huntr report D67C5619-AB36-41CC-93B7-04828E25F60E by functionmain
History: Aug 29, 2023 - 7:00 a.m.

NULL Pointer Dereference in media_tools/mpeg2_ps.c, media_tools/avilib.c and filters/dasher.c

Published: 2023-08-29 07:00:59
Reporter: functionmain
Source: www.huntr.dev
8
Tags: mp4box, null pointer dereference, crashes

EPSS: 0.0004 (Low), Percentile: 12.7%

Description

NULL Pointer Dereference in MP4Box.

Version

$ ./bin/gcc/MP4Box -version
MP4Box - GPAC version 2.3-DEV-revrelease
(c) 2000-2023 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io

Please cite our work in your research:
	GPAC Filters: https://doi.org/10.1145/3339825.3394929
	GPAC: https://doi.org/10.1145/1291233.1291452

GPAC Configuration: --enable-sanitizer
Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SSL GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D

Reproduce

Compile and run:

./configure --enable-sanitizer
make

Proof of Concept

./bin/gcc/MP4Box -dash 1000 ./crashes/crash000004

./bin/gcc/MP4Box -dash 1000 ./crashes/crash000007

./bin/gcc/MP4Box -dash 1000 ./crashes/crash000014

./bin/gcc/MP4Box -dash 1000 ./crashes/crash000069

crash000004 is here

crash000007 is here

crash000014 is here

crash000069 is here

Crash000069 Info

Information reported by the sanitizer:

$ ./bin/gcc/MP4Box -dash 1000 ./crash000069
AddressSanitizer:DEADLYSIGNAL
=================================================================
==540488==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f07d6f78e85 bp 0x7ffc9161b230 sp 0x7ffc9161a970 T0)
==540488==The signal is caused by a READ memory access.
==540488==Hint: address points to the zero page.
    #0 0x7f07d6f78e84 in __GI__IO_fread /build/glibc-SzIz7B/glibc-2.31/libio/iofread.c:35
    #1 0x7f07dce74435 in __interceptor_fread ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:988
    #2 0x7f07d9e40e80 in file_read_bytes media_tools/mpeg2_ps.c:163
    #3 0x7f07d9e40e80 in read_to_next_pes_header media_tools/mpeg2_ps.c:544
    #4 0x7f07d9e41ca8 in search_for_next_pes_header media_tools/mpeg2_ps.c:681
    #5 0x7f07d9e421d5 in mpeg2ps_stream_read_next_pes_buffer media_tools/mpeg2_ps.c:732
    #6 0x7f07d9e42d48 in mpeg2ps_stream_find_mpeg_video_frame media_tools/mpeg2_ps.c:823
    #7 0x7f07d9e48e17 in mpeg2ps_stream_read_frame media_tools/mpeg2_ps.c:953
    #8 0x7f07d9e48e17 in get_info_for_all_streams media_tools/mpeg2_ps.c:1211
    #9 0x7f07d9e48e17 in mpeg2ps_scan_file media_tools/mpeg2_ps.c:1368
    #10 0x7f07d9e48e17 in mpeg2ps_init media_tools/mpeg2_ps.c:1625
    #11 0x7f07da47c50c in m2psdmx_process filters/dmx_mpegps.c:327
    #12 0x7f07da30933e in gf_filter_process_task filter_core/filter.c:2971
    #13 0x7f07da2c866a in gf_fs_thread_proc filter_core/filter_session.c:1962
    #14 0x7f07da2d5fd6 in gf_fs_run filter_core/filter_session.c:2261
    #15 0x7f07d9c6ba9d in gf_dasher_process media_tools/dash_segmenter.c:1236
    #16 0x562cd9a11bb6 in do_dash /home/functionmain/desktop/gpac-master-asan/applications/mp4box/mp4box.c:4825
    #17 0x562cd9a11bb6 in mp4box_main /home/functionmain/desktop/gpac-master-asan/applications/mp4box/mp4box.c:6239
    #18 0x7f07d6f1a082 in __libc_start_main ../csu/libc-start.c:308
    #19 0x562cd99e9f5d in _start (/home/functionmain/desktop/gpac-master-asan/bin/gcc/MP4Box+0xa5f5d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /build/glibc-SzIz7B/glibc-2.31/libio/iofread.c:35 in __GI__IO_fread
==540488==ABORTING

Crash000004 Info

Information reported by the sanitizer:

./bin/gcc/MP4Box -dash 1000 ./crash000004
media_tools/avilib.c:559:2: runtime error: null pointer passed as argument 1, which is declared to never be null

Crash000007 Info

Information reported by the sanitizer:

./bin/gcc/MP4Box -dash 1000 ./crash000007
[Dasher] No template assigned, using $File$_dash$FS$$Number$
[Dasher] No bitrate property assigned to PID crash000007, computing from bitstream
[Dasher] No bitrate property assigned to PID crash000007, computing from bitstream
[RFC6381] Cannot find M4V config, using default mp4v.20
[Dasher] No bitrate property assigned to PID crash000007, computing from bitstream
[Dasher] PID crash000007 config changed during active period, forcing period switch
filters/dasher.c:8390:27: runtime error: member access within null pointer of type 'struct GF_DashStream'

Crash000014 Info

Information reported by the sanitizer:

./bin/gcc/MP4Box -dash 1000 ./crash000014
[Dasher] No template assigned, using $File$_dash$FS$$Number$
Unknown CICP mapping for channel config 4/0.0
[RFC6381] Cannot find MPEG-H Audio Config or audio PL, defaulting to profile 0x01
[MP4Mux] No timescale specified, guessing from media: 0
[Dasher] Representation not initialized, dropping non-SAP1/2 packet CTS 0/0
[Dasher] Representation not initialized, dropping non-SAP1/2 packet CTS 1024/0
[Dasher] Representation not initialized, dropping non-SAP1/2 packet CTS 2048/0
Unsupported cicp audio layout value 58
[Dasher] PID audio config changed during active period, forcing period switch
filters/dasher.c:8417:9: runtime error: member access within null pointer of type 'struct GF_DashStream'
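The three sanitizer reports above share one pattern: a pointer that can legitimately be NULL (a stream handle behind file_read_bytes, a buffer handed to a nonnull libc call in avilib.c, a per-PID GF_DashStream that was never initialised before a forced period switch) reaches code that assumes it is valid. The C program below is an added illustration of the guard pattern such fixes typically apply, written for this page; it is not GPAC code. The helper names, the dash_stream_t struct and the sample byte string are invented stand-ins for the functions and types named in the traces.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a byte-reading helper like the
 * file_read_bytes() frame in the crash000069 trace. Not GPAC code.
 * Passing a NULL FILE* to fread() is undefined behaviour; glibc faults
 * while reading address 0, which is the SEGV the ASan report shows.
 * Kept only for contrast and never called below. */
size_t read_bytes_unguarded(FILE *f, unsigned char *buf, size_t n)
{
    return fread(buf, 1, n, f);
}

/* Guarded variant: a missing stream or buffer is reported as a short
 * read of 0 bytes, so callers take their normal end-of-data path. */
size_t read_bytes_guarded(FILE *f, unsigned char *buf, size_t n)
{
    if (f == NULL || buf == NULL || n == 0)
        return 0;
    return fread(buf, 1, n, f);
}

/* Same pattern for the avilib.c report: memcpy() is declared nonnull,
 * so a NULL source must be rejected before the call, not by it. */
int copy_header_guarded(unsigned char *dst, const unsigned char *src, size_t n)
{
    if (dst == NULL || src == NULL)
        return -1;
    memcpy(dst, src, n);
    return 0;
}

/* Hypothetical stand-in for the per-stream state the dasher.c reports
 * refer to (struct GF_DashStream); only the field used here. */
typedef struct {
    unsigned int seg_number;
} dash_stream_t;

/* A PID whose representation was never initialised has no stream state;
 * return -1 instead of dereferencing the NULL pointer. */
int dash_stream_next_segment(dash_stream_t *ds)
{
    if (ds == NULL)
        return -1;
    ds->seg_number++;
    return (int)ds->seg_number;
}

/* Exercise the guarded reader on an in-memory stream carrying constructed
 * MPEG-PS start codes (pack header 00 00 01 BA, then a PES header
 * 00 00 01 E0). Returns the number of bytes read, or -1 on error. */
int demo_real_stream(void)
{
    static const unsigned char sample[] = {
        0x00, 0x00, 0x01, 0xBA, 0x00, 0x00, 0x01, 0xE0
    };
    unsigned char buf[sizeof sample];
    FILE *f = tmpfile();
    if (f == NULL)
        return -1;
    if (fwrite(sample, 1, sizeof sample, f) != sizeof sample) {
        fclose(f);
        return -1;
    }
    rewind(f);
    size_t got = read_bytes_guarded(f, buf, sizeof buf);
    fclose(f);
    return (int)got;
}

/* Exercise the NULL paths that crashed MP4Box: absent stream, absent
 * header buffer, uninitialised DASH stream. Returns 0 when every guard
 * reported the error instead of faulting. */
int demo_null_paths(void)
{
    unsigned char buf[16];
    dash_stream_t ds = { 0 };
    int ok = 1;
    ok = ok && read_bytes_guarded(NULL, buf, sizeof buf) == 0;
    ok = ok && copy_header_guarded(buf, NULL, 4) == -1;
    ok = ok && dash_stream_next_segment(NULL) == -1;
    ok = ok && dash_stream_next_segment(&ds) == 1;
    return ok ? 0 : 1;
}

int main(void)
{
    printf("real stream: %d bytes read\n", demo_real_stream());
    printf("null paths: %s\n", demo_null_paths() == 0 ? "handled" : "FAILED");
    return 0;
}
```

Build with `-fsanitize=address,undefined` (the same configuration the report's `--enable-sanitizer` build uses) to confirm the guarded paths produce no sanitizer output; swapping `read_bytes_guarded` for `read_bytes_unguarded` in `demo_null_paths` reproduces a zero-page SEGV of the kind shown in the crash000069 trace.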

Impact

This is capable of causing crashes.

References

crash000004 is here

crash000007 is here

crash000014 is here

crash000069 is here

