A null pointer dereference vulnerability exists in gpac 1.1.0 in the gf_isom_parse_movie_boxes_internal function, which causes a segmentation fault and application crash.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

A null pointer dereference was discovered in gf\_isom\_parse\_movie\_boxes\_internal(). The vulnerability causes a segmentation fault and application crash.

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration:
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

poc\_1.zip

**Result**

    [iso file] extra box maxr found in hinf, deleting
    [iso file] Read Box type 00000000 (0x00000000) at position 4494 has size 0 but is not at root/file level, skipping
    [iso file] Read Box "hinf" (start 4390) failed (End Of Stream / File) - skipping
    [iso file] Read Box "udta" (start 4178) failed (End Of Stream / File) - skipping
    [iso file] Read Box "trak" (start 2229) failed (End Of Stream / File) - skipping
    [iso file] Read Box "moov" (start 20) failed (End Of Stream / File) - skipping
    [1]    2155243 segmentation fault  ./MP4Box -lsr ./poc/poc_1
    

**gdb**

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff7973829 in gf_isom_parse_movie_boxes_internal () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x1
     RBX  0x5555555c72a0 ◂— 0x0
     RCX  0x7ffff764d1e7 (write+23) ◂— cmp    rax, -0x1000 /* 'H=' */
     RDX  0x0
     RDI  0x5555555c62a0 ◂— 0x0
     RSI  0x0
     R8   0x0
     R9   0x0
     R10  0x7ffff7e227df ◂— ') - skipping\n'
     R11  0x246
     R12  0x0
     R13  0x0
     R14  0x5555555c72a0 ◂— 0x0
     R15  0x3
     RBP  0x7fffffff83a0 ◂— 0x0
     RSP  0x7fffffff8310 —▸ 0x7fffffff8350 ◂— 0x0
     RIP  0x7ffff7973829 (gf_isom_parse_movie_boxes_internal+249) ◂— mov    eax, dword ptr [rsi]
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
     ► 0x7ffff7973829 <gf_isom_parse_movie_boxes_internal+249>     mov    eax, dword ptr [rsi]
       0x7ffff797382b <gf_isom_parse_movie_boxes_internal+251>     cmp    eax, 0x6d6f6f76
       0x7ffff7973830 <gf_isom_parse_movie_boxes_internal+256>     je     gf_isom_parse_movie_boxes_internal+1688                <gf_isom_parse_movie_boxes_internal+1688>
        ↓
       0x7ffff7973dc8 <gf_isom_parse_movie_boxes_internal+1688>    cmp    qword ptr [r14 + 0x48], 0
       0x7ffff7973dcd <gf_isom_parse_movie_boxes_internal+1693>    jne    gf_isom_parse_movie_boxes_internal+4630                <gf_isom_parse_movie_boxes_internal+4630>
        ↓
       0x7ffff7974946 <gf_isom_parse_movie_boxes_internal+4630>    mov    esi, 1
       0x7ffff797494b <gf_isom_parse_movie_boxes_internal+4635>    mov    edi, 2
       0x7ffff7974950 <gf_isom_parse_movie_boxes_internal+4640>    call   gf_log_tool_level_on@plt                <gf_log_tool_level_on@plt>
    
       0x7ffff7974955 <gf_isom_parse_movie_boxes_internal+4645>    test   eax, eax
       0x7ffff7974957 <gf_isom_parse_movie_boxes_internal+4647>    je     gf_isom_parse_movie_boxes_internal+4540                <gf_isom_parse_movie_boxes_internal+4540>
    
       0x7ffff7974959 <gf_isom_parse_movie_boxes_internal+4649>    mov    esi, 2
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff8310 —▸ 0x7fffffff8350 ◂— 0x0
    01:0008│     0x7fffffff8318 ◂— 0x0
    ... ↓        2 skipped
    04:0020│     0x7fffffff8330 —▸ 0x5555555c7500 ◂— 0x6d703431 /* '14pm' */
    05:0028│     0x7fffffff8338 ◂— 0x0
    06:0030│     0x7fffffff8340 ◂— 0x0
    07:0038│     0x7fffffff8348 ◂— 0x4
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff7973829 gf_isom_parse_movie_boxes_internal+249
       f 1   0x7ffff7974f97 gf_isom_open_file+311
       f 2   0x55555557dc14 mp4boxMain+19444
       f 3   0x7ffff75630b3 __libc_start_main+243
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  0x00007ffff7973829 in gf_isom_parse_movie_boxes_internal () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #1  0x00007ffff7974f97 in gf_isom_open_file () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #2  0x000055555557dc14 in mp4boxMain ()
    #3  0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe188, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe178) at ../csu/libc-start.c:308
    #4  0x000055555556c45e in _start ()

CVE-2021-44921: Null Pointer Dereference in gf_isom_parse_movie_boxes_internal() · Issue #1964 · gpac/gpac

An infinite loop vulnerability exists in gpac 1.1.0 in the gf_log function, which causes a Denial of Service.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

An infinite loop was discovered in gf\_log().

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration:
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG G
    [poc_hang.zip](https://github.com/gpac/gpac/files/7691188/poc_hang.zip)
    PAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

    ./MP4Box -info ./poc_hang
    

poc\_hang.zip

**Result**

    ...
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    [Core] exp-golomb read failed, not enough bits in bitstream !
    ...
    

**gdb**

    bt
    #0  0x00007ffff764d1e7 in __GI___libc_write (fd=2, buf=0x7ffffffebeb0, nbytes=62) at ../sysdeps/unix/sysv/linux/write.c:26
    #1  0x00007ffff75ce00d in _IO_new_file_write (f=0x7ffff77285c0 <_IO_2_1_stderr_>, data=0x7ffffffebeb0, n=62) at fileops.c:1176
    #2  0x00007ffff75ce928 in new_do_write (to_do=<optimized out>, data=0x7ffffffebeb0 "[Core] exp-golomb read failed, not enough bits in bitstream !\nn [0;31])\n", fp=0x7ffff77285c0 <_IO_2_1_stderr_>) at libioP.h:948
    #3  _IO_new_file_xsputn (n=62, data=<optimized out>, f=<optimized out>) at fileops.c:1255
    #4  _IO_new_file_xsputn (f=0x7ffff77285c0 <_IO_2_1_stderr_>, data=<optimized out>, n=62) at fileops.c:1197
    #5  0x00007ffff75b90d3 in buffered_vfprintf (s=s@entry=0x7ffff77285c0 <_IO_2_1_stderr_>, format=format@entry=0x7ffff7e2cf98 "[Core] exp-golomb read failed, not enough bits in bitstream !\n", args=args@entry=0x7ffffffee4a0, mode_flags=mode_flags@entry=2) at ../libio/libioP.h:948
    #6  0x00007ffff75b5ea4 in __vfprintf_internal (s=0x7ffff77285c0 <_IO_2_1_stderr_>, format=0x7ffff7e2cf98 "[Core] exp-golomb read failed, not enough bits in bitstream !\n", ap=0x7ffffffee4a0, mode_flags=2) at vfprintf-internal.c:1346
    #7  0x00007ffff77f8a21 in default_log_callback_color () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #8  0x00007ffff77f8cc9 in gf_log () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #9  0x00007ffff79f4c95 in avc_parse_hrd_parameters () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #10 0x00007ffff79f7c09 in gf_avc_read_sps_bs_internal () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #11 0x00007ffff7a0b149 in gf_avc_read_sps () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #12 0x00007ffff792b724 in avcc_box_read () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #13 0x00007ffff796ac69 in gf_isom_box_parse_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #14 0x00007ffff796c531 in gf_isom_box_array_read_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #15 0x00007ffff793c2a3 in video_sample_entry_box_read () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #16 0x00007ffff796ac69 in gf_isom_box_parse_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #17 0x00007ffff796c531 in gf_isom_box_array_read_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #18 0x00007ffff796ac69 in gf_isom_box_parse_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #19 0x00007ffff796c531 in gf_isom_box_array_read_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #20 0x00007ffff793e083 in stbl_box_read () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #21 0x00007ffff796ac69 in gf_isom_box_parse_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #22 0x00007ffff796c531 in gf_isom_box_array_read_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #23 0x00007ffff793a3d0 in minf_box_read () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #24 0x00007ffff796ac69 in gf_isom_box_parse_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #25 0x00007ffff796c531 in gf_isom_box_array_read_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #26 0x00007ffff79394e9 in mdia_box_read () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #27 0x00007ffff796ac69 in gf_isom_box_parse_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #28 0x00007ffff796c531 in gf_isom_box_array_read_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #29 0x00007ffff794189a in trak_box_read () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #30 0x00007ffff796ac69 in gf_isom_box_parse_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #31 0x00007ffff796c531 in gf_isom_box_array_read_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #32 0x00007ffff796ac69 in gf_isom_box_parse_ex () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #33 0x00007ffff796b410 in gf_isom_parse_root_box () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #34 0x00007ffff79737ec in gf_isom_parse_movie_boxes_internal () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #35 0x00007ffff7974f67 in gf_isom_open_file () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #36 0x000055555557dc14 in mp4boxMain ()
    #37 0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe1f8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe1e8) at ../csu/libc-start.c:308
    #38 0x000055555556c45e in _start ()

CVE-2021-44924: Infinite loop in gf_log() · Issue #1959 · gpac/gpac

A null pointer dereference vulnerability exists in gpac 1.1.0 in the gf_svg_get_attribute_name function, which causes a segmentation fault and application crash.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

A null pointer dereference was discovered in gf\_svg\_get\_attribute\_name(). The vulnerability causes a segmentation fault and application crash.

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration:
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

poc\_4.zip

**Result**

    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 796312
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 796312
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 LASeR Scene Parsing
    Scene loaded - dumping 1 systems streams
    [1]    3570050 segmentation fault  ./MP4Box -lsr ./poc/poc_4
    

**gdb**

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff78e16ac in gf_svg_get_attribute_name () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x0
     RBX  0x5555555decb0 —▸ 0x5555555d4350 ◂— 0x0
     RCX  0x0
     RDX  0x7ffff7f7c428 (xml_elements+8) ◂— 0x300000422
     RDI  0x0
     RSI  0x0
     R8   0x0
     R9   0xa
     R10  0x7ffff7e45bd4 ◂— 0x6e696f7020002022 /* '" ' */
     R11  0x7fffffff6ee7 ◂— 0xbffcbef5d8160036 /* '6' */
     R12  0x5555555df180 —▸ 0x5555555d4350 ◂— 0x0
     R13  0x0
     R14  0x7ffff7e10cf4 ◂— 'textContent'
     R15  0x7ffff7df5e9b ◂— 0x663325002f2e2e00
     RBP  0x7fffffff7080 ◂— 0x344e /* 'N4' */
     RSP  0x7fffffff6fe0 ◂— 0x25286574616c736e ('nslate(%')
     RIP  0x7ffff78e16ac (gf_svg_get_attribute_name+28) ◂— mov    rax, qword ptr [rdi]
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
     ► 0x7ffff78e16ac <gf_svg_get_attribute_name+28>    mov    rax, qword ptr [rdi]
       0x7ffff78e16af <gf_svg_get_attribute_name+31>    movzx  ecx, word ptr [rax]
       0x7ffff78e16b2 <gf_svg_get_attribute_name+34>    xor    eax, eax
       0x7ffff78e16b4 <gf_svg_get_attribute_name+36>    cmp    cx, 0x408
       0x7ffff78e16b9 <gf_svg_get_attribute_name+41>    jne    gf_svg_get_attribute_name+64
     <gf_svg_get_attribute_name+64>
        ↓
       0x7ffff78e16d0 <gf_svg_get_attribute_name+64>    cmp    dword ptr [rdx], ecx
       0x7ffff78e16d2 <gf_svg_get_attribute_name+66>    jne    gf_svg_get_attribute_name+48
     <gf_svg_get_attribute_name+48>
        ↓
       0x7ffff78e16c0 <gf_svg_get_attribute_name+48>    add    eax, 1
       0x7ffff78e16c3 <gf_svg_get_attribute_name+51>    add    rdx, 0x10
       0x7ffff78e16c7 <gf_svg_get_attribute_name+55>    cmp    eax, 0x4e
       0x7ffff78e16ca <gf_svg_get_attribute_name+58>    je     gf_svg_get_attribute_name+365
      <gf_svg_get_attribute_name+365>
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff6fe0 ◂— 0x25286574616c736e ('nslate(%')
    01:0008│     0x7fffffff6fe8 —▸ 0x5555555decb0 —▸ 0x5555555d4350 ◂— 0x0
    02:0010│     0x7fffffff6ff0 —▸ 0x7fffffff7080 ◂— 0x344e /* 'N4' */
    03:0018│     0x7fffffff6ff8 —▸ 0x5555555df180 —▸ 0x5555555d4350 ◂— 0x0
    04:0020│     0x7fffffff7000 —▸ 0x5555555df2e0 ◂— 0x0
    05:0028│     0x7fffffff7008 —▸ 0x7ffff7e10cf4 ◂— 'textContent'
    06:0030│     0x7fffffff7010 —▸ 0x7ffff7df5e9b ◂— 0x663325002f2e2e00
    07:0038│     0x7fffffff7018 —▸ 0x7ffff7abae7a (DumpLSRAddReplaceInsert+938) ◂— mov    r14, rax
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff78e16ac gf_svg_get_attribute_name+28
       f 1   0x7ffff7abae7a DumpLSRAddReplaceInsert+938
       f 2   0x7ffff7abb12b gf_sm_dump_command_list+219
       f 3   0x7ffff7ac254c gf_sm_dump+1116
       f 4   0x555555584418 dump_isom_scene+616
       f 5   0x55555557b42c mp4boxMain+9228
       f 6   0x7ffff75630b3 __libc_start_main+243
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  0x00007ffff78e16ac in gf_svg_get_attribute_name () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #1  0x00007ffff7abae7a in DumpLSRAddReplaceInsert () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #2  0x00007ffff7abb12b in gf_sm_dump_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #3  0x00007ffff7ac254c in gf_sm_dump () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #4  0x0000555555584418 in dump_isom_scene ()
    #5  0x000055555557b42c in mp4boxMain ()
    #6  0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe188, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe178) at ../csu/libc-start.c:308
    #7  0x000055555556c45e in _start ()

CVE-2021-44925: Null Pointer Dereference in gf_svg_get_attribute_name() · Issue #1967 · gpac/gpac

A null pointer dereference vulnerability exists in gpac 1.1.0 in the gf_dump_vrml_dyn_field.isra function, which causes a segmentation fault and application crash.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

A null pointer dereference was discovered in gf\_dump\_vrml\_dyn\_field.isra(). The vulnerability causes a segmentation fault and application crash.

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration:
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

poc4.zip

**Result**

    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 860238
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 860238
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 BIFS Scene Parsing
    Scene loaded - dumping 1 systems streams
    [1]    414421 segmentation fault  ./MP4Box -lsr ./poc4
    

**gdb**

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff7ac0797 in gf_dump_vrml_dyn_field.isra () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0xa
     RBX  0x0
     RCX  0x0
     RDX  0x7ffff72bf040 ◂— 0x7ffff72bf040
     RDI  0x7fffffff6af0 —▸ 0x7ffff75a21e0 (funlockfile) ◂— endbr64
     RSI  0x0
     R8   0xffffffff
     R9   0xa
     R10  0x7ffff7e37a2a ◂— 0x3e73252f3c00223d /* '="' */
     R11  0x7ffff7df0c38 ◂— 0x6e776f6e6b6e75 /* 'unknown' */
     R12  0x0
     R13  0x0
     R14  0x5555555ded60 —▸ 0x5555555d43b0 ◂— 0x0
     R15  0x1
     RBP  0x3c
     RSP  0x7fffffff7060 ◂— 0x3000000010
     RIP  0x7ffff7ac0797 (gf_dump_vrml_dyn_field.isra+631) ◂— mov    eax, dword ptr [r12]
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
     ► 0x7ffff7ac0797 <gf_dump_vrml_dyn_field.isra+631>    mov    eax, dword ptr [r12]
       0x7ffff7ac079b <gf_dump_vrml_dyn_field.isra+635>    test   eax, eax
       0x7ffff7ac079d <gf_dump_vrml_dyn_field.isra+637>    je     gf_dump_vrml_dyn_field.isra+720
           <gf_dump_vrml_dyn_field.isra+720>
        ↓
       0x7ffff7ac07f0 <gf_dump_vrml_dyn_field.isra+720>    mov    eax, dword ptr [rsp + 0x70]
       0x7ffff7ac07f4 <gf_dump_vrml_dyn_field.isra+724>    mov    rdi, qword ptr [r14 + 0x10]
       0x7ffff7ac07f8 <gf_dump_vrml_dyn_field.isra+728>    test   eax, eax
       0x7ffff7ac07fa <gf_dump_vrml_dyn_field.isra+730>    jne    gf_dump_vrml_dyn_field.isra+292
           <gf_dump_vrml_dyn_field.isra+292>
        ↓
       0x7ffff7ac0644 <gf_dump_vrml_dyn_field.isra+292>    lea    rsi, [rip + 0x35ac0b]
       0x7ffff7ac064b <gf_dump_vrml_dyn_field.isra+299>    xor    eax, eax
       0x7ffff7ac064d <gf_dump_vrml_dyn_field.isra+301>    call   gf_fprintf@plt                <gf_fprintf@plt>
    
       0x7ffff7ac0652 <gf_dump_vrml_dyn_field.isra+306>    jmp    gf_dump_vrml_dyn_field.isra+391
           <gf_dump_vrml_dyn_field.isra+391>
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff7060 ◂— 0x3000000010
    01:0008│     0x7fffffff7068 —▸ 0x5555555df880 ◂— 0x31646c6569665f /* '_field1' */
    02:0010│     0x7fffffff7070 ◂— 0x0
    03:0018│     0x7fffffff7078 ◂— 0x38b85a8f00
    04:0020│     0x7fffffff7080 ◂— 0x0
    05:0028│     0x7fffffff7088 ◂— 0x7aa5d2dbb85a8f00
    06:0030│     0x7fffffff7090 ◂— 0x1
    07:0038│     0x7fffffff7098 —▸ 0x7ffff7e27f46 ◂— 0x65646f6d73006325 /* '%c' */
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff7ac0797 gf_dump_vrml_dyn_field.isra+631
       f 1   0x7ffff7ac15d1 DumpProtos+305
       f 2   0x7ffff7abb389 gf_sm_dump_command_list+857
       f 3   0x7ffff7ac24fc gf_sm_dump+1116
       f 4   0x555555584418 dump_isom_scene+616
       f 5   0x55555557b42c mp4boxMain+9228
       f 6   0x7ffff75630b3 __libc_start_main+243
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  0x00007ffff7ac0797 in gf_dump_vrml_dyn_field.isra () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #1  0x00007ffff7ac15d1 in DumpProtos () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #2  0x00007ffff7abb389 in gf_sm_dump_command_list () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #3  0x00007ffff7ac24fc in gf_sm_dump () from /root/fuckit/test/gpac-master/bin/gcc/libgpac.so.10
    #4  0x0000555555584418 in dump_isom_scene ()
    #5  0x000055555557b42c in mp4boxMain ()
    #6  0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe1a8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe198) at ../csu/libc-start.c:308
    #7  0x000055555556c45e in _start ()

CVE-2021-44923: Null Pointer Dereference in gf_dump_vrml_dyn_field.isra() · Issue #1962 · gpac/gpac

A Null Pointer Dereference vulnerability exists in gpac 1.1.0 in the gf_node_get_field function, which can cause a segmentation fault and application crash.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   I looked for a similar issue and couldn't find any.
*   I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

A null pointer dereference was discovered in gf\_node\_get\_field(). The vulnerability causes a segmentation fault and application crash.

**Version:**

    MP4Box - GPAC version 1.1.0-DEV-revUNKNOWN_REV
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration:
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D
    

**System information**  
Ubuntu 20.04 focal, AMD EPYC 7742 64-Core @ 16x 2.25GHz

**command:**

    ./MP4Box -lsr poc_5
    ./MP4Box -lsr poc_6
    

poc.zip

**Result**

poc\_5

    [iso file] Unknown box type dreFF in parent dinf
    [iso file] Missing dref box in dinf
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type FFFFFF80 in parent hinf
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 860062
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] Unknown box type dreFF in parent dinf
    [iso file] Missing dref box in dinf
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type FFFFFF80 in parent hinf
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 860062
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 LASeR Scene Parsing
    [1]    878696 segmentation fault  ./MP4Box -lsr ./poc/poc_5
    

poc\_6

    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type pm00x in parent hinf
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 861258
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type pm00x in parent hinf
    [iso file] Unknown box type 80rak in parent moov
    [iso file] Incomplete box mdat - start 11495 size 861258
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 LASeR Scene Parsing
    [LASeR] memory overread - corrupted decoding
    [LASeR] memory overread - corrupted decoding
    [LASeR] memory overread - corrupted decoding
    [LASeR] memory overread - corrupted decoding
    [LASeR] memory overread - corrupted decoding
    [LASeR] memory overread - corrupted decoding
    [LASeR] memory overread - corrupted decoding
    [LASeR] memory overread - corrupted decoding
    [LASeR] memory overread - corrupted decoding
    ...
    Program received signal SIGSEGV, Segmentation fault.
    

**gdb**

poc\_5

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff784acf0 in gf_node_get_field () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0x4
     RBX  0x5555555df130 —▸ 0x5555555d4330 ◂— 0x0
     RCX  0x5555555df310 ◂— 0x0
     RDX  0x7fffffff7050 ◂— 0x4
     RDI  0x0
     RSI  0x7fffffff7050 ◂— 0x4
     R8   0x4
     R9   0x0
     R10  0x7ffff775bb48 ◂— 'gf_node_get_field'
     R11  0x7ffff784acd0 (gf_node_get_field) ◂— endbr64
     R12  0xfffffffe
     R13  0x5555555df290 ◂— 0x4
     R14  0x7fffffff7050 ◂— 0x4
     R15  0x5555555dcdc0 —▸ 0x5555555d26b0 ◂— 0x0
     RBP  0x80
     RSP  0x7fffffff6fa8 —▸ 0x7ffff7b5784a (lsr_read_command_list+1402) ◂— mov    eax, dword ptr [rsp + 0xa4]
     RIP  0x7ffff784acf0 (gf_node_get_field+32) ◂— mov    rax, qword ptr [rdi]
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
     ► 0x7ffff784acf0 <gf_node_get_field+32>     mov    rax, qword ptr [rdi]
       0x7ffff784acf3 <gf_node_get_field+35>     movzx  eax, word ptr [rax]
       0x7ffff784acf6 <gf_node_get_field+38>     test   ax, ax
       0x7ffff784acf9 <gf_node_get_field+41>     je     gf_node_get_field+144                <gf_node_get_field+144>
        ↓
       0x7ffff784ad60 <gf_node_get_field+144>    mov    eax, 0xffffffff
       0x7ffff784ad65 <gf_node_get_field+149>    ret
    
       0x7ffff784ad66                            nop    word ptr cs:[rax + rax]
       0x7ffff784ad70 <dirty_children>           push   r14
       0x7ffff784ad72 <dirty_children+2>         push   r13
       0x7ffff784ad74 <dirty_children+4>         push   r12
       0x7ffff784ad76 <dirty_children+6>         push   rbp
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff6fa8 —▸ 0x7ffff7b5784a (lsr_read_command_list+1402) ◂— mov    eax, dword ptr [rsp + 0xa4]
    01:0008│     0x7fffffff6fb0 ◂— 0x0
    02:0010│     0x7fffffff6fb8 ◂— 0x300000000
    03:0018│     0x7fffffff6fc0 ◂— 0x0
    04:0020│     0x7fffffff6fc8 —▸ 0x5555555df0b0 —▸ 0x5555555df1d0 —▸ 0x5555555df130 —▸ 0x5555555d4330 ◂— ...
    05:0028│     0x7fffffff6fd0 ◂— 0x0
    ... ↓        2 skipped
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff784acf0 gf_node_get_field+32
       f 1   0x7ffff7b5784a lsr_read_command_list+1402
       f 2   0x7ffff7b59914 lsr_decode_laser_unit+708
       f 3   0x7ffff7b6204d gf_laser_decode_command_list+333
       f 4   0x7ffff7aa1eb1 gf_sm_load_run_isom+1505
       f 5   0x5555555844a8 dump_isom_scene+760
       f 6   0x55555557b42c mp4boxMain+9228
       f 7   0x7ffff75630b3 __libc_start_main+243
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  0x00007ffff784acf0 in gf_node_get_field () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #1  0x00007ffff7b5784a in lsr_read_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #2  0x00007ffff7b59914 in lsr_decode_laser_unit () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #3  0x00007ffff7b6204d in gf_laser_decode_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #4  0x00007ffff7aa1eb1 in gf_sm_load_run_isom () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #5  0x00005555555844a8 in dump_isom_scene ()
    #6  0x000055555557b42c in mp4boxMain ()
    #7  0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe188, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe178) at ../csu/libc-start.c:308
    #8  0x000055555556c45e in _start ()
    

poc\_6

    Program received signal SIGSEGV, Segmentation fault.
    0x00007ffff784acf0 in gf_node_get_field () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
    ────────────────────────────────────────────[ REGISTERS ]─────────────────────────────────────────────
     RAX  0xbb
     RBX  0x5555555df0f0 —▸ 0x5555555d4300 ◂— 0x0
     RCX  0x5555555df2d0 ◂— 0x0
     RDX  0x7fffffff7000 ◂— 0xbb
     RDI  0x0
     RSI  0x7fffffff7000 ◂— 0xbb
     R8   0xbb
     R9   0x0
     R10  0x7ffff775bb48 ◂— 'gf_node_get_field'
     R11  0x7ffff784acd0 (gf_node_get_field) ◂— endbr64
     R12  0xfffffffe
     R13  0x5555555df250 ◂— 0xbb
     R14  0x7fffffff7000 ◂— 0xbb
     R15  0x5555555dcd80 —▸ 0x5555555d2680 ◂— 0x0
     RBP  0x40
     RSP  0x7fffffff6f58 —▸ 0x7ffff7b5784a (lsr_read_command_list+1402) ◂— mov    eax, dword ptr [rsp + 0xa4]
     RIP  0x7ffff784acf0 (gf_node_get_field+32) ◂— mov    rax, qword ptr [rdi]
    ──────────────────────────────────────────────[ DISASM ]──────────────────────────────────────────────
     ► 0x7ffff784acf0 <gf_node_get_field+32>     mov    rax, qword ptr [rdi]
       0x7ffff784acf3 <gf_node_get_field+35>     movzx  eax, word ptr [rax]
       0x7ffff784acf6 <gf_node_get_field+38>     test   ax, ax
       0x7ffff784acf9 <gf_node_get_field+41>     je     gf_node_get_field+144                <gf_node_get_field+144>
        ↓
       0x7ffff784ad60 <gf_node_get_field+144>    mov    eax, 0xffffffff
       0x7ffff784ad65 <gf_node_get_field+149>    ret
    
       0x7ffff784ad66                            nop    word ptr cs:[rax + rax]
       0x7ffff784ad70 <dirty_children>           push   r14
       0x7ffff784ad72 <dirty_children+2>         push   r13
       0x7ffff784ad74 <dirty_children+4>         push   r12
       0x7ffff784ad76 <dirty_children+6>         push   rbp
    ──────────────────────────────────────────────[ STACK ]───────────────────────────────────────────────
    00:0000│ rsp 0x7fffffff6f58 —▸ 0x7ffff7b5784a (lsr_read_command_list+1402) ◂— mov    eax, dword ptr [rsp + 0xa4]
    01:0008│     0x7fffffff6f60 ◂— 0x6469005453414c00
    02:0010│     0x7fffffff6f68 ◂— 0x900000000
    03:0018│     0x7fffffff6f70 ◂— 0x0
    04:0020│     0x7fffffff6f78 —▸ 0x5555555df070 —▸ 0x5555555df190 —▸ 0x5555555df0f0 —▸ 0x5555555d4300 ◂— ...
    05:0028│     0x7fffffff6f80 ◂— 0x0
    ... ↓        2 skipped
    ────────────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────────────
     ► f 0   0x7ffff784acf0 gf_node_get_field+32
       f 1   0x7ffff7b5784a lsr_read_command_list+1402
       f 2   0x7ffff7b59914 lsr_decode_laser_unit+708
       f 3   0x7ffff7b6204d gf_laser_decode_command_list+333
       f 4   0x7ffff7aa1eb1 gf_sm_load_run_isom+1505
       f 5   0x5555555844a8 dump_isom_scene+760
       f 6   0x55555557b42c mp4boxMain+9228
       f 7   0x7ffff75630b3 __libc_start_main+243
    ──────────────────────────────────────────────────────────────────────────────────────────────────────
    pwndbg> bt
    #0  0x00007ffff784acf0 in gf_node_get_field () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #1  0x00007ffff7b5784a in lsr_read_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #2  0x00007ffff7b59914 in lsr_decode_laser_unit () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #3  0x00007ffff7b6204d in gf_laser_decode_command_list () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #4  0x00007ffff7aa1eb1 in gf_sm_load_run_isom () from /root/fuckit/test/gpac1210/bin/gcc/libgpac.so.10
    #5  0x00005555555844a8 in dump_isom_scene ()
    #6  0x000055555557b42c in mp4boxMain ()
    #7  0x00007ffff75630b3 in __libc_start_main (main=0x55555556c420 <main>, argc=3, argv=0x7fffffffe138, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe128) at ../csu/libc-start.c:308
    #8  0x000055555556c45e in _start ()

CVE-2021-44918: Null Pointer Dereference in gf_node_get_field() · Issue #1968 · gpac/gpac

An infinite loop vulnerability exists in Gpac 1.0.1 in gf_get_bit_size.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   \[Yes \] I looked for a similar issue and couldn't find any.
*   \[ Yes\] I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   \[ Yes\] I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Version:**

    ./MP4Box -version
    MP4Box - GPAC version 1.1.0-DEV-rev1527-g6fcf9819e-master
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
     MINI build (encoders, decoders, audio and video output disabled)
    
    Please cite our work in your research:
     GPAC Filters: https://doi.org/10.1145/3339825.3394929
     GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --static-mp4box --prefix=/home/zxq/CVE_testing/sourceproject/gpac/cmakebuild --enable-debug
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D 
    

**System information**  
Ubuntu 20.04.1 LTS, gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)

**command:**

    ./bin/gcc/MP4Box -hint POC
    

**Result**

\*\*GDB information \*\*

    [----------------------------------registers-----------------------------------]
    RAX: 0x20000 
    RBX: 0x80 
    RCX: 0xe9b05a71 
    RDX: 0x1 
    RSI: 0x6a6a6ab8 
    RDI: 0x6a6a6ab8 
    RBP: 0x5555555e1630 --> 0x1 
    RSP: 0x7fffffff8078 --> 0x7ffff7875506 (<gf_rtp_builder_init+2342>:	mov    ebx,DWORD PTR [rbp+0x90])
    RIP: 0x7ffff7788927 (<gf_get_bit_size+23>:	cmp    eax,edi)
    R8 : 0x0 
    R9 : 0x20 (' ')
    R10: 0x7ffff76d955a ("gf_rtp_builder_init")
    R11: 0x2 
    R12: 0x59e 
    R13: 0x60 ('`')
    R14: 0x5555555e1750 --> 0x0 
    R15: 0x0
    EFLAGS: 0x206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x7ffff7788920 <gf_get_bit_size+16>:	add    ecx,0x1
       0x7ffff7788923 <gf_get_bit_size+19>:	mov    eax,edx
       0x7ffff7788925 <gf_get_bit_size+21>:	shl    eax,cl
    => 0x7ffff7788927 <gf_get_bit_size+23>:	cmp    eax,edi
       0x7ffff7788929 <gf_get_bit_size+25>:	jle    0x7ffff7788920 <gf_get_bit_size+16>
       0x7ffff778892b <gf_get_bit_size+27>:	mov    eax,ecx
       0x7ffff778892d <gf_get_bit_size+29>:	ret    
       0x7ffff778892e:	xchg   ax,ax
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffff8078 --> 0x7ffff7875506 (<gf_rtp_builder_init+2342>:	mov    ebx,DWORD PTR [rbp+0x90])
    0008| 0x7fffffff8080 --> 0x24a 
    0016| 0x7fffffff8088 --> 0xfc7 
    0024| 0x7fffffff8090 --> 0x32ce10ac 
    0032| 0x7fffffff8098 --> 0x6a6a6ab800000020 
    0040| 0x7fffffff80a0 --> 0x2 
    0048| 0x7fffffff80a8 --> 0x62 ('b')
    0056| 0x7fffffff80b0 --> 0x5555555dfb90 --> 0x5555555da930 --> 0x0 
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGINT
    0x00007ffff7788927 in gf_get_bit_size () from /home/zxq/CVE_testing/sourceproject/momey/gpac/bin/gcc/libgpac.so.10
    gdb-peda$ bt
    #0  0x00007ffff7788927 in gf_get_bit_size () from /home/zxq/CVE_testing/sourceproject/momey/gpac/bin/gcc/libgpac.so.10
    #1  0x00007ffff7875506 in gf_rtp_builder_init () from /home/zxq/CVE_testing/sourceproject/momey/gpac/bin/gcc/libgpac.so.10
    #2  0x00007ffff7a0ec5c in gf_hinter_track_new () from /home/zxq/CVE_testing/sourceproject/momey/gpac/bin/gcc/libgpac.so.10
    #3  0x000055555557958b in HintFile ()
    #4  0x000055555557d257 in mp4boxMain ()
    #5  0x00007ffff74df0b3 in __libc_start_main (main=0x55555556d420 <main>, argc=0x3, argv=0x7fffffffe308, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe2f8)
        at ../csu/libc-start.c:308
    #6  0x000055555556d45e in _start ()
    gdb-peda$

CVE-2021-45297: infinite loop in gf_get_bit_size（） · Issue #1973 · gpac/gpac

A vulnerability exists in GPAC 1.0.1 due to an omission of security-relevant Information, which could cause a Denial of Service. The program terminates with signal SIGKILL.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   \[Yes \] I looked for a similar issue and couldn't find any.
*   \[ Yes\] I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   \[ Yes\] I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Version:**

    ./MP4Box -version
    MP4Box - GPAC version 1.1.0-DEV-rev1527-g6fcf9819e-master
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
     MINI build (encoders, decoders, audio and video output disabled)
    
    Please cite our work in your research:
     GPAC Filters: https://doi.org/10.1145/3339825.3394929
     GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --static-mp4box --prefix=/home/zxq/CVE_testing/sourceproject/gpac/cmakebuild --enable-debug
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D 
    

**System information**  
Ubuntu 20.04.1 LTS, gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)

**command:**

    ./bin/gcc/MP4Box -diso -out /dev/null POC
    

POC.zip  
**Result**

    [iso file] Unknown box type gods in parent moov
    [iso file] Box "avcC" (start 939) has 34 extra bytes
    [iso file] Unknown box type 0000 in parent sinf
    [iso file] Unknown box type u87l  in parent dref
    [iso file] Unknown box type 0001bl in parent minf
    [iso file] Track with no sample table !
    [iso file] Track with no sample description box !
    [iso file] Unknown box type sbgd in parent traf
    [5]    3129116 killed     ./../../../../sourceproject/momey/gpac/bin/gcc/MP4Box -diso -out /dev/null
    
    

GDB Information

    Starting program: /home/zxq/CVE_testing/sourceproject/momey/gpac/bin/gcc/MP4Box -diso id:000001,src:000022+000904,op:splice,rep:32
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    [iso file] Unknown box type gods in parent moov
    [iso file] Box "avcC" (start 939) has 34 extra bytes
    [iso file] Unknown box type 0000 in parent sinf
    [iso file] Unknown box type u87l  in parent dref
    [iso file] Unknown box type 0001bl in parent minf
    [iso file] Track with no sample table !
    [iso file] Track with no sample description box !
    [iso file] Unknown box type sbgd in parent traf
    
    
    
    
    Program terminated with signal SIGKILL, Killed.
    The program no longer exists.

CVE-2021-45289: Program terminated with signal SIGKILL  · Issue #1972 · gpac/gpac

A Denial of Service vulnerability exists in Binaryen 103 due to an Invalid memory address dereference in wasm::WasmBinaryBuilder::visitLet.

**Version:**

**System information**  
Ubuntu 20.04.1 LTS, clang version 10.0.0-4ubuntu1

**command:**

POC2.zip

**Result**

    [28]    3932046 segmentation fault  ./wasm-dis 
    
    

**GDB information**

    
    Program received signal SIGSEGV, Segmentation fault.
    [----------------------------------registers-----------------------------------]
    RAX: 0x2 
    RBX: 0x7fffffffd390 --> 0x7fffffffd8c0 --> 0x0 
    RCX: 0x0 
    RDX: 0x0 
    RSI: 0xffffffff 
    RDI: 0x7fffffffd390 --> 0x7fffffffd8c0 --> 0x0 
    RBP: 0x7fffffffcf40 --> 0x7fffffffd030 --> 0x7fffffffd0a0 --> 0x7fffffffd100 --> 0x7fffffffd1e0 --> 0x7fffffffd370 (--> ...)
    RSP: 0x7fffffffce90 --> 0x8 
    RIP: 0x7ffff7c1203c (<_ZN4wasm17WasmBinaryBuilder8visitLetEPNS_5BlockE+76>:	mov    rax,QWORD PTR [rdx+0x38])
    R8 : 0x0 
    R9 : 0x0 
    R10: 0x7ffff74d633d ("_ZN4wasm17WasmBinaryBuilder16startControlFlowEPNS_10ExpressionE")
    R11: 0x7ffff7be2080 (<_ZN4wasm17WasmBinaryBuilder16startControlFlowEPNS_10ExpressionE>:	endbr64)
    R12: 0x17 
    R13: 0x55555559ec68 --> 0x1 
    R14: 0x7fffffffcf80 --> 0x7fffffffd038 --> 0x7ffff7c0ba5e (<_ZN4wasm17WasmBinaryBuilder18processExpressionsEv+110>:	mov    rsi,QWORD PTR [rbp-0x60])
    R15: 0x1
    EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x7ffff7c1202e <_ZN4wasm17WasmBinaryBuilder8visitLetEPNS_5BlockE+62>:	mov    rdx,QWORD PTR [rbx+0x148]
       0x7ffff7c12035 <_ZN4wasm17WasmBinaryBuilder8visitLetEPNS_5BlockE+69>:	mov    rdi,rbx
       0x7ffff7c12038 <_ZN4wasm17WasmBinaryBuilder8visitLetEPNS_5BlockE+72>:	mov    QWORD PTR [r13+0x8],rax
    => 0x7ffff7c1203c <_ZN4wasm17WasmBinaryBuilder8visitLetEPNS_5BlockE+76>:	mov    rax,QWORD PTR [rdx+0x38]
       0x7ffff7c12040 <_ZN4wasm17WasmBinaryBuilder8visitLetEPNS_5BlockE+80>:	sub    rax,QWORD PTR [rdx+0x30]
       0x7ffff7c12044 <_ZN4wasm17WasmBinaryBuilder8visitLetEPNS_5BlockE+84>:	sar    rax,0x3
       0x7ffff7c12048 <_ZN4wasm17WasmBinaryBuilder8visitLetEPNS_5BlockE+88>:	mov    r15,rax
       0x7ffff7c1204b <_ZN4wasm17WasmBinaryBuilder8visitLetEPNS_5BlockE+91>:	mov    QWORD PTR [rbp-0x88],rax
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffffce90 --> 0x8 
    0008| 0x7fffffffce98 --> 0x7fffffffcf10 --> 0x7fffffffcf80 --> 0x7fffffffd038 --> 0x7ffff7c0ba5e (<_ZN4wasm17WasmBinaryBuilder18processExpressionsEv+110>:	mov    rsi,QWORD PTR [rbp-0x60])
    0016| 0x7fffffffcea0 --> 0x7fffffffd390 --> 0x7fffffffd8c0 --> 0x0 
    0024| 0x7fffffffcea8 --> 0x659c1cad59c48400 
    0032| 0x7fffffffceb0 --> 0x7fffffffd6c0 --> 0x55555558a7c0 --> 0x55555559ec50 --> 0xa ('\n')
    0040| 0x7fffffffceb8 --> 0x7fffffffd390 --> 0x7fffffffd8c0 --> 0x0 
    0048| 0x7fffffffcec0 --> 0x7fffffffd390 --> 0x7fffffffd8c0 --> 0x0 
    0056| 0x7fffffffcec8 --> 0x7ffff76384e1 (<_ZN10MixedArena10allocSpaceEmm+65>:	mov    rbx,rax)
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGSEGV
    0x00007ffff7c1203c in wasm::WasmBinaryBuilder::visitLet(wasm::Block*) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    gdb-peda$ bt
    #0  0x00007ffff7c1203c in wasm::WasmBinaryBuilder::visitLet(wasm::Block*) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #1  0x00007ffff7c0a742 in wasm::WasmBinaryBuilder::readExpression(wasm::Expression*&) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #2  0x00007ffff7c0ba5e in wasm::WasmBinaryBuilder::processExpressions() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #3  0x00007ffff7c0bd06 in wasm::WasmBinaryBuilder::readExpression() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #4  0x00007ffff7c0bec4 in wasm::WasmBinaryBuilder::readGlobals() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #5  0x00007ffff7c117d0 in wasm::WasmBinaryBuilder::read() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #6  0x00007ffff7c3d766 in wasm::ModuleReader::readBinaryData(std::vector<char, std::allocator<char> >&, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) ()
       from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #7  0x00007ffff7c3df6c in wasm::ModuleReader::readBinary(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #8  0x000055555555966c in main ()
    #9  0x00007ffff6ec50b3 in __libc_start_main (main=0x555555558d40 <main>, argc=0x2, argv=0x7fffffffe248, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe238)
        at ../csu/libc-start.c:308
    #10 0x0000555555559d4e in _start ()
    gdb-peda$ bt
    #0  0x00007ffff7c1203c in wasm::WasmBinaryBuilder::visitLet(wasm::Block*) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #1  0x00007ffff7c0a742 in wasm::WasmBinaryBuilder::readExpression(wasm::Expression*&) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #2  0x00007ffff7c0ba5e in wasm::WasmBinaryBuilder::processExpressions() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #3  0x00007ffff7c0bd06 in wasm::WasmBinaryBuilder::readExpression() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #4  0x00007ffff7c0bec4 in wasm::WasmBinaryBuilder::readGlobals() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #5  0x00007ffff7c117d0 in wasm::WasmBinaryBuilder::read() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #6  0x00007ffff7c3d766 in wasm::ModuleReader::readBinaryData(std::vector<char, std::allocator<char> >&, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) ()
       from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #7  0x00007ffff7c3df6c in wasm::ModuleReader::readBinary(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #8  0x000055555555966c in main ()
    #9  0x00007ffff6ec50b3 in __libc_start_main (main=0x555555558d40 <main>, argc=0x2, argv=0x7fffffffe248, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe238)
        at ../csu/libc-start.c:308
    #10 0x0000555555559d4e in _start ()
    gdb-peda$ 
    #0  0x00007ffff7c1203c in wasm::WasmBinaryBuilder::visitLet(wasm::Block*) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #1  0x00007ffff7c0a742 in wasm::WasmBinaryBuilder::readExpression(wasm::Expression*&) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #2  0x00007ffff7c0ba5e in wasm::WasmBinaryBuilder::processExpressions() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #3  0x00007ffff7c0bd06 in wasm::WasmBinaryBuilder::readExpression() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #4  0x00007ffff7c0bec4 in wasm::WasmBinaryBuilder::readGlobals() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #5  0x00007ffff7c117d0 in wasm::WasmBinaryBuilder::read() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #6  0x00007ffff7c3d766 in wasm::ModuleReader::readBinaryData(std::vector<char, std::allocator<char> >&, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) ()
       from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #7  0x00007ffff7c3df6c in wasm::ModuleReader::readBinary(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, wasm::Module&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
    #8  0x000055555555966c in main ()
    #9  0x00007ffff6ec50b3 in __libc_start_main (main=0x555555558d40 <main>, argc=0x2, argv=0x7fffffffe248, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe238)
        at ../csu/libc-start.c:308
    #10 0x0000555555559d4e in _start ()

CVE-2021-45293: Invalid memory address dereference in wasm::WasmBinaryBuilder::visitLet(wasm::Block*) · Issue #4384 · WebAssembly/binaryen

The gf_isom_hint_rtp_read function in GPAC 1.0.1 allows attackers to cause a denial of service (Invalid memory address dereference) via a crafted file in the MP4Box command.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   \[Yes \] I looked for a similar issue and couldn't find any.
*   \[ Yes\] I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   \[ Yes\] I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Version:**

    ./MP4Box -version
    MP4Box - GPAC version 1.1.0-DEV-rev1527-g6fcf9819e-master
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
     MINI build (encoders, decoders, audio and video output disabled)
    
    Please cite our work in your research:
     GPAC Filters: https://doi.org/10.1145/3339825.3394929
     GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --static-mp4box --prefix=/home/zxq/CVE_testing/sourceproject/gpac/cmakebuild --enable-debug
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D 
    

**System information**  
Ubuntu 20.04.1 LTS, gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)

**command:**

    ./bin/gcc/MP4Box -disox -ttxt -2 -dump-chap-ogg -dump-cover -drtp -bt -out /dev/null poc
    

poc.zip

**Result**

    [9]    3114513 segmentation fault
    

**GDB information**

    Program received signal SIGSEGV, Segmentation fault.
    [----------------------------------registers-----------------------------------]
    RAX: 0x0 
    RBX: 0x400788 --> 0x0 
    RCX: 0xcffd67 (<__libc_write+23>:	cmp    rax,0xfffffffffffff000)
    RDX: 0x0 
    RSI: 0x0 
    RDI: 0x10f4580 --> 0x0 
    RBP: 0x7fffffff9340 --> 0x7fffffff9360 --> 0x7fffffff93c0 --> 0x7fffffff9450 --> 0x7fffffff98b0 --> 0x7fffffffe150 (--> ...)
    RSP: 0x7fffffff9300 --> 0x10eb8f0 --> 0x0 
    RIP: 0x60afe1 (<gf_isom_hint_rtp_read+414>:	mov    rax,QWORD PTR [rax+0x8])
    R8 : 0x0 
    R9 : 0x0 
    R10: 0x0 
    R11: 0x246 
    R12: 0xd07990 (<__libc_csu_fini>:	endbr64)
    R13: 0x0 
    R14: 0x10a3018 --> 0xd7e490 (<__memmove_avx_unaligned_erms>:	endbr64)
    R15: 0x0
    EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x60afd5 <gf_isom_hint_rtp_read+402>:	mov    rdi,rax
       0x60afd8 <gf_isom_hint_rtp_read+405>:	call   0x444624 <gf_list_add>
       0x60afdd <gf_isom_hint_rtp_read+410>:	mov    rax,QWORD PTR [rbp-0x18]
    => 0x60afe1 <gf_isom_hint_rtp_read+414>:	mov    rax,QWORD PTR [rax+0x8]
       0x60afe5 <gf_isom_hint_rtp_read+418>:	add    DWORD PTR [rbp-0x28],eax
       0x60afe8 <gf_isom_hint_rtp_read+421>:	mov    eax,DWORD PTR [rbp-0x28]
       0x60afeb <gf_isom_hint_rtp_read+424>:	cmp    eax,DWORD PTR [rbp-0x20]
       0x60afee <gf_isom_hint_rtp_read+427>:	jb     0x60afa2 <gf_isom_hint_rtp_read+351>
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffff9300 --> 0x10eb8f0 --> 0x0 
    0008| 0x7fffffff9308 --> 0x10e9510 --> 0xf872747020 
    0016| 0x7fffffff9310 --> 0x1000000010050 
    0024| 0x7fffffff9318 --> 0x4 
    0032| 0x7fffffff9320 --> 0x10001 
    0040| 0x7fffffff9328 --> 0x0 
    0048| 0x7fffffff9330 --> 0x7fffffff9360 --> 0x7fffffff93c0 --> 0x7fffffff9450 --> 0x7fffffff98b0 --> 0x7fffffffe150 (--> ...)
    0056| 0x7fffffff9338 --> 0x5fb0ffd851107300 
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGSEGV
    0x000000000060afe1 in gf_isom_hint_rtp_read (ptr=0x10e9510, bs=0x10eb8f0) at isomedia/hinting.c:682
    682				tempSize += (u32) a->size;
    gdb-peda$ bt
    #0  0x000000000060afe1 in gf_isom_hint_rtp_read (ptr=0x10e9510, bs=0x10eb8f0) at isomedia/hinting.c:682
    #1  0x000000000060a32f in gf_isom_hint_pck_read (ptr=0x10e9510, bs=0x10eb8f0) at isomedia/hinting.c:329
    #2  0x0000000000609f4e in gf_isom_hint_sample_read (ptr=0x10efdc0, bs=0x10eb8f0, sampleSize=0x20) at isomedia/hinting.c:212
    #3  0x000000000058e156 in gf_isom_dump_hint_sample (the_file=0x10dd6c0, trackNumber=0x2, SampleNum=0xf8, trace=0x10e9f30) at isomedia/box_dump.c:2844
    #4  0x0000000000419dc3 in dump_isom_rtp (file=0x10dd6c0, inName=0x7fffffffe602 "/dev/null", is_final_name=GF_TRUE) at filedump.c:860
    #5  0x00000000004156b0 in mp4boxMain (argc=0xb, argv=0x7fffffffe2a8) at main.c:6090
    #6  0x000000000041719b in main (argc=0xb, argv=0x7fffffffe2a8) at main.c:6496
    #7  0x0000000000d07120 in __libc_start_main ()
    #8  0x000000000040211e in _start ()

CVE-2021-45292: A segmentation fault in  gf_isom_hint_rtp_read () , isomedia/hinting.c:682 · Issue #1958 · gpac/gpac

The gf_dump_setup function in GPAC 1.0.1 allows malicoius users to cause a denial of service (Invalid memory address dereference) via a crafted file in the MP4Box command.

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

*   \[Yes \] I looked for a similar issue and couldn't find any.
*   \[ Yes\] I tried with the latest version of GPAC. Installers available at http://gpac.io/downloads/gpac-nightly-builds/
*   \[ Yes\] I give enough information for contributors to reproduce my issue (meaningful title, github labels, platform and compiler, command-line ...). I can share files anonymously with this dropbox: https://www.mediafire.com/filedrop/filedrop\_hosted.php?drop=eec9e058a9486fe4e99c33021481d9e1826ca9dbc242a6cfaab0fe95da5e5d95

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

**Version:**

    ./MP4Box -version
    MP4Box - GPAC version 1.1.0-DEV-rev1527-g6fcf9819e-master
    (c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    	MINI build (encoders, decoders, audio and video output disabled)
    
    Please cite our work in your research:
    	GPAC Filters: https://doi.org/10.1145/3339825.3394929
    	GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --static-mp4box --prefix=/home/zxq/CVE_testing/sourceproject/gpac/cmakebuild --enable-debug
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D 
    

**System information**  
Ubuntu 20.04.1 LTS, gcc version 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)

**command:**

    ./bin/gcc/MP4Box -lsr POC
    

POC.zip  
**Result**

    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [ODF] Error reading descriptor (tag 4 size 0): Invalid MPEG-4 Descriptor
    [iso file] Incomplete box mdat - start 11495 size 128
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] extra box maxr found in hinf, deleting
    [iso file] extra box maxr found in hinf, deleting
    [ODF] Error reading descriptor (tag 4 size 0): Invalid MPEG-4 Descriptor
    [iso file] Incomplete box mdat - start 11495 size 128
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 BIFS Scene Parsing
    [MP4 Loading] Unable to fetch sample 1 from track ID 8 - aborting track import
    Scene loaded - dumping 1 systems streams
    [1]    1233733 segmentation fault 
    

**gdb information:**

    [----------------------------------registers-----------------------------------]
    RAX: 0x0 
    RBX: 0x400788 --> 0x0 
    RCX: 0x0 
    RDX: 0x0 
    RSI: 0x0 
    RDI: 0x10f40f0 --> 0x10f4590 --> 0x10f4460 --> 0x70003 
    RBP: 0x7fffffff87b0 --> 0x7fffffff8850 --> 0x7fffffff9950 --> 0x7fffffffe1f0 --> 0x7fffffffe210 --> 0xd078f0 (<__libc_csu_init>:	endbr64)
    RSP: 0x7fffffff8750 --> 0x10f4090 --> 0x10002 
    RIP: 0x6d9986 (<gf_dump_setup+365>:	movzx  eax,BYTE PTR [rax+0x8])
    R8 : 0xe3d1d3 (" Scene Dump -->\n")
    R9 : 0x12 
    R10: 0xfffffffb 
    R11: 0xe3d1c2 --> 0x565300526553414c ('LASeR')
    R12: 0xd07990 (<__libc_csu_fini>:	endbr64)
    R13: 0x0 
    R14: 0x10a3018 --> 0xd7e490 (<__memmove_avx_unaligned_erms>:	endbr64)
    R15: 0x0
    EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
    [-------------------------------------code-------------------------------------]
       0x6d997a <gf_dump_setup+353>:	mov    QWORD PTR [rbp-0x38],rax
       0x6d997e <gf_dump_setup+357>:	mov    rax,QWORD PTR [rbp-0x38]
       0x6d9982 <gf_dump_setup+361>:	mov    rax,QWORD PTR [rax+0x18]
    => 0x6d9986 <gf_dump_setup+365>:	movzx  eax,BYTE PTR [rax+0x8]
       0x6d998a <gf_dump_setup+369>:	cmp    al,0x3
       0x6d998c <gf_dump_setup+371>:	jne    0x6d99ff <gf_dump_setup+486>
       0x6d998e <gf_dump_setup+373>:	mov    rax,QWORD PTR [rbp-0x38]
       0x6d9992 <gf_dump_setup+377>:	mov    rax,QWORD PTR [rax+0x18]
    [------------------------------------stack-------------------------------------]
    0000| 0x7fffffff8750 --> 0x10f4090 --> 0x10002 
    0008| 0x7fffffff8758 --> 0x10f47d0 --> 0x10e99f0 --> 0x0 
    0016| 0x7fffffff8760 --> 0x500400788 
    0024| 0x7fffffff8768 --> 0x200000000 
    0032| 0x7fffffff8770 --> 0x10f4090 --> 0x10002 
    0040| 0x7fffffff8778 --> 0x10f4460 --> 0x70003 
    0048| 0x7fffffff8780 --> 0x7fffffff87b0 --> 0x7fffffff8850 --> 0x7fffffff9950 --> 0x7fffffffe1f0 --> 0x7fffffffe210 (--> ...)
    0056| 0x7fffffff8788 --> 0x444a92 (<gf_list_enum+61>:	mov    QWORD PTR [rbp-0x8],rax)
    [------------------------------------------------------------------------------]
    Legend: code, data, rodata, value
    Stopped reason: SIGSEGV
    gf_dump_setup (sdump=0x10f47d0, root_od=0x10f4090) at scene_manager/scene_dump.c:243
    243					if (esd->decoderConfig->streamType != GF_STREAM_SCENE) continue;

Tag

#ubuntu