Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

A heap-buffer-overflow has occurred when running program mp4info. #303

Open
swtkiwi opened this issue Jul 23, 2018 · 1 comment
Open

A heap-buffer-overflow has occurred when running program mp4info. #303

swtkiwi opened this issue Jul 23, 2018 · 1 comment
Assignees
@barbibulle
Labels
fuzzing

Comments

@swtkiwi
Copy link

swtkiwi commented Jul 23, 2018

A heap-buffer-overflow has occurred when running program mp4info.

=================================================================
==10130==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ee14 at pc 0x000000483bfb bp 0x7fff7c327330 sp 0x7fff7c327320
READ of size 1 at 0x60200000ee14 thread T0
    #0 0x483bfa in AP4_Mp4AudioDsiParser::ReadBits(unsigned int) /home/swt_fuzz/Bento4/Source/C++/Codecs/Ap4Mp4AudioInfo.cpp:66
    #1 0x483bfa in AP4_Mp4AudioDecoderConfig::ParseExtension(AP4_Mp4AudioDsiParser&) /home/swt_fuzz/Bento4/Source/C++/Codecs/Ap4Mp4AudioInfo.cpp:136
    #2 0x4847aa in AP4_Mp4AudioDecoderConfig::Parse(unsigned char const*, unsigned int) /home/swt_fuzz/Bento4/Source/C++/Codecs/Ap4Mp4AudioInfo.cpp:314
    #3 0x546ba0 in AP4_MpegAudioSampleDescription::GetCodecString(AP4_String&) /home/swt_fuzz/Bento4/Source/C++/Core/Ap4SampleDescription.cpp:750
    #4 0x447cd1 in ShowMpegAudioSampleDescription /home/swt_fuzz/Bento4/Source/C++/Apps/Mp4Info/Mp4Info.cpp:303
    #5 0x4527e6 in ShowSampleDescription_Text /home/swt_fuzz/Bento4/Source/C++/Apps/Mp4Info/Mp4Info.cpp:412
    #6 0x456999 in ShowSampleDescription /home/swt_fuzz/Bento4/Source/C++/Apps/Mp4Info/Mp4Info.cpp:783
    #7 0x456999 in ShowTrackInfo_Text /home/swt_fuzz/Bento4/Source/C++/Apps/Mp4Info/Mp4Info.cpp:1092
    #8 0x457aaf in ShowTrackInfo /home/swt_fuzz/Bento4/Source/C++/Apps/Mp4Info/Mp4Info.cpp:1213
    #9 0x457aaf in ShowTracks /home/swt_fuzz/Bento4/Source/C++/Apps/Mp4Info/Mp4Info.cpp:1323
    #10 0x44030d in main /home/swt_fuzz/Bento4/Source/C++/Apps/Mp4Info/Mp4Info.cpp:1587
    #11 0x7f63d94de82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #12 0x446508 in _start (/home/swt_fuzz/Bento4/cmakebuild/mp4info+0x446508)

0x60200000ee14 is located 0 bytes to the right of 4-byte region [0x60200000ee10,0x60200000ee14)
allocated by thread T0 here:
    #0 0x7f63d9eb96b2 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x996b2)
    #1 0x538d85 in AP4_DataBuffer::AP4_DataBuffer(void const*, unsigned int) /home/swt_fuzz/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:68

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/swt_fuzz/Bento4/Source/C++/Codecs/Ap4Mp4AudioInfo.cpp:66 AP4_Mp4AudioDsiParser::ReadBits(unsigned int)
Shadow bytes around the buggy address:
  0x0c047fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9dc0: fa fa[04]fa fa fa 04 fa fa fa 01 fa fa fa fd fa
  0x0c047fff9dd0: fa fa fd fa fa fa 04 fa fa fa fd fd fa fa 00 fa
  0x0c047fff9de0: fa fa 04 fa fa fa 00 05 fa fa fd fd fa fa 04 fa
  0x0c047fff9df0: fa fa fd fd fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==10130==ABORTING

he testing program is mp4info.
And the input file has been put at:
https://github.com/fCorleone/fuzz_programs/blob/master/Bento4/test11.dms
@barbibulle barbibulle self-assigned this Aug 30, 2018
@fgeek
Copy link

fgeek commented Jan 1, 2019
edited
Loading

Someone requested a CVE for this, which got assigned CVE-2018-14589. Reproduced in 5a0ce80.

@X3eRo0 X3eRo0 mentioned this issue Jul 22, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@barbibulle barbibulle

Labels
fuzzing
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@fgeek @barbibulle @swtkiwi