gpac application crashes on read

Bug #1919305 reported by xiao huang
Affects: gpac (Ubuntu) | Status: New | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

This is a null pointer bug.

GPAC version 0.5.2-426-gc5ad4e4+dfsg5-5

System info: Ubuntu 20.04.1 LTS, x64 , gcc 9.3.0

Run Command:
$ MP4Box -def poc.mp4

gdb info:
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff73b0ed5 in MergeTrack (trak=<optimized out>, traf=<optimized out>, moof_box=<optimized out>, moof_offset=<optimized out>,
    compressed_diff=<optimized out>, cumulated_offset=<optimized out>, is_first_merge=<optimized out>) at isomedia/track.c:1086
1086 if (size > key_info[3])
(gdb) bt
#0 0x00007ffff73b0ed5 in MergeTrack (trak=<optimized out>, traf=<optimized out>, moof_box=<optimized out>, moof_offset=<optimized out>,
    compressed_diff=<optimized out>, cumulated_offset=<optimized out>, is_first_merge=<optimized out>) at isomedia/track.c:1086
#1 0x00007ffff72f4226 in MergeFragment (moof=0x4b8580, mov=<optimized out>) at isomedia/isom_intern.c:90
#2 0x00007ffff72f8071 in gf_isom_parse_movie_boxes_internal (mov=<optimized out>, boxType=0x0, bytesMissing=<optimized out>,
    progressive_mode=GF_FALSE) at isomedia/isom_intern.c:622
#3 gf_isom_parse_movie_boxes (mov=<optimized out>, boxType=0x0, bytesMissing=<optimized out>, progressive_mode=GF_FALSE)
    at isomedia/isom_intern.c:747
#4 0x00007ffff72f91da in gf_isom_open_file (
    fileName=0x7fffffffe6d4 "out_mp4box_wrl/default/crashes/id:000178,sig:11,src:002654,time:6287616,op:havoc,rep:4",
    OpenMode=GF_ISOM_OPEN_READ, tmp_dir=0x0) at isomedia/isom_intern.c:867
#5 0x000000000042b599 in mp4boxMain (argc=<optimized out>, argv=<optimized out>) at main.c:5670
#6 0x00007ffff6d750b3 in __libc_start_main (main=0x4362a0 <main>, argc=3, argv=0x7fffffffe448, init=<optimized out>,
    fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe438) at ../csu/libc-start.c:308
#7 0x000000000040e98e in _start ()

ASAN info:
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3432849==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000038 (pc 0x7f13f563a3da bp 0x7fff8e5d0fa0 sp 0x7fff8e5d0c80 T0)
==3432849==The signal is caused by a WRITE memory access.
==3432849==Hint: address points to the zero page.
    #0 0x7f13f563a3da in MergeTrack /home/topsec/Downloads/gpac/src/isomedia/track.c:1087:21
    #1 0x7f13f54db5c8 in MergeFragment /home/topsec/Downloads/gpac/src/isomedia/isom_intern.c:90:7
    #2 0x7f13f54e190f in gf_isom_parse_movie_boxes_internal /home/topsec/Downloads/gpac/src/isomedia/isom_intern.c:622:9
    #3 0x7f13f54e190f in gf_isom_parse_movie_boxes /home/topsec/Downloads/gpac/src/isomedia/isom_intern.c:747:6
    #4 0x7f13f54e3dea in gf_isom_open_file /home/topsec/Downloads/gpac/src/isomedia/isom_intern.c:867:19
    #5 0x4f0f92 in mp4boxMain /home/topsec/Downloads/gpac/applications/mp4box/main.c:5670:12
    #6 0x7f13f46b70b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #7 0x4289ed in _start (/home/topsec/Downloads/gpac/afl_build/bin/gcc/MP4Box+0x4289ed)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/topsec/Downloads/gpac/src/isomedia/track.c:1087:21 in MergeTrack
==3432849==ABORTING

Edit: GitHub issue: https://github.com/gpac/gpac/issues/1702


Colin Watson (cjwatson)
affects: launchpad → gpac (Ubuntu)
Avital Ostromich (avital) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. If you haven't already, could you please apply for a CVE for the issue?

Given the public github bug, can I make this bug report public?

Since the package referred to in this bug is in universe, it is community maintained. If you are able, I suggest posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

It looks like this has been fixed upstream: https://github.com/gpac/gpac/commit/c4a5109dad73abe25ad12d8d529a728ae98d78ca

tags: added: community-security
xiao huang (shanzhuli) wrote :

Can you help me apply for CVE?

information type: Private Security → Public Security
Seth Arnold (seth-arnold) wrote :

I've filed a CVE request. Thanks.

xiao huang (shanzhuli) wrote :

Thank you.

Seth Arnold (seth-arnold) wrote :

CVE-2021-28300 has been assigned to this issue.
