A stack overflow vulnerability exists in gpac 1.1.0 via the gf_bifs_dec_proto_list function, which causes a segmentation fault and application crash.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

A stack overflow was discovered in gf\_bifs\_dec\_proto\_list(). The vulnerability causes a segmentation fault and application crash.

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration:
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

poc\_8.zip

**Result**

    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type stbk in parent minf
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Track with no sample table !
    [iso file] Track with no sample description box !
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 832544
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type stbk in parent minf
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Track with no sample table !
    [iso file] Track with no sample description box !
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 832544
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 BIFS Scene Parsing
    *** stack smashing detected ***: terminated
    [1]    3737450 abort      ./MP4Box -lsr ./poc/poc_8
    

**gdb**

    *** stack smashing detected ***: terminated
    
    Program received signal SIGABRT, Aborted.
    __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
    50      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x0
    *RBX  0x7ffff72bf040 ◂— 0x7ffff72bf040
    *RCX  0x7ffff758218b (raise+203) ◂— mov    rax, qword ptr [rsp + 0x108]
     RDX  0x0
    *RDI  0x2
    *RSI  0x7fffffff68a0 ◂— 0x0
    *R8   0x0
    *R9   0x7fffffff68a0 ◂— 0x0
    *R10  0x8
    *R11  0x246
    *R12  0x7fffffff6b20 ◂— 0x0
    *R13  0x20
    *R14  0x7ffff7ffb000 ◂— 0x202a2a2a00001000
    *R15  0x1
    *RBP  0x7fffffff6c20 —▸ 0x7ffff76f607c ◂— '*** %s ***: terminated\n'
    *RSP  0x7fffffff68a0 ◂— 0x0
    *RIP  0x7ffff758218b (raise+203) ◂— mov    rax, qword ptr [rsp + 0x108]
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
     ► 0x7ffff758218b <raise+203>    mov    rax, qword ptr [rsp + 0x108]
       0x7ffff7582193 <raise+211>    xor    rax, qword ptr fs:[0x28]
       0x7ffff758219c <raise+220>    jne    raise+260                <raise+260>
        ↓
       0x7ffff75821c4 <raise+260>    call   __stack_chk_fail                <__stack_chk_fail>
    
       0x7ffff75821c9                nop    dword ptr [rax]
       0x7ffff75821d0 <killpg>       endbr64
       0x7ffff75821d4 <killpg+4>     test   edi, edi
       0x7ffff75821d6 <killpg+6>     js     killpg+16                <killpg+16>
    
       0x7ffff75821d8 <killpg+8>     neg    edi
       0x7ffff75821da <killpg+10>    jmp    kill                <kill>
    
       0x7ffff75821df <killpg+15>    nop
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsi r9 rsp 0x7fffffff68a0 ◂— 0x0
    01:0008│            0x7fffffff68a8 —▸ 0x7ffff7546278 ◂— 0x10001200005bb2
    02:0010│            0x7fffffff68b0 —▸ 0x7fffffff6c40 —▸ 0x5555555df3b0 ◂— 0x6b6
    03:0018│            0x7fffffff68b8 —▸ 0x7ffff7fe7c2e ◂— mov    r11, rax
    04:0020│            0x7fffffff68c0 ◂— 0xcd2709f17adf5bb6
    05:0028│            0x7fffffff68c8 ◂— 0x0
    06:0030│            0x7fffffff68d0 ◂— 0x7
    07:0038│            0x7fffffff68d8 ◂— 0x1
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff758218b raise+203
       f 1   0x7ffff7561859 abort+299
       f 2   0x7ffff75cc3ee __libc_message+670
       f 3   0x7ffff766eb4a __fortify_fail+42
       f 4   0x7ffff766eb16
       f 5   0x7ffff79064bc gf_bifs_dec_proto_list+2012
       f 6 0xb6b6b6b6b6b6b6b6
       f 7 0xb6b6b6b6b6b6b6b6
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
    #1  0x00007ffff7561859 in __GI_abort () at abort.c:79
    #2  0x00007ffff75cc3ee in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff76f607c "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:155
    #3  0x00007ffff766eb4a in __GI___fortify_fail (msg=msg@entry=0x7ffff76f6064 "stack smashing detected") at fortify_fail.c:26
    #4  0x00007ffff766eb16 in __stack_chk_fail () at stack_chk_fail.c:24
    #5  0x00007ffff79064bc in gf_bifs_dec_proto_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #6  0xb6b6b6b6b6b6b6b6 in ?? ()
    #7  0xb6b6b6b6b6b6b6b6 in ?? ()
    #8  0xb6b6b6b6b6b6b6b6 in ?? ()
    #9  0xb6b6b6b6b6b6b6b6 in ?? ()
    #10 0xb6b6b6b6b6b6b6b6 in ?? ()
    #11 0xb6b6b6b6b6b6b6b6 in ?? ()
    #12 0xb6b6b6b6b6b6b6b6 in ?? ()
    #13 0xb6b6b6b6b6b6b6b6 in ?? ()
    #14 0xb6b6b6b6b6b6b6b6 in ?? ()
    #15 0xb6b6b6b6b6b6b6b6 in ?? ()
    #16 0xb6b6b6b6b6b6b6b6 in ?? ()
    #17 0xb6b6b6b6b6b6b6b6 in ?? ()
    #18 0xb6b6b6b6b6b6b6b6 in ?? ()
    #19 0xb6b6b6b6b6b6b6b6 in ?? ()
    #20 0xb6b6b6b6b6b6b6b6 in ?? ()
    #21 0xb6b6b6b6b6b6b6b6 in ?? ()
    #22 0xb6b6b6b6b6b6b6b6 in ?? ()
    #23 0xb6b6b6b6b6b6b6b6 in ?? ()
    #24 0xb6b6b6b6b6b6b6b6 in ?? ()
    #25 0xb6b6b6b6b6b6b6b6 in ?? ()
    #26 0xb6b6b6b6b6b6b6b6 in ?? ()
    #27 0xb6b6b6b6b6b6b6b6 in ?? ()
    #28 0xb6b6b6b6b6b6b6b6 in ?? ()
    #29 0xb6b6b6b6b6b6b6b6 in ?? ()
    #30 0xb6b6b6b6b6b6b6b6 in ?? ()
    #31 0xb6b6b6b6b6b6b6b6 in ?? ()
    #32 0xb6b6b6b6b6b6b6b6 in ?? ()
    #33 0xb6b6b6b6b6b6b6b6 in ?? ()
    #34 0xb6b6b6b6b6b6b6b6 in ?? ()
    #35 0xb6b6b6b6b6b6b6b6 in ?? ()
    #36 0xb6b6b6b6b6b6b6b6 in ?? ()
    #37 0xb6b6b6b6b6b6b6b6 in ?? ()
    #38 0xb6b6b6b6b6b6b6b6 in ?? ()
    #39 0xb6b6b6b6b6b6b6b6 in ?? ()
    #40 0xb6b6b6b6b6b6b6b6 in ?? ()
    #41 0xb6b6b6b6b6b6b6b6 in ?? ()
    #42 0xb6b6b6b6b6b6b6b6 in ?? ()
    #43 0xb6b6b6b6b6b6b6b6 in ?? ()
    #44 0xb6b6b6b6b6b6b6b6 in ?? ()
    #45 0xb6b6b6b6b6b6b6b6 in ?? ()
    #46 0xb6b6b6b6b6b6b6b6 in ?? ()
    #47 0xb6b6b6b6b6b6b6b6 in ?? ()
    #48 0xb6b6b6b6b6b6b6b6 in ?? ()
    #49 0xb6b6b6b6b6b6b6b6 in ?? ()
    #50 0xb6b6b6b6b6b6b6b6 in ?? ()
    #51 0xb6b6b6b6b6b6b6b6 in ?? ()
    #52 0xb6b6b6b6b6b6b6b6 in ?? ()
    #53 0xb6b6b6b6b6b6b6b6 in ?? ()
    #54 0xb6b6b6b6b6b6b6b6 in ?? ()
    #55 0xb6b6b6b6b6b6b6b6 in ?? ()
    #56 0xb6b6b6b6b6b6b6b6 in ?? ()
    #57 0xb6b6b6b6b6b6b6b6 in ?? ()
    #58 0xb6b6b6b6b6b6b6b6 in ?? ()
    #59 0xb6b6b6b6b6b6b6b6 in ?? ()
    #60 0xb6b6b6b6b6b6b6b6 in ?? ()
    #61 0xb6b6b6b6b6b6b6b6 in ?? ()
    #62 0xb6b6b6b6b6b6b6b6 in ?? ()
    #63 0xb6b6b6b6b6b6b6b6 in ?? ()
    #64 0xb6b6b6b6b6b6b6b6 in ?? ()
    #65 0xb6b6b6b6b6b6b6b6 in ?? ()
    #66 0xb6b6b6b6b6b6b6b6 in ?? ()
    #67 0xb6b6b6b6b6b6b6b6 in ?? ()
    #68 0xb6b6b6b6b6b6b6b6 in ?? ()
    #69 0xb6b6b6b6b6b6b6b6 in ?? ()
    #70 0xb6b6b6b6b6b6b6b6 in ?? ()
    #71 0xb6b6b6b6b6b6b6b6 in ?? ()
    #72 0xb6b6b6b6b6b6b6b6 in ?? ()
    #73 0xb6b6b6b6b6b6b6b6 in ?? ()
    #74 0xb6b6b6b6b6b6b6b6 in ?? ()
    #75 0xb6b6b6b6b6b6b6b6 in ?? ()
    #76 0xb6b6b6b6b6b6b6b6 in ?? ()
    #77 0xb6b6b6b6b6b6b6b6 in ?? ()
    #78 0xb6b6b6b6b6b6b6b6 in ?? ()
    #79 0xb6b6b6b6b6b6b6b6 in ?? ()
    #80 0xb6b6b6b6b6b6b6b6 in ?? ()
    #81 0xb6b6b6b6b6b6b6b6 in ?? ()
    #82 0xb6b6b6b6b6b6b6b6 in ?? ()
    #83 0xb6b6b6b6b6b6b6b6 in ?? ()
    #84 0xb6b6b6b6b6b6b6b6 in ?? ()
    #85 0xb6b6b6b6b6b6b6b6 in ?? ()
    #86 0xb6b6b6b6b6b6b6b6 in ?? ()
    #87 0xb6b6b6b6b6b6b6b6 in ?? ()
    #88 0xb6b6b6b6b6b6b6b6 in ?? ()
    #89 0xb6b6b6b6b6b6b6b6 in ?? ()
    #90 0xb6b6b6b6b6b6b6b6 in ?? ()
    #91 0xb6b6b6b6b6b6b6b6 in ?? ()
    #92 0xb6b6b6b6b6b6b6b6 in ?? ()
    #93 0xb6b6b6b6b6b6b6b6 in ?? ()
    #94 0xb6b6b6b6b6b6b6b6 in ?? ()
    #95 0xb6b6b6b6b6b6b6b6 in ?? ()
    #96 0xb6b6b6b6b6b6b6b6 in ?? ()
    #97 0xb6b6b6b6b6b6b6b6 in ?? ()
    #98 0x000080b6b6b6b6b6 in ?? ()
    #99 0x0000000000000002 in ?? ()
    #100 0x0000000000000044 in ?? ()
    #101 0x0000000000000008 in ?? ()
    #102 0x00005555555c7e60 in ?? ()
    #103 0x00005555555cf500 in ?? ()
    #104 0x0000000000000000 in ?? ()
    

`break gf_bifs_dec_proto_list`

    Breakpoint 1, 0x00007ffff7905ce0 in gf_bifs_dec_proto_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ──────────────────────────────────[ REGISTERS ]───────────────────────────────────
     RAX  0x1
     RBX  0x5555555d23b0 ◂— 0x0
     RCX  0x710
     RDX  0x5555555df2f0 ◂— 0x0
     RDI  0x5555555de660 ◂— 0x0
     RSI  0x5555555d23b0 ◂— 0x0
     R8   0x0
     R9   0x0
     R10  0x7ffff775bc80 ◂— 'gf_sg_command_new'
     R11  0x7ffff7727be0 (main_arena+96) —▸ 0x5555555df320 ◂— 0x0
     R12  0x5555555df2f0 ◂— 0x0
     R13  0x5555555df1d0 ◂— 0x0
     R14  0x5555555d42a0 ◂— 0x0
     R15  0x0
     RBP  0x5555555de660 ◂— 0x0
     RSP  0x7fffffff7168 —▸ 0x7ffff7906559 (BD_DecSceneReplace+73) ◂— mov    r12d, eax
     RIP  0x7ffff7905ce0 (gf_bifs_dec_proto_list) ◂— endbr64
    ────────────────────────────────────[ DISASM ]────────────────────────────────────
     ► 0x7ffff7905ce0 <gf_bifs_dec_proto_list>       endbr64
       0x7ffff7905ce4 <gf_bifs_dec_proto_list+4>     push   r15
       0x7ffff7905ce6 <gf_bifs_dec_proto_list+6>     push   r14
       0x7ffff7905ce8 <gf_bifs_dec_proto_list+8>     push   r13
       0x7ffff7905cea <gf_bifs_dec_proto_list+10>    mov    r13, rsi
       0x7ffff7905ced <gf_bifs_dec_proto_list+13>    mov    esi, 1
       0x7ffff7905cf2 <gf_bifs_dec_proto_list+18>    push   r12
       0x7ffff7905cf4 <gf_bifs_dec_proto_list+20>    push   rbp
       0x7ffff7905cf5 <gf_bifs_dec_proto_list+21>    push   rbx
       0x7ffff7905cf6 <gf_bifs_dec_proto_list+22>    sub    rsp, 0x488
       0x7ffff7905cfd <gf_bifs_dec_proto_list+29>    mov    rax, qword ptr [rdi + 0x50]
    ────────────────────────────────────[ STACK ]─────────────────────────────────────
    00:0000│ rsp 0x7fffffff7168 —▸ 0x7ffff7906559 (BD_DecSceneReplace+73) ◂— mov    r12d, eax
    01:0008│     0x7fffffff7170 —▸ 0x5555555de660 ◂— 0x0
    02:0010│     0x7fffffff7178 —▸ 0x5555555df250 —▸ 0x5555555d4030 ◂— 0x0
    03:0018│     0x7fffffff7180 —▸ 0x5555555d23b0 ◂— 0x0
    04:0020│     0x7fffffff7188 —▸ 0x5555555df1d0 ◂— 0x0
    05:0028│     0x7fffffff7190 —▸ 0x5555555d42a0 ◂— 0x0
    06:0030│     0x7fffffff7198 —▸ 0x7ffff7914e5e (BM_SceneReplace+110) ◂— mov    rsi,
     rbp
    07:0038│     0x7fffffff71a0 —▸ 0x5555555dea00 —▸ 0x5555555df1f0 —▸ 0x5555555df1a0 ◂— 0x0
    ──────────────────────────────────[ BACKTRACE ]───────────────────────────────────
     ► f 0   0x7ffff7905ce0 gf_bifs_dec_proto_list
       f 1   0x7ffff7906559 BD_DecSceneReplace+73
       f 2   0x7ffff7914e5e BM_SceneReplace+110
       f 3   0x7ffff7915023 BM_ParseCommand+179
       f 4   0x7ffff7915353 gf_bifs_decode_command_list+163
       f 5   0x7ffff7aa1d91 gf_sm_load_run_isom+1217
       f 6   0x5555555844a8 dump_isom_scene+760
       f 7   0x55555557b42c mp4boxMain+9228
    ──────────────────────────────────────────────────────────────────────────────────
    pwndbg> c
    Continuing.
    
    Breakpoint 1, 0x00007ffff7905ce0 in gf_bifs_dec_proto_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ──────────────────────────────────[ REGISTERS ]───────────────────────────────────
    *RAX  0x0
    *RBX  0x5555555df330 ◂— 0x6b6
    *RCX  0x5555555dfdf0 ◂— 0x0
    *RDX  0x0
     RDI  0x5555555de660 ◂— 0xfffffffd
     RSI  0x5555555d23b0 ◂— 0x0
    *R8   0x5555555dfda0 —▸ 0x5555555df330 ◂— 0x6b6
    *R9   0x7c
    *R10  0x7ffff775bf0a ◂— 'gf_sg_proto_get_graph'
    *R11  0x7ffff788b850 (gf_sg_proto_get_graph) ◂— endbr64
    *R12  0x5555555de660 ◂— 0xfffffffd
    *R13  0x5555555d23b0 ◂— 0x0
     R14  0x5555555d42a0 ◂— 0x0
    *R15  0x7fffffff6d40 ◂— 0xb6b6b6b6b6b6b6b6
    *RBP  0x6b6
    *RSP  0x7fffffff6ca8 —▸ 0x7ffff79062d7 (gf_bifs_dec_proto_list+1527) ◂— mov    dword ptr [rsp + 0x14], eax
     RIP  0x7ffff7905ce0 (gf_bifs_dec_proto_list) ◂— endbr64
    ────────────────────────────────────[ DISASM ]────────────────────────────────────
     ► 0x7ffff7905ce0 <gf_bifs_dec_proto_list>       endbr64
       0x7ffff7905ce4 <gf_bifs_dec_proto_list+4>     push   r15
       0x7ffff7905ce6 <gf_bifs_dec_proto_list+6>     push   r14
       0x7ffff7905ce8 <gf_bifs_dec_proto_list+8>     push   r13
       0x7ffff7905cea <gf_bifs_dec_proto_list+10>    mov    r13, rsi
       0x7ffff7905ced <gf_bifs_dec_proto_list+13>    mov    esi, 1
       0x7ffff7905cf2 <gf_bifs_dec_proto_list+18>    push   r12
       0x7ffff7905cf4 <gf_bifs_dec_proto_list+20>    push   rbp
       0x7ffff7905cf5 <gf_bifs_dec_proto_list+21>    push   rbx
       0x7ffff7905cf6 <gf_bifs_dec_proto_list+22>    sub    rsp, 0x488
       0x7ffff7905cfd <gf_bifs_dec_proto_list+29>    mov    rax, qword ptr [rdi + 0x50]
    ────────────────────────────────────[ STACK ]─────────────────────────────────────
    00:0000│ rsp 0x7fffffff6ca8 —▸ 0x7ffff79062d7 (gf_bifs_dec_proto_list+1527) ◂— mov
        dword ptr [rsp + 0x14], eax
    01:0008│     0x7fffffff6cb0 —▸ 0x7ffff775bc80 ◂— 'gf_sg_command_new'
    02:0010│     0x7fffffff6cb8 —▸ 0x5555555df330 ◂— 0x6b6
    03:0018│     0x7fffffff6cc0 ◂— 0xffff6d50
    04:0020│     0x7fffffff6cc8 —▸ 0x5555555de660 ◂— 0xfffffffd
    05:0028│     0x7fffffff6cd0 —▸ 0x5555555df2f0 —▸ 0x5555555dfda0 —▸ 0x5555555df330 ◂— 0x6b6
    06:0030│     0x7fffffff6cd8 —▸ 0x5555555d4030 ◂— 0x0
    07:0038│     0x7fffffff6ce0 ◂— 0x0
    ──────────────────────────────────[ BACKTRACE ]───────────────────────────────────
     ► f 0   0x7ffff7905ce0 gf_bifs_dec_proto_list
       f 1   0x7ffff79062d7 gf_bifs_dec_proto_list+1527
       f 2 0xb6b6b6b6b6b6b6b6
       f 3 0xb6b6b6b6b6b6b6b6
       f 4 0xb6b6b6b6b6b6b6b6
       f 5 0xb6b6b6b6b6b6b6b6
       f 6 0xb6b6b6b6b6b6b6b6
       f 7 0xb6b6b6b6b6b6b6b6
    ──────────────────────────────────────────────────────────────────────────────────
    pwndbg> stack 200
    00:0000│ rsp 0x7fffffff6ca8 —▸ 0x7ffff79062d7 (gf_bifs_dec_proto_list+1527) ◂— mov
        dword ptr [rsp + 0x14], eax
    01:0008│     0x7fffffff6cb0 —▸ 0x7ffff775bc80 ◂— 'gf_sg_command_new'
    02:0010│     0x7fffffff6cb8 —▸ 0x5555555df330 ◂— 0x6b6
    03:0018│     0x7fffffff6cc0 ◂— 0xffff6d50
    04:0020│     0x7fffffff6cc8 —▸ 0x5555555de660 ◂— 0xfffffffd
    05:0028│     0x7fffffff6cd0 —▸ 0x5555555df2f0 —▸ 0x5555555dfda0 —▸ 0x5555555df330 ◂— 0x6b6
    06:0030│     0x7fffffff6cd8 —▸ 0x5555555d4030 ◂— 0x0
    07:0038│     0x7fffffff6ce0 ◂— 0x0
    ... ↓        2 skipped
    0a:0050│     0x7fffffff6cf8 —▸ 0x7ffff7fc7000 —▸ 0x7ffff7743000 ◂— 0x10102464c457f
    0b:0058│     0x7fffffff6d00 —▸ 0x7fffffff6d90 ◂— 0xb6b6b6b6b6b6b6b6
    0c:0060│     0x7fffffff6d08 ◂— 0x0
    0d:0068│     0x7fffffff6d10 —▸ 0x7ffff7fc7000 —▸ 0x7ffff7743000 ◂— 0x10102464c457f
    0e:0070│     0x7fffffff6d18 —▸ 0x7ffff7fc7368 —▸ 0x7ffff7ffe450 —▸ 0x7ffff73131e0 —▸ 0x7ffff7ffe190 ◂— ...
    0f:0078│     0x7fffffff6d20 ◂— 0x0
    10:0080│     0x7fffffff6d28 ◂— 0x0
    11:0088│     0x7fffffff6d30 ◂— 0x1
    12:0090│     0x7fffffff6d38 ◂— 0x7fff00000001
    13:0098│ r15 0x7fffffff6d40 ◂— 0xb6b6b6b6b6b6b6b6
    ... ↓        180 skipped
    pwndbg>

CVE-2021-45258: Stack Overflow in gf_bifs_dec_proto_list() · Issue #1970 · gpac/gpac

A null pointer dereference vulnerability exists in gpac 1.1.0 in the BD_CheckSFTimeOffset function, which causes a segmentation fault and application crash.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

A null pointer dereference was discovered in BD\_CheckSFTimeOffset(). The vulnerability causes a segmentation fault and application crash.

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration:
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

poc\_7.zip

**Result**

    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 796203
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 796203
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 BIFS Scene Parsing
    [1]    1900424 segmentation fault  ./MP4Box -lsr ./poc/poc_7
    

**gdb**

    Program received signal SIGSEGV, Segmentation fault.
    __strcasecmp_l_avx () at ../sysdeps/x86_64/multiarch/strcmp-sse42.S:199
    199     ../sysdeps/x86_64/multiarch/strcmp-sse42.S: No such file or directory.
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x0
     RBX  0x5555555decb0 ◂— 0x0
    *RCX  0x17
    *RDX  0x7ffff77284a0 (_nl_global_locale) —▸ 0x7ffff77246c0 (_nl_C_LC_CTYPE) —▸ 0x7ffff76f4fc6 (_nl_C_name) ◂— 0x636d656d5f5f0043 /* 'C' */
    *RDI  0x0
    *RSI  0x7ffff7dfd2d7 ◂— 'startTime'
     R8   0x0
     R9   0x0
    *R10  0x7ffff775b844 ◂— 'gf_node_get_tag'
    *R11  0x7ffff7849790 (gf_node_get_tag) ◂— endbr64
    *R12  0x0
     R13  0x5555555dfe70 —▸ 0x5555555dfed0 ◂— 0x100000067 /* 'g' */
     R14  0x5555555dff50 ◂— 0x21e8e8512be35500
     R15  0x0
    *RBP  0x7fffffff6740 ◂— 0x200000002
    *RSP  0x7fffffff6688 —▸ 0x7ffff790dc51 (BD_CheckSFTimeOffset+49) ◂— test   eax, eax
    *RIP  0x7ffff76c4089 (__strcasecmp_l_avx+69) ◂— vmovdqu xmm1, xmmword ptr [rdi]
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
       0x7ffff76c4077 <__strcasecmp_l_avx+51>    vmovdqa xmm6, xmmword ptr [rip + 0x378f1]
       0x7ffff76c407f <__strcasecmp_l_avx+59>    cmp    ecx, 0x30
       0x7ffff76c4082 <__strcasecmp_l_avx+62>    ja     __strcasecmp_l_avx+172                <__strcasecmp_l_avx+172>
    
       0x7ffff76c4084 <__strcasecmp_l_avx+64>    cmp    eax, 0x30
       0x7ffff76c4087 <__strcasecmp_l_avx+67>    ja     __strcasecmp_l_avx+172                <__strcasecmp_l_avx+172>
    
     ► 0x7ffff76c4089 <__strcasecmp_l_avx+69>    vmovdqu xmm1, xmmword ptr [rdi]
       0x7ffff76c408d <__strcasecmp_l_avx+73>    vmovdqu xmm2, xmmword ptr [rsi]
       0x7ffff76c4091 <__strcasecmp_l_avx+77>    vpcmpgtb xmm7, xmm1, xmm4
       0x7ffff76c4095 <__strcasecmp_l_avx+81>    vpcmpgtb xmm8, xmm1, xmm5
       0x7ffff76c4099 <__strcasecmp_l_avx+85>    vpcmpgtb xmm9, xmm2, xmm4
       0x7ffff76c409d <__strcasecmp_l_avx+89>    vpcmpgtb xmm10, xmm2, xmm5
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff6688 —▸ 0x7ffff790dc51 (BD_CheckSFTimeOffset+49) ◂— test   eax, eax
    01:0008│     0x7fffffff6690 —▸ 0x5555555decb0 ◂— 0x0
    02:0010│     0x7fffffff6698 —▸ 0x5555555d26d0 ◂— 0x0
    03:0018│     0x7fffffff66a0 —▸ 0x7fffffff6740 ◂— 0x200000002
    04:0020│     0x7fffffff66a8 —▸ 0x7ffff790ed35 (gf_bifs_dec_sf_field+2053) ◂— mov    eax, dword ptr [rbx]
    05:0028│     0x7fffffff66b0 —▸ 0x5555555dfe90 ◂— 0x11cb
    06:0030│     0x7fffffff66b8 ◂— 0x22 /* '"' */
    07:0038│     0x7fffffff66c0 ◂— 0x11cb
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff76c4089 __strcasecmp_l_avx+69
       f 1   0x7ffff790dc51 BD_CheckSFTimeOffset+49
       f 2   0x7ffff790ed35 gf_bifs_dec_sf_field+2053
       f 3   0x7ffff790f4c0 BD_DecMFFieldVec+656
       f 4   0x7ffff790fa3f gf_bifs_dec_node_mask+287
       f 5   0x7ffff790e158 gf_bifs_dec_node+936
       f 6   0x7ffff79062f8 gf_bifs_dec_proto_list+1560
       f 7   0x7ffff7906559 BD_DecSceneReplace+73
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  __strcasecmp_l_avx () at ../sysdeps/x86_64/multiarch/strcmp-sse42.S:199
    #1  0x00007ffff790dc51 in BD_CheckSFTimeOffset () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #2  0x00007ffff790ed35 in gf_bifs_dec_sf_field () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #3  0x00007ffff790f4c0 in BD_DecMFFieldVec () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #4  0x00007ffff790fa3f in gf_bifs_dec_node_mask () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #5  0x00007ffff790e158 in gf_bifs_dec_node () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #6  0x00007ffff79062f8 in gf_bifs_dec_proto_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #7  0x00007ffff7906559 in BD_DecSceneReplace () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #8  0x00007ffff7914e5e in BM_SceneReplace () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #9  0x00007ffff7915023 in BM_ParseCommand () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #10 0x00007ffff7915353 in gf_bifs_decode_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #11 0x00007ffff7aa1d91 in gf_sm_load_run_isom () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #12 0x00005555555844a8 in dump_isom_scene ()
    #13 0x000055555557b42c in mp4boxMain ()
    #14 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe188, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe178) at ../csu/libc-start.c:308
    #15 0x000055555556c45e in _start ()
    

`break BD_CheckSFTimeOffset`

    0x00007ffff790dc4c in BD_CheckSFTimeOffset () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x67
     RBX  0x5555555decb0 ◂— 0x0
     RCX  0x0
     RDX  0x7fffffff6740 ◂— 0x200000002
    *RDI  0x0
     RSI  0x7ffff7dfd2d7 ◂— 'startTime'
     R8   0x0
     R9   0x0
     R10  0x7ffff775b844 ◂— 'gf_node_get_tag'
     R11  0x7ffff7849790 (gf_node_get_tag) ◂— endbr64
     R12  0x0
     R13  0x5555555dfe70 —▸ 0x5555555dfed0 ◂— 0x100000067 /* 'g' */
     R14  0x5555555dff50 ◂— 0x21e8e8512be35500
     R15  0x0
     RBP  0x7fffffff6740 ◂— 0x200000002
     RSP  0x7fffffff6690 —▸ 0x5555555decb0 ◂— 0x0
    *RIP  0x7ffff790dc4c (BD_CheckSFTimeOffset+44) ◂— call   0x7ffff77e0db0
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
       0x7ffff790dc39 <BD_CheckSFTimeOffset+25>    cmp    eax, 1
       0x7ffff790dc3c <BD_CheckSFTimeOffset+28>    je     BD_CheckSFTimeOffset+144                <BD_CheckSFTimeOffset+144>
    
       0x7ffff790dc3e <BD_CheckSFTimeOffset+30>    mov    r12, qword ptr [rbp + 0x10]
       0x7ffff790dc42 <BD_CheckSFTimeOffset+34>    lea    rsi, [rip + 0x4ef68e]
       0x7ffff790dc49 <BD_CheckSFTimeOffset+41>    mov    rdi, r12
     ► 0x7ffff790dc4c <BD_CheckSFTimeOffset+44>    call   strcasecmp@plt                <strcasecmp@plt>
            s1: 0x0
            s2: 0x7ffff7dfd2d7 ◂— 'startTime'
    
       0x7ffff790dc51 <BD_CheckSFTimeOffset+49>    test   eax, eax
       0x7ffff790dc53 <BD_CheckSFTimeOffset+51>    jne    BD_CheckSFTimeOffset+112                <BD_CheckSFTimeOffset+112>
    
       0x7ffff790dc55 <BD_CheckSFTimeOffset+53>    mov    edx, dword ptr [rbx + 0x6c]
       0x7ffff790dc58 <BD_CheckSFTimeOffset+56>    test   edx, edx
       0x7ffff790dc5a <BD_CheckSFTimeOffset+58>    jne    BD_CheckSFTimeOffset+80                <BD_CheckSFTimeOffset+80>
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff6690 —▸ 0x5555555decb0 ◂— 0x0
    01:0008│     0x7fffffff6698 —▸ 0x5555555d26d0 ◂— 0x0
    02:0010│     0x7fffffff66a0 —▸ 0x7fffffff6740 ◂— 0x200000002
    03:0018│     0x7fffffff66a8 —▸ 0x7ffff790ed35 (gf_bifs_dec_sf_field+2053) ◂— mov    eax, dword ptr [rbx]
    04:0020│     0x7fffffff66b0 —▸ 0x5555555dfe90 ◂— 0x11cb
    05:0028│     0x7fffffff66b8 ◂— 0x22 /* '"' */
    06:0030│     0x7fffffff66c0 ◂— 0x11cb
    07:0038│     0x7fffffff66c8 —▸ 0x7fffffff67d0 ◂— 0x2200000002
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff790dc4c BD_CheckSFTimeOffset+44
       f 1   0x7ffff790ed35 gf_bifs_dec_sf_field+2053
       f 2   0x7ffff790f4c0 BD_DecMFFieldVec+656
       f 3   0x7ffff790fa3f gf_bifs_dec_node_mask+287
       f 4   0x7ffff790e158 gf_bifs_dec_node+936
       f 5   0x7ffff79062f8 gf_bifs_dec_proto_list+1560
       f 6   0x7ffff7906559 BD_DecSceneReplace+73
       f 7   0x7ffff7914e5e BM_SceneReplace+110
    

    Program received signal SIGSEGV, Segmentation fault.
    __strcasecmp_l_avx () at ../sysdeps/x86_64/multiarch/strcmp-sse42.S:199
    199     in ../sysdeps/x86_64/multiarch/strcmp-sse42.S
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x0
     RBX  0x5555555decb0 ◂— 0x0
     RCX  0x17
     RDX  0x7ffff77284a0 (_nl_global_locale) —▸ 0x7ffff77246c0 (_nl_C_LC_CTYPE) —▸ 0x7ffff76f4fc6 (_nl_C_name) ◂— 0x636d656d5f5f0043 /* 'C' */
     RDI  0x0
     RSI  0x7ffff7dfd2d7 ◂— 'startTime'
     R8   0x0
     R9   0x0
     R10  0x7ffff775b844 ◂— 'gf_node_get_tag'
     R11  0x7ffff7849790 (gf_node_get_tag) ◂— endbr64
     R12  0x0
     R13  0x5555555dfe70 —▸ 0x5555555dfed0 ◂— 0x100000067 /* 'g' */
     R14  0x5555555dff50 ◂— 0x21e8e8512be35500
     R15  0x0
     RBP  0x7fffffff6740 ◂— 0x200000002
     RSP  0x7fffffff6688 —▸ 0x7ffff790dc51 (BD_CheckSFTimeOffset+49) ◂— test   eax, eax
     RIP  0x7ffff76c4089 (__strcasecmp_l_avx+69) ◂— vmovdqu xmm1, xmmword ptr [rdi]
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
       0x7ffff76c4077 <__strcasecmp_l_avx+51>    vmovdqa xmm6, xmmword ptr [rip + 0x378f1]
       0x7ffff76c407f <__strcasecmp_l_avx+59>    cmp    ecx, 0x30
       0x7ffff76c4082 <__strcasecmp_l_avx+62>    ja     __strcasecmp_l_avx+172                <__strcasecmp_l_avx+172>
    
       0x7ffff76c4084 <__strcasecmp_l_avx+64>    cmp    eax, 0x30
       0x7ffff76c4087 <__strcasecmp_l_avx+67>    ja     __strcasecmp_l_avx+172                <__strcasecmp_l_avx+172>
    
     ► 0x7ffff76c4089 <__strcasecmp_l_avx+69>    vmovdqu xmm1, xmmword ptr [rdi]
       0x7ffff76c408d <__strcasecmp_l_avx+73>    vmovdqu xmm2, xmmword ptr [rsi]
       0x7ffff76c4091 <__strcasecmp_l_avx+77>    vpcmpgtb xmm7, xmm1, xmm4
       0x7ffff76c4095 <__strcasecmp_l_avx+81>    vpcmpgtb xmm8, xmm1, xmm5
       0x7ffff76c4099 <__strcasecmp_l_avx+85>    vpcmpgtb xmm9, xmm2, xmm4
       0x7ffff76c409d <__strcasecmp_l_avx+89>    vpcmpgtb xmm10, xmm2, xmm5
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff6688 —▸ 0x7ffff790dc51 (BD_CheckSFTimeOffset+49) ◂— test   eax, eax
    01:0008│     0x7fffffff6690 —▸ 0x5555555decb0 ◂— 0x0
    02:0010│     0x7fffffff6698 —▸ 0x5555555d26d0 ◂— 0x0
    03:0018│     0x7fffffff66a0 —▸ 0x7fffffff6740 ◂— 0x200000002
    04:0020│     0x7fffffff66a8 —▸ 0x7ffff790ed35 (gf_bifs_dec_sf_field+2053) ◂— mov    eax, dword ptr [rbx]
    05:0028│     0x7fffffff66b0 —▸ 0x5555555dfe90 ◂— 0x11cb
    06:0030│     0x7fffffff66b8 ◂— 0x22 /* '"' */
    07:0038│     0x7fffffff66c0 ◂— 0x11cb
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff76c4089 __strcasecmp_l_avx+69
       f 1   0x7ffff790dc51 BD_CheckSFTimeOffset+49
       f 2   0x7ffff790ed35 gf_bifs_dec_sf_field+2053
       f 3   0x7ffff790f4c0 BD_DecMFFieldVec+656
       f 4   0x7ffff790fa3f gf_bifs_dec_node_mask+287
       f 5   0x7ffff790e158 gf_bifs_dec_node+936
       f 6   0x7ffff79062f8 gf_bifs_dec_proto_list+1560
       f 7   0x7ffff7906559 BD_DecSceneReplace+73

CVE-2021-44922: Null Pointer Dereference in BD_CheckSFTimeOffset() · Issue #1969 · gpac/gpac

An invalid memory address dereference vulnerability exists in gpac 1.1.0 in the dump_od_to_saf.isra function, which causes a segmentation fault and application crash.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

An invalid memory address dereference was discovered in dump\_od\_to\_saf.isra(). The vulnerability causes a segmentation fault and application crash.

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration:
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

poc.zip  
**Result**

    [iso file] Unknown box type stbU in parent minf
    [iso file] Track with no sample table !
    [iso file] Track with no sample description box !
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Box "lpod" (start 11062) has 1 extra bytes
    [iso file] Box "REFT" is larger than container box
    [iso file] Box "tref" size 28 (start 11054) invalid (read 261)
    [iso file] Incomplete box mdat - start 11495 size 861261
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] Unknown box type stbU in parent minf
    [iso file] Track with no sample table !
    [iso file] Track with no sample description box !
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Box "lpod" (start 11062) has 1 extra bytes
    [iso file] Box "REFT" is larger than container box
    [iso file] Box "tref" size 28 (start 11054) invalid (read 261)
    [iso file] Incomplete box mdat - start 11495 size 861261
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 BIFS Scene Parsing
    Scene loaded - dumping 2 systems streams
    [1]    3146070 segmentation fault  ./MP4Box -lsr ./submit/poc1
    

**gdb**

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff7ab7dcc in dump_od_to_saf.isra () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x61
     RBX  0x5555555df200 ◂— 0x1
     RCX  0x5555555df330 ◂— 0x8001000f
     RDX  0x7ffff72bf040 ◂— 0x7ffff72bf040
     RDI  0x5555555dfe10 ◂— 0xfbad2c84
     RSI  0x7ffff7e46910 ◂— ' streamType="%d" objectTypeIndication="%d" timeStampResolution="%d"'
     R8   0x3e8
     R9   0x27
     R10  0x7ffff7e4690b ◂— 0x7473200000000022 /* '"' */
     R11  0x7fffffff70e3 ◂— 0xcba6003936373233 /* '32769' */
     R12  0x5555555decc0 —▸ 0x5555555dfe10 ◂— 0xfbad2c84
     R13  0x0
     R14  0x5555555df150 ◂— 0x0
     R15  0x0
     RBP  0x0
     RSP  0x7fffffff7220 —▸ 0x5555555df330 ◂— 0x8001000f
     RIP  0x7ffff7ab7dcc (dump_od_to_saf.isra+204) ◂— movzx  edx, byte ptr [rax + 8]
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
     ► 0x7ffff7ab7dcc <dump_od_to_saf.isra+204>    movzx  edx, byte ptr [rax + 8]
       0x7ffff7ab7dd0 <dump_od_to_saf.isra+208>    mov    ecx, dword ptr [rax + 4]
       0x7ffff7ab7dd3 <dump_od_to_saf.isra+211>    xor    eax, eax
       0x7ffff7ab7dd5 <dump_od_to_saf.isra+213>    call   gf_fprintf@plt                <gf_fprintf@plt>
    
       0x7ffff7ab7dda <dump_od_to_saf.isra+218>    mov    rdx, qword ptr [r14]
       0x7ffff7ab7ddd <dump_od_to_saf.isra+221>    test   rdx, rdx
       0x7ffff7ab7de0 <dump_od_to_saf.isra+224>    jne    dump_od_to_saf.isra+392                <dump_od_to_saf.isra+392>
    
       0x7ffff7ab7de6 <dump_od_to_saf.isra+230>    mov    rdi, qword ptr [r12]
       0x7ffff7ab7dea <dump_od_to_saf.isra+234>    test   r15, r15
       0x7ffff7ab7ded <dump_od_to_saf.isra+237>    je     dump_od_to_saf.isra+266                <dump_od_to_saf.isra+266>
    
       0x7ffff7ab7def <dump_od_to_saf.isra+239>    mov    rdx, qword ptr [r15 + 8]
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff7220 —▸ 0x5555555df330 ◂— 0x8001000f
    01:0008│     0x7fffffff7228 ◂— 0x100000002
    02:0010│     0x7fffffff7230 —▸ 0x5555555df030 —▸ 0x5555555df580 ◂— 0x0
    03:0018│     0x7fffffff7238 ◂— 0x0
    04:0020│     0x7fffffff7240 —▸ 0x5555555df030 —▸ 0x5555555df580 ◂— 0x0
    05:0028│     0x7fffffff7248 ◂— 0x0
    06:0030│     0x7fffffff7250 ◂— 0x0
    07:0038│     0x7fffffff7258 —▸ 0x5555555df150 ◂— 0x0
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff7ab7dcc dump_od_to_saf.isra+204
       f 1   0x7ffff7ac27dd gf_sm_dump+1853
       f 2   0x555555584418 dump_isom_scene+616
       f 3   0x55555557b42c mp4boxMain+9228
       f 4   0x7ffff75630b3 __libc_start_main+243
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  0x00007ffff7ab7dcc in dump_od_to_saf.isra () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #1  0x00007ffff7ac27dd in gf_sm_dump () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #2  0x0000555555584418 in dump_isom_scene ()
    #3  0x000055555557b42c in mp4boxMain ()
    #4  0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe1a8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe198) at ../csu/libc-start.c:308
    #5  0x000055555556c45e in _start ()

CVE-2021-44920: Invalid memory address dereference in dump_od_to_saf.isra() · Issue #1957 · gpac/gpac

A Null Pointer Dereference vulnerability exists in the gf_sg_vrml_mf_alloc function, which causes a segmentation fault and application crash.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

A null pointer dereference was discovered in gf\_sg\_vrml\_mf\_alloc(). The vulnerability causes a segmentation fault and application crash.

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration:
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

poc5.zip

**Result**

    ./MP4Box -lsr ./poc5
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 861206
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 861206
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 BIFS Scene Parsing
    [1]    1371476 segmentation fault  ./MP4Box -lsr ./poc5
    

**gdb**

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff78a0f7d in gf_sg_vrml_mf_alloc () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x0
     RBX  0x9f03c
     RCX  0x10
     RDX  0x7ffff7e078a0 (CSWTCH.120) ◂— 0xc080c0804080404
     RDI  0x32
     RSI  0x32
     R8   0x0
     R9   0x0
     R10  0x7ffff775bdeb ◂— 'gf_sg_vrml_mf_alloc'
     R11  0x7ffff78a0f30 (gf_sg_vrml_mf_alloc) ◂— endbr64
     R12  0x0
     R13  0x8
     R14  0x0
     R15  0x7fffffff6d60 ◂— 0x30646c6569665f /* '_field0' */
     RBP  0x32
     RSP  0x7fffffff6bf0 ◂— 0x9f03c
     RIP  0x7ffff78a0f7d (gf_sg_vrml_mf_alloc+77) ◂— cmp    dword ptr [r12], ebx
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
     ► 0x7ffff78a0f7d <gf_sg_vrml_mf_alloc+77>     cmp    dword ptr [r12], ebx
       0x7ffff78a0f81 <gf_sg_vrml_mf_alloc+81>     je     gf_sg_vrml_mf_alloc+125                <gf_sg_vrml_mf_alloc+125>
        ↓
       0x7ffff78a0fad <gf_sg_vrml_mf_alloc+125>    add    rsp, 8
       0x7ffff78a0fb1 <gf_sg_vrml_mf_alloc+129>    pop    rbx
       0x7ffff78a0fb2 <gf_sg_vrml_mf_alloc+130>    pop    rbp
       0x7ffff78a0fb3 <gf_sg_vrml_mf_alloc+131>    pop    r12
       0x7ffff78a0fb5 <gf_sg_vrml_mf_alloc+133>    pop    r13
       0x7ffff78a0fb7 <gf_sg_vrml_mf_alloc+135>    ret
    
       0x7ffff78a0fb8 <gf_sg_vrml_mf_alloc+136>    nop    dword ptr [rax + rax]
       0x7ffff78a0fc0 <gf_sg_vrml_mf_alloc+144>    mov    edx, ebx
       0x7ffff78a0fc2 <gf_sg_vrml_mf_alloc+146>    imul   r13, rdx
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff6bf0 ◂— 0x9f03c
    01:0008│     0x7fffffff6bf8 —▸ 0x7fffffff6d30 ◂— 0x3200000000
    02:0010│     0x7fffffff6c00 —▸ 0x5555555ded70 ◂— 0x0
    03:0018│     0x7fffffff6c08 ◂— 0x555df8c0
    04:0020│     0x7fffffff6c10 —▸ 0x5555555d2730 ◂— 0x0
    05:0028│     0x7fffffff6c18 —▸ 0x7ffff790f44d (BD_DecMFFieldVec+589) ◂— mov    r14d, eax
    06:0030│     0x7fffffff6c20 ◂— 0x0
    07:0038│     0x7fffffff6c28 ◂— 0x0
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff78a0f7d gf_sg_vrml_mf_alloc+77
       f 1   0x7ffff790f44d BD_DecMFFieldVec+589
       f 2   0x7ffff7906205 gf_bifs_dec_proto_list+1333
       f 3   0x7ffff7906549 BD_DecSceneReplace+73
       f 4   0x7ffff7914e2e BM_SceneReplace+110
       f 5   0x7ffff7914ff3 BM_ParseCommand+179
       f 6   0x7ffff7915323 gf_bifs_decode_command_list+163
       f 7   0x7ffff7aa1da2 gf_sm_load_run_isom+1218
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  0x00007ffff78a0f7d in gf_sg_vrml_mf_alloc () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #1  0x00007ffff790f44d in BD_DecMFFieldVec () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #2  0x00007ffff7906205 in gf_bifs_dec_proto_list () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #3  0x00007ffff7906549 in BD_DecSceneReplace () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #4  0x00007ffff7914e2e in BM_SceneReplace () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #5  0x00007ffff7914ff3 in BM_ParseCommand () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #6  0x00007ffff7915323 in gf_bifs_decode_command_list () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #7  0x00007ffff7aa1da2 in gf_sm_load_run_isom () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #8  0x00005555555844a8 in dump_isom_scene ()
    #9  0x000055555557b42c in mp4boxMain ()
    #10 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe1a8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe198) at ../csu/libc-start.c:308
    #11 0x000055555556c45e in _start ()

CVE-2021-44919: Null Pointer Dereference in gf_sg_vrml_mf_alloc() · Issue #1963 · gpac/gpac

A null pointer dereference vulnerability exists in gpac 1.1.0 in the gf_sg_vrml_mf_append function, which causes a segmentation fault and application crash.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

A null pointer dereference was discovered in gf\_sg\_vrml\_mf\_append().

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration:
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

poc2.zip

**Result**

    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type e`ds in parent mp4s
    [iso file] Incomplete box mdat - start 11495 size 861283
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type e`ds in parent mp4s
    [iso file] Incomplete box mdat - start 11495 size 861283
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 BIFS Scene Parsing
    [1]    2696339 segmentation fault  ./MP4Box -bt ./submit/poc2
    

**gdb**

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff78a1074 in gf_sg_vrml_mf_append () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x0
     RBX  0x7fffffff6c10 ◂— 0x3800000000
     RCX  0x7fffffff6ce0 ◂— 0x2c00000000
     RDX  0x7fffffff6c18 ◂— 0x0
     RDI  0x0
     RSI  0x2c
     R8   0x5555555df8d0 —▸ 0x5555555df840 ◂— 0x2c00
     R9   0x7
     R10  0x7ffff775be46 ◂— 'gf_sg_vrml_mf_append'
     R11  0x7ffff78a1070 (gf_sg_vrml_mf_append) ◂— endbr64
     R12  0x7fffffff6ce0 ◂— 0x2c00000000
     R13  0x5555555d5f80 ◂— 0x0
     R14  0x0
     R15  0x0
     RBP  0x5555555ded90 ◂— 0x0
     RSP  0x7fffffff6bc8 —▸ 0x7ffff790efa4 (BD_DecMFFieldList+212) ◂— test   eax, eax
     RIP  0x7ffff78a1074 (gf_sg_vrml_mf_append+4) ◂— mov    eax, dword ptr [rdi]
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
       0x7ffff78a1070 <gf_sg_vrml_mf_append>          endbr64
     ► 0x7ffff78a1074 <gf_sg_vrml_mf_append+4>        mov    eax, dword ptr [rdi]
       0x7ffff78a1076 <gf_sg_vrml_mf_append+6>        lea    ecx, [rax + 2]
       0x7ffff78a1079 <gf_sg_vrml_mf_append+9>        jmp    gf_sg_vrml_mf_insert@plt                <gf_sg_vrml_mf_insert@plt>
        ↓
       0x7ffff77e66a0 <gf_sg_vrml_mf_insert@plt>      endbr64
       0x7ffff77e66a4 <gf_sg_vrml_mf_insert@plt+4>    bnd jmp qword ptr [rip + 0x7ba34d]   <0x7ffff77dd3f0>
        ↓
       0x7ffff77dd3f0                                 endbr64
       0x7ffff77dd3f4                                 push   0x73c
       0x7ffff77dd3f9                                 bnd jmp 0x7ffff77d6020               <0x7ffff77d6020>
        ↓
       0x7ffff77d6020                                 push   qword ptr [rip + 0x7c6fe2]    <0x7ffff7f9d008>
       0x7ffff77d6026                                 bnd jmp qword ptr [rip + 0x7c6fe3]   <0x7ffff7fe7bb0>
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff6bc8 —▸ 0x7ffff790efa4 (BD_DecMFFieldList+212) ◂— test   eax, eax
    01:0008│     0x7fffffff6bd0 ◂— 0x0
    02:0010│     0x7fffffff6bd8 ◂— 0x0
    03:0018│     0x7fffffff6be0 ◂— 0x50 /* 'P' */
    04:0020│     0x7fffffff6be8 ◂— 0x0
    05:0028│     0x7fffffff6bf0 —▸ 0x7fffffff6d10 ◂— 0x30646c6569665f /* '_field0' */
    06:0030│     0x7fffffff6bf8 —▸ 0x7fffffff6c08 ◂— 0x0
    07:0038│     0x7fffffff6c00 —▸ 0x7fffffff6d10 ◂— 0x30646c6569665f /* '_field0' */
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff78a1074 gf_sg_vrml_mf_append+4
       f 1   0x7ffff790efa4 BD_DecMFFieldList+212
       f 2   0x7ffff7906006 gf_bifs_dec_proto_list+822
       f 3   0x7ffff7906549 BD_DecSceneReplace+73
       f 4   0x7ffff7914e2e BM_SceneReplace+110
       f 5   0x7ffff7914ff3 BM_ParseCommand+179
       f 6   0x7ffff7915323 gf_bifs_decode_command_list+163
       f 7   0x7ffff7aa1da2 gf_sm_load_run_isom+1218
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  0x00007ffff78a1074 in gf_sg_vrml_mf_append () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #1  0x00007ffff790efa4 in BD_DecMFFieldList () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #2  0x00007ffff7906006 in gf_bifs_dec_proto_list () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #3  0x00007ffff7906549 in BD_DecSceneReplace () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #4  0x00007ffff7914e2e in BM_SceneReplace () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #5  0x00007ffff7914ff3 in BM_ParseCommand () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #6  0x00007ffff7915323 in gf_bifs_decode_command_list () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #7  0x00007ffff7aa1da2 in gf_sm_load_run_isom () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #8  0x00005555555844a8 in dump_isom_scene ()
    #9  0x000055555557b42c in mp4boxMain ()
    #10 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe158, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe148) at ../csu/libc-start.c:308
    #11 0x000055555556c45e in _start ()

CVE-2021-44927: Null Pointer Dereference in gf_sg_vrml_mf_append() · Issue #1960 · gpac/gpac

A null pointer dereference vulnerability exists in the gpac in the gf_node_get_tag function, which causes a segmentation fault and application crash.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

A null pointer dereference was discovered in gf\_node\_get\_tag(). The vulnerability causes a segmentation fault and application crash.

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration:
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

poc3.zip

**Result**

    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 861218
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 861218
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 BIFS Scene Parsing
    [1]    3453407 segmentation fault  ./MP4Box -lsr
    

**gdb**

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff7849794 in gf_node_get_tag () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x0
     RBX  0x0
     RCX  0x0
     RDX  0x5555555d2730 ◂— 0x0
     RDI  0x0
     RSI  0x5555555df860 ◂— 0x0
     R8   0x0
     R9   0x7
     R10  0x7ffff775b844 ◂— 'gf_node_get_tag'
     R11  0x7ffff7849790 (gf_node_get_tag) ◂— endbr64
     R12  0x5555555ded60 ◂— 0x0
     R13  0x5555555df860 ◂— 0x0
     R14  0x0
     R15  0x7fffffff6d60 ◂— 0x31646c6569665f /* '_field1' */
     RBP  0x5555555d2730 ◂— 0x0
     RSP  0x7fffffff6be8 —▸ 0x7ffff7919836 (SFScript_Parse+54) ◂— cmp    eax, 0x51
     RIP  0x7ffff7849794 (gf_node_get_tag+4) ◂— mov    rax, qword ptr [rdi]
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
       0x7ffff7849790 <gf_node_get_tag>       endbr64
     ► 0x7ffff7849794 <gf_node_get_tag+4>     mov    rax, qword ptr [rdi]
       0x7ffff7849797 <gf_node_get_tag+7>     movzx  eax, word ptr [rax]
       0x7ffff784979a <gf_node_get_tag+10>    ret
    
       0x7ffff784979b                         nop    dword ptr [rax + rax]
       0x7ffff78497a0 <gf_node_get_id>        endbr64
       0x7ffff78497a4 <gf_node_get_id+4>      mov    rax, qword ptr [rdi]
       0x7ffff78497a7 <gf_node_get_id+7>      xor    r8d, r8d
       0x7ffff78497aa <gf_node_get_id+10>     mov    edx, dword ptr [rax + 4]
       0x7ffff78497ad <gf_node_get_id+13>     test   edx, edx
       0x7ffff78497af <gf_node_get_id+15>     jns    gf_node_get_id+66                <gf_node_get_id+66>
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff6be8 —▸ 0x7ffff7919836 (SFScript_Parse+54) ◂— cmp    eax, 0x51
    01:0008│     0x7fffffff6bf0 ◂— 0x0
    ... ↓        2 skipped
    04:0020│     0x7fffffff6c08 ◂— 0x770000007c /* '|' */
    05:0028│     0x7fffffff6c10 ◂— 0x5b0000006e /* 'n' */
    06:0030│     0x7fffffff6c18 ◂— 0x770000007c /* '|' */
    07:0038│     0x7fffffff6c20 ◂— 0x5b0000006e /* 'n' */
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff7849794 gf_node_get_tag+4
       f 1   0x7ffff7919836 SFScript_Parse+54
       f 2   0x7ffff790e9cb gf_bifs_dec_sf_field+1195
       f 3   0x7ffff7905f44 gf_bifs_dec_proto_list+628
       f 4   0x7ffff7906549 BD_DecSceneReplace+73
       f 5   0x7ffff7914e2e BM_SceneReplace+110
       f 6   0x7ffff7914ff3 BM_ParseCommand+179
       f 7   0x7ffff7915323 gf_bifs_decode_command_list+163
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  0x00007ffff7849794 in gf_node_get_tag () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #1  0x00007ffff7919836 in SFScript_Parse () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #2  0x00007ffff790e9cb in gf_bifs_dec_sf_field () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #3  0x00007ffff7905f44 in gf_bifs_dec_proto_list () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #4  0x00007ffff7906549 in BD_DecSceneReplace () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #5  0x00007ffff7914e2e in BM_SceneReplace () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #6  0x00007ffff7914ff3 in BM_ParseCommand () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #7  0x00007ffff7915323 in gf_bifs_decode_command_list () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #8  0x00007ffff7aa1da2 in gf_sm_load_run_isom () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #9  0x00005555555844a8 in dump_isom_scene ()
    #10 0x000055555557b42c in mp4boxMain ()
    #11 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe1a8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe198) at ../csu/libc-start.c:308
    #12 0x000055555556c45e in _start ()

CVE-2021-44926: Null Pointer Dereference in gf_node_get_tag() · Issue #1961 · gpac/gpac

A null pointer dereference vulnerability exists in gpac 1.1.0 in the gf_isom_parse_movie_boxes_internal function, which causes a segmentation fault and application crash.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

A null pointer dereference was discovered in gf\_isom\_parse\_movie\_boxes\_internal(). The vulnerability causes a segmentation fault and application crash.

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration:
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

poc\_1.zip

**Result**

    [iso file] extra box maxr found in hinf, deleting
    [iso file] Read Box type 00000000 (0x00000000) at position 4494 has size 0 but is not at root/file level, skipping
    [iso file] Read Box "hinf" (start 4390) failed (End Of Stream / File) - skipping
    [iso file] Read Box "udta" (start 4178) failed (End Of Stream / File) - skipping
    [iso file] Read Box "trak" (start 2229) failed (End Of Stream / File) - skipping
    [iso file] Read Box "moov" (start 20) failed (End Of Stream / File) - skipping
    [1]    2155243 segmentation fault  ./MP4Box -lsr ./poc/poc_1
    

**gdb**

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff7973829 in gf_isom_parse_movie_boxes_internal () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x1
     RBX  0x5555555c72a0 ◂— 0x0
     RCX  0x7ffff764d1e7 (write+23) ◂— cmp    rax, -0x1000 /* 'H=' */
     RDX  0x0
     RDI  0x5555555c62a0 ◂— 0x0
     RSI  0x0
     R8   0x0
     R9   0x0
     R10  0x7ffff7e227df ◂— ') - skipping\n'
     R11  0x246
     R12  0x0
     R13  0x0
     R14  0x5555555c72a0 ◂— 0x0
     R15  0x3
     RBP  0x7fffffff83a0 ◂— 0x0
     RSP  0x7fffffff8310 —▸ 0x7fffffff8350 ◂— 0x0
     RIP  0x7ffff7973829 (gf_isom_parse_movie_boxes_internal+249) ◂— mov    eax, dword ptr [rsi]
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
     ► 0x7ffff7973829 <gf_isom_parse_movie_boxes_internal+249>     mov    eax, dword ptr [rsi]
       0x7ffff797382b <gf_isom_parse_movie_boxes_internal+251>     cmp    eax, 0x6d6f6f76
       0x7ffff7973830 <gf_isom_parse_movie_boxes_internal+256>     je     gf_isom_parse_movie_boxes_internal+1688                <gf_isom_parse_movie_boxes_internal+1688>
        ↓
       0x7ffff7973dc8 <gf_isom_parse_movie_boxes_internal+1688>    cmp    qword ptr [r14 + 0x48], 0
       0x7ffff7973dcd <gf_isom_parse_movie_boxes_internal+1693>    jne    gf_isom_parse_movie_boxes_internal+4630                <gf_isom_parse_movie_boxes_internal+4630>
        ↓
       0x7ffff7974946 <gf_isom_parse_movie_boxes_internal+4630>    mov    esi, 1
       0x7ffff797494b <gf_isom_parse_movie_boxes_internal+4635>    mov    edi, 2
       0x7ffff7974950 <gf_isom_parse_movie_boxes_internal+4640>    call   gf_log_tool_level_on@plt                <gf_log_tool_level_on@plt>
    
       0x7ffff7974955 <gf_isom_parse_movie_boxes_internal+4645>    test   eax, eax
       0x7ffff7974957 <gf_isom_parse_movie_boxes_internal+4647>    je     gf_isom_parse_movie_boxes_internal+4540                <gf_isom_parse_movie_boxes_internal+4540>
    
       0x7ffff7974959 <gf_isom_parse_movie_boxes_internal+4649>    mov    esi, 2
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff8310 —▸ 0x7fffffff8350 ◂— 0x0
    01:0008│     0x7fffffff8318 ◂— 0x0
    ... ↓        2 skipped
    04:0020│     0x7fffffff8330 —▸ 0x5555555c7500 ◂— 0x6d703431 /* '14pm' */
    05:0028│     0x7fffffff8338 ◂— 0x0
    06:0030│     0x7fffffff8340 ◂— 0x0
    07:0038│     0x7fffffff8348 ◂— 0x4
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff7973829 gf_isom_parse_movie_boxes_internal+249
       f 1   0x7ffff7974f97 gf_isom_open_file+311
       f 2   0x55555557dc14 mp4boxMain+19444
       f 3   0x7ffff75630b3 __libc_start_main+243
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  0x00007ffff7973829 in gf_isom_parse_movie_boxes_internal () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #1  0x00007ffff7974f97 in gf_isom_open_file () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #2  0x000055555557dc14 in mp4boxMain ()
    #3  0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe188, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe178) at ../csu/libc-start.c:308
    #4  0x000055555556c45e in _start ()

CVE-2021-44921: Null Pointer Dereference in gf_isom_parse_movie_boxes_internal() · Issue #1964 · gpac/gpac

An infinite loop vulnerability exists in gpac 1.1.0 in the gf_log function, which causes a Denial of Service.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

An infinite loop was discovered in gf\_log().

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration:
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG G
    [poc_hang.zip](https://github.com/gpac/gpac/files/7691188/poc_hang.zip)
    PAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

    ./MP4Box -info ./poc_hang
    

poc\_hang.zip

**Result**

    ...
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    ...
    

**gdb**

    bt
    #0  0x00007ffff764d1e7 in __GI___libc_write (fd=2, buf=0x7ffffffebeb0, nbytes=62) at ../sysdeps/unix/sysv/linux/write.c:26
    #1  0x00007ffff75ce00d in _IO_new_file_write (f=0x7ffff77285c0 <_IO_2_1_stderr_>, data=0x7ffffffebeb0, n=62) at fileops.c:1176
    #2  0x00007ffff75ce928 in new_do_write (to_do=<optimized out>, data=0x7ffffffebeb0 "[Core] exp-golomb read failed, not enough bits in bitstream !\nn [0;31])\n", fp=0x7ffff77285c0 <_IO_2_1_stderr_>) at libioP.h:948
    #3  _IO_new_file_xsputn (n=62, data=<optimized out>, f=<optimized out>) at fileops.c:1255
    #4  _IO_new_file_xsputn (f=0x7ffff77285c0 <_IO_2_1_stderr_>, data=<optimized out>, n=62) at fileops.c:1197
    #5  0x00007ffff75b90d3 in buffered_vfprintf (s=s@entry=0x7ffff77285c0 <_IO_2_1_stderr_>, format=format@entry=0x7ffff7e2cf98 "[Core] exp-golomb read failed, not enough bits in bitstream !\n", args=args@entry=0x7ffffffee4a0, mode_flags=mode_flags@entry=2) at ../libio/libioP.h:948
    #6  0x00007ffff75b5ea4 in __vfprintf_internal (s=0x7ffff77285c0 <_IO_2_1_stderr_>, format=0x7ffff7e2cf98 "[Core] exp-golomb read failed, not enough bits in bitstream !\n", ap=0x7ffffffee4a0, mode_flags=2) at vfprintf-internal.c:1346
    #7  0x00007ffff77f8a21 in default_log_callback_color () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #8  0x00007ffff77f8cc9 in gf_log () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #9  0x00007ffff79f4c95 in avc_parse_hrd_parameters () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #10 0x00007ffff79f7c09 in gf_avc_read_sps_bs_internal () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #11 0x00007ffff7a0b149 in gf_avc_read_sps () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #12 0x00007ffff792b724 in avcc_box_read () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #13 0x00007ffff796ac69 in gf_isom_box_parse_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #14 0x00007ffff796c531 in gf_isom_box_array_read_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #15 0x00007ffff793c2a3 in video_sample_entry_box_read () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #16 0x00007ffff796ac69 in gf_isom_box_parse_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #17 0x00007ffff796c531 in gf_isom_box_array_read_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #18 0x00007ffff796ac69 in gf_isom_box_parse_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #19 0x00007ffff796c531 in gf_isom_box_array_read_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #20 0x00007ffff793e083 in stbl_box_read () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #21 0x00007ffff796ac69 in gf_isom_box_parse_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #22 0x00007ffff796c531 in gf_isom_box_array_read_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #23 0x00007ffff793a3d0 in minf_box_read () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #24 0x00007ffff796ac69 in gf_isom_box_parse_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #25 0x00007ffff796c531 in gf_isom_box_array_read_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #26 0x00007ffff79394e9 in mdia_box_read () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #27 0x00007ffff796ac69 in gf_isom_box_parse_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #28 0x00007ffff796c531 in gf_isom_box_array_read_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #29 0x00007ffff794189a in trak_box_read () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #30 0x00007ffff796ac69 in gf_isom_box_parse_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #31 0x00007ffff796c531 in gf_isom_box_array_read_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #32 0x00007ffff796ac69 in gf_isom_box_parse_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #33 0x00007ffff796b410 in gf_isom_parse_root_box () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #34 0x00007ffff79737ec in gf_isom_parse_movie_boxes_internal () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #35 0x00007ffff7974f67 in gf_isom_open_file () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #36 0x000055555557dc14 in mp4boxMain ()
    #37 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe1f8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe1e8) at ../csu/libc-start.c:308
    #38 0x000055555556c45e in _start ()

CVE-2021-44924: Infinite loop in gf_log() · Issue #1959 · gpac/gpac

A null pointer dereference vulnerability exists in gpac 1.1.0 in the gf_svg_get_attribute_name function, which causes a segmentation fault and application crash.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

A null pointer dereference was discovered in gf\_svg\_get\_attribute\_name(). The vulnerability causes a segmentation fault and application crash.

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration:
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

poc\_4.zip

**Result**

    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 796312
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 796312
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 LASeR Scene Parsing
    Scene loaded - dumping 1 systems streams
    [1]    3570050 segmentation fault  ./MP4Box -lsr ./poc/poc_4
    

**gdb**

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff78e16ac in gf_svg_get_attribute_name () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x0
     RBX  0x5555555decb0 —▸ 0x5555555d4350 ◂— 0x0
     RCX  0x0
     RDX  0x7ffff7f7c428 (xml_elements+8) ◂— 0x300000422
     RDI  0x0
     RSI  0x0
     R8   0x0
     R9   0xa
     R10  0x7ffff7e45bd4 ◂— 0x6e696f7020002022 /* '" ' */
     R11  0x7fffffff6ee7 ◂— 0xbffcbef5d8160036 /* '6' */
     R12  0x5555555df180 —▸ 0x5555555d4350 ◂— 0x0
     R13  0x0
     R14  0x7ffff7e10cf4 ◂— 'textContent'
     R15  0x7ffff7df5e9b ◂— 0x663325002f2e2e00
     RBP  0x7fffffff7080 ◂— 0x344e /* 'N4' */
     RSP  0x7fffffff6fe0 ◂— 0x25286574616c736e ('nslate(%')
     RIP  0x7ffff78e16ac (gf_svg_get_attribute_name+28) ◂— mov    rax, qword ptr [rdi]
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
     ► 0x7ffff78e16ac <gf_svg_get_attribute_name+28>    mov    rax, qword ptr [rdi]
       0x7ffff78e16af <gf_svg_get_attribute_name+31>    movzx  ecx, word ptr [rax]
       0x7ffff78e16b2 <gf_svg_get_attribute_name+34>    xor    eax, eax
       0x7ffff78e16b4 <gf_svg_get_attribute_name+36>    cmp    cx, 0x408
       0x7ffff78e16b9 <gf_svg_get_attribute_name+41>    jne    gf_svg_get_attribute_name+64
     <gf_svg_get_attribute_name+64>
        ↓
       0x7ffff78e16d0 <gf_svg_get_attribute_name+64>    cmp    dword ptr [rdx], ecx
       0x7ffff78e16d2 <gf_svg_get_attribute_name+66>    jne    gf_svg_get_attribute_name+48
     <gf_svg_get_attribute_name+48>
        ↓
       0x7ffff78e16c0 <gf_svg_get_attribute_name+48>    add    eax, 1
       0x7ffff78e16c3 <gf_svg_get_attribute_name+51>    add    rdx, 0x10
       0x7ffff78e16c7 <gf_svg_get_attribute_name+55>    cmp    eax, 0x4e
       0x7ffff78e16ca <gf_svg_get_attribute_name+58>    je     gf_svg_get_attribute_name+365
      <gf_svg_get_attribute_name+365>
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff6fe0 ◂— 0x25286574616c736e ('nslate(%')
    01:0008│     0x7fffffff6fe8 —▸ 0x5555555decb0 —▸ 0x5555555d4350 ◂— 0x0
    02:0010│     0x7fffffff6ff0 —▸ 0x7fffffff7080 ◂— 0x344e /* 'N4' */
    03:0018│     0x7fffffff6ff8 —▸ 0x5555555df180 —▸ 0x5555555d4350 ◂— 0x0
    04:0020│     0x7fffffff7000 —▸ 0x5555555df2e0 ◂— 0x0
    05:0028│     0x7fffffff7008 —▸ 0x7ffff7e10cf4 ◂— 'textContent'
    06:0030│     0x7fffffff7010 —▸ 0x7ffff7df5e9b ◂— 0x663325002f2e2e00
    07:0038│     0x7fffffff7018 —▸ 0x7ffff7abae7a (DumpLSRAddReplaceInsert+938) ◂— mov    r14, rax
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff78e16ac gf_svg_get_attribute_name+28
       f 1   0x7ffff7abae7a DumpLSRAddReplaceInsert+938
       f 2   0x7ffff7abb12b gf_sm_dump_command_list+219
       f 3   0x7ffff7ac254c gf_sm_dump+1116
       f 4   0x555555584418 dump_isom_scene+616
       f 5   0x55555557b42c mp4boxMain+9228
       f 6   0x7ffff75630b3 __libc_start_main+243
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  0x00007ffff78e16ac in gf_svg_get_attribute_name () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #1  0x00007ffff7abae7a in DumpLSRAddReplaceInsert () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #2  0x00007ffff7abb12b in gf_sm_dump_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #3  0x00007ffff7ac254c in gf_sm_dump () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #4  0x0000555555584418 in dump_isom_scene ()
    #5  0x000055555557b42c in mp4boxMain ()
    #6  0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe188, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe178) at ../csu/libc-start.c:308
    #7  0x000055555556c45e in _start ()

CVE-2021-44925: Null Pointer Dereference in gf_svg_get_attribute_name() · Issue #1967 · gpac/gpac

A null pointer dereference vulnerability exists in gpac 1.1.0 in the gf_dump_vrml_dyn_field.isra function, which causes a segmentation fault and application crash.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

A null pointer dereference was discovered in gf\_dump\_vrml\_dyn\_field.isra(). The vulnerability causes a segmentation fault and application crash.

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration:
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

poc4.zip

**Result**

    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 860238
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 860238
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 BIFS Scene Parsing
    Scene loaded - dumping 1 systems streams
    [1]    414421 segmentation fault  ./MP4Box -lsr ./poc4
    

**gdb**

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff7ac0797 in gf_dump_vrml_dyn_field.isra () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0xa
     RBX  0x0
     RCX  0x0
     RDX  0x7ffff72bf040 ◂— 0x7ffff72bf040
     RDI  0x7fffffff6af0 —▸ 0x7ffff75a21e0 (funlockfile) ◂— endbr64
     RSI  0x0
     R8   0xffffffff
     R9   0xa
     R10  0x7ffff7e37a2a ◂— 0x3e73252f3c00223d /* '="' */
     R11  0x7ffff7df0c38 ◂— 0x6e776f6e6b6e75 /* 'unknown' */
     R12  0x0
     R13  0x0
     R14  0x5555555ded60 —▸ 0x5555555d43b0 ◂— 0x0
     R15  0x1
     RBP  0x3c
     RSP  0x7fffffff7060 ◂— 0x3000000010
     RIP  0x7ffff7ac0797 (gf_dump_vrml_dyn_field.isra+631) ◂— mov    eax, dword ptr [r12]
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
     ► 0x7ffff7ac0797 <gf_dump_vrml_dyn_field.isra+631>    mov    eax, dword ptr [r12]
       0x7ffff7ac079b <gf_dump_vrml_dyn_field.isra+635>    test   eax, eax
       0x7ffff7ac079d <gf_dump_vrml_dyn_field.isra+637>    je     gf_dump_vrml_dyn_field.isra+720
           <gf_dump_vrml_dyn_field.isra+720>
        ↓
       0x7ffff7ac07f0 <gf_dump_vrml_dyn_field.isra+720>    mov    eax, dword ptr [rsp + 0x70]
       0x7ffff7ac07f4 <gf_dump_vrml_dyn_field.isra+724>    mov    rdi, qword ptr [r14 + 0x10]
       0x7ffff7ac07f8 <gf_dump_vrml_dyn_field.isra+728>    test   eax, eax
       0x7ffff7ac07fa <gf_dump_vrml_dyn_field.isra+730>    jne    gf_dump_vrml_dyn_field.isra+292
           <gf_dump_vrml_dyn_field.isra+292>
        ↓
       0x7ffff7ac0644 <gf_dump_vrml_dyn_field.isra+292>    lea    rsi, [rip + 0x35ac0b]
       0x7ffff7ac064b <gf_dump_vrml_dyn_field.isra+299>    xor    eax, eax
       0x7ffff7ac064d <gf_dump_vrml_dyn_field.isra+301>    call   gf_fprintf@plt                <gf_fprintf@plt>
    
       0x7ffff7ac0652 <gf_dump_vrml_dyn_field.isra+306>    jmp    gf_dump_vrml_dyn_field.isra+391
           <gf_dump_vrml_dyn_field.isra+391>
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff7060 ◂— 0x3000000010
    01:0008│     0x7fffffff7068 —▸ 0x5555555df880 ◂— 0x31646c6569665f /* '_field1' */
    02:0010│     0x7fffffff7070 ◂— 0x0
    03:0018│     0x7fffffff7078 ◂— 0x38b85a8f00
    04:0020│     0x7fffffff7080 ◂— 0x0
    05:0028│     0x7fffffff7088 ◂— 0x7aa5d2dbb85a8f00
    06:0030│     0x7fffffff7090 ◂— 0x1
    07:0038│     0x7fffffff7098 —▸ 0x7ffff7e27f46 ◂— 0x65646f6d73006325 /* '%c' */
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff7ac0797 gf_dump_vrml_dyn_field.isra+631
       f 1   0x7ffff7ac15d1 DumpProtos+305
       f 2   0x7ffff7abb389 gf_sm_dump_command_list+857
       f 3   0x7ffff7ac24fc gf_sm_dump+1116
       f 4   0x555555584418 dump_isom_scene+616
       f 5   0x55555557b42c mp4boxMain+9228
       f 6   0x7ffff75630b3 __libc_start_main+243
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  0x00007ffff7ac0797 in gf_dump_vrml_dyn_field.isra () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #1  0x00007ffff7ac15d1 in DumpProtos () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #2  0x00007ffff7abb389 in gf_sm_dump_command_list () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #3  0x00007ffff7ac24fc in gf_sm_dump () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #4  0x0000555555584418 in dump_isom_scene ()
    #5  0x000055555557b42c in mp4boxMain ()
    #6  0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe1a8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe198) at ../csu/libc-start.c:308
    #7  0x000055555556c45e in _start ()

Tag

#ubuntu