heap-buffer-overflow in mp42aac #991

madao123123 opened this issue Jan 16, 2025 · 0 comments
madao123123 commented Jan 16, 2025

Describe the bug

I found two bugs when I tested mp42aac.

Bug 1

Some ASan output:

==1031213==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000000118 at pc 0x0000005053d5 bp 0x7fffa2227a80 sp 0x7fffa2227a78
READ of size 1 at 0x606000000118 thread T0
    #0 0x5053d4 in AP4_BitReader::ReadBits(unsigned int) (/home/fuzz/Bento4/check_build/mp42aac+0x5053d4)
    #1 0x581570 in AP4_Dac4Atom::AP4_Dac4Atom(unsigned int, unsigned char const*) (/home/fuzz/Bento4/check_build/mp42aac+0x581570)
    #2 0x57d076 in AP4_Dac4Atom::Create(unsigned int, AP4_ByteStream&) (/home/fuzz/Bento4/check_build/mp42aac+0x57d076)
    #3 0x53ae7a in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/home/fuzz/Bento4/check_build/mp42aac+0x53ae7a)
    #4 0x538931 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/home/fuzz/Bento4/check_build/mp42aac+0x538931)
    #5 0x57676d in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/home/fuzz/Bento4/check_build/mp42aac+0x57676d)
    #6 0x4ee9cd in AP4_AudioSampleEntry::AP4_AudioSampleEntry(unsigned int, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) (/home/fuzz/Bento4/check_build/mp42aac+0x4ee9cd)
    #7 0x4d6a25 in AP4_EncaSampleEntry::AP4_EncaSampleEntry(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) (/home/fuzz/Bento4/check_build/mp42aac+0x4d6a25)
    #8 0x53a26c in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/home/fuzz/Bento4/check_build/mp42aac+0x53a26c)
    #9 0x538931 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/home/fuzz/Bento4/check_build/mp42aac+0x538931)
    #10 0x4f9b8e in AP4_StsdAtom::AP4_StsdAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) (/home/fuzz/Bento4/check_build/mp42aac+0x4f9b8e)
    #11 0x4f8465 in AP4_StsdAtom::Create(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) (/home/fuzz/Bento4/check_build/mp42aac+0x4f8465)
    #12 0x53a3dd in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/home/fuzz/Bento4/check_build/mp42aac+0x53a3dd)
    #13 0x538931 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/home/fuzz/Bento4/check_build/mp42aac+0x538931)
    #14 0x53815b in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) (/home/fuzz/Bento4/check_build/mp42aac+0x53815b)
    #15 0x4cefde in AP4_File::ParseStream(AP4_ByteStream&, AP4_AtomFactory&, bool) (/home/fuzz/Bento4/check_build/mp42aac+0x4cefde)
    #16 0x4cf4ea in AP4_File::AP4_File(AP4_ByteStream&, bool) (/home/fuzz/Bento4/check_build/mp42aac+0x4cf4ea)
    #17 0x4c7212 in main (/home/fuzz/Bento4/check_build/mp42aac+0x4c7212)
    #18 0x7fab5f4b2082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/../csu/libc-start.c:308:16
    #19 0x41c60d in _start (/home/fuzz/Bento4/check_build/mp42aac+0x41c60d)

0x606000000118 is located 0 bytes to the right of 56-byte region [0x6060000000e0,0x606000000118)
allocated by thread T0 here:
    #0 0x4c45cd in operator new[](unsigned long) (/home/fuzz/Bento4/check_build/mp42aac+0x4c45cd)
    #1 0x4cdf1f in AP4_DataBuffer::SetBufferSize(unsigned int) (/home/fuzz/Bento4/check_build/mp42aac+0x4cdf1f)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/fuzz/Bento4/check_build/mp42aac+0x5053d4) in AP4_BitReader::ReadBits(unsigned int)
==1031213==ABORTING

Crash input

seeds/input1
./mp42aac input1 /dev/null

Bug 2

Some ASan output:

==2552848==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000091 at pc 0x000000434931 bp 0x7ffe9f638be0 sp 0x7ffe9f6383a8
WRITE of size 558 at 0x602000000091 thread T0
    #0 0x434930 in fread (/home/fuzz/Bento4/check_build/mp42aac+0x434930)
    #1 0x520b4b in AP4_StdcFileByteStream::ReadPartial(void*, unsigned int, unsigned int&) (/home/fuzz/Bento4/check_build/mp42aac+0x520b4b)
    #2 0x4c839a in AP4_ByteStream::Read(void*, unsigned int) (/home/fuzz/Bento4/check_build/mp42aac+0x4c839a)
    #3 0x514ab3 in AP4_MetaDataAtomTypeHandler::CreateAtom(unsigned int, unsigned int, AP4_ByteStream&, unsigned int, AP4_Atom*&) (/home/fuzz/Bento4/check_build/mp42aac+0x514ab3)
    #4 0x53a556 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/home/fuzz/Bento4/check_build/mp42aac+0x53a556)
    #5 0x538931 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/home/fuzz/Bento4/check_build/mp42aac+0x538931)
    #6 0x57676d in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/home/fuzz/Bento4/check_build/mp42aac+0x57676d)
    #7 0x575b69 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) (/home/fuzz/Bento4/check_build/mp42aac+0x575b69)
    #8 0x514f6c in AP4_MetaDataAtomTypeHandler::CreateAtom(unsigned int, unsigned int, AP4_ByteStream&, unsigned int, AP4_Atom*&) (/home/fuzz/Bento4/check_build/mp42aac+0x514f6c)
    #9 0x53a556 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/home/fuzz/Bento4/check_build/mp42aac+0x53a556)
    #10 0x538931 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/home/fuzz/Bento4/check_build/mp42aac+0x538931)
    #11 0x57676d in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/home/fuzz/Bento4/check_build/mp42aac+0x57676d)
    #12 0x575b69 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) (/home/fuzz/Bento4/check_build/mp42aac+0x575b69)
    #13 0x53a12c in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/home/fuzz/Bento4/check_build/mp42aac+0x53a12c)
    #14 0x538931 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/home/fuzz/Bento4/check_build/mp42aac+0x538931)
    #15 0x53815b in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) (/home/fuzz/Bento4/check_build/mp42aac+0x53815b)
    #16 0x4cefde in AP4_File::ParseStream(AP4_ByteStream&, AP4_AtomFactory&, bool) (/home/fuzz/Bento4/check_build/mp42aac+0x4cefde)
    #17 0x4cf4ea in AP4_File::AP4_File(AP4_ByteStream&, bool) (/home/fuzz/Bento4/check_build/mp42aac+0x4cf4ea)
    #18 0x4c7212 in main (/home/fuzz/Bento4/check_build/mp42aac+0x4c7212)
    #19 0x7f43bfd27082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/../csu/libc-start.c:308:16
    #20 0x41c60d in _start (/home/fuzz/Bento4/check_build/mp42aac+0x41c60d)

0x602000000091 is located 0 bytes to the right of 1-byte region [0x602000000090,0x602000000091)
allocated by thread T0 here:
    #0 0x4c45cd in operator new[](unsigned long) (/home/fuzz/Bento4/check_build/mp42aac+0x4c45cd)
    #1 0x4f7a73 in AP4_String::AP4_String(unsigned int) (/home/fuzz/Bento4/check_build/mp42aac+0x4f7a73)
    #2 0x53a556 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/home/fuzz/Bento4/check_build/mp42aac+0x53a556)
    #3 0x538931 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/home/fuzz/Bento4/check_build/mp42aac+0x538931)
    #4 0x57676d in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/home/fuzz/Bento4/check_build/mp42aac+0x57676d)
    #5 0x575b69 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) (/home/fuzz/Bento4/check_build/mp42aac+0x575b69)
    #6 0x514f6c in AP4_MetaDataAtomTypeHandler::CreateAtom(unsigned int, unsigned int, AP4_ByteStream&, unsigned int, AP4_Atom*&) (/home/fuzz/Bento4/check_build/mp42aac+0x514f6c)
    #7 0x53a556 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/home/fuzz/Bento4/check_build/mp42aac+0x53a556)
    #8 0x538931 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/home/fuzz/Bento4/check_build/mp42aac+0x538931)
    #9 0x57676d in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/home/fuzz/Bento4/check_build/mp42aac+0x57676d)
    #10 0x575b69 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) (/home/fuzz/Bento4/check_build/mp42aac+0x575b69)
    #11 0x53a12c in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/home/fuzz/Bento4/check_build/mp42aac+0x53a12c)
    #12 0x538931 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/home/fuzz/Bento4/check_build/mp42aac+0x538931)
    #13 0x53815b in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) (/home/fuzz/Bento4/check_build/mp42aac+0x53815b)
    #14 0x4cefde in AP4_File::ParseStream(AP4_ByteStream&, AP4_AtomFactory&, bool) (/home/fuzz/Bento4/check_build/mp42aac+0x4cefde)
    #15 0x4cf4ea in AP4_File::AP4_File(AP4_ByteStream&, bool) (/home/fuzz/Bento4/check_build/mp42aac+0x4cf4ea)
    #16 0x4c7212 in main (/home/fuzz/Bento4/check_build/mp42aac+0x4c7212)
    #17 0x7f43bfd27082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/fuzz/Bento4/check_build/mp42aac+0x434930) in fread
==2552848==ABORTING

Crash input

seeds/input2

Validation steps

git clone https://github.com/axiomatic-systems/Bento4
cd Bento4/
mkdir check_build && cd check_build
cmake ../ -DCMAKE_C_COMPILER=clang  -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_FLAGS="-fsanitize=address" -DCMAKE_CXX_FLAGS="-fsanitize=address" -DCMAKE_BUILD_TYPE=Release
make -j$(nproc)
./mp4decrypt input /dev/null

Environment

Ubuntu 20.04.6 LTS
Bento4 v1.6.0

Finder

Teng Zhang, Mingxuan Liu, Chengsiyuan Yang, Heng Zhang, Hao Liu, Yaoliang Zhang, Dawei Guo, Hang Liu (all from NPU Unmanned Systems Safety Laboratory)
seeds.zip
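Both traces above show the same defect class from two angles: in Bug 1, `AP4_BitReader::ReadBits` reads one byte past the end of a 56-byte `AP4_DataBuffer` while the `dac4` atom constructor pulls fields out of a payload that is shorter than the field layout requires; in Bug 2, a metadata atom handler sizes an `AP4_String` from one value (a 1-byte region) and then `fread`s 558 bytes into it, so the allocation and the copy disagree about the length. The C++ below is an added illustration of the defensive pattern for both, written for this page and not taken from the issue or from Bento4; `SafeBitReader`, `ParseHeader`, `HeaderFields` and `ReadLengthPrefixedString` are hypothetical names, the 3/7/9-bit header layout and the `[u16 length][bytes]` record are constructed stand-ins, and the sample bytes are constructed inputs (one of them declares 558 bytes with a single byte present, mirroring the second trace).

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <optional>
#include <string>
#include <vector>

// Hypothetical bounds-checked bit reader (not Bento4's AP4_BitReader). Each call
// checks that the requested bits are available before touching the buffer, so a
// truncated payload returns false instead of reading past the end of the heap block.
class SafeBitReader {
public:
    SafeBitReader(const uint8_t* data, size_t size)
        : data_(data), size_bits_(size * 8), pos_bits_(0) {}

    // Read n bits (1..32), most significant bit first. Returns false on exhaustion.
    bool ReadBits(unsigned n, uint32_t& out) {
        if (n == 0 || n > 32) return false;
        if (n > BitsLeft()) return false;          // would over-read: refuse
        uint32_t v = 0;
        for (unsigned i = 0; i < n; ++i) {
            size_t byte = pos_bits_ >> 3;
            unsigned bit = 7u - static_cast<unsigned>(pos_bits_ & 7u);
            v = (v << 1) | ((data_[byte] >> bit) & 1u);
            ++pos_bits_;
        }
        out = v;
        return true;
    }
    size_t BitsLeft() const { return size_bits_ - pos_bits_; }

private:
    const uint8_t* data_;
    size_t size_bits_;
    size_t pos_bits_;
};

// Hypothetical fixed-layout header: 3-bit version, 7-bit bitstream version,
// 9-bit presentation count (19 bits, so at least 3 bytes are required).
struct HeaderFields {
    uint32_t version = 0;
    uint32_t bitstream_version = 0;
    uint32_t n_presentations = 0;
};

// Parse the header; any short read fails the whole parse instead of
// continuing on garbage, which is the check an atom constructor needs.
std::optional<HeaderFields> ParseHeader(const uint8_t* data, size_t size) {
    SafeBitReader reader(data, size);
    HeaderFields h;
    if (!reader.ReadBits(3, h.version) ||
        !reader.ReadBits(7, h.bitstream_version) ||
        !reader.ReadBits(9, h.n_presentations)) {
        return std::nullopt;
    }
    return h;
}

// Hypothetical length-prefixed string field: [u16 big-endian length][bytes].
// The declared length is checked against the bytes actually present before
// any buffer is sized from it, so allocation size and copy size always agree.
std::optional<std::string> ReadLengthPrefixedString(const std::vector<uint8_t>& payload) {
    if (payload.size() < 2) return std::nullopt;
    size_t declared = (static_cast<size_t>(payload[0]) << 8) | payload[1];
    if (declared > payload.size() - 2) return std::nullopt; // length field lies
    return std::string(reinterpret_cast<const char*>(payload.data() + 2), declared);
}

int main() {
    // Constructed sample: version=1, bitstream_version=2, n_presentations=5, zero padding.
    const uint8_t full[] = {0x20, 0x80, 0xA0};
    if (auto h = ParseHeader(full, sizeof full))
        std::printf("version=%u bitstream=%u presentations=%u\n",
                    h->version, h->bitstream_version, h->n_presentations);
    // Same bytes truncated to two: the reader refuses rather than over-reading.
    std::printf("truncated header accepted: %s\n", ParseHeader(full, 2) ? "yes" : "no");
    // Constructed record claiming 558 bytes (0x022E) with only one byte present.
    std::vector<uint8_t> lying = {0x02, 0x2E, 'x'};
    std::printf("oversized length rejected: %s\n",
                ReadLengthPrefixedString(lying) ? "no" : "yes");
    return 0;
}
```

The point of threading `std::optional` through every layer is that a parser for untrusted containers has no safe partial result: once a length field or a bit budget is inconsistent with the bytes on hand, the only correct outcome is to reject the atom, and a fuzzer run under ASan (as in the validation steps above) is the cheapest way to confirm that no code path still trusts the declared size.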
