A global-buffer-overflow has occurred when running mp4info #301

Open
swtkiwi opened this issue Jul 23, 2018 · 0 comments
swtkiwi commented Jul 23, 2018

A global-buffer-overflow has occurred when running ./mp4info

=================================================================
==10109==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000962cc1 at pc 0x7fb7f844e935 bp 0x7ffe06fca470 sp 0x7ffe06fc9c18
READ of size 28 at 0x000000962cc1 thread T0
    #0 0x7fb7f844e934 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c934)
    #1 0x56ff54 in memcpy /usr/include/x86_64-linux-gnu/bits/string3.h:53
    #2 0x56ff54 in AP4_MemoryByteStream::WritePartial(void const*, unsigned int, unsigned int&) /home/swt_fuzz/Bento4/Source/C++/Core/Ap4ByteStream.cpp:789
    #3 0x5739eb in AP4_ByteStream::Write(void const*, unsigned int) /home/swt_fuzz/Bento4/Source/C++/Core/Ap4ByteStream.cpp:78
    #4 0x55bf16 in AP4_HdlrAtom::WriteFields(AP4_ByteStream&) /home/swt_fuzz/Bento4/Source/C++/Core/Ap4HdlrAtom.cpp:125
    #5 0x587264 in AP4_Atom::Write(AP4_ByteStream&) /home/swt_fuzz/Bento4/Source/C++/Core/Ap4Atom.cpp:229
    #6 0x587264 in AP4_Atom::Clone() /home/swt_fuzz/Bento4/Source/C++/Core/Ap4Atom.cpp:316
    #7 0x54a772 in AP4_SampleDescription::AP4_SampleDescription(AP4_SampleDescription::Type, unsigned int, AP4_AtomParent*) /home/swt_fuzz/Bento4/Source/C++/Core/Ap4SampleDescription.cpp:127
    #8 0x54a772 in AP4_AvcSampleDescription::AP4_AvcSampleDescription(unsigned int, unsigned short, unsigned short, unsigned short, char const*, AP4_AtomParent*) /home/swt_fuzz/Bento4/Source/C++/Core/Ap4SampleDescription.cpp:353
    #9 0x699fa1 in AP4_AvcSampleEntry::ToSampleDescription() /home/swt_fuzz/Bento4/Source/C++/Core/Ap4SampleEntry.cpp:1028
    #10 0x68659f in AP4_StsdAtom::GetSampleDescription(unsigned int) /home/swt_fuzz/Bento4/Source/C++/Core/Ap4StsdAtom.cpp:179
    #11 0x456927 in ShowTrackInfo_Text /home/swt_fuzz/Bento4/Source/C++/Apps/Mp4Info/Mp4Info.cpp:1089
    #12 0x457aaf in ShowTrackInfo /home/swt_fuzz/Bento4/Source/C++/Apps/Mp4Info/Mp4Info.cpp:1213
    #13 0x457aaf in ShowTracks /home/swt_fuzz/Bento4/Source/C++/Apps/Mp4Info/Mp4Info.cpp:1323
    #14 0x44030d in main /home/swt_fuzz/Bento4/Source/C++/Apps/Mp4Info/Mp4Info.cpp:1587
    #15 0x7fb7f7a8082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #16 0x446508 in _start (/home/swt_fuzz/Bento4/cmakebuild/mp4info+0x446508)

0x000000962cc1 is located 0 bytes to the right of global variable 'EmptyString' defined in '/home/swt_fuzz/Bento4/Source/C++/Core/Ap4String.cpp:39:6' (0x962cc0) of size 1
  'EmptyString' is ascii string ''
SUMMARY: AddressSanitizer: global-buffer-overflow ??:0 __asan_memcpy
==10109==ABORTING

The tested program is mp4info, and the input file has been placed at:
https://github.com/fCorleone/fuzz_programs/blob/master/Bento4/test9.dms
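The trace above shows a 28-byte memcpy read from the 1-byte global `EmptyString` while `AP4_HdlrAtom::WriteFields` serializes the handler name, i.e. a writer that sizes the copy from the box's declared length rather than from the string it actually holds. The following is an added illustration of that pattern and its bounded form; it is a constructed model of an ISOBMFF `hdlr` box body, not Bento4's code, and `HdlrFields`, `naiveNameCopyLength` and `writeHdlrBody` are hypothetical names.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstring>
#include <stdexcept>
#include <string>
#include <vector>

// Constructed model of a parsed 'hdlr' box (hypothetical, not Bento4's types):
// body = 4 bytes version/flags + 4 pre_defined + 4 handler_type + 12 reserved,
// followed by a name string that is expected to fill the rest of the box.
struct HdlrFields {
    uint32_t declaredBodySize;  // body length taken from the box header in the file
    uint32_t handlerType;       // e.g. 'vide'
    std::string name;           // may be shorter than the declared tail (even empty)
};

constexpr uint32_t kFixedFields = 4 + 4 + 4 + 12;

// The unsafe pattern: derive the name copy length from the declared box size
// alone. When the parsed name is shorter than that tail, memcpy reads past the
// end of the string (the 28-byte READ of a 1-byte global in the report).
// Only the length is computed here; the overread itself is never performed.
size_t naiveNameCopyLength(const HdlrFields& f) {
    return f.declaredBodySize - kFixedFields;  // unchecked, may exceed name.size()
}

// Bounded writer: reject a body smaller than the fixed fields (no underflow),
// copy at most name.size() bytes, and zero-pad so the emitted box still has
// its declared size without reading beyond the string's own storage.
std::vector<uint8_t> writeHdlrBody(const HdlrFields& f) {
    if (f.declaredBodySize < kFixedFields)
        throw std::length_error("hdlr body smaller than its fixed fields");
    std::vector<uint8_t> out(f.declaredBodySize, 0);
    for (int i = 0; i < 4; ++i)  // handler_type, big-endian, at offset 8
        out[8 + i] = static_cast<uint8_t>(f.handlerType >> (24 - 8 * i));
    const size_t tail = f.declaredBodySize - kFixedFields;
    const size_t n = std::min(f.name.size(), tail);  // never past the string
    std::memcpy(out.data() + kFixedFields, f.name.data(), n);
    return out;
}
```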

barbibulle self-assigned this Aug 30, 2018