A heap-buffer-overflow issue found #282

Closed
swtkiwi opened this issue Jul 9, 2018 · 0 comments
swtkiwi commented Jul 9, 2018

A heap buffer overflow problem has been found at Ap4Mpeg2Ts.cpp:663.

```text
=================================================================
==20724==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ec34 at pc 0x000000466b63 bp 0x7fffaeec6980 sp 0x7fffaeec6970
READ of size 1 at 0x60200000ec34 thread T0
    #0 0x466b62 in AP4_Mpeg2TsVideoSampleStream::WriteSample(AP4_Sample&, AP4_DataBuffer&, AP4_SampleDescription*, bool, AP4_ByteStream&) /home/mfc_fuzz/Bento4/Source/C++/Core/Ap4Mpeg2Ts.cpp:663
    #1 0x4550fb in WriteSamples /home/mfc_fuzz/Bento4/Source/C++/Apps/Mp42Ts/Mp42Ts.cpp:309
    #2 0x457e3d in main /home/mfc_fuzz/Bento4/Source/C++/Apps/Mp42Ts/Mp42Ts.cpp:623
    #3 0x7fb94b90082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #4 0x453938 in _start (/home/sandy/swt_fuzz/Bento4/cmakebuild/mp42ts+0x453938)

0x60200000ec34 is located 0 bytes to the right of 4-byte region [0x60200000ec30,0x60200000ec34)
allocated by thread T0 here:
    #0 0x7fb94c2db6b2 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x996b2)
    #1 0x4a704a in AP4_DataBuffer::ReallocateBuffer(unsigned int) /home/mfc_fuzz/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:210
    #2 0x4a69e8 in AP4_DataBuffer::SetDataSize(unsigned int) /home/mfc_fuzz/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:151
    #3 0x46123e in AP4_Sample::ReadData(AP4_DataBuffer&, unsigned int, unsigned int) /home/mfc_fuzz/Bento4/Source/C++/Core/Ap4Sample.cpp:147
    #4 0x4610d3 in AP4_Sample::ReadData(AP4_DataBuffer&) /home/mfc_fuzz/Bento4/Source/C++/Core/Ap4Sample.cpp:127
    #5 0x45de2c in AP4_Track::ReadSample(unsigned int, AP4_Sample&, AP4_DataBuffer&) /home/mfc_fuzz/Bento4/Source/C++/Core/Ap4Track.cpp:473
    #6 0x453c8a in TrackSampleReader::ReadSample(AP4_Sample&, AP4_DataBuffer&) /home/mfc_fuzz/Bento4/Source/C++/Apps/Mp42Ts/Mp42Ts.cpp:121
    #7 0x4541ab in ReadSample /home/mfc_fuzz/Bento4/Source/C++/Apps/Mp42Ts/Mp42Ts.cpp:179
    #8 0x454789 in WriteSamples /home/mfc_fuzz/Bento4/Source/C++/Apps/Mp42Ts/Mp42Ts.cpp:230
    #9 0x457e3d in main /home/mfc_fuzz/Bento4/Source/C++/Apps/Mp42Ts/Mp42Ts.cpp:623
    #10 0x7fb94b90082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/mfc_fuzz/Bento4/Source/C++/Core/Ap4Mpeg2Ts.cpp:663 AP4_Mpeg2TsVideoSampleStream::WriteSample(AP4_Sample&, AP4_DataBuffer&, AP4_SampleDescription*, bool, AP4_ByteStream&)
Shadow bytes around the buggy address:
  0x0c047fff9d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9d80: fa fa fa fa fa fa[04]fa fa fa 04 fa fa fa 01 fa
  0x0c047fff9d90: fa fa 04 fa fa fa fd fa fa fa fd fa fa fa fd fd
  0x0c047fff9da0: fa fa 02 fa fa fa 00 00 fa fa 00 00 fa fa 01 fa
  0x0c047fff9db0: fa fa fd fa fa fa 00 fa fa fa 02 fa fa fa 00 05
  0x0c047fff9dc0: fa fa fd fd fa fa 04 fa fa fa 04 fa fa fa fd fa
  0x0c047fff9dd0: fa fa 00 fa fa fa 04 fa fa fa fd fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==20724==ABORTING
```
The testing program is mp42ts.
And the input file has been put at: 
https://github.com/fCorleone/fuzz_programs/blob/master/Bento4/test1
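Added illustration, not code from the Bento4 project and not the fix the maintainers applied: the report shows a 1-byte read at offset 4 of a 4-byte sample buffer while `WriteSample` processes video sample data. Assuming, as a hypothesis the issue does not confirm, that the loop at that line walks length-prefixed AVC NAL units, this is the bounds-checked form of such a walk, which rejects truncated or oversized input instead of reading past the buffer:

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Assumed model of the failing path (not confirmed by the issue): WriteSample
// walks an AVC sample whose NAL units carry a big-endian length prefix of
// nalu_length_size bytes and reads the NAL header byte after each prefix.
// The report shows a 1-byte read at offset 4 of a 4-byte sample buffer: a
// prefix was consumed and the header byte read without checking it exists.

struct NalUnit {
    size_t offset;    // offset of the NAL payload (just after the prefix)
    uint32_t length;  // length declared by the prefix
    uint8_t type;     // nal_unit_type: low 5 bits of the header byte
};

// Bounds-checked walk: returns false on truncated or oversized input
// instead of reading past `data`.
bool WalkNalUnits(const uint8_t* data, size_t data_size,
                  unsigned int nalu_length_size, std::vector<NalUnit>& out) {
    if (nalu_length_size < 1 || nalu_length_size > 4) return false;
    size_t pos = 0;
    while (pos < data_size) {
        // Need the whole prefix plus at least one header byte.
        if (data_size - pos < nalu_length_size + 1u) return false;
        uint32_t nalu_length = 0;
        for (unsigned int i = 0; i < nalu_length_size; ++i) {
            nalu_length = (nalu_length << 8) | data[pos + i];
        }
        pos += nalu_length_size;
        // The declared length must be non-zero and fit in what remains.
        if (nalu_length == 0 || nalu_length > data_size - pos) return false;
        NalUnit nalu;
        nalu.offset = pos;
        nalu.length = nalu_length;
        nalu.type = data[pos] & 0x1f;  // safe: at least one byte remains
        out.push_back(nalu);
        pos += nalu_length;
    }
    return true;
}

// Constructed inputs (not the report's test file).
// Four bytes of prefix and nothing else: the shape the sanitizer report describes.
static const uint8_t kTruncatedSample[4] = {0x00, 0x00, 0x00, 0x01};
// One valid 5-byte NAL unit (type 5, IDR slice) behind a 4-byte prefix.
static const uint8_t kGoodSample[9] = {0x00, 0x00, 0x00, 0x05,
                                       0x65, 0x88, 0x84, 0x00, 0x20};
```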
@barbibulle barbibulle self-assigned this Jul 21, 2018