-bin --enable-debug
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D
    

To reproduce, run

POC:  
poc.zip  
(unzip first)

This is the output of the program:

    *** stack smashing detected ***: <unknown> terminated
    Aborted (core dumped)
    

Here is the trace reported by gdb (the stack is smashed):

    Stopped reason: SIGABRT
    gef➤  bt
    #0  0x0000000001f15d08 in raise ()
    #1  0x0000000001f15f3a in abort ()
    #2  0x0000000001f24ed6 in __libc_message ()
    #3  0x0000000001f70a92 in __fortify_fail ()
    #4  0x0000000001f70a3e in __stack_chk_fail ()
    #5  0x000000000127f3ad in gf_text_get_utf8_line (szLine=<optimized out>, lineSize=<optimized out>, txt_in=<optimized out>, unicode_type=0x0) at /mnt/data/playground/gpac/src/filters/load_text.c:337
    #6  0xc2657485c3a5c37e in ?? ()
    #7  0xbcc3739fc3314583 in ?? ()
    #8  0x0748654e86c3aac3 in ?? ()
    ....
    #14 0x609ec3a0c3a7c26e in ?? ()
    #15 0x11bdcd643758a5c3 in ?? ()
    #16 0x00000000009ac35e in gf_isom_load_extra_boxes (movie=0xc53f89c4114aacc2, moov_boxes=<optimized out>, moov_boxes_size=<optimized out>, udta_only=(unknown: 2747429506)) at /mnt/data/playground/gpac/src/isomedia/isom_write.c:615
    #17 0x0000000000000000 in ?? ()

CVE-2021-40574: System abort (Core dumped) caused by buffer overflow using MP4Box in gf_text_get_utf8_line · Issue #1897 · gpac/gpac

The binary MP4Box in Gpac 1.0.1 has a double-free bug in the av1dmx_finalize function in reframe_av1.c, which allows attackers to cause a denial of service.

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...).

Hi, there.

There is a segmentation fault in av1dmx\_finalize, reframe\_av1.c:1075 in commit 592ba26 caused by double free issue.

Here is my environment, compiler info and gpac version:

    Distributor ID:	Ubuntu
    Description:	Ubuntu 16.04.6 LTS
    Release:	16.04
    Codename:	xenial
    gcc: 5.4.0
    
    MP4Box - GPAC version 1.1.0-DEV-rev1170-g592ba26-master
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    	MINI build (encoders, decoders, audio and video output disabled)
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --static-bin --enable-debug
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D
    

To reproduce, run

POC:  
poc.zip  
(unzip first)

Here is the trace reported by gdb:

    Stopped reason: SIGABRT
    gef➤  bt
    #0  0x0000000001f15d08 in raise ()
    #1  0x0000000001f15f3a in abort ()
    #2  0x0000000001f24ed6 in __libc_message ()
    #3  0x0000000001f2da76 in _int_free ()
    #4  0x0000000001f31af7 in free ()
    #5  0x000000000053de4d in gf_free (ptr=<optimized out>) at /mnt/data/playground/gpac/src/utils/alloc.c:165
    #6  0x00000000013e3d4d in av1dmx_finalize (filter=<optimized out>) at /mnt/data/playground/gpac/src/filters/reframe_av1.c:1075
    #7  0x0000000000f9949c in gf_fs_del (fsess=fsess@entry=0x248c220) at /mnt/data/playground/gpac/src/filter_core/filter_session.c:646
    #8  0x0000000000c1a86a in gf_media_import (importer=importer@entry=0x7fffffff5bf0) at /mnt/data/playground/gpac/src/media_tools/media_import.c:1242
    #9  0x0000000000497345 in convert_file_info (inName=0x7fffffffe159 "tmp", trackID=0x0) at /mnt/data/playground/gpac/applications/mp4box/fileimport.c:128
    #10 0x0000000000456aaa in mp4boxMain (argc=<optimized out>, argv=<optimized out>) at /mnt/data/playground/gpac/applications/mp4box/main.c:5925
    #11 0x0000000001f06bb6 in generic_start_main ()
    #12 0x0000000001f071a5 in __libc_start_main ()
    #13 0x000000000041c4e9 in _start ()

CVE-2021-40572: Segmentation fault caused by double free using mp4box in av1dmx_finalize, reframe_av1.c:1075 · Issue #1893 · gpac/gpac

The binary MP4Box in Gpac 1.0.1 has a null pointer dereference vulnerability in the mpgviddmx_process function in reframe_mpgvid.c, which allows attackers to cause a denial of service. This vulnerability is possibly due to an incomplete fix for CVE-2021-40566.

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...).

Hi, there.

There is a segmentation fault caused by null pointer dereference in mpgviddmx\_process, reframe\_mpgvid.c:643 in commit d003a57. It seems to be an incomplete fix of issue #1887 and causes another problem.

Here is my environment, compiler info and gpac version:

    Distributor ID:	Ubuntu
    Description:	Ubuntu 16.04.6 LTS
    Release:	16.04
    Codename:	xenial
    gcc: 5.4.0
    
    MP4Box - GPAC version 1.1.0-DEV-rev1191-g55d6dbc-master
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    	MINI build (encoders, decoders, audio and video output disabled)
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --static-bin --enable-debug
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D
    

To reproduce, run

POC:  
poc.zip  
(unzip first)

Here is the trace reported by gdb:

    Stopped reason: SIGSEGV
    gef➤  bt
    #0  0x000000000141a950 in memcpy (__len=0xffffffffffffffff, __src=0x24ada59, __dest=0x24a5770) at /usr/include/x86_64-linux-gnu/bits/string3.h:53
    #1  mpgviddmx_process (filter=0x24a0bd0) at /mnt/data/playground/gpac/src/filters/reframe_mpgvid.c:643
    #2  0x0000000000fe3e78 in gf_filter_process_task (task=0x2492f30) at /mnt/data/playground/gpac/src/filter_core/filter.c:2441
    #3  0x0000000000f7ab69 in gf_fs_thread_proc (sess_thread=sess_thread@entry=0x248c2b0) at /mnt/data/playground/gpac/src/filter_core/filter_session.c:1640
    #4  0x0000000000f927b8 in gf_fs_run (fsess=fsess@entry=0x248c220) at /mnt/data/playground/gpac/src/filter_core/filter_session.c:1877
    #5  0x0000000000c17c8b in gf_media_import (importer=importer@entry=0x7fffffff5bf0) at /mnt/data/playground/gpac/src/media_tools/media_import.c:1178
    #6  0x0000000000497345 in convert_file_info (inName=0x7fffffffe15b "tmp", trackID=0x0) at /mnt/data/playground/gpac/applications/mp4box/fileimport.c:128
    #7  0x0000000000456aaa in mp4boxMain (argc=<optimized out>, argv=<optimized out>) at /mnt/data/playground/gpac/applications/mp4box/main.c:5925
    #8  0x0000000001f06976 in generic_start_main ()
    #9  0x0000000001f06f65 in __libc_start_main ()
    #10 0x000000000041c4e9 in _start ()
    

Here is the trace reported by ASAN:

    ==29762==ERROR: AddressSanitizer: negative-size-param: (size=-1)
         #0 0x7fdaf42ff813  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79813)
         #1 0x7fdaf2897f1c in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34
         #2 0x7fdaf2897f1c in mpgviddmx_process /playground/gpac/src/filters/reframe_mpgvid.c:643
         #3 0x7fdaf254efa0 in gf_filter_process_task /playground/gpac/src/filter_core/filter.c:2441
         #4 0x7fdaf250f0e2 in gf_fs_thread_proc /playground/gpac/src/filter_core/filter_session.c:1640
         #5 0x7fdaf2519fb0 in gf_fs_run /playground/gpac/src/filter_core/filter_session.c:1877
         #6 0x7fdaf1ff21f5 in gf_media_import /playground/gpac/src/media_tools/media_import.c:1178
         #7 0x55ce40c3484f in convert_file_info /playground/gpac/applications/mp4box/fileimport.c:128
         #8 0x55ce40c07635 in mp4boxMain /playground/gpac/applications/mp4box/main.c:5925
         #9 0x7fdaef9a6bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
         #10 0x55ce40be83f9 in _start (/playground/gpac/build-a/bin/gcc/MP4Box+0x873f9)
     
     0x622000007489 is located 0 bytes to the right of 5001-byte region [0x622000006100,0x622000007489)
     allocated by thread T0 here:
         #0 0x7fdaf4364b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
         #1 0x7fdaf26a0289 in filein_initialize /playground/gpac/src/filters/in_file.c:193
         #2 0x7fdaf253b0f0 in gf_filter_new_finalize /playground/gpac/src/filter_core/filter.c:425
         #3 0x7fdaf253f294 in gf_filter_new /playground/gpac/src/filter_core/filter.c:382
         #4 0x7fdaf2519310 in gf_fs_load_source_dest_internal /playground/gpac/src/filter_core/filter_session.c:2833
         #5 0x7fdaf2524a82 in gf_fs_load_source /playground/gpac/src/filter_core/filter_session.c:2873
         #6 0x7fdaf1ff21a6 in gf_media_import /playground/gpac/src/media_tools/media_import.c:1165
         #7 0x55ce40c3484f in convert_file_info /playground/gpac/applications/mp4box/fileimport.c:128
         #8 0x55ce40c07635 in mp4boxMain /playground/gpac/applications/mp4box/main.c:5925
         #9 0x7fdaef9a6bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
     
     SUMMARY: AddressSanitizer: negative-size-param (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79813) 
     ==29762==ABORTING

CVE-2021-40575: Segmentation fault casued by null pointer dereference using mp4box in mpgviddmx_process, reframe_mpgvid.c:643 · Issue #1905 · gpac/gpac

A Segmentation fault casued by heap use after free vulnerability exists in Gpac through 1.0.1 via the mpgviddmx_process function in reframe_mpgvid.c when using mp4box, which causes a denial of service.

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...).

Hi, there.

There is a segmentation fault caused by null pointer dereference in mpgviddmx\_process, reframe\_mpgvid.c:851 in commit 592ba26.

Here is my environment, compiler info and gpac version:

    Distributor ID:	Ubuntu
    Description:	Ubuntu 16.04.6 LTS
    Release:	16.04
    Codename:	xenial
    gcc: 5.4.0
    
    MP4Box - GPAC version 1.1.0-DEV-rev1170-g592ba26-master
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    	MINI build (encoders, decoders, audio and video output disabled)
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --static-bin --enable-debug
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D
    

To reproduce, run

POC:  
poc.zip  
(unzip first)

Here is the trace reported by gdb:

    Stopped reason: SIGSEGV
    gef➤  bt
    #0  0x0000000000cf5a9b in memcpy ()
    #1  0x00000000008a24a7 in mpgviddmx_process (filter=0x124cbd0) at /mnt/data/playground/gpac/src/filters/reframe_mpgvid.c:851
    #2  0x00000000007480a0 in gf_filter_process_task (task=0x123a0e0) at /mnt/data/playground/gpac/src/filter_core/filter.c:2441
    #3  0x000000000073798c in gf_fs_thread_proc (sess_thread=0x12382b0) at /mnt/data/playground/gpac/src/filter_core/filter_session.c:1640
    #4  0x0000000000738305 in gf_fs_run (fsess=0x1238220) at /mnt/data/playground/gpac/src/filter_core/filter_session.c:1877
    #5  0x00000000006571ea in gf_media_import (importer=0x7fffffff5c20) at /mnt/data/playground/gpac/src/media_tools/media_import.c:1178
    #6  0x000000000042cdf9 in convert_file_info (inName=0x7fffffffe163 "tmp", trackID=0x0) at /mnt/data/playground/gpac/applications/mp4box/fileimport.c:128
    #7  0x00000000004168c3 in mp4boxMain (argc=0x3, argv=0x7fffffffdde8) at /mnt/data/playground/gpac/applications/mp4box/main.c:5925
    #8  0x0000000000418d6b in main (argc=0x3, argv=0x7fffffffdde8) at /mnt/data/playground/gpac/applications/mp4box/main.c:6455
    #9  0x0000000000caaa06 in generic_start_main ()
    #10 0x0000000000caaff5 in __libc_start_main ()
    #11 0x0000000000403f39 in _start ()
    
    

The reason for this bug is that the program does not check the nullity of the pointer before copy memory to it.  
![image](https://user-images.githubusercontent.com/7632714/130580112-09339006-e245-4ade-8697-da5e6fab037d.png)

CVE-2021-40566: Segmentation fault casued by heap use after free using mp4box in mpgviddmx_process, reframe_mpgvid.c:851 · Issue #1887 · gpac/gpac

A Segmentation fault caused by a null pointer dereference vulnerability exists in Gpac through 1.0.1 via the gf_avc_parse_nalu function in av_parsers.c when using mp4box, which causes a denial of service.

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...).

Hi, there.

There is a segmentation fault caused by nod in gf\_avc\_parse\_nalu, av\_parsers.c:6112 in commit 592ba26.

Here is my environment, compiler info and gpac version:

    Distributor ID:	Ubuntu
    Description:	Ubuntu 16.04.6 LTS
    Release:	16.04
    Codename:	xenial
    gcc: 5.4.0
    
    MP4Box - GPAC version 1.1.0-DEV-rev1170-g592ba26-master
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    	MINI build (encoders, decoders, audio and video output disabled)
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --static-bin --enable-debug
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D
    

To reproduce, run

POC:  
poc.zip  
(unzip first)

Program output:

    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] corrupted exp-golomb code, 32 leading zeros, max 31 allowed !
    [Core] corrupted exp-golomb code, 32 leading zeros, max 31 allowed !
    [Core] corrupted exp-golomb code, 32 leading zeros, max 31 allowed !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] corrupted exp-golomb code, 32 leading zeros, max 31 allowed !
    [Core] corrupted exp-golomb code, 32 leading zeros, max 31 allowed !
    [Core] corrupted exp-golomb code, 32 leading zeros, max 31 allowed !
    [Core] corrupted exp-golomb code, 32 leading zeros, max 31 allowed !
    [Core] corrupted exp-golomb code, 32 leading zeros, max 31 allowed !
    Segmentation fault (core dumped)
    

Here is the trace reported by gdb:

    Stopped reason: SIGSEGV
    gef➤  bt
    #0  0x0000000000bd0648 in gf_avc_parse_nalu (bs=<optimized out>, avc=0x24ae050) at /mnt/data/playground/gpac/src/media_tools/av_parsers.c:6112
    #1  0x000000000144109d in naludmx_parse_nal_avc (is_islice=<synthetic pointer>, is_slice=<synthetic pointer>, skip_nal=<synthetic pointer>, nal_type=0x4, size=0x3b, data=0x2491e67 "$1", ctx=0x24ada70) at /mnt/data/playground/gpac/src/filters/reframe_nalu.c:2348
    #2  naludmx_process (filter=0x24a0bd0) at /mnt/data/playground/gpac/src/filters/reframe_nalu.c:2874
    #3  0x0000000000fe4c18 in gf_filter_process_task (task=0x248d520) at /mnt/data/playground/gpac/src/filter_core/filter.c:2441
    #4  0x0000000000f7b909 in gf_fs_thread_proc (sess_thread=sess_thread@entry=0x248c2b0) at /mnt/data/playground/gpac/src/filter_core/filter_session.c:1640
    #5  0x0000000000f93558 in gf_fs_run (fsess=fsess@entry=0x248c220) at /mnt/data/playground/gpac/src/filter_core/filter_session.c:1877
    #6  0x0000000000c18b4b in gf_media_import (importer=importer@entry=0x7fffffff5bf0) at /mnt/data/playground/gpac/src/media_tools/media_import.c:1178
    #7  0x0000000000497345 in convert_file_info (inName=0x7fffffffe159 "tmp", trackID=0x0) at /mnt/data/playground/gpac/applications/mp4box/fileimport.c:128
    #8  0x0000000000456aaa in mp4boxMain (argc=<optimized out>, argv=<optimized out>) at /mnt/data/playground/gpac/applications/mp4box/main.c:5925
    #9  0x0000000001f06bb6 in generic_start_main ()
    #10 0x0000000001f071a5 in __libc_start_main ()
    #11 0x000000000041c4e9 in _start ()

CVE-2021-40565: Segmentation fault caused by null pointer dereference using mp4box in gf_avc_parse_nalu, av_parsers.c:6112 · Issue #1902 · gpac/gpac

A Segmentation fault caused by null pointer dereference vulnerability eists in Gpac through 1.0.2 via the avc_parse_slice function in av_parsers.c when using mp4box, which causes a denial of service.

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...).

Hi, there.

There is a segmentation fault caused by null pointer dereference in avc\_parse\_slice, av\_parsers.c:5678 in commit 592ba26.

Here is my environment, compiler info and gpac version:

    Distributor ID:	Ubuntu
    Description:	Ubuntu 16.04.6 LTS
    Release:	16.04
    Codename:	xenial
    gcc: 5.4.0
    
    MP4Box - GPAC version 1.1.0-DEV-rev1170-g592ba26-master
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    	MINI build (encoders, decoders, audio and video output disabled)
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --static-bin --enable-debug
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D
    

To reproduce, run

POC:  
poc.zip  
(unzip first)

Here is the trace reported by gdb:

    Stopped reason: SIGSEGV
    gef➤  bt
    #0  0x0000000000bcd59d in avc_parse_slice (svc_idr_flag=GF_FALSE, si=0x7fffffff5020, avc=0x24ae050, bs=0x248df40) at /mnt/data/playground/gpac/src/media_tools/av_parsers.c:5678
    #1  gf_avc_parse_nalu (bs=0x248df40, avc=0x24ae050) at /mnt/data/playground/gpac/src/media_tools/av_parsers.c:6087
    #2  0x000000000144109d in naludmx_parse_nal_avc (is_islice=<synthetic pointer>, is_slice=<synthetic pointer>, skip_nal=<synthetic pointer>, nal_type=0x4, size=0x4f, data=0x2491e5b "$1\200", ctx=0x24ada70) at /mnt/data/playground/gpac/src/filters/reframe_nalu.c:2348
    #3  naludmx_process (filter=0x24a0bd0) at /mnt/data/playground/gpac/src/filters/reframe_nalu.c:2874
    #4  0x0000000000fe4c18 in gf_filter_process_task (task=0x248d520) at /mnt/data/playground/gpac/src/filter_core/filter.c:2441
    #5  0x0000000000f7b909 in gf_fs_thread_proc (sess_thread=sess_thread@entry=0x248c2b0) at /mnt/data/playground/gpac/src/filter_core/filter_session.c:1640
    #6  0x0000000000f93558 in gf_fs_run (fsess=fsess@entry=0x248c220) at /mnt/data/playground/gpac/src/filter_core/filter_session.c:1877
    #7  0x0000000000c18b4b in gf_media_import (importer=importer@entry=0x7fffffff5bf0) at /mnt/data/playground/gpac/src/media_tools/media_import.c:1178
    #8  0x0000000000497345 in convert_file_info (inName=0x7fffffffe159 "tmp", trackID=0x0) at /mnt/data/playground/gpac/applications/mp4box/fileimport.c:128
    #9  0x0000000000456aaa in mp4boxMain (argc=<optimized out>, argv=<optimized out>) at /mnt/data/playground/gpac/applications/mp4box/main.c:5925
    #10 0x0000000001f06bb6 in generic_start_main ()
    #11 0x0000000001f071a5 in __libc_start_main ()
    #12 0x000000000041c4e9 in _start ()
    

The reason for this bug is that the program does not check the nullity of the pointer.  
![image](https://user-images.githubusercontent.com/7632714/130955606-eefd9dbd-049a-48b2-ab9f-fa46197e9d99.png)

Tag

#ubuntu