An invalid memory address dereference vulnerability exists in gpac 1.1.0 via the svg_node_start function, which causes a segmentation fault and application crash.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

An invalid memory address dereference was discovered in svg\_node\_start(). The vulnerability causes a segmentation fault and application crash.

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration:
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

poc\_2.zip

**Result**

    [Parser] LASeR Scene Parsing: ./poc/poc_2.xsr
    [1]    75845 segmentation fault  ./MP4Box -lsr ./poc/poc_2.xsr
    

**gdb**

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff7aa5f97 in svg_node_start () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x0
     RBX  0x5555555c7750 ◂— 0x0
     RCX  0x0
     RDX  0x5555555ce2b0 —▸ 0x5555555ce0e3 ◂— 0x7572742200706172 /* 'rap' */
     RDI  0x7ffff7e447c9 ◂— 'Unable to parse chunk: %s'
     RSI  0x5555555ce0e3 ◂— 0x7572742200706172 /* 'rap' */
     R8   0x7fffffff5c3c ◂— 0x0
     R9   0x5555555ce0e3 ◂— 0x7572742200706172 /* 'rap' */
     R10  0x0
     R11  0x0
     R12  0x5555555ce2b0 —▸ 0x5555555ce0e3 ◂— 0x7572742200706172 /* 'rap' */
     R13  0x5555555ce0d5 ◂— 0x6e65637300666173 /* 'saf' */
     R14  0x1
     R15  0x0
     RBP  0x5555555cf390 —▸ 0x7fffffff7310 ◂— 0x7
     RSP  0x7fffffff5bb0 ◂— 0x0
     RIP  0x7ffff7aa5f97 (svg_node_start+3095) ◂— mov    rdi, qword ptr [rax + 0x20]
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
     ► 0x7ffff7aa5f97 <svg_node_start+3095>    mov    rdi, qword ptr [rax + 0x20]
       0x7ffff7aa5f9b <svg_node_start+3099>    call   gf_list_count@plt                <gf_list_count@plt>
    
       0x7ffff7aa5fa0 <svg_node_start+3104>    test   eax, eax
       0x7ffff7aa5fa2 <svg_node_start+3106>    sete   r15b
       0x7ffff7aa5fa6 <svg_node_start+3110>    test   r14d, r14d
       0x7ffff7aa5fa9 <svg_node_start+3113>    jne    svg_node_start+6240                <svg_node_start+6240>
    
       0x7ffff7aa5faf <svg_node_start+3119>    xor    esi, esi
       0x7ffff7aa5fb1 <svg_node_start+3121>    nop    dword ptr [rax]
       0x7ffff7aa5fb8 <svg_node_start+3128>    mov    rdi, qword ptr [rbp + 0x50]
       0x7ffff7aa5fbc <svg_node_start+3132>    mov    edx, r15d
       0x7ffff7aa5fbf <svg_node_start+3135>    pxor   xmm0, xmm0
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff5bb0 ◂— 0x0
    01:0008│     0x7fffffff5bb8 —▸ 0x5555555ce0d9 ◂— 'sceneUnit'
    02:0010│     0x7fffffff5bc0 ◂— 0x0
    03:0018│     0x7fffffff5bc8 ◂— 0x0
    04:0020│     0x7fffffff5bd0 —▸ 0x5555555ce0d5 ◂— 0x6e65637300666173 /* 'saf' */
    05:0028│     0x7fffffff5bd8 ◂— 0x0
    06:0030│     0x7fffffff5be0 ◂— 0x0
    07:0038│     0x7fffffff5be8 ◂— 0x3000000020 /* ' ' */
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff7aa5f97 svg_node_start+3095
       f 1   0x7ffff781fbc5 xml_sax_node_start+453
       f 2   0x7ffff7820e6c xml_sax_parse+3596
       f 3   0x7ffff78213d6 gf_xml_sax_parse_intern+950
       f 4   0x7ffff7821595 gf_xml_sax_parse+165
       f 5   0x7ffff7821633 xml_sax_read_file.part+115
       f 6   0x7ffff7821927 gf_xml_sax_parse_file+295
       f 7   0x7ffff7aa42da load_svg_run+58
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  0x00007ffff7aa5f97 in svg_node_start () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #1  0x00007ffff781fbc5 in xml_sax_node_start () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #2  0x00007ffff7820e6c in xml_sax_parse () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #3  0x00007ffff78213d6 in gf_xml_sax_parse_intern () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #4  0x00007ffff7821595 in gf_xml_sax_parse () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #5  0x00007ffff7821633 in xml_sax_read_file.part () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #6  0x00007ffff7821927 in gf_xml_sax_parse_file () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #7  0x00007ffff7aa42da in load_svg_run () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #8  0x00005555555844a8 in dump_isom_scene ()
    #9  0x000055555557b42c in mp4boxMain ()
    #10 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe188, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe178) at ../csu/libc-start.c:308
    #11 0x000055555556c45e in _start ()

CVE-2021-45267: Invalid memory address dereference in svg_node_start() · Issue #1965 · gpac/gpac

An invalid free vulnerability exists in gpac 1.1.0 via the gf_sg_command_del function, which causes a segmentation fault and application crash.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

An invalid free was discovered in gf\_sg\_command\_del(). The vulnerability causes a segmentation fault and application crash.

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration:
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

    ./MP4Box -bt ./poc/poc_17
    

poc\_17.zip

**Result**

    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Unknown box type prl  in parent dref
    [iso file] Incomplete box mdat - start 11495 size 860323
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Unknown box type prl  in parent dref
    [iso file] Incomplete box mdat - start 11495 size 860323
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 LASeR Scene Parsing
    [LASeR] memory overread - corrupted decoding
    [LASeR] memory overread - corrupted decoding
    [MP4 Loading] decoding sample 1 from track ID 8 failed
    free(): invalid pointer
    [1]    3334251 abort      ./MP4Box -bt ./poc/poc_17
    

**gdb**

    free(): invalid pointer
    
    Program received signal SIGABRT, Aborted.
    __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
    50      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ───────────────────────────────[ REGISTERS ]────────────────────────────────
     RAX  0x0
     RBX  0x7ffff72bf040 ◂— 0x7ffff72bf040
     RCX  0x7ffff758218b (raise+203) ◂— mov    rax, qword ptr [rsp + 0x108]
     RDX  0x0
     RDI  0x2
     RSI  0x7fffffff6f20 ◂— 0x0
     R8   0x0
     R9   0x7fffffff6f20 ◂— 0x0
     R10  0x8
     R11  0x246
     R12  0x7fffffff7190 ◂— 0x0
     R13  0x10
     R14  0x7ffff7ffb000 ◂— 0x6565726600001000
     R15  0x1
     RBP  0x7fffffff7270 —▸ 0x5555555df1e0 —▸ 0x5555555d4370 ◂— 0x0
     RSP  0x7fffffff6f20 ◂— 0x0
     RIP  0x7ffff758218b (raise+203) ◂— mov    rax, qword ptr [rsp + 0x108]
    ───────────────────────────────────────[ DISASM ]────────────────────────────────────────
     ► 0x7ffff758218b <raise+203>    mov    rax, qword ptr [rsp + 0x108]
       0x7ffff7582193 <raise+211>    xor    rax, qword ptr fs:[0x28]
       0x7ffff758219c <raise+220>    jne    raise+260                <raise+260>
        ↓
       0x7ffff75821c4 <raise+260>    call   __stack_chk_fail                <__stack_chk_fail>
    
       0x7ffff75821c9                nop    dword ptr [rax]
       0x7ffff75821d0 <killpg>       endbr64
       0x7ffff75821d4 <killpg+4>     test   edi, edi
       0x7ffff75821d6 <killpg+6>     js     killpg+16                <killpg+16>
    
       0x7ffff75821d8 <killpg+8>     neg    edi
       0x7ffff75821da <killpg+10>    jmp    kill                <kill>
    
       0x7ffff75821df <killpg+15>    nop
    ────────────────────────────────────────[ STACK ]────────────────────────────────────────
    00:0000│ rsi r9 rsp 0x7fffffff6f20 ◂— 0x0
    01:0008│            0x7fffffff6f28 —▸ 0x7ffff77534c8 ◂— 0xe001200003748 /* 'H7' */
    02:0010│            0x7fffffff6f30 —▸ 0x7fffffff72f0 —▸ 0x5555555d47a0 —▸ 0x5555555d4370 ◂— 0x0
    03:0018│            0x7fffffff6f38 —▸ 0x7ffff7fe7c2e ◂— mov    r11, rax
    04:0020│            0x7fffffff6f40 ◂— 0x0
    05:0028│            0x7fffffff6f48 ◂— 0x0
    06:0030│            0x7fffffff6f50 —▸ 0x5555555df390 —▸ 0x5555555df3f0 —▸ 0x5555555df0f0 ◂— 0x0
    07:0038│            0x7fffffff6f58 ◂— 0x0
    ──────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────
     ► f 0   0x7ffff758218b raise+203
       f 1   0x7ffff7561859 abort+299
       f 2   0x7ffff75cc3ee __libc_message+670
       f 3   0x7ffff75d447c
       f 4   0x7ffff75d5cac _int_free+748
       f 5   0x7ffff784f461 gf_sg_command_del+353
       f 6   0x7ffff7a88203 gf_sm_del+195
       f 7   0x555555584423 dump_isom_scene+627
    ─────────────────────────────────────────────────────────────────────────────────────────
    

`break gf_svg_delete_attribute_value`

    pwndbg>
    0x00007ffff784f45c in gf_sg_command_del () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ───────────────────────────────[ REGISTERS ]────────────────────────────────
     RAX  0x0
     RBX  0x0
     RCX  0x5555555df310 ◂— 0x0
    *RDX  0x5555555d4370 ◂— 0x0
     RDI  0x0
     RSI  0x5555555df300 ◂— 0x0
     R8   0x2
     R9   0xfffffff6
     R10  0x7ffff775ba72 ◂— 'gf_node_unregister_children'
     R11  0x7ffff784a6d0 (gf_node_unregister_children) ◂— endbr64
     R12  0x5555555df2e0 ◂— 0x0
     R13  0x5555555d47a0 —▸ 0x5555555d4370 ◂— 0x0
     R14  0x5555555d4370 ◂— 0x0
     R15  0x0
     RBP  0x5555555df1e0 —▸ 0x5555555d4370 ◂— 0x0
     RSP  0x7fffffff7310 ◂— 0x1
    *RIP  0x7ffff784f45c (gf_sg_command_del+348) ◂— call   0x7ffff78c7fb0
    ───────────────────────────────────────[ DISASM ]────────────────────────────────────────
       0x7ffff784f449 <gf_sg_command_del+329>    mov    rsi, qword ptr [r12 + 8]
       0x7ffff784f44e <gf_sg_command_del+334>    test   rsi, rsi
       0x7ffff784f451 <gf_sg_command_del+337>    je     gf_sg_command_del+255
    <gf_sg_command_del+255>
    
       0x7ffff784f453 <gf_sg_command_del+339>    mov    edi, dword ptr [r12 + 4]
       0x7ffff784f458 <gf_sg_command_del+344>    mov    rdx, qword ptr [rbp]
     ► 0x7ffff784f45c <gf_sg_command_del+348>    call   gf_svg_delete_attribute_value                <gf_svg_delete_attribute_value>
            rdi: 0x0
            rsi: 0x5555555df300 ◂— 0x0
            rdx: 0x5555555d4370 ◂— 0x0
            rcx: 0x5555555df310 ◂— 0x0
    
       0x7ffff784f461 <gf_sg_command_del+353>    jmp    gf_sg_command_del+255
    <gf_sg_command_del+255>
    
       0x7ffff784f463 <gf_sg_command_del+355>    nop    dword ptr [rax + rax]
       0x7ffff784f468 <gf_sg_command_del+360>    mov    rdi, qword ptr [r12 + 8]
       0x7ffff784f46d <gf_sg_command_del+365>    test   rdi, rdi
       0x7ffff784f470 <gf_sg_command_del+368>    je     gf_sg_command_del+384
    <gf_sg_command_del+384>
    ────────────────────────────────────────[ STACK ]────────────────────────────────────────
    00:0000│ rsp 0x7fffffff7310 ◂— 0x1
    01:0008│     0x7fffffff7318 ◂— 0x5cf4ff747866de00
    02:0010│     0x7fffffff7320 —▸ 0x7fffffff7340 —▸ 0x5555555df1e0 —▸ 0x5555555d4370 ◂— 0x0
    03:0018│     0x7fffffff7328 —▸ 0x5555555defe0 ◂— 0x8
    04:0020│     0x7fffffff7330 —▸ 0x5555555df130 ◂— 0x0
    05:0028│     0x7fffffff7338 —▸ 0x7ffff7a88203 (gf_sm_del+195) ◂— jmp    0x7ffff7a881c8
    06:0030│     0x7fffffff7340 —▸ 0x5555555df1e0 —▸ 0x5555555d4370 ◂— 0x0
    07:0038│     0x7fffffff7348 ◂— 0x5cf4ff747866de00
    ──────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────
     ► f 0   0x7ffff784f45c gf_sg_command_del+348
       f 1   0x7ffff7a88203 gf_sm_del+195
       f 2   0x555555584423 dump_isom_scene+627
       f 3   0x55555557b42c mp4boxMain+9228
       f 4   0x7ffff75630b3 __libc_start_main+243
    ─────────────────────────────────────────────────────────────────────────────────────────
    pwndbg>
    free(): invalid pointer
    
    Program received signal SIGABRT, Aborted.
    __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
    50      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ───────────────────────────────[ REGISTERS ]────────────────────────────────
     RAX  0x0
    *RBX  0x7ffff72bf040 ◂— 0x7ffff72bf040
    *RCX  0x7ffff758218b (raise+203) ◂— mov    rax, qword ptr [rsp + 0x108]
    *RDX  0x0
    *RDI  0x2
    *RSI  0x7fffffff6f20 ◂— 0x0
    *R8   0x0
    *R9   0x7fffffff6f20 ◂— 0x0
    *R10  0x8
    *R11  0x246
    *R12  0x7fffffff7190 ◂— 0x0
    *R13  0x10
    *R14  0x7ffff7ffb000 ◂— 0x6565726600001000
    *R15  0x1
    *RBP  0x7fffffff7270 —▸ 0x5555555df1e0 —▸ 0x5555555d4370 ◂— 0x0
    *RSP  0x7fffffff6f20 ◂— 0x0
    *RIP  0x7ffff758218b (raise+203) ◂— mov    rax, qword ptr [rsp + 0x108]
    ───────────────────────────────────────[ DISASM ]────────────────────────────────────────
     ► 0x7ffff758218b <raise+203>    mov    rax, qword ptr [rsp + 0x108]
       0x7ffff7582193 <raise+211>    xor    rax, qword ptr fs:[0x28]
       0x7ffff758219c <raise+220>    jne    raise+260                <raise+260>
        ↓
       0x7ffff75821c4 <raise+260>    call   __stack_chk_fail                <__stack_chk_fail>
    
       0x7ffff75821c9                nop    dword ptr [rax]
       0x7ffff75821d0 <killpg>       endbr64
       0x7ffff75821d4 <killpg+4>     test   edi, edi
       0x7ffff75821d6 <killpg+6>     js     killpg+16                <killpg+16>
    
       0x7ffff75821d8 <killpg+8>     neg    edi
       0x7ffff75821da <killpg+10>    jmp    kill                <kill>
    
       0x7ffff75821df <killpg+15>    nop
    ────────────────────────────────────────[ STACK ]────────────────────────────────────────
    00:0000│ rsi r9 rsp 0x7fffffff6f20 ◂— 0x0
    01:0008│            0x7fffffff6f28 —▸ 0x7ffff77534c8 ◂— 0xe001200003748 /* 'H7' */
    02:0010│            0x7fffffff6f30 —▸ 0x7fffffff72f0 —▸ 0x5555555d47a0 —▸ 0x5555555d4370 ◂— 0x0
    03:0018│            0x7fffffff6f38 —▸ 0x7ffff7fe7c2e ◂— mov    r11, rax
    04:0020│            0x7fffffff6f40 ◂— 0x0
    05:0028│            0x7fffffff6f48 ◂— 0x0
    06:0030│            0x7fffffff6f50 —▸ 0x5555555df390 —▸ 0x5555555df3f0 —▸ 0x5555555df0f0 ◂— 0x0
    07:0038│            0x7fffffff6f58 ◂— 0x0
    ──────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────
     ► f 0   0x7ffff758218b raise+203
       f 1   0x7ffff7561859 abort+299
       f 2   0x7ffff75cc3ee __libc_message+670
       f 3   0x7ffff75d447c
       f 4   0x7ffff75d5cac _int_free+748
       f 5   0x7ffff784f461 gf_sg_command_del+353
       f 6   0x7ffff7a88203 gf_sm_del+195
       f 7   0x555555584423 dump_isom_scene+627

CVE-2021-45262: Invalid free in gf_sg_command_del() · Issue #1980 · gpac/gpac

An invalid free vulnerability exists in gpac 1.1.0 via the gf_svg_delete_attribute_value function, which causes a segmentation fault and application crash.

CVE-2021-45263: Invalid free in gf_svg_delete_attribute_value() · Issue #1975 · gpac/gpac

An Invalid pointer reference vulnerability exists in gpac 1.1.0 via the gf_svg_node_del function, which causes a segmentation fault and application crash.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

An Invalid free was discovered in gf\_svg\_node\_del(). The vulnerability causes a segmentation fault and application crash.

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-rev1555-g339e7a736-master
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --prefix=/root/fuck_bin/gpac/test
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

gf\_svg\_node\_del-gf\_node\_unregister.zip

**Result**

    ┌─[root@aidai-virtual-machine] - [~/fuck_bin/gpac/results/fuckbt2] - [二 12月 14, 10:45]
    └─[$] <> ../../test/lib/MP4Box -bt lsr_read_anim_values_ex.part-lsr_read_animateTransform/id:000439,sig:11,src:004575+004803,op:splice,rep:2
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 853091
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 853091
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 LASeR Scene Parsing
    [LASeR] memory overread - corrupted decoding
    [1]    3777658 segmentation fault  ../../test/lib/MP4Box -bt
    ┌─[root@aidai-virtual-machine] - [~/fuck_bin/gpac/results/fuckbt2] - [二 12月 14, 10:45]
    └─[$] <> /root/fuck_bin/gpac/test/lib/MP4Box -bt gf_svg_node_del-gf_node_unregister/id:000409,sig:11,src:004547,op:havoc,rep:8
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 853069
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 853069
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 LASeR Scene Parsing
    [LASeR] samerect coded in bitstream but no rect defined !
    double free or corruption (out)
    [1]    3786815 abort      /root/fuck_bin/gpac/test/lib/MP4Box -bt
    

**gdb**

    Program received signal SIGABRT, Aborted.
    __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
    50      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x0
     RBX  0x7ffff72bf040 ◂— 0x7ffff72bf040
     RCX  0x7ffff758218b (raise+203) ◂— mov    rax, qword ptr [rsp + 0x108]
     RDX  0x0
     RDI  0x2
     RSI  0x7fffffff6a30 ◂— 0x0
     R8   0x0
     R9   0x7fffffff6a30 ◂— 0x0
     R10  0x8
     R11  0x246
     R12  0x7fffffff6ca0 ◂— 0x0
     R13  0x10
     R14  0x7ffff7ffb000 ◂— 0x62756f6400001000
     R15  0x1
     RBP  0x7fffffff6d80 —▸ 0x7ffff7727b80 (main_arena) ◂— 0x0
     RSP  0x7fffffff6a30 ◂— 0x0
     RIP  0x7ffff758218b (raise+203) ◂— mov    rax, qword ptr [rsp + 0x108]
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
     ► 0x7ffff758218b <raise+203>    mov    rax, qword ptr [rsp + 0x108]
       0x7ffff7582193 <raise+211>    xor    rax, qword ptr fs:[0x28]
       0x7ffff758219c <raise+220>    jne    raise+260                <raise+260>
        ↓
       0x7ffff75821c4 <raise+260>    call   __stack_chk_fail                <__stack_chk_fail>
    
       0x7ffff75821c9                nop    dword ptr [rax]
       0x7ffff75821d0 <killpg>       endbr64
       0x7ffff75821d4 <killpg+4>     test   edi, edi
       0x7ffff75821d6 <killpg+6>     js     killpg+16                <killpg+16>
    
       0x7ffff75821d8 <killpg+8>     neg    edi
       0x7ffff75821da <killpg+10>    jmp    kill                <kill>
    
       0x7ffff75821df <killpg+15>    nop
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsi r9 rsp 0x7fffffff6a30 ◂— 0x0
    01:0008│            0x7fffffff6a38 —▸ 0x7ffff7fe7c2e ◂— mov    r11, rax
    02:0010│            0x7fffffff6a40 ◂— 0x2
    03:0018│            0x7fffffff6a48 —▸ 0x5555555e06e0 —▸ 0x5555555e0698 ◂— 0x0
    04:0020│            0x7fffffff6a50 ◂— 0x18
    05:0028│            0x7fffffff6a58 —▸ 0x5555555e06f0 —▸ 0x5555555e2758 ◂— 0x0
    06:0030│            0x7fffffff6a60 —▸ 0x5555555e37b0 —▸ 0x5555555e37d0 ◂— 0x8000000300000426
    07:0038│            0x7fffffff6a68 —▸ 0x5555555e06f0 —▸ 0x5555555e2758 ◂— 0x0
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff758218b raise+203
       f 1   0x7ffff7561859 abort+299
       f 2   0x7ffff75cc3ee __libc_message+670
       f 3   0x7ffff75d447c
       f 4   0x7ffff75d6120 _int_free+1888
       f 5   0x7ffff7b51c85 lsr_read_id+629
       f 6   0x7ffff7b5e91b lsr_read_path+283
       f 7   0x7ffff7b61822 lsr_read_update_content_model+770
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
    #1  0x00007ffff7561859 in __GI_abort () at abort.c:79
    #2  0x00007ffff75cc3ee in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff76f6285 "%s\n") at ../sysdeps/posix/libc_fatal.c:155
    #3  0x00007ffff75d447c in malloc_printerr (str=str@entry=0x7ffff76f8670 "double free or corruption (out)") at malloc.c:5347
    #4  0x00007ffff75d6120 in _int_free (av=0x7ffff7727b80 <main_arena>, p=0x5555555e06e0, have_lock=<optimized out>) at malloc.c:4314
    #5  0x00007ffff7b51c85 in lsr_read_id () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
    #6  0x00007ffff7b5e91b in lsr_read_path () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
    #7  0x00007ffff7b61822 in lsr_read_update_content_model () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
    #8  0x00007ffff7b59fc3 in lsr_read_command_list () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
    #9  0x00007ffff7b5ab74 in lsr_decode_laser_unit () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
    #10 0x00007ffff7b6239d in gf_laser_decode_command_list () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
    #11 0x00007ffff7aa3061 in gf_sm_load_run_isom () from /root/fuck_bin/gpac/test/lib/libgpac.so.10
    #12 0x00005555555844a8 in dump_isom_scene ()
    #13 0x000055555557b42c in mp4boxMain ()
    #14 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe1e8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe1d8) at ../csu/libc-start.c:308
    #15 0x000055555556c45e in _start ()
    

    Breakpoint 4, __GI___libc_free (mem=0x5555555e06f0) at malloc.c:3087
    3087    in malloc.c
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]───────────────────────────────────────────── RAX  0x5555555e37b0 —▸ 0x5555555e37d0 ◂— 0x8000000300000426
     RBX  0x5555555dc120 —▸ 0x5555555d1a00 ◂— 0x0
    *RCX  0x27
    *RDX  0xa
    *RDI  0x5555555e06f0 —▸ 0x5555555e2758 ◂— 0x0
    *RSI  0xfffffff7
     R8   0x1999999999999999
     R9   0x0
     R10  0x7ffff76daac0 (_nl_C_LC_CTYPE_toupper+512) ◂— 0x100000000
     R11  0x7ffff76db3c0 (_nl_C_LC_CTYPE_class+256) ◂— 0x2000200020002
     R12  0x1
    *R13  0x3
     R14  0x0
    *R15  0x7fffffff6a50 ◂— 0x18
     RBP  0x0
     RSP  0x7fffffff6e18 —▸ 0x7ffff7b51c85 (lsr_read_id+629) ◂— mov    qword ptr [r15 + 8], 0
     RIP  0x7ffff75d9850 (free) ◂— endbr64
    ──────────────────────────────────────────────[ DISASM ]────────────────────────────────────────────── ► 0x7ffff75d9850 <free>       endbr64
       0x7ffff75d9854 <free+4>     sub    rsp, 0x18
       0x7ffff75d9858 <free+8>     mov    rax, qword ptr [rip + 0x14d699]
       0x7ffff75d985f <free+15>    mov    rax, qword ptr [rax]
       0x7ffff75d9862 <free+18>    test   rax, rax
       0x7ffff75d9865 <free+21>    jne    free+152                <free+152>
    
       0x7ffff75d986b <free+27>    test   rdi, rdi
       0x7ffff75d986e <free+30>    je     free+144                <free+144>
    
       0x7ffff75d9870 <free+32>    mov    rax, qword ptr [rdi - 8]
       0x7ffff75d9874 <free+36>    lea    rsi, [rdi - 0x10]
       0x7ffff75d9878 <free+40>    test   al, 2
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────00:0000│ rsp 0x7fffffff6e18 —▸ 0x7ffff7b51c85 (lsr_read_id+629) ◂— mov    qword ptr [r15 + 8], 0
    01:0008│     0x7fffffff6e20 —▸ 0x5555555e37b0 —▸ 0x5555555e37d0 ◂— 0x8000000300000426
    02:0010│     0x7fffffff6e28 ◂— 0x426
    03:0018│     0x7fffffff6e30 —▸ 0x5555555e37b0 —▸ 0x5555555e37d0 ◂— 0x8000000300000426
    04:0020│     0x7fffffff6e38 —▸ 0x7ffff784a61e (gf_node_setup+30) ◂— mov    qword ptr [rbx], rax
    05:0028│     0x7fffffff6e40 ◂— 0x426
    ... ↓        2 skipped
    ────────────────────────────────────────────[ BACKTRACE ]───────────────────────────────────────────── ► f 0   0x7ffff75d9850 free
       f 1   0x7ffff7b51c85 lsr_read_id+629
       f 2   0x7ffff7b5e91b lsr_read_path+283
       f 3   0x7ffff7b61822 lsr_read_update_content_model+770
       f 4   0x7ffff7b59fc3 lsr_read_command_list+6819
       f 5   0x7ffff7b5ab74 lsr_decode_laser_unit+708
       f 6   0x7ffff7b6239d gf_laser_decode_command_list+333
       f 7   0x7ffff7aa3061 gf_sm_load_run_isom+1505
    ──────────────────────────────────────────────────────────────────────────────────────────────────────pwndbg> bin
    tcachebins
    0x20 [  1]: 0x5555555e1690 ◂— 0x0
    0x50 [  1]: 0x5555555e2ad0 ◂— 0x0
    0xb0 [  1]: 0x5555555dc540 ◂— 0x0
    0xc0 [  4]: 0x5555555d1d20 —▸ 0x5555555d2060 —▸ 0x5555555d2270 —▸ 0x5555555dc3c0 ◂— 0x0
    0x140 [  1]: 0x5555555d1b80 ◂— 0x0
    0x1c0 [  1]: 0x5555555d17a0 ◂— 0x0
    0x210 [  1]: 0x5555555dd8b0 ◂— 0x0
    0x410 [  1]: 0x5555555cee30 ◂— 0x0
    fastbins
    0x20: 0x0
    0x30: 0x0
    0x40: 0x0
    0x50: 0x0
    0x60: 0x0
    0x70: 0x0
    0x80: 0x0
    unsortedbin
    all: 0x0
    smallbins
    empty
    largebins
    empty
    pwndbg> c
    Continuing.
    double free or corruption (out)
    pwndbg> x/10gx 0x5555555e06f0-0x20
    0x5555555e06d0: 0x0000000000000000      0x0000000000000061
    0x5555555e06e0: 0x00005555555e0698      0x00007fffffff6a50
    0x5555555e06f0: 0x00005555555e2758      0x00005555555e2758
    0x5555555e0700: 0x0000000000000000      0x0000000000000000
    0x5555555e0710: 0x0000000000000000      0x0000000000000000

CVE-2021-45259: Invalid free in gf_svg_node_del() · Issue #1986 · gpac/gpac

A stack overflow vulnerability exists in gpac 1.1.0 via the gf_bifs_dec_proto_list function, which causes a segmentation fault and application crash.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

A stack overflow was discovered in gf\_bifs\_dec\_proto\_list(). The vulnerability causes a segmentation fault and application crash.

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration:
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

poc\_8.zip

**Result**

    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type stbk in parent minf
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Track with no sample table !
    [iso file] Track with no sample description box !
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 832544
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type stbk in parent minf
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Track with no sample table !
    [iso file] Track with no sample description box !
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 832544
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 BIFS Scene Parsing
    *** stack smashing detected ***: terminated
    [1]    3737450 abort      ./MP4Box -lsr ./poc/poc_8
    

**gdb**

    *** stack smashing detected ***: terminated
    
    Program received signal SIGABRT, Aborted.
    __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
    50      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x0
    *RBX  0x7ffff72bf040 ◂— 0x7ffff72bf040
    *RCX  0x7ffff758218b (raise+203) ◂— mov    rax, qword ptr [rsp + 0x108]
     RDX  0x0
    *RDI  0x2
    *RSI  0x7fffffff68a0 ◂— 0x0
    *R8   0x0
    *R9   0x7fffffff68a0 ◂— 0x0
    *R10  0x8
    *R11  0x246
    *R12  0x7fffffff6b20 ◂— 0x0
    *R13  0x20
    *R14  0x7ffff7ffb000 ◂— 0x202a2a2a00001000
    *R15  0x1
    *RBP  0x7fffffff6c20 —▸ 0x7ffff76f607c ◂— '*** %s ***: terminated\n'
    *RSP  0x7fffffff68a0 ◂— 0x0
    *RIP  0x7ffff758218b (raise+203) ◂— mov    rax, qword ptr [rsp + 0x108]
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
     ► 0x7ffff758218b <raise+203>    mov    rax, qword ptr [rsp + 0x108]
       0x7ffff7582193 <raise+211>    xor    rax, qword ptr fs:[0x28]
       0x7ffff758219c <raise+220>    jne    raise+260                <raise+260>
        ↓
       0x7ffff75821c4 <raise+260>    call   __stack_chk_fail                <__stack_chk_fail>
    
       0x7ffff75821c9                nop    dword ptr [rax]
       0x7ffff75821d0 <killpg>       endbr64
       0x7ffff75821d4 <killpg+4>     test   edi, edi
       0x7ffff75821d6 <killpg+6>     js     killpg+16                <killpg+16>
    
       0x7ffff75821d8 <killpg+8>     neg    edi
       0x7ffff75821da <killpg+10>    jmp    kill                <kill>
    
       0x7ffff75821df <killpg+15>    nop
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsi r9 rsp 0x7fffffff68a0 ◂— 0x0
    01:0008│            0x7fffffff68a8 —▸ 0x7ffff7546278 ◂— 0x10001200005bb2
    02:0010│            0x7fffffff68b0 —▸ 0x7fffffff6c40 —▸ 0x5555555df3b0 ◂— 0x6b6
    03:0018│            0x7fffffff68b8 —▸ 0x7ffff7fe7c2e ◂— mov    r11, rax
    04:0020│            0x7fffffff68c0 ◂— 0xcd2709f17adf5bb6
    05:0028│            0x7fffffff68c8 ◂— 0x0
    06:0030│            0x7fffffff68d0 ◂— 0x7
    07:0038│            0x7fffffff68d8 ◂— 0x1
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff758218b raise+203
       f 1   0x7ffff7561859 abort+299
       f 2   0x7ffff75cc3ee __libc_message+670
       f 3   0x7ffff766eb4a __fortify_fail+42
       f 4   0x7ffff766eb16
       f 5   0x7ffff79064bc gf_bifs_dec_proto_list+2012
       f 6 0xb6b6b6b6b6b6b6b6
       f 7 0xb6b6b6b6b6b6b6b6
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
    #1  0x00007ffff7561859 in __GI_abort () at abort.c:79
    #2  0x00007ffff75cc3ee in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff76f607c "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:155
    #3  0x00007ffff766eb4a in __GI___fortify_fail (msg=msg@entry=0x7ffff76f6064 "stack smashing detected") at fortify_fail.c:26
    #4  0x00007ffff766eb16 in __stack_chk_fail () at stack_chk_fail.c:24
    #5  0x00007ffff79064bc in gf_bifs_dec_proto_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #6  0xb6b6b6b6b6b6b6b6 in ?? ()
    #7  0xb6b6b6b6b6b6b6b6 in ?? ()
    #8  0xb6b6b6b6b6b6b6b6 in ?? ()
    #9  0xb6b6b6b6b6b6b6b6 in ?? ()
    #10 0xb6b6b6b6b6b6b6b6 in ?? ()
    #11 0xb6b6b6b6b6b6b6b6 in ?? ()
    #12 0xb6b6b6b6b6b6b6b6 in ?? ()
    #13 0xb6b6b6b6b6b6b6b6 in ?? ()
    #14 0xb6b6b6b6b6b6b6b6 in ?? ()
    #15 0xb6b6b6b6b6b6b6b6 in ?? ()
    #16 0xb6b6b6b6b6b6b6b6 in ?? ()
    #17 0xb6b6b6b6b6b6b6b6 in ?? ()
    #18 0xb6b6b6b6b6b6b6b6 in ?? ()
    #19 0xb6b6b6b6b6b6b6b6 in ?? ()
    #20 0xb6b6b6b6b6b6b6b6 in ?? ()
    #21 0xb6b6b6b6b6b6b6b6 in ?? ()
    #22 0xb6b6b6b6b6b6b6b6 in ?? ()
    #23 0xb6b6b6b6b6b6b6b6 in ?? ()
    #24 0xb6b6b6b6b6b6b6b6 in ?? ()
    #25 0xb6b6b6b6b6b6b6b6 in ?? ()
    #26 0xb6b6b6b6b6b6b6b6 in ?? ()
    #27 0xb6b6b6b6b6b6b6b6 in ?? ()
    #28 0xb6b6b6b6b6b6b6b6 in ?? ()
    #29 0xb6b6b6b6b6b6b6b6 in ?? ()
    #30 0xb6b6b6b6b6b6b6b6 in ?? ()
    #31 0xb6b6b6b6b6b6b6b6 in ?? ()
    #32 0xb6b6b6b6b6b6b6b6 in ?? ()
    #33 0xb6b6b6b6b6b6b6b6 in ?? ()
    #34 0xb6b6b6b6b6b6b6b6 in ?? ()
    #35 0xb6b6b6b6b6b6b6b6 in ?? ()
    #36 0xb6b6b6b6b6b6b6b6 in ?? ()
    #37 0xb6b6b6b6b6b6b6b6 in ?? ()
    #38 0xb6b6b6b6b6b6b6b6 in ?? ()
    #39 0xb6b6b6b6b6b6b6b6 in ?? ()
    #40 0xb6b6b6b6b6b6b6b6 in ?? ()
    #41 0xb6b6b6b6b6b6b6b6 in ?? ()
    #42 0xb6b6b6b6b6b6b6b6 in ?? ()
    #43 0xb6b6b6b6b6b6b6b6 in ?? ()
    #44 0xb6b6b6b6b6b6b6b6 in ?? ()
    #45 0xb6b6b6b6b6b6b6b6 in ?? ()
    #46 0xb6b6b6b6b6b6b6b6 in ?? ()
    #47 0xb6b6b6b6b6b6b6b6 in ?? ()
    #48 0xb6b6b6b6b6b6b6b6 in ?? ()
    #49 0xb6b6b6b6b6b6b6b6 in ?? ()
    #50 0xb6b6b6b6b6b6b6b6 in ?? ()
    #51 0xb6b6b6b6b6b6b6b6 in ?? ()
    #52 0xb6b6b6b6b6b6b6b6 in ?? ()
    #53 0xb6b6b6b6b6b6b6b6 in ?? ()
    #54 0xb6b6b6b6b6b6b6b6 in ?? ()
    #55 0xb6b6b6b6b6b6b6b6 in ?? ()
    #56 0xb6b6b6b6b6b6b6b6 in ?? ()
    #57 0xb6b6b6b6b6b6b6b6 in ?? ()
    #58 0xb6b6b6b6b6b6b6b6 in ?? ()
    #59 0xb6b6b6b6b6b6b6b6 in ?? ()
    #60 0xb6b6b6b6b6b6b6b6 in ?? ()
    #61 0xb6b6b6b6b6b6b6b6 in ?? ()
    #62 0xb6b6b6b6b6b6b6b6 in ?? ()
    #63 0xb6b6b6b6b6b6b6b6 in ?? ()
    #64 0xb6b6b6b6b6b6b6b6 in ?? ()
    #65 0xb6b6b6b6b6b6b6b6 in ?? ()
    #66 0xb6b6b6b6b6b6b6b6 in ?? ()
    #67 0xb6b6b6b6b6b6b6b6 in ?? ()
    #68 0xb6b6b6b6b6b6b6b6 in ?? ()
    #69 0xb6b6b6b6b6b6b6b6 in ?? ()
    #70 0xb6b6b6b6b6b6b6b6 in ?? ()
    #71 0xb6b6b6b6b6b6b6b6 in ?? ()
    #72 0xb6b6b6b6b6b6b6b6 in ?? ()
    #73 0xb6b6b6b6b6b6b6b6 in ?? ()
    #74 0xb6b6b6b6b6b6b6b6 in ?? ()
    #75 0xb6b6b6b6b6b6b6b6 in ?? ()
    #76 0xb6b6b6b6b6b6b6b6 in ?? ()
    #77 0xb6b6b6b6b6b6b6b6 in ?? ()
    #78 0xb6b6b6b6b6b6b6b6 in ?? ()
    #79 0xb6b6b6b6b6b6b6b6 in ?? ()
    #80 0xb6b6b6b6b6b6b6b6 in ?? ()
    #81 0xb6b6b6b6b6b6b6b6 in ?? ()
    #82 0xb6b6b6b6b6b6b6b6 in ?? ()
    #83 0xb6b6b6b6b6b6b6b6 in ?? ()
    #84 0xb6b6b6b6b6b6b6b6 in ?? ()
    #85 0xb6b6b6b6b6b6b6b6 in ?? ()
    #86 0xb6b6b6b6b6b6b6b6 in ?? ()
    #87 0xb6b6b6b6b6b6b6b6 in ?? ()
    #88 0xb6b6b6b6b6b6b6b6 in ?? ()
    #89 0xb6b6b6b6b6b6b6b6 in ?? ()
    #90 0xb6b6b6b6b6b6b6b6 in ?? ()
    #91 0xb6b6b6b6b6b6b6b6 in ?? ()
    #92 0xb6b6b6b6b6b6b6b6 in ?? ()
    #93 0xb6b6b6b6b6b6b6b6 in ?? ()
    #94 0xb6b6b6b6b6b6b6b6 in ?? ()
    #95 0xb6b6b6b6b6b6b6b6 in ?? ()
    #96 0xb6b6b6b6b6b6b6b6 in ?? ()
    #97 0xb6b6b6b6b6b6b6b6 in ?? ()
    #98 0x000080b6b6b6b6b6 in ?? ()
    #99 0x0000000000000002 in ?? ()
    #100 0x0000000000000044 in ?? ()
    #101 0x0000000000000008 in ?? ()
    #102 0x00005555555c7e60 in ?? ()
    #103 0x00005555555cf500 in ?? ()
    #104 0x0000000000000000 in ?? ()
    

`break gf_bifs_dec_proto_list`

    Breakpoint 1, 0x00007ffff7905ce0 in gf_bifs_dec_proto_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ──────────────────────────────────[ REGISTERS ]───────────────────────────────────
     RAX  0x1
     RBX  0x5555555d23b0 ◂— 0x0
     RCX  0x710
     RDX  0x5555555df2f0 ◂— 0x0
     RDI  0x5555555de660 ◂— 0x0
     RSI  0x5555555d23b0 ◂— 0x0
     R8   0x0
     R9   0x0
     R10  0x7ffff775bc80 ◂— 'gf_sg_command_new'
     R11  0x7ffff7727be0 (main_arena+96) —▸ 0x5555555df320 ◂— 0x0
     R12  0x5555555df2f0 ◂— 0x0
     R13  0x5555555df1d0 ◂— 0x0
     R14  0x5555555d42a0 ◂— 0x0
     R15  0x0
     RBP  0x5555555de660 ◂— 0x0
     RSP  0x7fffffff7168 —▸ 0x7ffff7906559 (BD_DecSceneReplace+73) ◂— mov    r12d, eax
     RIP  0x7ffff7905ce0 (gf_bifs_dec_proto_list) ◂— endbr64
    ────────────────────────────────────[ DISASM ]────────────────────────────────────
     ► 0x7ffff7905ce0 <gf_bifs_dec_proto_list>       endbr64
       0x7ffff7905ce4 <gf_bifs_dec_proto_list+4>     push   r15
       0x7ffff7905ce6 <gf_bifs_dec_proto_list+6>     push   r14
       0x7ffff7905ce8 <gf_bifs_dec_proto_list+8>     push   r13
       0x7ffff7905cea <gf_bifs_dec_proto_list+10>    mov    r13, rsi
       0x7ffff7905ced <gf_bifs_dec_proto_list+13>    mov    esi, 1
       0x7ffff7905cf2 <gf_bifs_dec_proto_list+18>    push   r12
       0x7ffff7905cf4 <gf_bifs_dec_proto_list+20>    push   rbp
       0x7ffff7905cf5 <gf_bifs_dec_proto_list+21>    push   rbx
       0x7ffff7905cf6 <gf_bifs_dec_proto_list+22>    sub    rsp, 0x488
       0x7ffff7905cfd <gf_bifs_dec_proto_list+29>    mov    rax, qword ptr [rdi + 0x50]
    ────────────────────────────────────[ STACK ]─────────────────────────────────────
    00:0000│ rsp 0x7fffffff7168 —▸ 0x7ffff7906559 (BD_DecSceneReplace+73) ◂— mov    r12d, eax
    01:0008│     0x7fffffff7170 —▸ 0x5555555de660 ◂— 0x0
    02:0010│     0x7fffffff7178 —▸ 0x5555555df250 —▸ 0x5555555d4030 ◂— 0x0
    03:0018│     0x7fffffff7180 —▸ 0x5555555d23b0 ◂— 0x0
    04:0020│     0x7fffffff7188 —▸ 0x5555555df1d0 ◂— 0x0
    05:0028│     0x7fffffff7190 —▸ 0x5555555d42a0 ◂— 0x0
    06:0030│     0x7fffffff7198 —▸ 0x7ffff7914e5e (BM_SceneReplace+110) ◂— mov    rsi,
     rbp
    07:0038│     0x7fffffff71a0 —▸ 0x5555555dea00 —▸ 0x5555555df1f0 —▸ 0x5555555df1a0 ◂— 0x0
    ──────────────────────────────────[ BACKTRACE ]───────────────────────────────────
     ► f 0   0x7ffff7905ce0 gf_bifs_dec_proto_list
       f 1   0x7ffff7906559 BD_DecSceneReplace+73
       f 2   0x7ffff7914e5e BM_SceneReplace+110
       f 3   0x7ffff7915023 BM_ParseCommand+179
       f 4   0x7ffff7915353 gf_bifs_decode_command_list+163
       f 5   0x7ffff7aa1d91 gf_sm_load_run_isom+1217
       f 6   0x5555555844a8 dump_isom_scene+760
       f 7   0x55555557b42c mp4boxMain+9228
    ──────────────────────────────────────────────────────────────────────────────────
    pwndbg> c
    Continuing.
    
    Breakpoint 1, 0x00007ffff7905ce0 in gf_bifs_dec_proto_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ──────────────────────────────────[ REGISTERS ]───────────────────────────────────
    *RAX  0x0
    *RBX  0x5555555df330 ◂— 0x6b6
    *RCX  0x5555555dfdf0 ◂— 0x0
    *RDX  0x0
     RDI  0x5555555de660 ◂— 0xfffffffd
     RSI  0x5555555d23b0 ◂— 0x0
    *R8   0x5555555dfda0 —▸ 0x5555555df330 ◂— 0x6b6
    *R9   0x7c
    *R10  0x7ffff775bf0a ◂— 'gf_sg_proto_get_graph'
    *R11  0x7ffff788b850 (gf_sg_proto_get_graph) ◂— endbr64
    *R12  0x5555555de660 ◂— 0xfffffffd
    *R13  0x5555555d23b0 ◂— 0x0
     R14  0x5555555d42a0 ◂— 0x0
    *R15  0x7fffffff6d40 ◂— 0xb6b6b6b6b6b6b6b6
    *RBP  0x6b6
    *RSP  0x7fffffff6ca8 —▸ 0x7ffff79062d7 (gf_bifs_dec_proto_list+1527) ◂— mov    dword ptr [rsp + 0x14], eax
     RIP  0x7ffff7905ce0 (gf_bifs_dec_proto_list) ◂— endbr64
    ────────────────────────────────────[ DISASM ]────────────────────────────────────
     ► 0x7ffff7905ce0 <gf_bifs_dec_proto_list>       endbr64
       0x7ffff7905ce4 <gf_bifs_dec_proto_list+4>     push   r15
       0x7ffff7905ce6 <gf_bifs_dec_proto_list+6>     push   r14
       0x7ffff7905ce8 <gf_bifs_dec_proto_list+8>     push   r13
       0x7ffff7905cea <gf_bifs_dec_proto_list+10>    mov    r13, rsi
       0x7ffff7905ced <gf_bifs_dec_proto_list+13>    mov    esi, 1
       0x7ffff7905cf2 <gf_bifs_dec_proto_list+18>    push   r12
       0x7ffff7905cf4 <gf_bifs_dec_proto_list+20>    push   rbp
       0x7ffff7905cf5 <gf_bifs_dec_proto_list+21>    push   rbx
       0x7ffff7905cf6 <gf_bifs_dec_proto_list+22>    sub    rsp, 0x488
       0x7ffff7905cfd <gf_bifs_dec_proto_list+29>    mov    rax, qword ptr [rdi + 0x50]
    ────────────────────────────────────[ STACK ]─────────────────────────────────────
    00:0000│ rsp 0x7fffffff6ca8 —▸ 0x7ffff79062d7 (gf_bifs_dec_proto_list+1527) ◂— mov
        dword ptr [rsp + 0x14], eax
    01:0008│     0x7fffffff6cb0 —▸ 0x7ffff775bc80 ◂— 'gf_sg_command_new'
    02:0010│     0x7fffffff6cb8 —▸ 0x5555555df330 ◂— 0x6b6
    03:0018│     0x7fffffff6cc0 ◂— 0xffff6d50
    04:0020│     0x7fffffff6cc8 —▸ 0x5555555de660 ◂— 0xfffffffd
    05:0028│     0x7fffffff6cd0 —▸ 0x5555555df2f0 —▸ 0x5555555dfda0 —▸ 0x5555555df330 ◂— 0x6b6
    06:0030│     0x7fffffff6cd8 —▸ 0x5555555d4030 ◂— 0x0
    07:0038│     0x7fffffff6ce0 ◂— 0x0
    ──────────────────────────────────[ BACKTRACE ]───────────────────────────────────
     ► f 0   0x7ffff7905ce0 gf_bifs_dec_proto_list
       f 1   0x7ffff79062d7 gf_bifs_dec_proto_list+1527
       f 2 0xb6b6b6b6b6b6b6b6
       f 3 0xb6b6b6b6b6b6b6b6
       f 4 0xb6b6b6b6b6b6b6b6
       f 5 0xb6b6b6b6b6b6b6b6
       f 6 0xb6b6b6b6b6b6b6b6
       f 7 0xb6b6b6b6b6b6b6b6
    ──────────────────────────────────────────────────────────────────────────────────
    pwndbg> stack 200
    00:0000│ rsp 0x7fffffff6ca8 —▸ 0x7ffff79062d7 (gf_bifs_dec_proto_list+1527) ◂— mov
        dword ptr [rsp + 0x14], eax
    01:0008│     0x7fffffff6cb0 —▸ 0x7ffff775bc80 ◂— 'gf_sg_command_new'
    02:0010│     0x7fffffff6cb8 —▸ 0x5555555df330 ◂— 0x6b6
    03:0018│     0x7fffffff6cc0 ◂— 0xffff6d50
    04:0020│     0x7fffffff6cc8 —▸ 0x5555555de660 ◂— 0xfffffffd
    05:0028│     0x7fffffff6cd0 —▸ 0x5555555df2f0 —▸ 0x5555555dfda0 —▸ 0x5555555df330 ◂— 0x6b6
    06:0030│     0x7fffffff6cd8 —▸ 0x5555555d4030 ◂— 0x0
    07:0038│     0x7fffffff6ce0 ◂— 0x0
    ... ↓        2 skipped
    0a:0050│     0x7fffffff6cf8 —▸ 0x7ffff7fc7000 —▸ 0x7ffff7743000 ◂— 0x10102464c457f
    0b:0058│     0x7fffffff6d00 —▸ 0x7fffffff6d90 ◂— 0xb6b6b6b6b6b6b6b6
    0c:0060│     0x7fffffff6d08 ◂— 0x0
    0d:0068│     0x7fffffff6d10 —▸ 0x7ffff7fc7000 —▸ 0x7ffff7743000 ◂— 0x10102464c457f
    0e:0070│     0x7fffffff6d18 —▸ 0x7ffff7fc7368 —▸ 0x7ffff7ffe450 —▸ 0x7ffff73131e0 —▸ 0x7ffff7ffe190 ◂— ...
    0f:0078│     0x7fffffff6d20 ◂— 0x0
    10:0080│     0x7fffffff6d28 ◂— 0x0
    11:0088│     0x7fffffff6d30 ◂— 0x1
    12:0090│     0x7fffffff6d38 ◂— 0x7fff00000001
    13:0098│ r15 0x7fffffff6d40 ◂— 0xb6b6b6b6b6b6b6b6
    ... ↓        180 skipped
    pwndbg>

CVE-2021-45258: Stack Overflow in gf_bifs_dec_proto_list() · Issue #1970 · gpac/gpac

A null pointer dereference vulnerability exists in gpac 1.1.0 in the BD_CheckSFTimeOffset function, which causes a segmentation fault and application crash.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

A null pointer dereference was discovered in BD\_CheckSFTimeOffset(). The vulnerability causes a segmentation fault and application crash.

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration:
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

poc\_7.zip

**Result**

    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 796203
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 796203
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 BIFS Scene Parsing
    [1]    1900424 segmentation fault  ./MP4Box -lsr ./poc/poc_7
    

**gdb**

    Program received signal SIGSEGV, Segmentation fault.
    __strcasecmp_l_avx () at ../sysdeps/x86_64/multiarch/strcmp-sse42.S:199
    199     ../sysdeps/x86_64/multiarch/strcmp-sse42.S: No such file or directory.
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x0
     RBX  0x5555555decb0 ◂— 0x0
    *RCX  0x17
    *RDX  0x7ffff77284a0 (_nl_global_locale) —▸ 0x7ffff77246c0 (_nl_C_LC_CTYPE) —▸ 0x7ffff76f4fc6 (_nl_C_name) ◂— 0x636d656d5f5f0043 /* 'C' */
    *RDI  0x0
    *RSI  0x7ffff7dfd2d7 ◂— 'startTime'
     R8   0x0
     R9   0x0
    *R10  0x7ffff775b844 ◂— 'gf_node_get_tag'
    *R11  0x7ffff7849790 (gf_node_get_tag) ◂— endbr64
    *R12  0x0
     R13  0x5555555dfe70 —▸ 0x5555555dfed0 ◂— 0x100000067 /* 'g' */
     R14  0x5555555dff50 ◂— 0x21e8e8512be35500
     R15  0x0
    *RBP  0x7fffffff6740 ◂— 0x200000002
    *RSP  0x7fffffff6688 —▸ 0x7ffff790dc51 (BD_CheckSFTimeOffset+49) ◂— test   eax, eax
    *RIP  0x7ffff76c4089 (__strcasecmp_l_avx+69) ◂— vmovdqu xmm1, xmmword ptr [rdi]
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
       0x7ffff76c4077 <__strcasecmp_l_avx+51>    vmovdqa xmm6, xmmword ptr [rip + 0x378f1]
       0x7ffff76c407f <__strcasecmp_l_avx+59>    cmp    ecx, 0x30
       0x7ffff76c4082 <__strcasecmp_l_avx+62>    ja     __strcasecmp_l_avx+172                <__strcasecmp_l_avx+172>
    
       0x7ffff76c4084 <__strcasecmp_l_avx+64>    cmp    eax, 0x30
       0x7ffff76c4087 <__strcasecmp_l_avx+67>    ja     __strcasecmp_l_avx+172                <__strcasecmp_l_avx+172>
    
     ► 0x7ffff76c4089 <__strcasecmp_l_avx+69>    vmovdqu xmm1, xmmword ptr [rdi]
       0x7ffff76c408d <__strcasecmp_l_avx+73>    vmovdqu xmm2, xmmword ptr [rsi]
       0x7ffff76c4091 <__strcasecmp_l_avx+77>    vpcmpgtb xmm7, xmm1, xmm4
       0x7ffff76c4095 <__strcasecmp_l_avx+81>    vpcmpgtb xmm8, xmm1, xmm5
       0x7ffff76c4099 <__strcasecmp_l_avx+85>    vpcmpgtb xmm9, xmm2, xmm4
       0x7ffff76c409d <__strcasecmp_l_avx+89>    vpcmpgtb xmm10, xmm2, xmm5
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff6688 —▸ 0x7ffff790dc51 (BD_CheckSFTimeOffset+49) ◂— test   eax, eax
    01:0008│     0x7fffffff6690 —▸ 0x5555555decb0 ◂— 0x0
    02:0010│     0x7fffffff6698 —▸ 0x5555555d26d0 ◂— 0x0
    03:0018│     0x7fffffff66a0 —▸ 0x7fffffff6740 ◂— 0x200000002
    04:0020│     0x7fffffff66a8 —▸ 0x7ffff790ed35 (gf_bifs_dec_sf_field+2053) ◂— mov    eax, dword ptr [rbx]
    05:0028│     0x7fffffff66b0 —▸ 0x5555555dfe90 ◂— 0x11cb
    06:0030│     0x7fffffff66b8 ◂— 0x22 /* '"' */
    07:0038│     0x7fffffff66c0 ◂— 0x11cb
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff76c4089 __strcasecmp_l_avx+69
       f 1   0x7ffff790dc51 BD_CheckSFTimeOffset+49
       f 2   0x7ffff790ed35 gf_bifs_dec_sf_field+2053
       f 3   0x7ffff790f4c0 BD_DecMFFieldVec+656
       f 4   0x7ffff790fa3f gf_bifs_dec_node_mask+287
       f 5   0x7ffff790e158 gf_bifs_dec_node+936
       f 6   0x7ffff79062f8 gf_bifs_dec_proto_list+1560
       f 7   0x7ffff7906559 BD_DecSceneReplace+73
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  __strcasecmp_l_avx () at ../sysdeps/x86_64/multiarch/strcmp-sse42.S:199
    #1  0x00007ffff790dc51 in BD_CheckSFTimeOffset () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #2  0x00007ffff790ed35 in gf_bifs_dec_sf_field () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #3  0x00007ffff790f4c0 in BD_DecMFFieldVec () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #4  0x00007ffff790fa3f in gf_bifs_dec_node_mask () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #5  0x00007ffff790e158 in gf_bifs_dec_node () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #6  0x00007ffff79062f8 in gf_bifs_dec_proto_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #7  0x00007ffff7906559 in BD_DecSceneReplace () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #8  0x00007ffff7914e5e in BM_SceneReplace () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #9  0x00007ffff7915023 in BM_ParseCommand () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #10 0x00007ffff7915353 in gf_bifs_decode_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #11 0x00007ffff7aa1d91 in gf_sm_load_run_isom () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #12 0x00005555555844a8 in dump_isom_scene ()
    #13 0x000055555557b42c in mp4boxMain ()
    #14 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe188, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe178) at ../csu/libc-start.c:308
    #15 0x000055555556c45e in _start ()
    

`break BD_CheckSFTimeOffset`

    0x00007ffff790dc4c in BD_CheckSFTimeOffset () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x67
     RBX  0x5555555decb0 ◂— 0x0
     RCX  0x0
     RDX  0x7fffffff6740 ◂— 0x200000002
    *RDI  0x0
     RSI  0x7ffff7dfd2d7 ◂— 'startTime'
     R8   0x0
     R9   0x0
     R10  0x7ffff775b844 ◂— 'gf_node_get_tag'
     R11  0x7ffff7849790 (gf_node_get_tag) ◂— endbr64
     R12  0x0
     R13  0x5555555dfe70 —▸ 0x5555555dfed0 ◂— 0x100000067 /* 'g' */
     R14  0x5555555dff50 ◂— 0x21e8e8512be35500
     R15  0x0
     RBP  0x7fffffff6740 ◂— 0x200000002
     RSP  0x7fffffff6690 —▸ 0x5555555decb0 ◂— 0x0
    *RIP  0x7ffff790dc4c (BD_CheckSFTimeOffset+44) ◂— call   0x7ffff77e0db0
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
       0x7ffff790dc39 <BD_CheckSFTimeOffset+25>    cmp    eax, 1
       0x7ffff790dc3c <BD_CheckSFTimeOffset+28>    je     BD_CheckSFTimeOffset+144                <BD_CheckSFTimeOffset+144>
    
       0x7ffff790dc3e <BD_CheckSFTimeOffset+30>    mov    r12, qword ptr [rbp + 0x10]
       0x7ffff790dc42 <BD_CheckSFTimeOffset+34>    lea    rsi, [rip + 0x4ef68e]
       0x7ffff790dc49 <BD_CheckSFTimeOffset+41>    mov    rdi, r12
     ► 0x7ffff790dc4c <BD_CheckSFTimeOffset+44>    call   strcasecmp@plt                <strcasecmp@plt>
            s1: 0x0
            s2: 0x7ffff7dfd2d7 ◂— 'startTime'
    
       0x7ffff790dc51 <BD_CheckSFTimeOffset+49>    test   eax, eax
       0x7ffff790dc53 <BD_CheckSFTimeOffset+51>    jne    BD_CheckSFTimeOffset+112                <BD_CheckSFTimeOffset+112>
    
       0x7ffff790dc55 <BD_CheckSFTimeOffset+53>    mov    edx, dword ptr [rbx + 0x6c]
       0x7ffff790dc58 <BD_CheckSFTimeOffset+56>    test   edx, edx
       0x7ffff790dc5a <BD_CheckSFTimeOffset+58>    jne    BD_CheckSFTimeOffset+80                <BD_CheckSFTimeOffset+80>
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff6690 —▸ 0x5555555decb0 ◂— 0x0
    01:0008│     0x7fffffff6698 —▸ 0x5555555d26d0 ◂— 0x0
    02:0010│     0x7fffffff66a0 —▸ 0x7fffffff6740 ◂— 0x200000002
    03:0018│     0x7fffffff66a8 —▸ 0x7ffff790ed35 (gf_bifs_dec_sf_field+2053) ◂— mov    eax, dword ptr [rbx]
    04:0020│     0x7fffffff66b0 —▸ 0x5555555dfe90 ◂— 0x11cb
    05:0028│     0x7fffffff66b8 ◂— 0x22 /* '"' */
    06:0030│     0x7fffffff66c0 ◂— 0x11cb
    07:0038│     0x7fffffff66c8 —▸ 0x7fffffff67d0 ◂— 0x2200000002
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff790dc4c BD_CheckSFTimeOffset+44
       f 1   0x7ffff790ed35 gf_bifs_dec_sf_field+2053
       f 2   0x7ffff790f4c0 BD_DecMFFieldVec+656
       f 3   0x7ffff790fa3f gf_bifs_dec_node_mask+287
       f 4   0x7ffff790e158 gf_bifs_dec_node+936
       f 5   0x7ffff79062f8 gf_bifs_dec_proto_list+1560
       f 6   0x7ffff7906559 BD_DecSceneReplace+73
       f 7   0x7ffff7914e5e BM_SceneReplace+110
    

    Program received signal SIGSEGV, Segmentation fault.
    __strcasecmp_l_avx () at ../sysdeps/x86_64/multiarch/strcmp-sse42.S:199
    199     in ../sysdeps/x86_64/multiarch/strcmp-sse42.S
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x0
     RBX  0x5555555decb0 ◂— 0x0
     RCX  0x17
     RDX  0x7ffff77284a0 (_nl_global_locale) —▸ 0x7ffff77246c0 (_nl_C_LC_CTYPE) —▸ 0x7ffff76f4fc6 (_nl_C_name) ◂— 0x636d656d5f5f0043 /* 'C' */
     RDI  0x0
     RSI  0x7ffff7dfd2d7 ◂— 'startTime'
     R8   0x0
     R9   0x0
     R10  0x7ffff775b844 ◂— 'gf_node_get_tag'
     R11  0x7ffff7849790 (gf_node_get_tag) ◂— endbr64
     R12  0x0
     R13  0x5555555dfe70 —▸ 0x5555555dfed0 ◂— 0x100000067 /* 'g' */
     R14  0x5555555dff50 ◂— 0x21e8e8512be35500
     R15  0x0
     RBP  0x7fffffff6740 ◂— 0x200000002
     RSP  0x7fffffff6688 —▸ 0x7ffff790dc51 (BD_CheckSFTimeOffset+49) ◂— test   eax, eax
     RIP  0x7ffff76c4089 (__strcasecmp_l_avx+69) ◂— vmovdqu xmm1, xmmword ptr [rdi]
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
       0x7ffff76c4077 <__strcasecmp_l_avx+51>    vmovdqa xmm6, xmmword ptr [rip + 0x378f1]
       0x7ffff76c407f <__strcasecmp_l_avx+59>    cmp    ecx, 0x30
       0x7ffff76c4082 <__strcasecmp_l_avx+62>    ja     __strcasecmp_l_avx+172                <__strcasecmp_l_avx+172>
    
       0x7ffff76c4084 <__strcasecmp_l_avx+64>    cmp    eax, 0x30
       0x7ffff76c4087 <__strcasecmp_l_avx+67>    ja     __strcasecmp_l_avx+172                <__strcasecmp_l_avx+172>
    
     ► 0x7ffff76c4089 <__strcasecmp_l_avx+69>    vmovdqu xmm1, xmmword ptr [rdi]
       0x7ffff76c408d <__strcasecmp_l_avx+73>    vmovdqu xmm2, xmmword ptr [rsi]
       0x7ffff76c4091 <__strcasecmp_l_avx+77>    vpcmpgtb xmm7, xmm1, xmm4
       0x7ffff76c4095 <__strcasecmp_l_avx+81>    vpcmpgtb xmm8, xmm1, xmm5
       0x7ffff76c4099 <__strcasecmp_l_avx+85>    vpcmpgtb xmm9, xmm2, xmm4
       0x7ffff76c409d <__strcasecmp_l_avx+89>    vpcmpgtb xmm10, xmm2, xmm5
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff6688 —▸ 0x7ffff790dc51 (BD_CheckSFTimeOffset+49) ◂— test   eax, eax
    01:0008│     0x7fffffff6690 —▸ 0x5555555decb0 ◂— 0x0
    02:0010│     0x7fffffff6698 —▸ 0x5555555d26d0 ◂— 0x0
    03:0018│     0x7fffffff66a0 —▸ 0x7fffffff6740 ◂— 0x200000002
    04:0020│     0x7fffffff66a8 —▸ 0x7ffff790ed35 (gf_bifs_dec_sf_field+2053) ◂— mov    eax, dword ptr [rbx]
    05:0028│     0x7fffffff66b0 —▸ 0x5555555dfe90 ◂— 0x11cb
    06:0030│     0x7fffffff66b8 ◂— 0x22 /* '"' */
    07:0038│     0x7fffffff66c0 ◂— 0x11cb
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff76c4089 __strcasecmp_l_avx+69
       f 1   0x7ffff790dc51 BD_CheckSFTimeOffset+49
       f 2   0x7ffff790ed35 gf_bifs_dec_sf_field+2053
       f 3   0x7ffff790f4c0 BD_DecMFFieldVec+656
       f 4   0x7ffff790fa3f gf_bifs_dec_node_mask+287
       f 5   0x7ffff790e158 gf_bifs_dec_node+936
       f 6   0x7ffff79062f8 gf_bifs_dec_proto_list+1560
       f 7   0x7ffff7906559 BD_DecSceneReplace+73

CVE-2021-44922: Null Pointer Dereference in BD_CheckSFTimeOffset() · Issue #1969 · gpac/gpac

An invalid memory address dereference vulnerability exists in gpac 1.1.0 in the dump_od_to_saf.isra function, which causes a segmentation fault and application crash.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

An invalid memory address dereference was discovered in dump\_od\_to\_saf.isra(). The vulnerability causes a segmentation fault and application crash.

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration:
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

poc.zip  
**Result**

    [iso file] Unknown box type stbU in parent minf
    [iso file] Track with no sample table !
    [iso file] Track with no sample description box !
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Box "lpod" (start 11062) has 1 extra bytes
    [iso file] Box "REFT" is larger than container box
    [iso file] Box "tref" size 28 (start 11054) invalid (read 261)
    [iso file] Incomplete box mdat - start 11495 size 861261
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] Unknown box type stbU in parent minf
    [iso file] Track with no sample table !
    [iso file] Track with no sample description box !
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Box "lpod" (start 11062) has 1 extra bytes
    [iso file] Box "REFT" is larger than container box
    [iso file] Box "tref" size 28 (start 11054) invalid (read 261)
    [iso file] Incomplete box mdat - start 11495 size 861261
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 BIFS Scene Parsing
    Scene loaded - dumping 2 systems streams
    [1]    3146070 segmentation fault  ./MP4Box -lsr ./submit/poc1
    

**gdb**

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff7ab7dcc in dump_od_to_saf.isra () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x61
     RBX  0x5555555df200 ◂— 0x1
     RCX  0x5555555df330 ◂— 0x8001000f
     RDX  0x7ffff72bf040 ◂— 0x7ffff72bf040
     RDI  0x5555555dfe10 ◂— 0xfbad2c84
     RSI  0x7ffff7e46910 ◂— ' streamType="%d" objectTypeIndication="%d" timeStampResolution="%d"'
     R8   0x3e8
     R9   0x27
     R10  0x7ffff7e4690b ◂— 0x7473200000000022 /* '"' */
     R11  0x7fffffff70e3 ◂— 0xcba6003936373233 /* '32769' */
     R12  0x5555555decc0 —▸ 0x5555555dfe10 ◂— 0xfbad2c84
     R13  0x0
     R14  0x5555555df150 ◂— 0x0
     R15  0x0
     RBP  0x0
     RSP  0x7fffffff7220 —▸ 0x5555555df330 ◂— 0x8001000f
     RIP  0x7ffff7ab7dcc (dump_od_to_saf.isra+204) ◂— movzx  edx, byte ptr [rax + 8]
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
     ► 0x7ffff7ab7dcc <dump_od_to_saf.isra+204>    movzx  edx, byte ptr [rax + 8]
       0x7ffff7ab7dd0 <dump_od_to_saf.isra+208>    mov    ecx, dword ptr [rax + 4]
       0x7ffff7ab7dd3 <dump_od_to_saf.isra+211>    xor    eax, eax
       0x7ffff7ab7dd5 <dump_od_to_saf.isra+213>    call   gf_fprintf@plt                <gf_fprintf@plt>
    
       0x7ffff7ab7dda <dump_od_to_saf.isra+218>    mov    rdx, qword ptr [r14]
       0x7ffff7ab7ddd <dump_od_to_saf.isra+221>    test   rdx, rdx
       0x7ffff7ab7de0 <dump_od_to_saf.isra+224>    jne    dump_od_to_saf.isra+392                <dump_od_to_saf.isra+392>
    
       0x7ffff7ab7de6 <dump_od_to_saf.isra+230>    mov    rdi, qword ptr [r12]
       0x7ffff7ab7dea <dump_od_to_saf.isra+234>    test   r15, r15
       0x7ffff7ab7ded <dump_od_to_saf.isra+237>    je     dump_od_to_saf.isra+266                <dump_od_to_saf.isra+266>
    
       0x7ffff7ab7def <dump_od_to_saf.isra+239>    mov    rdx, qword ptr [r15 + 8]
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff7220 —▸ 0x5555555df330 ◂— 0x8001000f
    01:0008│     0x7fffffff7228 ◂— 0x100000002
    02:0010│     0x7fffffff7230 —▸ 0x5555555df030 —▸ 0x5555555df580 ◂— 0x0
    03:0018│     0x7fffffff7238 ◂— 0x0
    04:0020│     0x7fffffff7240 —▸ 0x5555555df030 —▸ 0x5555555df580 ◂— 0x0
    05:0028│     0x7fffffff7248 ◂— 0x0
    06:0030│     0x7fffffff7250 ◂— 0x0
    07:0038│     0x7fffffff7258 —▸ 0x5555555df150 ◂— 0x0
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff7ab7dcc dump_od_to_saf.isra+204
       f 1   0x7ffff7ac27dd gf_sm_dump+1853
       f 2   0x555555584418 dump_isom_scene+616
       f 3   0x55555557b42c mp4boxMain+9228
       f 4   0x7ffff75630b3 __libc_start_main+243
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  0x00007ffff7ab7dcc in dump_od_to_saf.isra () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #1  0x00007ffff7ac27dd in gf_sm_dump () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #2  0x0000555555584418 in dump_isom_scene ()
    #3  0x000055555557b42c in mp4boxMain ()
    #4  0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe1a8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe198) at ../csu/libc-start.c:308
    #5  0x000055555556c45e in _start ()

CVE-2021-44920: Invalid memory address dereference in dump_od_to_saf.isra() · Issue #1957 · gpac/gpac

A Null Pointer Dereference vulnerability exists in the gf_sg_vrml_mf_alloc function, which causes a segmentation fault and application crash.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

A null pointer dereference was discovered in gf\_sg\_vrml\_mf\_alloc(). The vulnerability causes a segmentation fault and application crash.

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration:
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

poc5.zip

**Result**

    ./MP4Box -lsr ./poc5
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 861206
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 861206
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 BIFS Scene Parsing
    [1]    1371476 segmentation fault  ./MP4Box -lsr ./poc5
    

**gdb**

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff78a0f7d in gf_sg_vrml_mf_alloc () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x0
     RBX  0x9f03c
     RCX  0x10
     RDX  0x7ffff7e078a0 (CSWTCH.120) ◂— 0xc080c0804080404
     RDI  0x32
     RSI  0x32
     R8   0x0
     R9   0x0
     R10  0x7ffff775bdeb ◂— 'gf_sg_vrml_mf_alloc'
     R11  0x7ffff78a0f30 (gf_sg_vrml_mf_alloc) ◂— endbr64
     R12  0x0
     R13  0x8
     R14  0x0
     R15  0x7fffffff6d60 ◂— 0x30646c6569665f /* '_field0' */
     RBP  0x32
     RSP  0x7fffffff6bf0 ◂— 0x9f03c
     RIP  0x7ffff78a0f7d (gf_sg_vrml_mf_alloc+77) ◂— cmp    dword ptr [r12], ebx
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
     ► 0x7ffff78a0f7d <gf_sg_vrml_mf_alloc+77>     cmp    dword ptr [r12], ebx
       0x7ffff78a0f81 <gf_sg_vrml_mf_alloc+81>     je     gf_sg_vrml_mf_alloc+125                <gf_sg_vrml_mf_alloc+125>
        ↓
       0x7ffff78a0fad <gf_sg_vrml_mf_alloc+125>    add    rsp, 8
       0x7ffff78a0fb1 <gf_sg_vrml_mf_alloc+129>    pop    rbx
       0x7ffff78a0fb2 <gf_sg_vrml_mf_alloc+130>    pop    rbp
       0x7ffff78a0fb3 <gf_sg_vrml_mf_alloc+131>    pop    r12
       0x7ffff78a0fb5 <gf_sg_vrml_mf_alloc+133>    pop    r13
       0x7ffff78a0fb7 <gf_sg_vrml_mf_alloc+135>    ret
    
       0x7ffff78a0fb8 <gf_sg_vrml_mf_alloc+136>    nop    dword ptr [rax + rax]
       0x7ffff78a0fc0 <gf_sg_vrml_mf_alloc+144>    mov    edx, ebx
       0x7ffff78a0fc2 <gf_sg_vrml_mf_alloc+146>    imul   r13, rdx
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff6bf0 ◂— 0x9f03c
    01:0008│     0x7fffffff6bf8 —▸ 0x7fffffff6d30 ◂— 0x3200000000
    02:0010│     0x7fffffff6c00 —▸ 0x5555555ded70 ◂— 0x0
    03:0018│     0x7fffffff6c08 ◂— 0x555df8c0
    04:0020│     0x7fffffff6c10 —▸ 0x5555555d2730 ◂— 0x0
    05:0028│     0x7fffffff6c18 —▸ 0x7ffff790f44d (BD_DecMFFieldVec+589) ◂— mov    r14d, eax
    06:0030│     0x7fffffff6c20 ◂— 0x0
    07:0038│     0x7fffffff6c28 ◂— 0x0
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff78a0f7d gf_sg_vrml_mf_alloc+77
       f 1   0x7ffff790f44d BD_DecMFFieldVec+589
       f 2   0x7ffff7906205 gf_bifs_dec_proto_list+1333
       f 3   0x7ffff7906549 BD_DecSceneReplace+73
       f 4   0x7ffff7914e2e BM_SceneReplace+110
       f 5   0x7ffff7914ff3 BM_ParseCommand+179
       f 6   0x7ffff7915323 gf_bifs_decode_command_list+163
       f 7   0x7ffff7aa1da2 gf_sm_load_run_isom+1218
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  0x00007ffff78a0f7d in gf_sg_vrml_mf_alloc () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #1  0x00007ffff790f44d in BD_DecMFFieldVec () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #2  0x00007ffff7906205 in gf_bifs_dec_proto_list () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #3  0x00007ffff7906549 in BD_DecSceneReplace () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #4  0x00007ffff7914e2e in BM_SceneReplace () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #5  0x00007ffff7914ff3 in BM_ParseCommand () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #6  0x00007ffff7915323 in gf_bifs_decode_command_list () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #7  0x00007ffff7aa1da2 in gf_sm_load_run_isom () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #8  0x00005555555844a8 in dump_isom_scene ()
    #9  0x000055555557b42c in mp4boxMain ()
    #10 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe1a8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe198) at ../csu/libc-start.c:308
    #11 0x000055555556c45e in _start ()

CVE-2021-44919: Null Pointer Dereference in gf_sg_vrml_mf_alloc() · Issue #1963 · gpac/gpac

A null pointer dereference vulnerability exists in gpac 1.1.0 in the gf_sg_vrml_mf_append function, which causes a segmentation fault and application crash.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

A null pointer dereference was discovered in gf\_sg\_vrml\_mf\_append().

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration:
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

poc2.zip

**Result**

    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type e`ds in parent mp4s
    [iso file] Incomplete box mdat - start 11495 size 861283
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type e`ds in parent mp4s
    [iso file] Incomplete box mdat - start 11495 size 861283
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 BIFS Scene Parsing
    [1]    2696339 segmentation fault  ./MP4Box -bt ./submit/poc2
    

**gdb**

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff78a1074 in gf_sg_vrml_mf_append () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x0
     RBX  0x7fffffff6c10 ◂— 0x3800000000
     RCX  0x7fffffff6ce0 ◂— 0x2c00000000
     RDX  0x7fffffff6c18 ◂— 0x0
     RDI  0x0
     RSI  0x2c
     R8   0x5555555df8d0 —▸ 0x5555555df840 ◂— 0x2c00
     R9   0x7
     R10  0x7ffff775be46 ◂— 'gf_sg_vrml_mf_append'
     R11  0x7ffff78a1070 (gf_sg_vrml_mf_append) ◂— endbr64
     R12  0x7fffffff6ce0 ◂— 0x2c00000000
     R13  0x5555555d5f80 ◂— 0x0
     R14  0x0
     R15  0x0
     RBP  0x5555555ded90 ◂— 0x0
     RSP  0x7fffffff6bc8 —▸ 0x7ffff790efa4 (BD_DecMFFieldList+212) ◂— test   eax, eax
     RIP  0x7ffff78a1074 (gf_sg_vrml_mf_append+4) ◂— mov    eax, dword ptr [rdi]
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
       0x7ffff78a1070 <gf_sg_vrml_mf_append>          endbr64
     ► 0x7ffff78a1074 <gf_sg_vrml_mf_append+4>        mov    eax, dword ptr [rdi]
       0x7ffff78a1076 <gf_sg_vrml_mf_append+6>        lea    ecx, [rax + 2]
       0x7ffff78a1079 <gf_sg_vrml_mf_append+9>        jmp    gf_sg_vrml_mf_insert@plt                <gf_sg_vrml_mf_insert@plt>
        ↓
       0x7ffff77e66a0 <gf_sg_vrml_mf_insert@plt>      endbr64
       0x7ffff77e66a4 <gf_sg_vrml_mf_insert@plt+4>    bnd jmp qword ptr [rip + 0x7ba34d]   <0x7ffff77dd3f0>
        ↓
       0x7ffff77dd3f0                                 endbr64
       0x7ffff77dd3f4                                 push   0x73c
       0x7ffff77dd3f9                                 bnd jmp 0x7ffff77d6020               <0x7ffff77d6020>
        ↓
       0x7ffff77d6020                                 push   qword ptr [rip + 0x7c6fe2]    <0x7ffff7f9d008>
       0x7ffff77d6026                                 bnd jmp qword ptr [rip + 0x7c6fe3]   <0x7ffff7fe7bb0>
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff6bc8 —▸ 0x7ffff790efa4 (BD_DecMFFieldList+212) ◂— test   eax, eax
    01:0008│     0x7fffffff6bd0 ◂— 0x0
    02:0010│     0x7fffffff6bd8 ◂— 0x0
    03:0018│     0x7fffffff6be0 ◂— 0x50 /* 'P' */
    04:0020│     0x7fffffff6be8 ◂— 0x0
    05:0028│     0x7fffffff6bf0 —▸ 0x7fffffff6d10 ◂— 0x30646c6569665f /* '_field0' */
    06:0030│     0x7fffffff6bf8 —▸ 0x7fffffff6c08 ◂— 0x0
    07:0038│     0x7fffffff6c00 —▸ 0x7fffffff6d10 ◂— 0x30646c6569665f /* '_field0' */
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff78a1074 gf_sg_vrml_mf_append+4
       f 1   0x7ffff790efa4 BD_DecMFFieldList+212
       f 2   0x7ffff7906006 gf_bifs_dec_proto_list+822
       f 3   0x7ffff7906549 BD_DecSceneReplace+73
       f 4   0x7ffff7914e2e BM_SceneReplace+110
       f 5   0x7ffff7914ff3 BM_ParseCommand+179
       f 6   0x7ffff7915323 gf_bifs_decode_command_list+163
       f 7   0x7ffff7aa1da2 gf_sm_load_run_isom+1218
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  0x00007ffff78a1074 in gf_sg_vrml_mf_append () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #1  0x00007ffff790efa4 in BD_DecMFFieldList () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #2  0x00007ffff7906006 in gf_bifs_dec_proto_list () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #3  0x00007ffff7906549 in BD_DecSceneReplace () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #4  0x00007ffff7914e2e in BM_SceneReplace () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #5  0x00007ffff7914ff3 in BM_ParseCommand () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #6  0x00007ffff7915323 in gf_bifs_decode_command_list () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #7  0x00007ffff7aa1da2 in gf_sm_load_run_isom () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #8  0x00005555555844a8 in dump_isom_scene ()
    #9  0x000055555557b42c in mp4boxMain ()
    #10 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe158, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe148) at ../csu/libc-start.c:308
    #11 0x000055555556c45e in _start ()

CVE-2021-44927: Null Pointer Dereference in gf_sg_vrml_mf_append() · Issue #1960 · gpac/gpac

A null pointer dereference vulnerability exists in the gpac in the gf_node_get_tag function, which causes a segmentation fault and application crash.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

A null pointer dereference was discovered in gf\_node\_get\_tag(). The vulnerability causes a segmentation fault and application crash.

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration:
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

poc3.zip

**Result**

    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 861218
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 861218
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 BIFS Scene Parsing
    [1]    3453407 segmentation fault  ./MP4Box -lsr
    

**gdb**

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff7849794 in gf_node_get_tag () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x0
     RBX  0x0
     RCX  0x0
     RDX  0x5555555d2730 ◂— 0x0
     RDI  0x0
     RSI  0x5555555df860 ◂— 0x0
     R8   0x0
     R9   0x7
     R10  0x7ffff775b844 ◂— 'gf_node_get_tag'
     R11  0x7ffff7849790 (gf_node_get_tag) ◂— endbr64
     R12  0x5555555ded60 ◂— 0x0
     R13  0x5555555df860 ◂— 0x0
     R14  0x0
     R15  0x7fffffff6d60 ◂— 0x31646c6569665f /* '_field1' */
     RBP  0x5555555d2730 ◂— 0x0
     RSP  0x7fffffff6be8 —▸ 0x7ffff7919836 (SFScript_Parse+54) ◂— cmp    eax, 0x51
     RIP  0x7ffff7849794 (gf_node_get_tag+4) ◂— mov    rax, qword ptr [rdi]
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
       0x7ffff7849790 <gf_node_get_tag>       endbr64
     ► 0x7ffff7849794 <gf_node_get_tag+4>     mov    rax, qword ptr [rdi]
       0x7ffff7849797 <gf_node_get_tag+7>     movzx  eax, word ptr [rax]
       0x7ffff784979a <gf_node_get_tag+10>    ret
    
       0x7ffff784979b                         nop    dword ptr [rax + rax]
       0x7ffff78497a0 <gf_node_get_id>        endbr64
       0x7ffff78497a4 <gf_node_get_id+4>      mov    rax, qword ptr [rdi]
       0x7ffff78497a7 <gf_node_get_id+7>      xor    r8d, r8d
       0x7ffff78497aa <gf_node_get_id+10>     mov    edx, dword ptr [rax + 4]
       0x7ffff78497ad <gf_node_get_id+13>     test   edx, edx
       0x7ffff78497af <gf_node_get_id+15>     jns    gf_node_get_id+66                <gf_node_get_id+66>
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff6be8 —▸ 0x7ffff7919836 (SFScript_Parse+54) ◂— cmp    eax, 0x51
    01:0008│     0x7fffffff6bf0 ◂— 0x0
    ... ↓        2 skipped
    04:0020│     0x7fffffff6c08 ◂— 0x770000007c /* '|' */
    05:0028│     0x7fffffff6c10 ◂— 0x5b0000006e /* 'n' */
    06:0030│     0x7fffffff6c18 ◂— 0x770000007c /* '|' */
    07:0038│     0x7fffffff6c20 ◂— 0x5b0000006e /* 'n' */
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff7849794 gf_node_get_tag+4
       f 1   0x7ffff7919836 SFScript_Parse+54
       f 2   0x7ffff790e9cb gf_bifs_dec_sf_field+1195
       f 3   0x7ffff7905f44 gf_bifs_dec_proto_list+628
       f 4   0x7ffff7906549 BD_DecSceneReplace+73
       f 5   0x7ffff7914e2e BM_SceneReplace+110
       f 6   0x7ffff7914ff3 BM_ParseCommand+179
       f 7   0x7ffff7915323 gf_bifs_decode_command_list+163
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  0x00007ffff7849794 in gf_node_get_tag () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #1  0x00007ffff7919836 in SFScript_Parse () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #2  0x00007ffff790e9cb in gf_bifs_dec_sf_field () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #3  0x00007ffff7905f44 in gf_bifs_dec_proto_list () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #4  0x00007ffff7906549 in BD_DecSceneReplace () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #5  0x00007ffff7914e2e in BM_SceneReplace () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #6  0x00007ffff7914ff3 in BM_ParseCommand () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #7  0x00007ffff7915323 in gf_bifs_decode_command_list () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #8  0x00007ffff7aa1da2 in gf_sm_load_run_isom () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #9  0x00005555555844a8 in dump_isom_scene ()
    #10 0x000055555557b42c in mp4boxMain ()
    #11 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe1a8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe198) at ../csu/libc-start.c:308
    #12 0x000055555556c45e in _start ()

Tag

#ubuntu