A NULL pointer dereference in AcseConnection_parseMessage at src/mms/iso_acse/acse.c of libiec61850 v1.5.0 can lead to a segmentation fault or application crash.

**NULL Pointer Dereference in AcseConnection\_parseMessage****Description**

A NULL Pointer Dereference was discovered in AcseConnection\_parseMessage at src/mms/iso\_acse/acse.c:429. The vulnerability causes a segmentation fault and application crash.

**version**

8eeb6f0

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**Proof of Concept**

**poc**

    base64 poc
    AwAAFgLwgA0NAQDBATGBAgABogIAAA==
    

**command:**

    ./server_example_basic_io
    nc 0.0.0.0 102 < poc
    

**Result**

    ./server_example_basic_io
    Using libIEC61850 version 1.5.0
    Connection opened
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==4028537==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55de6e46db68 bp 0x7fac36efcaa0 sp 0x7fac36efc9f0 T3)
    ==4028537==The signal is caused by a READ memory access.
    ==4028537==Hint: address points to the zero page.
        #0 0x55de6e46db67 in AcseConnection_parseMessage src/mms/iso_acse/acse.c:429
        #1 0x55de6e41960b in IsoConnection_handleTcpConnection src/mms/iso_server/iso_connection.c:233
        #2 0x55de6e41ac5d in handleTcpConnection src/mms/iso_server/iso_connection.c:472
        #3 0x7fac3b7e3608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
        #4 0x7fac3b5bb292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV src/mms/iso_acse/acse.c:429 in AcseConnection_parseMessage
    Thread T3 created by T1 here:
        #0 0x7fac3b837805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
        #1 0x55de6e3b19dc in Thread_start hal/thread/linux/thread_linux.c:89
        #2 0x55de6e41b4f7 in IsoConnection_start src/mms/iso_server/iso_connection.c:581
        #3 0x55de6e417bf1 in handleIsoConnections src/mms/iso_server/iso_server.c:520
        #4 0x55de6e417c99 in isoServerThread src/mms/iso_server/iso_server.c:554
        #5 0x7fac3b7e3608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
    
    Thread T1 created by T0 here:
        #0 0x7fac3b837805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
        #1 0x55de6e3b19dc in Thread_start hal/thread/linux/thread_linux.c:89
        #2 0x55de6e4182d2 in IsoServer_startListening src/mms/iso_server/iso_server.c:682
        #3 0x55de6e3b9b50 in MmsServer_startListening src/mms/iso_mms/server/mms_server.c:606
        #4 0x55de6e3adae9 in IedServer_start src/iec61850/server/impl/ied_server.c:692
        #5 0x55de6e39537e in main /root/disk2/fuzzing/libiec61850/test/libiec61850/examples/server_example_basic_io/server_example_basic_io.c:146
        #6 0x7fac3b4c00b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    
    ==4028537==ABORTING
    

**gdb**

    Using libIEC61850 version 1.5.0
    [New Thread 0x7ffff3bff700 (LWP 4048010)]
    [New Thread 0x7ffff33fe700 (LWP 4048011)]
    Connection opened
    [New Thread 0x7ffff2bfd700 (LWP 4048307)]
    
    Thread 4 "server_example_" received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 0x7ffff2bfd700 (LWP 4048307)]
    0x0000555555661b68 in AcseConnection_parseMessage (self=0x608000004020, message=0x6060000030a8) at src/mms/iso_acse/acse.c:429
    429         uint8_t messageType = buffer[bufPos++];
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x0
     RBX  0x7ffff2bfca20 ◂— 0x41b58ab3
     RCX  0x0
     RDX  0x0
     RDI  0x7ffff2bfca80 —▸ 0x7ffff2bfce60 ◂— 0x0
     RSI  0x0
     R8   0x0
     R9   0x32
     R10  0x40
     R11  0x0
     R12  0xffffe57f944 ◂— 0x0
     R13  0x7ffff2bfca20 ◂— 0x41b58ab3
     R14  0x7ffff2bfcb40 ◂— 0x41b58ab3
     R15  0x7ffff2bfcf80 ◂— 0x0
     RBP  0x7ffff2bfcaa0 —▸ 0x7ffff2bfce80 —▸ 0x7ffff2bfceb0 ◂— 0x0
     RSP  0x7ffff2bfc9f0 —▸ 0x6060000030a8 ◂— 0x0
     RIP  0x555555661b68 (AcseConnection_parseMessage+383) ◂— movzx  eax, byte ptr [rcx]
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
     ► 0x555555661b68 <AcseConnection_parseMessage+383>    movzx  eax, byte ptr [rcx]
       0x555555661b6b <AcseConnection_parseMessage+386>    mov    byte ptr [rbp - 0x95], al
       0x555555661b71 <AcseConnection_parseMessage+392>    mov    ecx, dword ptr [rbp - 0x90]
       0x555555661b77 <AcseConnection_parseMessage+398>    mov    edx, dword ptr [rbp - 0x8c]
       0x555555661b7d <AcseConnection_parseMessage+404>    lea    rsi, [rdi - 0x40]
       0x555555661b81 <AcseConnection_parseMessage+408>    mov    rax, qword ptr [rbp - 0x88]
       0x555555661b88 <AcseConnection_parseMessage+415>    mov    rdi, rax
       0x555555661b8b <AcseConnection_parseMessage+418>    call   BerDecoder_decodeLength                <BerDecoder_decodeLength>
    
       0x555555661b90 <AcseConnection_parseMessage+423>    mov    dword ptr [rbp - 0x8c], eax
       0x555555661b96 <AcseConnection_parseMessage+429>    cmp    dword ptr [rbp - 0x8c], 0
       0x555555661b9d <AcseConnection_parseMessage+436>    jns    AcseConnection_parseMessage+448
           <AcseConnection_parseMessage+448>
    ──────────────────────────────────────────[ SOURCE (CODE) ]───────────────────────────────────────────
    In file: /root/disk2/fuzzing/libiec61850/test/libiec61850/src/mms/iso_acse/acse.c
       424
       425     int messageSize = message->size;
       426
       427     int bufPos = 0;
       428
     ► 429     uint8_t messageType = buffer[bufPos++];
       430
       431     int len;
       432
       433     bufPos = BerDecoder_decodeLength(buffer, &len, bufPos, messageSize);
       434
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp     0x7ffff2bfc9f0 —▸ 0x6060000030a8 ◂— 0x0
    01:0008│         0x7ffff2bfc9f8 —▸ 0x608000004020 ◂— 0x0
    02:0010│         0x7ffff2bfca00 —▸ 0x7ffff2bfcb40 ◂— 0x41b58ab3
    03:0018│         0x7ffff2bfca08 —▸ 0xa2310146 ◂— 0x0
    04:0020│         0x7ffff2bfca10 —▸ 0x100000000 ◂— 0x0
    05:0028│         0x7ffff2bfca18 ◂— 0x0
    06:0030│ rbx r13 0x7ffff2bfca20 ◂— 0x41b58ab3
    07:0038│         0x7ffff2bfca28 —▸ 0x5555556d71d8 ◂— '1 32 4 7 len:431'
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x555555661b68 AcseConnection_parseMessage+383
       f 1   0x55555560d60c IsoConnection_handleTcpConnection+1422
       f 2   0x55555560ec5e handleTcpConnection+43
       f 3   0x7ffff7564609 start_thread+217
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  0x0000555555661b68 in AcseConnection_parseMessage (self=0x608000004020, message=0x6060000030a8) at
     src/mms/iso_acse/acse.c:429
    #1  0x000055555560d60c in IsoConnection_handleTcpConnection (self=0x61100000ff40, isSingleThread=false) at src/mms/iso_server/iso_connection.c:233
    #2  0x000055555560ec5e in handleTcpConnection (parameter=0x61100000ff40) at src/mms/iso_server/iso_connection.c:472
    #3  0x00007ffff7564609 in start_thread (arg=<optimized out>) at pthread_create.c:477
    #4  0x00007ffff733c293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

CVE-2021-45769: NULL Pointer Dereference in AcseConnection_parseMessage · Issue #368 · mz-automation/libiec61850

GPAC 1.1.0 was discovered to contain an invalid memory address dereference via the function lsr_read_id(). This vulnerability can lead to a Denial of Service (DoS).

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

An invalid memory address dereference was discovered in lsr\_read\_id(). The vulnerability causes a segmentation fault and application crash.

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-rev1555-g339e7a736-master
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --prefix=/root/fuck_bin/gpac/test
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

**POCs**  
lsr\_read\_id.zip

    tree
    .
    ├── lsr_read_id-lsr_read_a
    │   └── id_000661,sig_11,src_005751,op_havoc,rep_4
    ├── lsr_read_id-lsr_read_animate
    │   ├── id_000623,sig_11,src_005500+003857,op_splice,rep_2
    │   ├── id_000669,sig_11,src_005818,op_havoc,rep_8
    │   └── id_000707,sig_11,src_006355,op_havoc,rep_8
    ├── lsr_read_id-lsr_read_audio.isra
    │   └── id_000539,sig_11,src_004864,op_havoc,rep_8
    ├── lsr_read_id-lsr_read_ellipse
    │   ├── id_000540,sig_11,src_004864,op_havoc,rep_8
    │   └── id_000681,sig_06,src_005943,op_havoc,rep_2
    ├── lsr_read_id-lsr_read_linearGradient
    │   └── id_000407,sig_11,src_004547,op_havoc,rep_2
    ├── lsr_read_id-lsr_read_polygon
    │   ├── id_000424,sig_11,src_004557,op_havoc,rep_4
    │   └── id_000533,sig_06,src_004856+005154,op_splice,rep_4
    ├── lsr_read_id-lsr_read_rect
    │   └── id_000653,sig_06,src_005718+005529,op_splice,rep_2
    └── lsr_read_id-lsr_read_scene_content_model
        ├── id_000457,sig_11,src_004611,op_havoc,rep_2
        └── id_000687,sig_11,src_006098,op_havoc,rep_4
    
    8 directories, 13 files
    

**Result**

The result is omitted here.

**gdb**

The gdb result is omitted here.

CVE-2021-45767: Invalid memory address dereference in lsr_read_id() · Issue #1982 · gpac/gpac

A NULL pointer dereference in CS104_IPAddress_setFromString at src/iec60870/cs104/cs104_slave.c of lib60870 commit 0d5e76e can lead to a segmentation fault or application crash.

**NULL Pointer Dereference in CS104\_IPAddress\_setFromString****Description**

A NULL Pointer Dereference was discovered in CS104\_IPAddress\_setFromString at src/iec60870/cs104/cs104\_slave.c:785. The vulnerability causes a segmentation fault and application crash.

If the ipAddrStr is NULL, strchr() will crash. Should there be a check?

**version**

0d5e76e

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**gdb**

    LD_PRELOAD="/root/tools/preeny-master/build/lib/libdesock.so" ./cs104_redundancy_server
    New connection request from (null)
    [1]    128322 segmentation fault  LD_PRELOAD="/root/tools/preeny-master/build/lib/libdesock.so"
    

    pwndbg>
    0x0000555555568557      785         if (strchr(ipAddrStr, '.') != NULL) {
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x0
     RBX  0x0
     RCX  0x7ffff7e9739b (getpeername+11) ◂— cmp    rax, -0xfff
     RDX  0x0
    *RDI  0x0
     RSI  0x2e
     R8   0x0
     R9   0x23
     R10  0x55555557110e ◂— 0x63656e6e6f43000a /* '\n' */
     R11  0x246
     R12  0x7fffffffde9e ◂— 0x5555555a60600000
     R13  0x7fffffffde9f ◂— 0x5555555a606000
     R14  0x7fffffffdea0 —▸ 0x5555555a6060 ◂— 0x0
     R15  0x7ffff7d6afc0 ◂— 0x0
     RBP  0x7ffff7d6ade0 —▸ 0x7ffff7d6ae40 —▸ 0x7ffff7d6aef0 ◂— 0x0
     RSP  0x7ffff7d6adc0 ◂— 0x0
    *RIP  0x555555568557 (CS104_IPAddress_setFromString+32) ◂— call   0x5555555574e0
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
       0x555555568543 <CS104_IPAddress_setFromString+12>    mov    qword ptr [rbp - 0x18], rdi
       0x555555568547 <CS104_IPAddress_setFromString+16>    mov    qword ptr [rbp - 0x20], rsi
       0x55555556854b <CS104_IPAddress_setFromString+20>    mov    rax, qword ptr [rbp - 0x20]
       0x55555556854f <CS104_IPAddress_setFromString+24>    mov    esi, 0x2e
       0x555555568554 <CS104_IPAddress_setFromString+29>    mov    rdi, rax
     ► 0x555555568557 <CS104_IPAddress_setFromString+32>    call   strchr@plt                <strchr@plt>
            s: 0x0
            c: 0x2e
    
       0x55555556855c <CS104_IPAddress_setFromString+37>    test   rax, rax
       0x55555556855f <CS104_IPAddress_setFromString+40>    je     CS104_IPAddress_setFromString+165                <CS104_IPAddress_setFromString+165>
    
       0x555555568561 <CS104_IPAddress_setFromString+42>    mov    rax, qword ptr [rbp - 0x18]
       0x555555568565 <CS104_IPAddress_setFromString+46>    mov    dword ptr [rax + 0x10], 0
       0x55555556856c <CS104_IPAddress_setFromString+53>    mov    dword ptr [rbp - 0xc], 0
    ──────────────────────────────────────────[ SOURCE (CODE) ]───────────────────────────────────────────
    In file: /root/disk2/fuzzing/lib60870/test/lib60870/lib60870-C/src/iec60870/cs104/cs104_slave.c
       780 };
       781
       782 static void
       783 CS104_IPAddress_setFromString(CS104_IPAddress self, const char* ipAddrStr)
       784 {
     ► 785     if (strchr(ipAddrStr, '.') != NULL) {
       786         /* parse IPv4 string */
       787         self->type = IP_ADDRESS_TYPE_IPV4;
       788
       789         int i;
       790
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7ffff7d6adc0 ◂— 0x0
    01:0008│     0x7ffff7d6adc8 —▸ 0x7ffff7d6ae20 —▸ 0x7ffff7d6ae40 —▸ 0x7ffff7d6aef0 ◂— 0x0
    02:0010│     0x7ffff7d6add0 —▸ 0x7ffff0000ef0 ◂— 0x4
    03:0018│     0x7ffff7d6add8 —▸ 0x55555557d2d0 —▸ 0x5555555579ed (interrogationHandler) ◂— endbr64
    04:0020│ rbp 0x7ffff7d6ade0 —▸ 0x7ffff7d6ae40 —▸ 0x7ffff7d6aef0 ◂— 0x0
    05:0028│     0x7ffff7d6ade8 —▸ 0x55555556c0c1 (getMatchingRedundancyGroup+54) ◂— mov    qword ptr [rbp - 0x40], 0
    06:0030│     0x7ffff7d6adf0 ◂— 0x0
    07:0038│     0x7ffff7d6adf8 —▸ 0x55555557d2d0 —▸ 0x5555555579ed (interrogationHandler) ◂— endbr64
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x555555568557 CS104_IPAddress_setFromString+32
       f 1   0x55555556c0c1 getMatchingRedundancyGroup+54
       f 2   0x55555556c64f serverThread+523
       f 3   0x7ffff7f6f609 start_thread+217
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> c
    Continuing.
    
    Thread 2 "cs104_redundanc" received signal SIGSEGV, Segmentation fault.
    __strchr_avx2 () at ../sysdeps/x86_64/multiarch/strchr-avx2.S:57
    57      ../sysdeps/x86_64/multiarch/strchr-avx2.S: No such file or directory.
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x0
     RBX  0x0
    *RCX  0x0
     RDX  0x0
     RDI  0x0
     RSI  0x2e
     R8   0x0
     R9   0x23
     R10  0x55555557110e ◂— 0x63656e6e6f43000a /* '\n' */
     R11  0x246
     R12  0x7fffffffde9e ◂— 0x5555555a60600000
     R13  0x7fffffffde9f ◂— 0x5555555a606000
     R14  0x7fffffffdea0 —▸ 0x5555555a6060 ◂— 0x0
     R15  0x7ffff7d6afc0 ◂— 0x0
     RBP  0x7ffff7d6ade0 —▸ 0x7ffff7d6ae40 —▸ 0x7ffff7d6aef0 ◂— 0x0
    *RSP  0x7ffff7d6adb8 —▸ 0x55555556855c (CS104_IPAddress_setFromString+37) ◂— test   rax, rax
    *RIP  0x7ffff7eff08c (__strchr_avx2+28) ◂— vmovdqu ymm8, ymmword ptr [rdi]
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
     ► 0x7ffff7eff08c <__strchr_avx2+28>     vmovdqu ymm8, ymmword ptr [rdi]
       0x7ffff7eff090 <__strchr_avx2+32>     vpcmpeqb ymm1, ymm0, ymm8
       0x7ffff7eff095 <__strchr_avx2+37>     vpcmpeqb ymm2, ymm9, ymm8
       0x7ffff7eff09a <__strchr_avx2+42>     vpor   ymm1, ymm2, ymm1
       0x7ffff7eff09e <__strchr_avx2+46>     vpmovmskb eax, ymm1
       0x7ffff7eff0a2 <__strchr_avx2+50>     test   eax, eax
       0x7ffff7eff0a4 <__strchr_avx2+52>     jne    __strchr_avx2+400                <__strchr_avx2+400>
        ↓
       0x7ffff7eff200 <__strchr_avx2+400>    tzcnt  eax, eax
       0x7ffff7eff204 <__strchr_avx2+404>    xor    edx, edx
       0x7ffff7eff206 <__strchr_avx2+406>    lea    rax, [rdi + rax]
       0x7ffff7eff20a <__strchr_avx2+410>    cmp    sil, byte ptr [rax]
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7ffff7d6adb8 —▸ 0x55555556855c (CS104_IPAddress_setFromString+37) ◂— test   rax, rax
    01:0008│     0x7ffff7d6adc0 ◂— 0x0
    02:0010│     0x7ffff7d6adc8 —▸ 0x7ffff7d6ae20 —▸ 0x7ffff7d6ae40 —▸ 0x7ffff7d6aef0 ◂— 0x0
    03:0018│     0x7ffff7d6add0 —▸ 0x7ffff0000ef0 ◂— 0x4
    04:0020│     0x7ffff7d6add8 —▸ 0x55555557d2d0 —▸ 0x5555555579ed (interrogationHandler) ◂— endbr64
    05:0028│ rbp 0x7ffff7d6ade0 —▸ 0x7ffff7d6ae40 —▸ 0x7ffff7d6aef0 ◂— 0x0
    06:0030│     0x7ffff7d6ade8 —▸ 0x55555556c0c1 (getMatchingRedundancyGroup+54) ◂— mov    qword ptr [rbp - 0x40], 0
    07:0038│     0x7ffff7d6adf0 ◂— 0x0
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff7eff08c __strchr_avx2+28
       f 1   0x55555556855c CS104_IPAddress_setFromString+37
       f 2   0x55555556c0c1 getMatchingRedundancyGroup+54
       f 3   0x55555556c64f serverThread+523
       f 4   0x7ffff7f6f609 start_thread+217
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg>

CVE-2021-45773: NULL Pointer Dereference in CS104_IPAddress_setFromString · Issue #100 · mz-automation/lib60870

GPAC v1.1.0 was discovered to contain an invalid memory address dereference via the function shift_chunk_offsets.isra().

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

An invalid memory address dereference was discovered in shift\_chunk\_offsets.isra(). The vulnerability causes a segmentation fault and application crash.

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration:
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

poc\_9.zip

**Result**

    [iso file] Unknown box type stbU in parent minf
    [iso file] Track with no sample table !
    [iso file] Track with no sample description box !
    [iso file] Box "trak" is larger than container box
    [iso file] Box "moov" size 256 (start 20) invalid (read 2209)
    [iso file] Unknown top-level box type 079Fmd
    Saving ./poc/poc_9: In-place rewrite
    [1]    2265002 segmentation fault  ./MP4Box -hint ./poc/poc_9
    

**gdb**

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff7981ba3 in shift_chunk_offsets.isra () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ───────────────────────────────[ REGISTERS ]──────────────────────────────── RAX  0x5555555cc6e0 ◂— 0x6d696e66 /* 'fnim' */
     RBX  0x5555555ccfe0 ◂— 0x7374626c /* 'lbts' */
     RCX  0x0
     RDX  0x5555555cf160 ◂— 0x6d646961 /* 'aidm' */
     RDI  0x28
     RSI  0x34
     R8   0x14
     R9   0x0
     R10  0x7ffff775d6fa ◂— 'gf_isom_box_size'
     R11  0x7ffff796bce0 (gf_isom_box_size) ◂— endbr64
     R12  0x5555555c72a0 ◂— 0xffffffec
     R13  0x14
     R14  0x1
     R15  0x7fffffff7e80 ◂— 0x0
     RBP  0x0
     RSP  0x7fffffff7e00 ◂— 0xf7747c68
     RIP  0x7ffff7981ba3 (shift_chunk_offsets.isra+19) ◂— mov    esi, dword ptr [rsi]
    ─────────────────────────────────[ DISASM ]───────────────────────────────── ► 0x7ffff7981ba3 <shift_chunk_offsets.isra+19>     mov    esi, dword ptr [rsi]
       0x7ffff7981ba5 <shift_chunk_offsets.isra+21>     mov    qword ptr [rsp + 8], rdi
       0x7ffff7981baa <shift_chunk_offsets.isra+26>     mov    qword ptr [rsp + 0x10], rdx
       0x7ffff7981baf <shift_chunk_offsets.isra+31>     mov    dword ptr [rsp + 0x2c], r9d
       0x7ffff7981bb4 <shift_chunk_offsets.isra+36>     test   esi, esi
       0x7ffff7981bb6 <shift_chunk_offsets.isra+38>     je     shift_chunk_offsets.isra+175                <shift_chunk_offsets.isra+175>
        ↓
       0x7ffff7981c3f <shift_chunk_offsets.isra+175>    add    rsp, 0x38
       0x7ffff7981c43 <shift_chunk_offsets.isra+179>    xor    eax, eax
       0x7ffff7981c45 <shift_chunk_offsets.isra+181>    pop    rbx
       0x7ffff7981c46 <shift_chunk_offsets.isra+182>    pop    rbp
       0x7ffff7981c47 <shift_chunk_offsets.isra+183>    pop    r12
    ─────────────────────────────────[ STACK ]──────────────────────────────────00:0000│ rsp 0x7fffffff7e00 ◂— 0xf7747c68
    01:0008│     0x7fffffff7e08 ◂— 0x0
    02:0010│     0x7fffffff7e10 ◂— 0x999
    03:0018│     0x7fffffff7e18 ◂— 0x34 /* '4' */
    04:0020│     0x7fffffff7e20 —▸ 0x7ffff7fc7368 —▸ 0x7ffff7ffe450 —▸ 0x7ffff73131e0 —▸ 0x7ffff7ffe190 ◂— ...
    05:0028│     0x7fffffff7e28 —▸ 0x7fffffff7f68 —▸ 0x7ffff7751b48 ◂— 0xe0012000053a2
    06:0030│     0x7fffffff7e30 —▸ 0x7ffff775d6fa ◂— 'gf_isom_box_size'
    07:0038│     0x7fffffff7e38 —▸ 0x5555555ccfe0 ◂— 0x7374626c /* 'lbts' */
    ───────────────────────────────[ BACKTRACE ]──────────────────────────────── ► f 0   0x7ffff7981ba3 shift_chunk_offsets.isra+19
       f 1   0x7ffff7981fd0 inplace_shift_moov_meta_offsets+224
       f 2   0x7ffff7982a5c inplace_shift_mdat+732
       f 3   0x7ffff7986c29 WriteToFile+2713
       f 4   0x7ffff7978042 gf_isom_write+370
       f 5   0x7ffff79780c8 gf_isom_close+24
       f 6   0x55555557ad12 mp4boxMain+7410
       f 7   0x7ffff75630b3 __libc_start_main+243
    ────────────────────────────────────────────────────────────────────────────pwndbg> bt
    #0  0x00007ffff7981ba3 in shift_chunk_offsets.isra () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #1  0x00007ffff7981fd0 in inplace_shift_moov_meta_offsets () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #2  0x00007ffff7982a5c in inplace_shift_mdat () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #3  0x00007ffff7986c29 in WriteToFile () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #4  0x00007ffff7978042 in gf_isom_write () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #5  0x00007ffff79780c8 in gf_isom_close () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #6  0x000055555557ad12 in mp4boxMain ()
    #7  0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe218, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe208) at ../csu/libc-start.c:308
    #8  0x000055555556c45e in _start ()

CVE-2021-45764: Invalid memory address dereference in shift_chunk_offsets.isra() · Issue #1971 · gpac/gpac

ROPium v3.1 was discovered to contain an invalid memory address dereference via the find() function.

An issue was discovered in ROPium 3.1. An invalid memory address dereference was discovered in find(). The vulnerability causes a segmentation fault and application crash.

POC

    aidai@ubuntu:~/Desktop$ ropium
    
    ROPium - v3.1
    
    (ropium)> find                                                                  
    
    	[!] You must load a binary before finding ropchains
    
    (ropium)> load -a X64 aidai                                                     
    
    	[!] Skipped: aidai (file doesn't exist)
    
    (ropium)> find                                                                  
    Segmentation fault (core dumped)
    

    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ─────────────────────────────────[ REGISTERS ]──────────────────────────────────
     RAX  0x7
     RBX  0x1e26bf0 —▸ 0x1e105b0 —▸ 0x7f58fe11a900 —▸ 0x7f58fde45b90 ◂— mov    rax, qword ptr [rip + 0x2d50f9]
     RCX  0x0
     RDX  0x9
     RDI  0x1e26bf0 —▸ 0x1e105b0 —▸ 0x7f58fe11a900 —▸ 0x7f58fde45b90 ◂— mov    rax, qword ptr [rip + 0x2d50f9]
     RSI  0x0
     R8   0x2
     R9   0x0
     R10  0x100
     R11  0x7ffdeddde370 —▸ 0x7ffdeddde380 —▸ 0x1ecbee0 ◂— add    byte ptr [rax], al
     R12  0x1c509e0 ◂— add    byte ptr [rax], al
     R13  0x7ffdeddde640 ◂— 0x0
     R14  0x9
     R15  0x1c50a10 ◂— add    dword ptr [rax], eax
     RBP  0x1c509e0 ◂— add    byte ptr [rax], al
     RSP  0x7ffdeddde608 —▸ 0x7f58fdec0145 ◂— test   al, al
     RIP  0x7f58fdeb5c40 ◂— mov    ecx, dword ptr [rsi]
    ───────────────────────────────────[ DISASM ]───────────────────────────────────
     ► 0x7f58fdeb5c40    mov    ecx, dword ptr [rsi]
       0x7f58fdeb5c42    mov    eax, 1
       0x7f58fdeb5c47    cmp    ecx, 0x13
       0x7f58fdeb5c4a    je     0x7f58fdeb5c53
        ↓
       0x7f58fdeb5c53    ret    
     
       0x7f58fdeb5c55    nop    dword ptr [rax]
       0x7f58fdeb5c58    sub    edx, 7
       0x7f58fdeb5c5b    cmp    edx, 1
       0x7f58fdeb5c5e    setbe  al
       0x7f58fdeb5c61    ret    
     
       0x7f58fdeb5c62    nop    dword ptr [rax]
    ───────────────────────────────────[ STACK ]────────────────────────────────────
    00:0000│ rsp  0x7ffdeddde608 —▸ 0x7f58fdec0145 ◂— test   al, al
    01:0008│      0x7ffdeddde610 —▸ 0x7f58fa641950 ◂— or     dword ptr [rax], eax /* '\t' */
    02:0010│      0x7ffdeddde618 ◂— 0x2fa629d68
    03:0018│      0x7ffdeddde620 ◂— 0x0
    ... ↓
    06:0030│      0x7ffdeddde638 ◂— 0x56056b
    07:0038│ r13  0x7ffdeddde640 ◂— 0x0
    ─────────────────────────────────[ BACKTRACE ]──────────────────────────────────
     ► f 0     7f58fdeb5c40
       f 1     7f58fdec0145
       f 2     7f58fa641950
       f 3        2fa629d68
       f 4                0
    ────────────────────────────────────────────────────────────────────────────────

CVE-2021-45761: Invalid memory address dereference in find() · Issue #32 · Boyan-MILANOV/ropium

GPAC v1.1.0 was discovered to contain an invalid memory address dereference via the function gf_sg_vrml_mf_reset(). This vulnerability allows attackers to cause a Denial of Service (DoS).

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

An invalid memory address dereference was discovered in gf\_sg\_vrml\_mf\_reset(). The vulnerability causes a segmentation fault and application crash.

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration:
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

poc\_14.zip

**Result**

    ./MP4Box -lsr ./poc/poc_14
    [iso file] Box "stco" (start 2057) has 6144 extra bytes
    [iso file] Box "stco" is larger than container box
    [iso file] Box "stbl" size 1814 (start 415) invalid (read 7894)
    [iso file] Unknown box type 00040000 in parent dref
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Box "stss" (start 9939) has 32 extra bytes
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Track with no sample description box !
    [iso file] Incomplete box mdat - start 11495 size 859244
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] Box "stco" (start 2057) has 6144 extra bytes
    [iso file] Box "stco" is larger than container box
    [iso file] Box "stbl" size 1814 (start 415) invalid (read 7894)
    [iso file] Unknown box type 00040000 in parent dref
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Box "stss" (start 9939) has 32 extra bytes
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Track with no sample description box !
    [iso file] Incomplete box mdat - start 11495 size 859244
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 BIFS Scene Parsing
    [1]    250723 segmentation fault  ./MP4Box -lsr ./poc/poc_14
    

**gdb**

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff78a0d66 in gf_sg_vrml_mf_reset () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ───────────────────────────────[ REGISTERS ]────────────────────────────────
     RAX  0x0
     RBX  0x0
     RCX  0x7fffffff6160 ◂— 0x3f00000004
     RDX  0x8
     RDI  0x0
     RSI  0x3f
     R8   0x0
     R9   0x0
     R10  0x7ffff775c1f5 ◂— 'gf_sg_script_field_get_info'
     R11  0x7ffff788f770 (gf_sg_script_field_get_info) ◂— endbr64
     R12  0x7fffffff6160 ◂— 0x3f00000004
     R13  0x5555555deb80 ◂— 0x0
     R14  0x5555555dfbb0 —▸ 0x5555555dfbe0 ◂— 0x100000051 /* 'Q' */
     R15  0x1d61
     RBP  0x5555555d5d60 ◂— 0x0
     RSP  0x7fffffff6118 —▸ 0x7ffff790fbe2 (gf_bifs_dec_field+130) ◂— mov    r15d, eax
     RIP  0x7ffff78a0d66 (gf_sg_vrml_mf_reset+6) ◂— cmp    qword ptr [rdi + 8], 0
    ───────────────────────────────────────[ DISASM ]────────────────────────────────────────
     ► 0x7ffff78a0d66 <gf_sg_vrml_mf_reset+6>      cmp    qword ptr [rdi + 8], 0
       0x7ffff78a0d6b <gf_sg_vrml_mf_reset+11>     je     gf_sg_vrml_mf_reset+144
        <gf_sg_vrml_mf_reset+144>
        ↓
       0x7ffff78a0df0 <gf_sg_vrml_mf_reset+144>    ret
    
       0x7ffff78a0df1 <gf_sg_vrml_mf_reset+145>    nop    dword ptr [rax]
       0x7ffff78a0df8 <gf_sg_vrml_mf_reset+152>    mov    eax, dword ptr [rbp]
       0x7ffff78a0dfb <gf_sg_vrml_mf_reset+155>    mov    r13, qword ptr [rbp + 8]
       0x7ffff78a0dff <gf_sg_vrml_mf_reset+159>    test   eax, eax
       0x7ffff78a0e01 <gf_sg_vrml_mf_reset+161>    je     gf_sg_vrml_mf_reset+198
        <gf_sg_vrml_mf_reset+198>
        ↓
       0x7ffff78a0e26 <gf_sg_vrml_mf_reset+198>    mov    rdi, r13
       0x7ffff78a0e29 <gf_sg_vrml_mf_reset+201>    call   gf_free@plt                <gf_free@plt>
    
       0x7ffff78a0e2e <gf_sg_vrml_mf_reset+206>    jmp    gf_sg_vrml_mf_reset+100
        <gf_sg_vrml_mf_reset+100>
    ────────────────────────────────────────[ STACK ]────────────────────────────────────────
    00:0000│ rsp 0x7fffffff6118 —▸ 0x7ffff790fbe2 (gf_bifs_dec_field+130) ◂— mov    r15d, eax
    01:0008│     0x7fffffff6120 —▸ 0x7fffffff65b0 —▸ 0x5555555dfbb0 —▸ 0x5555555dfbe0 ◂— 0x100000051 /* 'Q' */
    02:0010│     0x7fffffff6128 —▸ 0x7fffffff65b0 —▸ 0x5555555dfbb0 —▸ 0x5555555dfbe0 ◂— 0x100000051 /* 'Q' */
    03:0018│     0x7fffffff6130 ◂— 0x0
    04:0020│     0x7fffffff6138 —▸ 0x5555555e0210 ◂— 0x3f00000000
    05:0028│     0x7fffffff6140 —▸ 0x7fffffff6160 ◂— 0x3f00000004
    06:0030│     0x7fffffff6148 —▸ 0x7fffffff65b0 —▸ 0x5555555dfbb0 —▸ 0x5555555dfbe0 ◂— 0x100000051 /* 'Q' */
    07:0038│     0x7fffffff6150 ◂— 0x1d61
    ──────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────
     ► f 0   0x7ffff78a0d66 gf_sg_vrml_mf_reset+6
       f 1   0x7ffff790fbe2 gf_bifs_dec_field+130
       f 2   0x7ffff7916f02 ParseScriptField+274
       f 3   0x7ffff7919c50 SFScript_Parse+1056
       f 4   0x7ffff790eb3c gf_bifs_dec_sf_field+1548
       f 5   0x7ffff790eff2 BD_DecMFFieldList+242
       f 6   0x7ffff790fac5 gf_bifs_dec_node_mask+421
       f 7   0x7ffff790e158 gf_bifs_dec_node+936
    ─────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  0x00007ffff78a0d66 in gf_sg_vrml_mf_reset () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #1  0x00007ffff790fbe2 in gf_bifs_dec_field () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #2  0x00007ffff7916f02 in ParseScriptField () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #3  0x00007ffff7919c50 in SFScript_Parse () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #4  0x00007ffff790eb3c in gf_bifs_dec_sf_field () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #5  0x00007ffff790eff2 in BD_DecMFFieldList () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #6  0x00007ffff790fac5 in gf_bifs_dec_node_mask () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #7  0x00007ffff790e158 in gf_bifs_dec_node () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #8  0x00007ffff790f3b4 in BD_DecMFFieldVec () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #9  0x00007ffff790f7f7 in gf_bifs_dec_node_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #10 0x00007ffff790e066 in gf_bifs_dec_node () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #11 0x00007ffff7906580 in BD_DecSceneReplace () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #12 0x00007ffff7914e5e in BM_SceneReplace () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #13 0x00007ffff7915023 in BM_ParseCommand () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #14 0x00007ffff7915353 in gf_bifs_decode_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #15 0x00007ffff7aa1d91 in gf_sm_load_run_isom () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #16 0x00005555555844a8 in dump_isom_scene ()
    #17 0x000055555557b42c in mp4boxMain ()
    #18 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe208, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe1f8) at ../csu/libc-start.c:308
    #19 0x000055555556c45e in _start ()

CVE-2021-45762: Invalid memory address dereference in gf_sg_vrml_mf_reset() · Issue #1978 · gpac/gpac

GPAC v1.1.0 was discovered to contain an invalid call in the function gf_node_changed(). This vulnerability can lead to a Denial of Service (DoS).

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

An invalid call was discovered in gf\_node\_changed(). The vulnerability causes a segmentation fault and application crash.

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration:
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

    ./MP4Box -bt ./poc/poc_11
    

poc\_11.zip

**Result**

    ./MP4Box -bt ./poc/poc_10
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type traI in parent moov
    [iso file] Box "stss" (start 9939) has 32 extra bytes
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Track with no sample description box !
    [iso file] Incomplete box mdat - start 11495 size 861261
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type traI in parent moov
    [iso file] Box "stss" (start 9939) has 32 extra bytes
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Track with no sample description box !
    [iso file] Incomplete box mdat - start 11495 size 861261
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 BIFS Scene Parsing
    [1]    1142870 segmentation fault  ./MP4Box -bt ./poc/poc_10
    

**gdb**

    Program received signal SIGSEGV, Segmentation fault.
    0x0000000000000001 in ?? ()
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x1
     RBX  0x7fffffff6bc0 ◂— 0x0
     RCX  0x7fffffff6bc0 ◂— 0x0
     RDX  0x5555555e6230 —▸ 0x5555555e6270 ◂— 0x0
     RDI  0x0
     RSI  0x1
     R8   0x0
     R9   0x0
     R10  0x7ffff775ba62 ◂— 'gf_node_changed'
     R11  0x7ffff784a0f0 (gf_node_changed) ◂— endbr64
     R12  0x5555555c6010 ◂— 0x200000002
     R13  0x5555555e5100 ◂— 0x0
     R14  0x5555555e6230 —▸ 0x5555555e6270 ◂— 0x0
     R15  0x7fffffff6bc0 ◂— 0x0
     RBP  0x5555555e6230 —▸ 0x5555555e6270 ◂— 0x0
     RSP  0x7fffffff6a88 —▸ 0x7ffff784a1ca (gf_node_changed+218) ◂— test   rbx, rbx
     RIP  0x1
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
    Invalid address 0x1
    
    
    
    
    
    
    
    
    
    
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff6a88 —▸ 0x7ffff784a1ca (gf_node_changed+218) ◂— test   rbx, rbx
    01:0008│     0x7fffffff6a90 ◂— 0x0
    ... ↓        3 skipped
    05:0028│     0x7fffffff6ab0 ◂— 0x7374636f /* 'octs' */
    06:0030│     0x7fffffff6ab8 —▸ 0x5555555e4fd0 ◂— 0x7374636f /* 'octs' */
    07:0038│     0x7fffffff6ac0 ◂— 0x2
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0              0x1
       f 1   0x7ffff784a1ca gf_node_changed+218
       f 2   0x7ffff784b675 gf_sg_reset+805
       f 3   0x7ffff784ba47 gf_sg_del+55
       f 4   0x7ffff788b7f8 gf_sg_proto_del+424
       f 5   0x7ffff7905f88 gf_bifs_dec_proto_list+680
       f 6   0x7ffff7913a11 BM_ParseInsert+769
       f 7   0x7ffff7914fe1 BM_ParseCommand+113
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  0x0000000000000001 in ?? ()
    #1  0x00007ffff784a1ca in gf_node_changed () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #2  0x00007ffff784b675 in gf_sg_reset () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #3  0x00007ffff784ba47 in gf_sg_del () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #4  0x00007ffff788b7f8 in gf_sg_proto_del () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #5  0x00007ffff7905f88 in gf_bifs_dec_proto_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #6  0x00007ffff7913a11 in BM_ParseInsert () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #7  0x00007ffff7914fe1 in BM_ParseCommand () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #8  0x00007ffff7915353 in gf_bifs_decode_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #9  0x00007ffff7aa1d91 in gf_sm_load_run_isom () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #10 0x00005555555844a8 in dump_isom_scene ()
    #11 0x000055555557b42c in mp4boxMain ()
    #12 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe1b8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe1a8) at ../csu/libc-start.c:308
    #13 0x000055555556c45e in _start ()
    

`break gf_node_changed`

    pwndbg>
    0x00007ffff784a1c8 in gf_node_changed () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x1
     RBX  0x7fffffff6bc0 ◂— 0x0
     RCX  0x7fffffff6bc0 ◂— 0x0
     RDX  0x5555555e6230 —▸ 0x5555555e6270 ◂— 0x0
     RDI  0x0
    *RSI  0x1
     R8   0x0
     R9   0x0
     R10  0x7ffff775ba62 ◂— 'gf_node_changed'
     R11  0x7ffff784a0f0 (gf_node_changed) ◂— endbr64
     R12  0x5555555c6010 ◂— 0x200000002
     R13  0x5555555e5100 ◂— 0x0
     R14  0x5555555e6230 —▸ 0x5555555e6270 ◂— 0x0
     R15  0x7fffffff6bc0 ◂— 0x0
     RBP  0x5555555e6230 —▸ 0x5555555e6270 ◂— 0x0
     RSP  0x7fffffff6a90 ◂— 0x0
    *RIP  0x7ffff784a1c8 (gf_node_changed+216) ◂— call   rax
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
       0x7ffff784a1b6 <gf_node_changed+198>    je     gf_node_changed+223                <gf_node_changed+223>
    
       0x7ffff784a1b8 <gf_node_changed+200>    mov    rdi, qword ptr [r12 + 0x28]
       0x7ffff784a1bd <gf_node_changed+205>    mov    rcx, rbx
       0x7ffff784a1c0 <gf_node_changed+208>    mov    rdx, rbp
       0x7ffff784a1c3 <gf_node_changed+211>    mov    esi, 1
     ► 0x7ffff784a1c8 <gf_node_changed+216>    call   rax                           <1>
    
       0x7ffff784a1ca <gf_node_changed+218>    test   rbx, rbx
       0x7ffff784a1cd <gf_node_changed+221>    je     gf_node_changed+233                <gf_node_changed+233>
    
       0x7ffff784a1cf <gf_node_changed+223>    mov    eax, dword ptr [rbx]
       0x7ffff784a1d1 <gf_node_changed+225>    sub    eax, 0x63
       0x7ffff784a1d4 <gf_node_changed+228>    and    eax, 0xfffffffd
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff6a90 ◂— 0x0
    ... ↓        3 skipped
    04:0020│     0x7fffffff6ab0 ◂— 0x7374636f /* 'octs' */
    05:0028│     0x7fffffff6ab8 —▸ 0x5555555e4fd0 ◂— 0x7374636f /* 'octs' */
    06:0030│     0x7fffffff6ac0 ◂— 0x2
    07:0038│     0x7fffffff6ac8 ◂— 0x8000000000000006
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff784a1c8 gf_node_changed+216
       f 1   0x7ffff784b675 gf_sg_reset+805
       f 2   0x7ffff784ba47 gf_sg_del+55
       f 3   0x7ffff788b7f8 gf_sg_proto_del+424
       f 4   0x7ffff7905f88 gf_bifs_dec_proto_list+680
       f 5   0x7ffff7913a11 BM_ParseInsert+769
       f 6   0x7ffff7914fe1 BM_ParseCommand+113
       f 7   0x7ffff7915353 gf_bifs_decode_command_list+163
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg>
    
    Program received signal SIGSEGV, Segmentation fault.
    0x0000000000000001 in ?? ()
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x1
     RBX  0x7fffffff6bc0 ◂— 0x0
     RCX  0x7fffffff6bc0 ◂— 0x0
     RDX  0x5555555e6230 —▸ 0x5555555e6270 ◂— 0x0
     RDI  0x0
     RSI  0x1
     R8   0x0
     R9   0x0
     R10  0x7ffff775ba62 ◂— 'gf_node_changed'
     R11  0x7ffff784a0f0 (gf_node_changed) ◂— endbr64
     R12  0x5555555c6010 ◂— 0x200000002
     R13  0x5555555e5100 ◂— 0x0
     R14  0x5555555e6230 —▸ 0x5555555e6270 ◂— 0x0
     R15  0x7fffffff6bc0 ◂— 0x0
     RBP  0x5555555e6230 —▸ 0x5555555e6270 ◂— 0x0
    *RSP  0x7fffffff6a88 —▸ 0x7ffff784a1ca (gf_node_changed+218) ◂— test   rbx, rbx
    *RIP  0x1
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
    Invalid address 0x1
    
    
    
    
    
    
    
    
    
    
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff6a88 —▸ 0x7ffff784a1ca (gf_node_changed+218) ◂— test   rbx, rbx
    01:0008│     0x7fffffff6a90 ◂— 0x0
    ... ↓        3 skipped
    05:0028│     0x7fffffff6ab0 ◂— 0x7374636f /* 'octs' */
    06:0030│     0x7fffffff6ab8 —▸ 0x5555555e4fd0 ◂— 0x7374636f /* 'octs' */
    07:0038│     0x7fffffff6ac0 ◂— 0x2
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0              0x1
       f 1   0x7ffff784a1ca gf_node_changed+218
       f 2   0x7ffff784b675 gf_sg_reset+805
       f 3   0x7ffff784ba47 gf_sg_del+55
       f 4   0x7ffff788b7f8 gf_sg_proto_del+424
       f 5   0x7ffff7905f88 gf_bifs_dec_proto_list+680
       f 6   0x7ffff7913a11 BM_ParseInsert+769
       f 7   0x7ffff7914fe1 BM_ParseCommand+113
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg>

CVE-2021-45763: Invalid call in gf_node_changed() · Issue #1974 · gpac/gpac

GPAC v1.1.0 was discovered to contain an invalid memory address dereference via the function gf_list_last(). This vulnerability allows attackers to cause a Denial of Service (DoS).

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

An invalid memory address dereference was discovered in dump\_od\_to\_saf.isra(). The vulnerability causes a segmentation fault and application crash.

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration:
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

poc\_3.zip

**Result**

    [ODF] Not enough bytes (38) to read descriptor (size=59)
    [ODF] Error reading descriptor (tag 4 size 49): Invalid MPEG-4 Descriptor
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Incomplete box mdat - start 11495 size 861263
    [iso file] Incomplete file while reading for dump - aborting parsing
    [ODF] Not enough bytes (38) to read descriptor (size=59)
    [ODF] Error reading descriptor (tag 4 size 49): Invalid MPEG-4 Descriptor
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Incomplete box mdat - start 11495 size 861263
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 BIFS Scene Parsing
    Scene loaded - dumping 2 systems streams
    [1]    1390552 segmentation fault  ./MP4Box -lsr ./poc/poc_3
    

**gdb**

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff7ab7e3b in dump_od_to_saf.isra () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x0
     RBX  0x5555555df630 —▸ 0x5555555df601 ◂— 0x2100000000000000
     RCX  0x0
     RDX  0x7ffff72bf040 ◂— 0x7ffff72bf040
     RDI  0x5555555e0400 ◂— 0xfbad2c84
     RSI  0x5555555df440 ◂— 0x7
     R8   0x0
     R9   0x23
     R10  0x7ffff7e4690b ◂— 0x7473200000000022 /* '"' */
     R11  0x7fffffff70c7 ◂— 0x4d0552ab398a0031 /* '1' */
     R12  0x0
     R13  0x5555555df4d0 ◂— 0x0
     R14  0x5555555df070 —▸ 0x5555555e0400 ◂— 0xfbad2c84
     R15  0x5555555dfcb0 ◂— 0x700010003
     RBP  0x1
     RSP  0x7fffffff7200 —▸ 0x5555555df8a0 ◂— 0xc0
     RIP  0x7ffff7ab7e3b (dump_od_to_saf.isra+299) ◂— movzx  edx, byte ptr [rax + 8]
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
     ► 0x7ffff7ab7e3b <dump_od_to_saf.isra+299>    movzx  edx, byte ptr [rax + 8]
       0x7ffff7ab7e3f <dump_od_to_saf.isra+303>    mov    ecx, dword ptr [rax + 4]
       0x7ffff7ab7e42 <dump_od_to_saf.isra+306>    xor    eax, eax
       0x7ffff7ab7e44 <dump_od_to_saf.isra+308>    mov    r8d, dword ptr [rsi + 0x18]
       0x7ffff7ab7e48 <dump_od_to_saf.isra+312>    lea    rsi, [rip + 0x38eac1]
       0x7ffff7ab7e4f <dump_od_to_saf.isra+319>    call   gf_fprintf@plt                <gf_fprintf@plt>
    
       0x7ffff7ab7e54 <dump_od_to_saf.isra+324>    mov    rdx, qword ptr [r13]
       0x7ffff7ab7e58 <dump_od_to_saf.isra+328>    mov    r9, qword ptr [rsp]
       0x7ffff7ab7e5c <dump_od_to_saf.isra+332>    test   rdx, rdx
       0x7ffff7ab7e5f <dump_od_to_saf.isra+335>    jne    dump_od_to_saf.isra+464                <dump_od_to_saf.isra+464>
    
       0x7ffff7ab7e61 <dump_od_to_saf.isra+337>    mov    rdi, qword ptr [r14]
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff7200 —▸ 0x5555555df8a0 ◂— 0xc0
    01:0008│     0x7fffffff7208 ◂— 0x100000002
    02:0010│     0x7fffffff7210 —▸ 0x5555555dfa50 —▸ 0x5555555dfde0 ◂— 0x0
    03:0018│     0x7fffffff7218 ◂— 0x0
    04:0020│     0x7fffffff7220 —▸ 0x5555555dfa50 —▸ 0x5555555dfde0 ◂— 0x0
    05:0028│     0x7fffffff7228 ◂— 0x0
    06:0030│     0x7fffffff7230 ◂— 0x0
    07:0038│     0x7fffffff7238 —▸ 0x5555555df4d0 ◂— 0x0
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff7ab7e3b dump_od_to_saf.isra+299
       f 1   0x7ffff7ac282d gf_sm_dump+1853
       f 2   0x555555584418 dump_isom_scene+616
       f 3   0x55555557b42c mp4boxMain+9228
       f 4   0x7ffff75630b3 __libc_start_main+243
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  0x00007ffff7ab7e3b in dump_od_to_saf.isra () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #1  0x00007ffff7ac282d in gf_sm_dump () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #2  0x0000555555584418 in dump_isom_scene ()
    #3  0x000055555557b42c in mp4boxMain ()
    #4  0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe188, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe178) at ../csu/libc-start.c:308
    #5  0x000055555556c45e in _start ()

CVE-2021-45760: Invalid memory address dereference in dump_od_to_saf.isra() · Issue #1966 · gpac/gpac

The binary MP4Box in Gpac 1.0.1 has a double-free vulnerability in the gf_text_get_utf8_line function in load_text.c, which allows attackers to cause a denial of service, even code execution and escalation of privileges.

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...).

Hi, there.

There is a buffer overflow in gf\_text\_get\_utf8\_line, in commit 592ba26 that results in system abort (core dumped).

Here is my environment, compiler info and gpac version:

    Distributor ID:	Ubuntu
    Description:	Ubuntu 16.04.6 LTS
    Release:	16.04
    Codename:	xenial
    gcc: 5.4.0
    
    MP4Box - GPAC version 1.1.0-DEV-rev1170-g592ba26-master
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    	MINI build (encoders, decoders, audio and video output disabled)
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --static-bin --enable-debug
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D
    

To reproduce, run

POC:  
poc.zip  
(unzip first)

This is the output of the program:

    *** stack smashing detected ***: <unknown> terminated
    Aborted (core dumped)
    

Here is the trace reported by gdb (the stack is smashed):

    Stopped reason: SIGABRT
    gef➤  bt
    #0  0x0000000001f15d08 in raise ()
    #1  0x0000000001f15f3a in abort ()
    #2  0x0000000001f24ed6 in __libc_message ()
    #3  0x0000000001f70a92 in __fortify_fail ()
    #4  0x0000000001f70a3e in __stack_chk_fail ()
    #5  0x000000000127f3ad in gf_text_get_utf8_line (szLine=<optimized out>, lineSize=<optimized out>, txt_in=<optimized out>, unicode_type=0x0) at /mnt/data/playground/gpac/src/filters/load_text.c:337
    #6  0xc2657485c3a5c37e in ?? ()
    #7  0xbcc3739fc3314583 in ?? ()
    #8  0x0748654e86c3aac3 in ?? ()
    ....
    #14 0x609ec3a0c3a7c26e in ?? ()
    #15 0x11bdcd643758a5c3 in ?? ()
    #16 0x00000000009ac35e in gf_isom_load_extra_boxes (movie=0xc53f89c4114aacc2, moov_boxes=<optimized out>, moov_boxes_size=<optimized out>, udta_only=(unknown: 2747429506)) at /mnt/data/playground/gpac/src/isomedia/isom_write.c:615
    #17 0x0000000000000000 in ?? ()

CVE-2021-40574: System abort (Core dumped) caused by buffer overflow using MP4Box in gf_text_get_utf8_line · Issue #1897 · gpac/gpac

The binary MP4Box in Gpac 1.0.1 has a double-free bug in the av1dmx_finalize function in reframe_av1.c, which allows attackers to cause a denial of service.

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...).

Hi, there.

There is a segmentation fault in av1dmx\_finalize, reframe\_av1.c:1075 in commit 592ba26 caused by double free issue.

Here is my environment, compiler info and gpac version:

    Distributor ID:	Ubuntu
    Description:	Ubuntu 16.04.6 LTS
    Release:	16.04
    Codename:	xenial
    gcc: 5.4.0
    
    MP4Box - GPAC version 1.1.0-DEV-rev1170-g592ba26-master
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    	MINI build (encoders, decoders, audio and video output disabled)
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --static-bin --enable-debug
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D
    

To reproduce, run

POC:  
poc.zip  
(unzip first)

Here is the trace reported by gdb:

    Stopped reason: SIGABRT
    gef➤  bt
    #0  0x0000000001f15d08 in raise ()
    #1  0x0000000001f15f3a in abort ()
    #2  0x0000000001f24ed6 in __libc_message ()
    #3  0x0000000001f2da76 in _int_free ()
    #4  0x0000000001f31af7 in free ()
    #5  0x000000000053de4d in gf_free (ptr=<optimized out>) at /mnt/data/playground/gpac/src/utils/alloc.c:165
    #6  0x00000000013e3d4d in av1dmx_finalize (filter=<optimized out>) at /mnt/data/playground/gpac/src/filters/reframe_av1.c:1075
    #7  0x0000000000f9949c in gf_fs_del (fsess=fsess@entry=0x248c220) at /mnt/data/playground/gpac/src/filter_core/filter_session.c:646
    #8  0x0000000000c1a86a in gf_media_import (importer=importer@entry=0x7fffffff5bf0) at /mnt/data/playground/gpac/src/media_tools/media_import.c:1242
    #9  0x0000000000497345 in convert_file_info (inName=0x7fffffffe159 "tmp", trackID=0x0) at /mnt/data/playground/gpac/applications/mp4box/fileimport.c:128
    #10 0x0000000000456aaa in mp4boxMain (argc=<optimized out>, argv=<optimized out>) at /mnt/data/playground/gpac/applications/mp4box/main.c:5925
    #11 0x0000000001f06bb6 in generic_start_main ()
    #12 0x0000000001f071a5 in __libc_start_main ()
    #13 0x000000000041c4e9 in _start ()

Tag

#ubuntu