
A heap-buffer-overflow vulnerability found in mp4read.c:449:63 #171

Closed
mondaylord opened this issue Jul 18, 2023 · 1 comment

Comments

@mondaylord

Hi, developers of faad2:
In testing the binary faad (1d53978) instrumented with ASAN, there is a heap-buffer-overflow vulnerability in faad, at /faad2/frontend/mp4read.c:449:63 in static int stcoin(int size). Here is the ASAN-mode output (I omit some repeated messages):

=================================================================
==35951==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000038 at pc 0x0000004d678e bp 0x7ffe52ce3f90 sp 0x7ffe52ce3f88
READ of size 4 at 0x602000000038 thread T0
#0 0x4d678d in stcoin /faad2/frontend/mp4read.c:449:63
#1 0x4d2cc5 in parse /faad2/frontend/mp4read.c:848:19
#2 0x4d2dda in parse /faad2/frontend/mp4read.c:873:24
#3 0x4d2dda in parse /faad2/frontend/mp4read.c:873:24
#4 0x4d2dda in parse /faad2/frontend/mp4read.c:873:24
#5 0x4d2dda in parse /faad2/frontend/mp4read.c:873:24
#6 0x4d3bb8 in moovin /faad2/frontend/mp4read.c:940:15
#7 0x4d2cc5 in parse /faad2/frontend/mp4read.c:848:19
#8 0x4d2312 in mp4read_open /faad2/frontend/mp4read.c:1071:16
#9 0x4cc166 in decodeMP4file /faad2/frontend/main.c:820:9
#10 0x4cc166 in faad_main /faad2/frontend/main.c:1318:18
#11 0x4cc166 in main /faad2/frontend/main.c:1376:12
#12 0x7f49af044c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
#13 0x41c419 in _start (/faad2/build/faad+0x41c419)

0x602000000038 is located 0 bytes to the right of 8-byte region [0x602000000030,0x602000000038)
allocated by thread T0 here:
#0 0x4960ed in malloc (/faad2/build/faad+0x4960ed)
#1 0x4d5817 in stscin /faad2/frontend/mp4read.c:353:27
#2 0x4d2cc5 in parse /faad2/frontend/mp4read.c:848:19
#3 0x4d2dda in parse /faad2/frontend/mp4read.c:873:24
#4 0x4d2dda in parse /faad2/frontend/mp4read.c:873:24
#5 0x4d2dda in parse /faad2/frontend/mp4read.c:873:24
#6 0x4d2dda in parse /faad2/frontend/mp4read.c:873:24
#7 0x4d3bb8 in moovin /faad2/frontend/mp4read.c:940:15
#8 0x4d2cc5 in parse /faad2/frontend/mp4read.c:848:19
#9 0x4d2312 in mp4read_open /faad2/frontend/mp4read.c:1071:16
#10 0x4cc166 in decodeMP4file /faad2/frontend/main.c:820:9
#11 0x4cc166 in faad_main /faad2/frontend/main.c:1318:18
#12 0x4cc166 in main /faad2/frontend/main.c:1376:12
#13 0x7f49af044c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow /faad2/frontend/mp4read.c:449:63 in stcoin
Shadow bytes around the buggy address:
0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa fa 00 02 fa fa 00[fa]fa fa 00 00 fa fa fa fa
0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==35951==ABORTING

Crash input

https://github.com/17ssDP/fuzzer_crashes/blob/main/faad2/hbo-1

Command Line

./faad -o /dev/null @@

Environment

Ubuntu 16.04
Clang 10.0.1
gcc 5.5

@carnil

carnil commented Aug 17, 2023

This appears to be CVE-2023-38857

eustas added a commit to eustas/faad2 that referenced this issue Aug 21, 2023
(slicen + 1) should not run after the array boundary;
to avoid possible overflow, we now check in 2 steps,
chained with short-circuit-and.
@eustas eustas mentioned this issue Nov 3, 2023
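The fix pattern described in the commit message above (check the index before reading the `[slicen + 1]` element, chained with a short-circuit `&&`), shown as an added example in C. This is not faad2's code: the `slice_t` table, `find_slice` and `samples_before_chunk` are constructed stand-ins for a sample-to-chunk style lookup and assume nothing about faad2's actual structures or table layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a sample-to-chunk style table. This is an added
 * example, not faad2's code. Each slice starts at first_chunk (1-based) and
 * covers every chunk up to, but not including, the next slice's first_chunk;
 * the last slice covers every later chunk. */
typedef struct {
    uint32_t first_chunk;
    uint32_t samples_per_chunk;
} slice_t;

/* Constructed sample table: chunks 1-2 carry 4 samples each, chunks 3-5
 * carry 2 each, chunks 6 onward carry 1 each. */
const slice_t example_slices[] = {
    { 1, 4 },
    { 3, 2 },
    { 6, 1 },
};
const size_t example_count = sizeof example_slices / sizeof example_slices[0];

/* Return the index of the slice containing `chunk`, or -1 if `chunk` lies
 * before the first slice.
 *
 * The defect shape the issue describes is an expression such as
 *     chunk >= slices[slicen + 1].first_chunk
 * evaluated for the last slice, where slicen + 1 == count and the read lands
 * one element past the allocation. The guard below tests the index first and
 * chains the element access with &&, so the dereference never executes when
 * slicen + 1 is out of range. */
int find_slice(const slice_t *slices, size_t count, uint32_t chunk)
{
    for (size_t slicen = 0; slicen < count; slicen++) {
        if (chunk < slices[slicen].first_chunk)
            continue;               /* chunk starts before this slice */
        if (slicen + 1 < count && chunk >= slices[slicen + 1].first_chunk)
            continue;               /* chunk belongs to a later slice */
        return (int)slicen;
    }
    return -1;
}

/* Total samples in all chunks numbered below `chunk`, using the same
 * bounds-first pattern to find where each slice ends. */
uint64_t samples_before_chunk(const slice_t *slices, size_t count, uint32_t chunk)
{
    uint64_t total = 0;
    for (size_t slicen = 0; slicen < count; slicen++) {
        uint32_t start = slices[slicen].first_chunk;
        if (chunk <= start)
            break;                  /* nothing from this slice precedes chunk */
        /* Slice end: the next slice's first_chunk if one exists, else `chunk`
         * itself. The index check runs before the element read. */
        uint32_t end = (slicen + 1 < count) ? slices[slicen + 1].first_chunk : chunk;
        if (end > chunk)
            end = chunk;
        if (end < start)
            end = start;            /* tolerate a malformed, non-increasing table */
        total += (uint64_t)(end - start) * slices[slicen].samples_per_chunk;
    }
    return total;
}

int main(void)
{
    /* Chunk 100 is past every first_chunk; the unguarded pattern would read
     * slices[count] here, the guarded lookup does not. */
    printf("chunk 100 -> slice %d, samples before it: %llu\n",
           find_slice(example_slices, example_count, 100),
           (unsigned long long)samples_before_chunk(example_slices, example_count, 100));
    return 0;
}
```

The last-slice case (chunk 100 in the constructed table) is exactly the one where an unguarded `slices[slicen + 1]` read would land in the redzone that ASAN flagged in the report; with the index test on the left of `&&`, the element access is skipped and the lookup falls through to the last slice.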