There are 6 NULL Pointer Dereference vulnerabilities in MP4Box

Source: www.huntr.dev (huntr report 7852E4D2-AF4E-4421-A39E-DB23E0549922)
Reporter: 7resp4ss
Published: Aug 18, 2023, 15:00:23

Tags: mp4box, null pointer dereference, xml_parser.c, dasher.c, ubuntu 20.04, gpac, addresssanitizer, proof of concept

EPSS: 0.0004 (Low), percentile 12.7%

NULL Pointer Dereference in function utils/xml_parser.c:1038

Description

NULL Pointer Dereference in function utils/xml_parser.c:1038

Environment

No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04 LTS
Release:    20.04
Codename:   focal

Version

MP4Box - GPAC version 2.3-DEV-rev478-g892852666-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
	GPAC Filters: https://doi.org/10.1145/3339825.3394929
	GPAC: https://doi.org/10.1145/1291233.1291452

Build

sudo CC=gcc CXX=g++ CFLAGS="-fsanitize=address -static-libasan" CXXFLAGS="-fsanitize=address -static-libasan" LDFLAGS="-fsanitize=address -static-libasan" ./configure && sudo make

Proof of Concept

MP4Box -bin ./poc_null_ptr0x1

Poc is here!

ASAN

==2465170==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fe7119f76f5 bp 0x7ffcfd8279d0 sp 0x7ffcfd827148 T0)
==2465170==The signal is caused by a READ memory access.
==2465170==Hint: address points to the zero page.
    #0 0x7fe7119f76f4  (/lib/x86_64-linux-gnu/libc.so.6+0x1886f4)
    #1 0x55ee5c88337b in __interceptor_strlen.part.0 (/home/hack/github_work/Fuzzing_gpac/asan_bin/bin/MP4Box+0xb137b)
    #2 0x7fe711e7e08e in gf_xml_sax_parse_intern (/home/hack/github_work/Fuzzing_gpac/asan_bin/lib/libgpac.so.12+0x25b08e)
    #3 0x7fe711e7e5a4 in gf_xml_sax_parse (/home/hack/github_work/Fuzzing_gpac/asan_bin/lib/libgpac.so.12+0x25b5a4)
    #4 0x7fe711e7e642 in xml_sax_read_file.part.0 (/home/hack/github_work/Fuzzing_gpac/asan_bin/lib/libgpac.so.12+0x25b642)
    #5 0x7fe711e7e936 in gf_xml_sax_parse_file (/home/hack/github_work/Fuzzing_gpac/asan_bin/lib/libgpac.so.12+0x25b936)
    #6 0x7fe711e7f972 in gf_xml_dom_parse (/home/hack/github_work/Fuzzing_gpac/asan_bin/lib/libgpac.so.12+0x25c972)
    #7 0x55ee5c96bd54 in xml_bs_to_bin (/home/hack/github_work/Fuzzing_gpac/asan_bin/bin/MP4Box+0x199d54)
    #8 0x55ee5c97c04c in mp4box_main (/home/hack/github_work/Fuzzing_gpac/asan_bin/bin/MP4Box+0x1aa04c)
    #9 0x7fe711893082 in __libc_start_main ../csu/libc-start.c:308
    #10 0x55ee5c83e5bd in _start (/home/hack/github_work/Fuzzing_gpac/asan_bin/bin/MP4Box+0x6c5bd)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x1886f4) 
==2465170==ABORTING

NULL Pointer Dereference in function filters/dasher.c:8146

Description

NULL Pointer Dereference in function filters/dasher.c:8146

Environment

No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04 LTS
Release:    20.04
Codename:   focal

Version

MP4Box - GPAC version 2.3-DEV-rev478-g892852666-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
	GPAC Filters: https://doi.org/10.1145/3339825.3394929
	GPAC: https://doi.org/10.1145/1291233.1291452

Build

./configure --enable-sanitizer && make lib -j 20 && make apps -j 20 && sudo make install -j 20

Proof of Concept

MP4Box -dash-live 1000 ./poc_null_ptr0x2.bt

Poc is here!

Sanitizer

Couldn't find any modules in lib path /home/hack/github_work/Fuzzing_gpac/sanitizer_bin/lib/gpac
Couldn't find any modules in HOME path (app path /home/hack/.gpac/modules)
[Core] default modules directory not found
Couldn't find any modules in lib path /home/hack/github_work/Fuzzing_gpac/sanitizer_bin/lib/gpac
Couldn't find any modules in HOME path (app path /home/hack/.gpac/modules)
Live DASH-ing - press 'q' to quit, 's' to save context and quit
[Dasher] No template assigned, using $File$_dash$FS$$Number$
[Dasher] No template assigned, using $File$_dash$FS$$Number$
Failed to connect filter btplay PID poc_null_ptr0x2.bt to filter dasher: Feature Not Supported
Blacklisting dasher as output from btplay and retrying connections
BT: MPEG-4 Scene Parsing
[Dasher] No bitrate property assigned to PID vout, computing from bitstream
[Dasher] MPD Availability start time initialized to 1692432805329 ms

Slept for 0 ms before generation, dash cumulated time 38
[Dasher] Loop requested in subdur mode, but source cannot seek, defaulting to multi period for all streams
filters/dasher.c:8146:50: runtime error: member access within null pointer of type 'struct GF_MPD_Period'

NULL Pointer Dereference in function utils/alloc.c:170

Description

NULL Pointer Dereference in function utils/alloc.c:170

Environment

No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04 LTS
Release:    20.04
Codename:   focal

Version

MP4Box - GPAC version 2.3-DEV-rev478-g892852666-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
	GPAC Filters: https://doi.org/10.1145/3339825.3394929
	GPAC: https://doi.org/10.1145/1291233.1291452

Build

./configure --enable-sanitizer && make lib -j 20 && make apps -j 20 && sudo make install -j 20

Proof of Concept

MP4Box -dash-live 1000 ./poc_null_ptr0x3

Poc is here!

Sanitizer

Couldn't find any modules in lib path /home/hack/github_work/Fuzzing_gpac/sanitizer_bin/lib/gpac
Couldn't find any modules in HOME path (app path /home/hack/.gpac/modules)
[Core] default modules directory not found
Couldn't find any modules in lib path /home/hack/github_work/Fuzzing_gpac/sanitizer_bin/lib/gpac
Couldn't find any modules in HOME path (app path /home/hack/.gpac/modules)
Live DASH-ing - press 'q' to quit, 's' to save context and quit
[Dasher] No template assigned, using $File$_dash$FS$$Number$
[Dasher] MPD Availability start time initialized to 1692432844285 ms
utils/alloc.c:170:2: runtime error: null pointer passed as argument 1, which is declared to never be null

NULL Pointer Dereference in function filters/dasher.c:6332

Description

NULL Pointer Dereference in function filters/dasher.c:6332

Environment

No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04 LTS
Release:    20.04
Codename:   focal

Version

MP4Box - GPAC version 2.3-DEV-rev478-g892852666-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
	GPAC Filters: https://doi.org/10.1145/3339825.3394929
	GPAC: https://doi.org/10.1145/1291233.1291452

Build

./configure --enable-sanitizer && make lib -j 20 && make apps -j 20 && sudo make install -j 20

Proof of Concept

MP4Box -dash-live 1000 ./poc_null_ptr0x4

Poc is here!

Sanitizer

Couldn't find any modules in lib path /home/hack/github_work/Fuzzing_gpac/sanitizer_bin/lib/gpac
Couldn't find any modules in HOME path (app path /home/hack/.gpac/modules)
[Core] default modules directory not found
Couldn't find any modules in lib path /home/hack/github_work/Fuzzing_gpac/sanitizer_bin/lib/gpac
Couldn't find any modules in HOME path (app path /home/hack/.gpac/modules)
Live DASH-ing - press 'q' to quit, 's' to save context and quit
[iso file] extra box maxr found in hinf, deleting
[iso file] extra box maxr found in hinf, deleting
[Dasher] No template assigned, using $File$_dash$FS$$Number$
[Dasher] Input /home/hack/github_work/POCs/gpac/poc_null_ptr0x4: max audio duration 1007616/33598532 in the period is less than duration 2052000/90000, clamping will happen
[Dasher] MPD Availability start time initialized to 1692433068742 ms
[MPD] Generating MPD at time 2023-08-19T08:17:48.746Z
[Dasher] updated period DID1 duration 1 MPD time 1
[Dasher] updated period DID1 duration 29 MPD time 29
[Dasher] updated period DID1 duration 29 MPD time 29
[Dasher] updated period DID1 duration 29 MPD time 29
[MPD] Generating MPD at time 2023-08-19T08:17:48.776Z
[Dasher] Broken muxer, received segment size info event but no pending segments

Slept for 0 ms before generation, dash cumulated time 74
[Dasher] Input /home/hack/github_work/POCs/gpac/poc_null_ptr0x4: max audio duration 1007616/33598532 in the period is less than duration 2052000/90000, clamping will happen
[Dasher] updated period DID1 duration 29 MPD time 29
[MPD] Generating MPD at time 2023-08-19T08:17:48.783Z
[Dasher] End of Period DID1
filters/dasher.c:6332:6: runtime error: null pointer passed as argument 1, which is declared to never be null

NULL Pointer Dereference in function filters/dasher.c:7389

Description

NULL Pointer Dereference in function filters/dasher.c:7389

Environment

No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04 LTS
Release:    20.04
Codename:   focal

Version

MP4Box - GPAC version 2.3-DEV-rev478-g892852666-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
	GPAC Filters: https://doi.org/10.1145/3339825.3394929
	GPAC: https://doi.org/10.1145/1291233.1291452

Build

./configure --enable-sanitizer && make lib -j 20 && make apps -j 20 && sudo make install -j 20

Proof of Concept

MP4Box -dash-live 1000 ./poc_null_ptr0x5

Poc is here!

Sanitizer

Couldn't find any modules in lib path /home/hack/github_work/Fuzzing_gpac/sanitizer_bin/lib/gpac
Couldn't find any modules in HOME path (app path /home/hack/.gpac/modules)
[Core] default modules directory not found
Couldn't find any modules in lib path /home/hack/github_work/Fuzzing_gpac/sanitizer_bin/lib/gpac
Couldn't find any modules in HOME path (app path /home/hack/.gpac/modules)
Live DASH-ing - press 'q' to quit, 's' to save context and quit
[iso file] extra box maxr found in hinf, deleting
[iso file] Read Box type 00000000 (0x00000000) at position 5214 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
[iso file] Box "moov" (start 20) has 6273 extra bytes
[iso file] Unknown top-level box type 000001 
[iso file] Unknown top-level box type 00011D00
[iso file] Unknown top-level box type 0904F08
[Dasher] No template assigned, using $File$_dash$FS$$Number$
[IsoMedia] Track #1 fail to fetch sample 1 / 342: Bad Parameter
[Dasher] MPD Availability start time initialized to 1692433170122 ms

Slept for 0 ms before generation, dash cumulated time 42
filters/dasher.c:7389:43: runtime error: member access within null pointer of type 'struct GF_MPD_Period'

NULL Pointer Dereference in function filter_core/filter_pck.c:434

Description

NULL Pointer Dereference in function filter_core/filter_pck.c:434

Environment

No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 20.04 LTS
Release:    20.04
Codename:   focal

Version

MP4Box - GPAC version 2.3-DEV-rev478-g892852666-master
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
	GPAC Filters: https://doi.org/10.1145/3339825.3394929
	GPAC: https://doi.org/10.1145/1291233.1291452

Build

./configure --enable-sanitizer && make lib -j 20 && make apps -j 20 && sudo make install -j 20

Proof of Concept

MP4Box -dash 1000 ./poc_null_ptr0x6.mp4

Poc is here!

Sanitizer

Couldn't find any modules in lib path /home/hack/github_work/Fuzzing_gpac/sanitizer_bin/lib/gpac
Couldn't find any modules in HOME path (app path /home/hack/.gpac/modules)
[Core] default modules directory not found
Couldn't find any modules in lib path /home/hack/github_work/Fuzzing_gpac/sanitizer_bin/lib/gpac
Couldn't find any modules in HOME path (app path /home/hack/.gpac/modules)
[iso file] Found stts entry with sample_delta=0 - forbidden ! Fixing to 1
[Dasher] No template assigned, using $File$_dash$FS$$Number$
[MP4Mux] muxing unknown codec ID Codec Not Supported, using generic sample entry with 4CC "000000FF"
filter_core/filter_pck.c:434:6: runtime error: member access within null pointer of type 'struct GF_FilterPid'
