
Infinite loop in AP4_FtypAtom #233

Closed
xcainiao opened this issue Jan 4, 2018 · 4 comments

Comments


xcainiao commented Jan 4, 2018

MP4 To AAC File Converter - Version 1.0
(Bento4 Version 1.5.1.0)
(c) 2002-2008 Axiomatic Systems, LLC

./mp42aac @@testcase ./out.aac

(gdb) bt
#0  0x00007ffff756c230 in __read_nocancel () at ../sysdeps/unix/syscall-template.S:84
#1  0x00007ffff74ef5e8 in _IO_new_file_underflow (fp=0x87b110) at fileops.c:592
#2  0x00007ffff74ee058 in __GI__IO_file_xsgetn (fp=0x87b110, data=<optimized out>, n=4) at fileops.c:1414
#3  0x00007ffff74e3236 in __GI__IO_fread (buf=<optimized out>, size=size@entry=1, count=4, fp=0x87b110) at iofread.c:38
#4  0x0000000000556017 in fread (__stream=<optimized out>, __n=<optimized out>, __size=1, __ptr=<optimized out>) at /usr/include/x86_64-linux-gnu/bits/stdio2.h:295
#5  AP4_StdcFileByteStream::ReadPartial (this=0x87c350, buffer=<optimized out>, bytesToRead=<optimized out>, bytesRead=@0x7fffffffdcfc: 0) at /home/fuzz/fuzz/Bento4/Source/C++/System/StdC/Ap4StdCFileByteStream.cpp:237
#6  0x00000000004466ac in AP4_ByteStream::Read (bytes_to_read=4, buffer=0x7fffffffdd00, this=0x87c350) at /home/fuzz/fuzz/Bento4/Source/C++/Core/Ap4ByteStream.cpp:55
#7  AP4_ByteStream::ReadUI32 (this=this@entry=0x87c350, value=@0x7fffffffdd44: 0) at /home/fuzz/fuzz/Bento4/Source/C++/Core/Ap4ByteStream.cpp:242
#8  0x000000000051deb5 in AP4_FtypAtom::AP4_FtypAtom (this=0x87dd10, size=4278466413, stream=...) at /home/fuzz/fuzz/Bento4/Source/C++/Core/Ap4FtypAtom.cpp:52
#9  0x00000000005c3a8a in AP4_FtypAtom::Create (stream=..., size=37) at /home/fuzz/fuzz/Bento4/Source/C++/Core/Ap4FtypAtom.h:66
#10 AP4_AtomFactory::CreateAtomFromStream (this=0x7fffffffe330, stream=..., type=<optimized out>, size_32=37, size_64=37, atom=@0x7fffffffde88: 0x0) at /home/fuzz/fuzz/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:583
#11 0x00000000005cb68f in AP4_AtomFactory::CreateAtomFromStream (this=this@entry=0x7fffffffe330, stream=..., bytes_available=@0x7fffffffde90: 1052, atom=@0x7fffffffde88: 0x0)
    at /home/fuzz/fuzz/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:220
#12 0x00000000005d0aa5 in AP4_ContainerAtom::ReadChildren (size=<optimized out>, stream=..., atom_factory=..., this=0x87dc10) at /home/fuzz/fuzz/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194
#13 AP4_ContainerAtom::AP4_ContainerAtom (this=0x87dc10, type=<optimized out>, size=<optimized out>, force_64=<optimized out>, stream=..., atom_factory=...) at /home/fuzz/fuzz/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139
#14 0x00000000005d13b5 in AP4_ContainerAtom::Create (type=type@entry=1835297121, size=size@entry=1092, is_full=is_full@entry=false, force_64=<optimized out>, stream=..., atom_factory=...)
    at /home/fuzz/fuzz/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88
#15 0x00000000005c78c2 in AP4_AtomFactory::CreateAtomFromStream (this=0x7fffffffe330, stream=..., type=1835297121, size_32=1092, size_64=1092, atom=@0x7fffffffe038: 0x0) at /home/fuzz/fuzz/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:755
#16 0x00000000005cb68f in AP4_AtomFactory::CreateAtomFromStream (this=this@entry=0x7fffffffe330, stream=..., bytes_available=@0x7fffffffe040: 1092, atom=@0x7fffffffe038: 0x0)
    at /home/fuzz/fuzz/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:220
#17 0x00000000005d0aa5 in AP4_ContainerAtom::ReadChildren (size=<optimized out>, stream=..., atom_factory=..., this=0x87daf0) at /home/fuzz/fuzz/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194
#18 AP4_ContainerAtom::AP4_ContainerAtom (this=0x87daf0, type=<optimized out>, size=<optimized out>, force_64=<optimized out>, stream=..., atom_factory=...) at /home/fuzz/fuzz/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139
#19 0x00000000004e4e67 in AP4_TrakAtom::AP4_TrakAtom (this=0x87daf0, size=<optimized out>, stream=..., atom_factory=...) at /home/fuzz/fuzz/Bento4/Source/C++/Core/Ap4TrakAtom.cpp:165
#20 0x00000000005c6f6d in AP4_TrakAtom::Create (atom_factory=..., stream=..., size=1192) at /home/fuzz/fuzz/Bento4/Source/C++/Core/Ap4TrakAtom.h:58
#21 AP4_AtomFactory::CreateAtomFromStream (this=0x7fffffffe330, stream=..., type=<optimized out>, size_32=1192, size_64=1192, atom=@0x7fffffffe1a8: 0x0) at /home/fuzz/fuzz/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:377
#22 0x00000000005cb68f in AP4_AtomFactory::CreateAtomFromStream (this=this@entry=0x7fffffffe330, stream=..., bytes_available=@0x7fffffffe1b0: 1405, atom=@0x7fffffffe1a8: 0x0)
    at /home/fuzz/fuzz/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:220
#23 0x00000000005d0aa5 in AP4_ContainerAtom::ReadChildren (size=<optimized out>, stream=..., atom_factory=..., this=0x87d750) at /home/fuzz/fuzz/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194
#24 AP4_ContainerAtom::AP4_ContainerAtom (this=0x87d750, type=<optimized out>, size=<optimized out>, force_64=<optimized out>, stream=..., atom_factory=...) at /home/fuzz/fuzz/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139
#25 0x000000000050db63 in AP4_MoovAtom::AP4_MoovAtom (this=0x87d750, size=<optimized out>, stream=..., atom_factory=...) at /home/fuzz/fuzz/Bento4/Source/C++/Core/Ap4MoovAtom.cpp:80
#26 0x00000000005c6089 in AP4_MoovAtom::Create (atom_factory=..., stream=..., size=1554) at /home/fuzz/fuzz/Bento4/Source/C++/Core/Ap4MoovAtom.h:56
#27 AP4_AtomFactory::CreateAtomFromStream (this=0x7fffffffe330, stream=..., type=<optimized out>, size_32=1554, size_64=1554, atom=@0x7fffffffe320: 0x0) at /home/fuzz/fuzz/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:357
#28 0x00000000005cada4 in AP4_AtomFactory::CreateAtomFromStream (atom=@0x7fffffffe320: 0x0, bytes_available=<synthetic pointer>, stream=..., this=0x7fffffffe330) at /home/fuzz/fuzz/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:220
#29 AP4_AtomFactory::CreateAtomFromStream (this=this@entry=0x7fffffffe330, stream=..., atom=@0x7fffffffe320: 0x0) at /home/fuzz/fuzz/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:150
#30 0x000000000048585a in AP4_File::ParseStream (moov_only=<optimized out>, atom_factory=..., stream=..., this=<optimized out>) at /home/fuzz/fuzz/Bento4/Source/C++/Core/Ap4File.cpp:104
#31 AP4_File::AP4_File (this=0x87d610, stream=..., moov_only=false) at /home/fuzz/fuzz/Bento4/Source/C++/Core/Ap4File.cpp:78
#32 0x000000000043c424 in main (argc=<optimized out>, argv=<optimized out>) at /home/fuzz/fuzz/Bento4/Source/C++/Apps/Mp42Aac/Mp42Aac.cpp:250

AP4_FtypAtom: if size is not zero, infinite loop

AP4_FtypAtom::AP4_FtypAtom(AP4_UI32 size, AP4_ByteStream& stream) :
    AP4_Atom(AP4_ATOM_TYPE_FTYP, size)
{
    stream.ReadUI32(m_MajorBrand);
    stream.ReadUI32(m_MinorVersion);
    size -= 16;                               // unsigned: wraps around if size < 16
    while (size) {                            // only reaches 0 if (size - 16) is a multiple of 4
        AP4_UI32 compatible_brand;
        stream.ReadUI32(compatible_brand);    // result not checked, so reads continue past end of stream
        m_CompatibleBrands.Append(compatible_brand);
        size -= 4;                            // e.g. size 37 from the backtrace: 21, 17, ..., 1, then wraps
    }
}

testcase:https://github.com/xcainiao/poc/blob/master/Bento4_AP4_FtypAtom_Infinite_loop
Credit: topsec@zhangwy
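As an added illustration (not Bento4's code), the same ftyp parsing logic with the size validated before the loop and every read checked; ByteReader, FtypAtom, parseFtyp and bytesOf are constructed stand-ins for the AP4_ByteStream / AP4_FtypAtom pair in the report:

```cpp
#include <cstdint>
#include <cstddef>
#include <vector>

// Constructed stand-in for AP4_ByteStream over a single atom payload:
// a read at end of data fails instead of being silently ignored.
struct ByteReader {
    const std::vector<uint8_t>& data;
    size_t pos;
    bool readUI32(uint32_t& v) {
        if (data.size() - pos < 4) return false;
        v = (uint32_t)data[pos] << 24 | (uint32_t)data[pos + 1] << 16 |
            (uint32_t)data[pos + 2] << 8 | (uint32_t)data[pos + 3];
        pos += 4;
        return true;
    }
};

struct FtypAtom {
    uint32_t majorBrand = 0;
    uint32_t minorVersion = 0;
    std::vector<uint32_t> compatibleBrands;
};

// Hardened version of the constructor logic above. 'size' is the declared atom
// size including the 8-byte header, as passed to AP4_FtypAtom(size, stream);
// 'payload' is the atom body following the header. Sizes that would make the
// original 'size -= 16; while (size) size -= 4;' arithmetic wrap are rejected.
bool parseFtyp(uint32_t size, const std::vector<uint8_t>& payload, FtypAtom& out) {
    const uint32_t kHeaderAndFields = 16;        // 8 header + major_brand + minor_version
    if (size < kHeaderAndFields) return false;   // 'size -= 16' would underflow
    uint32_t brandBytes = size - kHeaderAndFields;
    if (brandBytes % 4 != 0) return false;       // size 37 from the report: 21 never hits 0 in steps of 4
    ByteReader r{payload, 0};
    if (!r.readUI32(out.majorBrand) || !r.readUI32(out.minorVersion)) return false;
    // Bounded loop: the iteration count is fixed from the validated size and each
    // read is checked, so a truncated file stops parsing instead of spinning.
    for (uint32_t i = 0; i < brandBytes / 4; ++i) {
        uint32_t brand;
        if (!r.readUI32(brand)) return false;
        out.compatibleBrands.push_back(brand);
    }
    return true;
}

// Builds a constructed payload from big-endian 32-bit fields (for sample input).
std::vector<uint8_t> bytesOf(const std::vector<uint32_t>& fields) {
    std::vector<uint8_t> v;
    for (uint32_t f : fields)
        for (int s = 24; s >= 0; s -= 8) v.push_back((uint8_t)(f >> s));
    return v;
}
```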

barbibulle added a commit that referenced this issue Jan 7, 2018
@barbibulle
Contributor

fixed on master branch

@fgeek

fgeek commented Jan 1, 2019

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5253 has been assigned for this vulnerability.

@barbibulle
Contributor

Is it possible to differentiate "current" vulnerabilities from "old" ones (i.e. vulnerabilities that have been fixed)? This one was fixed a year ago.

@fgeek

fgeek commented Jan 9, 2019

@barbibulle I didn't request the CVE identifier. It was probably requested by @xcainiao. If this was previously fixed and announced, the CVE should be REJECTED. I added information about the CVE here as distros and other CVE database users might need it. In my opinion this should be done automatically, but I haven't yet made a tool for it.
