
Untrusted pointer dereference in insert_node_def() #2021

Closed HaN4Le closed 2 years ago

HaN4Le commented 2 years ago

Thanks for reporting your issue. Please make sure these boxes are checked before submitting your issue - thank you!

Detailed guidelines: http://gpac.io/2013/07/16/how-to-file-a-bug-properly/

Version:

/home/hankle/Testing/source/gpac/bin/gcc/MP4Box -version                                                                                                        
MP4Box - GPAC version 1.1.0-DEV-rev1574-g8b22f0912-master
(c) 2000-2021 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
        MINI build (encoders, decoders, audio and video output disabled)

Please cite our work in your research:
        GPAC Filters: https://doi.org/10.1145/3339825.3394929
        GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --static-mp4box --enable-debug --prefix=/home/hankle/Testing/source/gpac/cmakebuild
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_FREETYPE GPAC_HAS_JPEG GPAC_HAS_PNG  GPAC_DISABLE_3D 

command:

/home/hankle/Testing/source/gpac/bin/gcc/MP4Box -bt poc

POC poc.zip

Result:

Segmentation fault (SIGSEGV) in insert_node_def() at scenegraph/base_scenegraph.c:994. The faulting instruction `mov eax, dword ptr [rax + 0x10]` is the load of `sg->id_node_last->NodeID`, with RAX = 0x400010000 — apparently not a mapped address, so `sg->id_node_last` holds an invalid pointer at this point (see registers and disassembly below).

bt

Program received signal SIGSEGV, Segmentation fault.
insert_node_def (sg=0x10de210, def=0x10fb8d0, ID=24087, name=0x0) at scenegraph/base_scenegraph.c:994
994             } else if (sg->id_node_last->NodeID < ID) {
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
──────────────────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]──────────────────────────────────────────────────────────────────────────────────────────────────
 RAX  0x400010000
 RBX  0x7
 RCX  0x10de212 ◂— 0x4000400060002
 RDX  0x10fcb70 —▸ 0x10fcf50 —▸ 0x10fd1f0 ◂— 0x0
 RDI  0x20
 RSI  0x10fcf50 —▸ 0x10fd1f0 ◂— 0x0
 R8   0x10fcb70 —▸ 0x10fcf50 —▸ 0x10fd1f0 ◂— 0x0
 R9   0x10cbf40 (main_arena) ◂— 0x0
 R10  0x10cbfa0 (main_arena+96) —▸ 0x10ff3a0 ◂— 0x0
 R11  0x10cbfa0 (main_arena+96) —▸ 0x10ff3a0 ◂— 0x0
 R12  0xd0a0b0 (__libc_csu_fini) ◂— endbr64 
 R13  0x0
 R14  0x10a6018 (_GLOBAL_OFFSET_TABLE_+24) —▸ 0xd80bb0 (__memmove_avx_unaligned_erms) ◂— endbr64 
 R15  0x0
 RBP  0x7fffffff7320 —▸ 0x7fffffff7360 —▸ 0x7fffffff77d0 —▸ 0x7fffffff7c90 —▸ 0x7fffffff8150 ◂— ...
 RSP  0x7fffffff72f0 ◂— 0x0
 RIP  0x479f97 (insert_node_def+158) ◂— mov    eax, dword ptr [rax + 0x10]
───────────────────────────────────────────────────────────────────────────────────────────────────[ DISASM ]────────────────────────────────────────────────────────────────────────────────────────────────────
 ► 0x479f97 <insert_node_def+158>    mov    eax, dword ptr [rax + 0x10]
   0x479f9a <insert_node_def+161>    cmp    dword ptr [rbp - 0x24], eax
   0x479f9d <insert_node_def+164>    jbe    insert_node_def+209                      <insert_node_def+209>
    ↓
   0x479fca <insert_node_def+209>    mov    rax, qword ptr [rbp - 0x18]
   0x479fce <insert_node_def+213>    mov    rax, qword ptr [rax + 8]
   0x479fd2 <insert_node_def+217>    mov    eax, dword ptr [rax + 0x10]
   0x479fd5 <insert_node_def+220>    cmp    dword ptr [rbp - 0x24], eax
   0x479fd8 <insert_node_def+223>    jae    insert_node_def+254                      <insert_node_def+254>
    ↓
   0x479ff7 <insert_node_def+254>    mov    rax, qword ptr [rbp - 0x18]
   0x479ffb <insert_node_def+258>    mov    rax, qword ptr [rax + 8]
   0x479fff <insert_node_def+262>    mov    qword ptr [rbp - 0x10], rax
────────────────────────────────────────────────────────────────────────────────────────────────[ SOURCE (CODE) ]────────────────────────────────────────────────────────────────────────────────────────────────
In file: /home/hankle/Testing/source/gpac/src/scenegraph/base_scenegraph.c
   989 
   990  if (!sg->id_node) {
   991          sg->id_node = reg_node;
   992          sg->id_node_last = sg->id_node;
   993          reg_node->next = NULL;
 ► 994  } else if (sg->id_node_last->NodeID < ID) {
   995          sg->id_node_last->next = reg_node;
   996          sg->id_node_last = reg_node;
   997          reg_node->next = NULL;
   998  } else if (sg->id_node->NodeID>ID) {
   999          reg_node->next = sg->id_node;
────────────────────────────────────────────────────────────────────────────────────────────────────[ STACK ]────────────────────────────────────────────────────────────────────────────────────────────────────
00:0000│ rsp 0x7fffffff72f0 ◂— 0x0
01:0008│     0x7fffffff72f8 ◂— 0x5e17010fb8d0
02:0010│     0x7fffffff7300 —▸ 0x10fb8d0 —▸ 0x10fe450 ◂— 0x8000000300000039 /* '9' */
03:0018│     0x7fffffff7308 —▸ 0x10de210 ◂— 0x4000600020005
04:0020│     0x7fffffff7310 ◂— 0x1007fffffff77d0
05:0028│     0x7fffffff7318 —▸ 0x10fcb70 —▸ 0x10fcf50 —▸ 0x10fd1f0 ◂— 0x0
06:0030│ rbp 0x7fffffff7320 —▸ 0x7fffffff7360 —▸ 0x7fffffff77d0 —▸ 0x7fffffff7c90 —▸ 0x7fffffff8150 ◂— ...
07:0038│     0x7fffffff7328 —▸ 0x47a113 (gf_node_set_id+169) ◂— jmp    0x47a15b
──────────────────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────────────────────────────────────────────────────────────────
 ► f 0         0x479f97 insert_node_def+158
   f 1         0x47a113 gf_node_set_id+169
   f 2         0x5667ca gf_bifs_dec_node+1981
   f 3         0x55c938 gf_bifs_dec_proto_list+1565
   f 4         0x55c8fb gf_bifs_dec_proto_list+1504
   f 5         0x55c8fb gf_bifs_dec_proto_list+1504
   f 6         0x55d2ca BD_DecSceneReplace+111
   f 7         0x56c81d BM_SceneReplace+153
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg> bt
#0  insert_node_def (sg=0x10de210, def=0x10fb8d0, ID=24087, name=0x0) at scenegraph/base_scenegraph.c:994
#1  0x000000000047a113 in gf_node_set_id (p=0x10fb8d0, ID=24087, name=0x0) at scenegraph/base_scenegraph.c:1034
#2  0x00000000005667ca in gf_bifs_dec_node (codec=0x10f7570, bs=0x10eaf50, NDT_Tag=1) at bifs/field_decode.c:924
#3  0x000000000055c938 in gf_bifs_dec_proto_list (codec=0x10f7570, bs=0x10eaf50, proto_list=0x0) at bifs/com_dec.c:1131
#4  0x000000000055c8fb in gf_bifs_dec_proto_list (codec=0x10f7570, bs=0x10eaf50, proto_list=0x0) at bifs/com_dec.c:1124
#5  0x000000000055c8fb in gf_bifs_dec_proto_list (codec=0x10f7570, bs=0x10eaf50, proto_list=0x10f9b00) at bifs/com_dec.c:1124
#6  0x000000000055d2ca in BD_DecSceneReplace (codec=0x10f7570, bs=0x10eaf50, proto_list=0x10f9b00) at bifs/com_dec.c:1322
#7  0x000000000056c81d in BM_SceneReplace (codec=0x10f7570, bs=0x10eaf50, com_list=0x10f7930) at bifs/memory_decoder.c:860
#8  0x000000000056ca9e in BM_ParseCommand (codec=0x10f7570, bs=0x10eaf50, com_list=0x10f7930) at bifs/memory_decoder.c:908
#9  0x000000000056cf48 in gf_bifs_decode_command_list (codec=0x10f7570, ESID=8, data=0x10f79b0 '\314' <repeats 199 times>, <incomplete sequence \314>..., data_length=8208, com_list=0x10f7930) at bifs/memory_decoder.c:1009
#10 0x00000000006be0e9 in gf_sm_load_run_isom (load=0x7fffffff88c0) at scene_manager/loader_isom.c:303
#11 0x00000000006a2059 in gf_sm_load_run (load=0x7fffffff88c0) at scene_manager/scene_manager.c:719
#12 0x000000000041786e in dump_isom_scene (file=0x7fffffffe626 "poc", inName=0x10da460 <outfile> "poc", is_final_name=GF_FALSE, dump_mode=GF_SM_DUMP_BT, do_log=GF_FALSE, no_odf_conv=GF_FALSE) at filedump.c:199
#13 0x000000000041521f in mp4boxMain (argc=3, argv=0x7fffffffe348) at main.c:6044
#14 0x000000000041719b in main (argc=3, argv=0x7fffffffe348) at main.c:6496
#15 0x0000000000d09840 in __libc_start_main ()
#16 0x000000000040211e in _start ()
pwndbg> bt
jeanlf commented 2 years ago

Fixed as part of the fix for #1998; thanks for the report.