A SEGV vulnerability found in faad2

[mondaylord]

Hi, developers of faad2:
In the test of the binary faad(1d53978) instrumented with ASAN. There is a SEGV vulnerability in faad, /faad2/frontend/mp4read.c:1039:67 in mp4info. Here is the ASAN mode output:

=================================================================
==58059==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000004 (pc 0x0000004d332f bp 0x7fff0e2f79b0 sp 0x7fff0e2f7900 T0)
==58059==The signal is caused by a READ memory access.
==58059==Hint: address points to the zero page.
#0 0x4d332f in mp4info /faad2/frontend/mp4read.c:1039:67
#1 0x4d2361 in mp4read_open /faad2/frontend/mp4read.c:1085:9
#2 0x4cc166 in decodeMP4file /faad2/frontend/main.c:820:9
#3 0x4cc166 in faad_main /faad2/frontend/main.c:1318:18
#4 0x4cc166 in main /faad2/frontend/main.c:1376:12
#5 0x7f99902d9c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
#6 0x41c419 in _start (/faad2/build/faad+0x41c419)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /faad2/frontend/mp4read.c:1039:67 in mp4info
==58059==ABORTING

Crash input

https://github.com/17ssDP/fuzzer_crashes/blob/main/faad2/segv

Command Line

./faad -o /dev/null @@

Environment

Ubuntu 16.04
Clang 10.0.1
gcc 5.5

[carnil]

This appears to be CVE-2023-38858.

[fabiangreffrath]

Should be sufficient to check if mp4config.frame.info has been allocated at all.

[eustas]

@mondaylord thanks for reporting.

May I ask what harness you use for fuzzing CLI?

[mondaylord]

@mondaylord thanks for reporting.

May I ask what harness you use for fuzzing CLI?

I used a custom-designed fuzzer. If everything goes as planned, I intend to open-source it soon.