Skip to content
Branch: master
Find file History
Pull request Compare This branch is 1 commit ahead, 3 commits behind mudongliang:master.
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
..
Failed to load latest commit information.
00338-bento4-NULLptr-AP4_DataAtom_AP4_DataAtom
README.md

README.md

CVE/EDB ID

CVE-2017-14641

Experiment Environment

Ubuntu 14.04

INSTALL and Configuration

https://www.bento4.com/downloads/

Problems in Installation and Configuration

n/a

How to trigger vulnerability

mp42aac $FILE out.aac

PoC

In folder

Vulnerability Details and Patch

Root Cause

n/a

Stack Trace

==11595==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000005b27fe bp 0x7ffce60a67e0 sp 0x7ffce60a67c0 T0)
==11595==The signal is caused by a READ memory access.
==11595==Hint: address points to the zero page.
    #0 0x5b27fd in AP4_DataAtom::~AP4_DataAtom() /tmp/Bento4-1.5.0-617/Source/C++/MetaData/Ap4MetaData.cpp:1357:5
    #1 0x5b27fd in AP4_DataAtom::~AP4_DataAtom() /tmp/Bento4-1.5.0-617/Source/C++/MetaData/Ap4MetaData.cpp:1356
    #2 0x5bf8d4 in AP4_List::DeleteReferences() /tmp/Bento4-1.5.0-617/Source/C++/Core/Ap4List.h:476:9
    #3 0x5bf8d4 in AP4_AtomParent::~AP4_AtomParent() /tmp/Bento4-1.5.0-617/Source/C++/Core/Ap4Atom.cpp:512
    #4 0x60e6d8 in AP4_ContainerAtom::~AP4_ContainerAtom() /tmp/Bento4-1.5.0-617/Source/C++/Core/Ap4ContainerAtom.h:48:7
    #5 0x60e6d8 in AP4_ContainerAtom::~AP4_ContainerAtom() /tmp/Bento4-1.5.0-617/Source/C++/Core/Ap4ContainerAtom.h:48
    #6 0x5bf8d4 in AP4_List::DeleteReferences() /tmp/Bento4-1.5.0-617/Source/C++/Core/Ap4List.h:476:9
    #7 0x5bf8d4 in AP4_AtomParent::~AP4_AtomParent() /tmp/Bento4-1.5.0-617/Source/C++/Core/Ap4Atom.cpp:512
    #8 0x60e6d8 in AP4_ContainerAtom::~AP4_ContainerAtom() /tmp/Bento4-1.5.0-617/Source/C++/Core/Ap4ContainerAtom.h:48:7
    #9 0x60e6d8 in AP4_ContainerAtom::~AP4_ContainerAtom() /tmp/Bento4-1.5.0-617/Source/C++/Core/Ap4ContainerAtom.h:48
    #10 0x5bf8d4 in AP4_List::DeleteReferences() /tmp/Bento4-1.5.0-617/Source/C++/Core/Ap4List.h:476:9
    #11 0x5bf8d4 in AP4_AtomParent::~AP4_AtomParent() /tmp/Bento4-1.5.0-617/Source/C++/Core/Ap4Atom.cpp:512
    #12 0x60e6d8 in AP4_ContainerAtom::~AP4_ContainerAtom() /tmp/Bento4-1.5.0-617/Source/C++/Core/Ap4ContainerAtom.h:48:7
    #13 0x60e6d8 in AP4_ContainerAtom::~AP4_ContainerAtom() /tmp/Bento4-1.5.0-617/Source/C++/Core/Ap4ContainerAtom.h:48
    #14 0x5bf8d4 in AP4_List::DeleteReferences() /tmp/Bento4-1.5.0-617/Source/C++/Core/Ap4List.h:476:9
    #15 0x5bf8d4 in AP4_AtomParent::~AP4_AtomParent() /tmp/Bento4-1.5.0-617/Source/C++/Core/Ap4Atom.cpp:512
    #16 0x60e6d8 in AP4_ContainerAtom::~AP4_ContainerAtom() /tmp/Bento4-1.5.0-617/Source/C++/Core/Ap4ContainerAtom.h:48:7
    #17 0x60e6d8 in AP4_ContainerAtom::~AP4_ContainerAtom() /tmp/Bento4-1.5.0-617/Source/C++/Core/Ap4ContainerAtom.h:48
    #18 0x5bf8d4 in AP4_List::DeleteReferences() /tmp/Bento4-1.5.0-617/Source/C++/Core/Ap4List.h:476:9
    #19 0x5bf8d4 in AP4_AtomParent::~AP4_AtomParent() /tmp/Bento4-1.5.0-617/Source/C++/Core/Ap4Atom.cpp:512
    #20 0x553af8 in AP4_ContainerAtom::~AP4_ContainerAtom() /tmp/Bento4-1.5.0-617/Source/C++/Core/Ap4ContainerAtom.h:48:7
    #21 0x553af8 in AP4_MoovAtom::~AP4_MoovAtom() /tmp/Bento4-1.5.0-617/Source/C++/Core/Ap4MoovAtom.h:47
    #22 0x553af8 in AP4_MoovAtom::~AP4_MoovAtom() /tmp/Bento4-1.5.0-617/Source/C++/Core/Ap4MoovAtom.h:47
    #23 0x5bf8d4 in AP4_List::DeleteReferences() /tmp/Bento4-1.5.0-617/Source/C++/Core/Ap4List.h:476:9
    #24 0x5bf8d4 in AP4_AtomParent::~AP4_AtomParent() /tmp/Bento4-1.5.0-617/Source/C++/Core/Ap4Atom.cpp:512
    #25 0x54f634 in AP4_File::~AP4_File() /tmp/Bento4-1.5.0-617/Source/C++/Core/Ap4File.cpp:85:1
    #26 0x5433c4 in main /tmp/Bento4-1.5.0-617/Source/C++/Apps/Mp42Aac/Mp42Aac.cpp:292:5
    #27 0x7f0ba50e1680 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r4/work/glibc-2.23/csu/../csu/libc-start.c:289
    #28 0x44f3f8 in _start (/usr/bin/mp42aac+0x44f3f8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/Bento4-1.5.0-617/Source/C++/MetaData/Ap4MetaData.cpp:1357:5 in AP4_DataAtom::~AP4_DataAtom()
==11595==ABORTING
Audio Track:
  duration: 7848 ms
  sample count: 16

Patch

https://github.com/axiomatic-systems/Bento4/commit/41cad602709436628f07b4c4f64e9ff7a611f687

References

https://blogs.gentoo.org/ago/2017/09/14/bento4-null-pointer-dereference-in-ap4_dataatomap4_dataatom-ap4metadata-cpp/

You can’t perform that action at this time.