
Allocate for large amounts of memory failed in Ap4DataBuffer.cpp:210 at Bento4 1.5.1-627 when running mp42hls #342

Closed
PikaQQQ opened this issue Dec 17, 2018 · 1 comment


PikaQQQ commented Dec 17, 2018

A crafted input causes a memory allocation to fail in Ap4DataBuffer.cpp at Bento4 1.5.1-627: as the trace below shows, the 0x80003000-byte request reaches AP4_DataBuffer::SetDataSize/ReallocateBuffer from AP4_Sample::ReadData while mp42hls reads sample data from the file.

Triggered by
./mp42hls crash2.mp4

PoC
crash2.zip

Bento4 Version 1.5.1-627
The ASan output is as follows:

==92387==ERROR: AddressSanitizer failed to allocate 0x80003000 (2147495936) bytes of LargeMmapAllocator (errno: 12)
==92387==Process memory map follows:
	0x000000400000-0x0000005aa000	/home/jas/Downloads/Bento4-SRC-1-5-1-627/cmakebuild/mp42hls
	0x0000007a9000-0x0000007aa000	/home/jas/Downloads/Bento4-SRC-1-5-1-627/cmakebuild/mp42hls
	0x0000007aa000-0x0000007b9000	/home/jas/Downloads/Bento4-SRC-1-5-1-627/cmakebuild/mp42hls
	0x0000007b9000-0x0000007ba000	
	0x00007fff7000-0x00008fff7000	
	0x00008fff7000-0x02008fff7000	
	0x02008fff7000-0x10007fff8000	
	0x600000000000-0x602000000000	
	0x602000000000-0x602000010000	
	0x602000010000-0x603000000000	
	0x603000000000-0x603000010000	
	0x603000010000-0x604000000000	
	0x604000000000-0x604000010000	
	0x604000010000-0x606000000000	
	0x606000000000-0x606000010000	
	0x606000010000-0x607000000000	
	0x607000000000-0x607000010000	
	0x607000010000-0x608000000000	
	0x608000000000-0x608000010000	
	0x608000010000-0x60b000000000	
	0x60b000000000-0x60b000010000	
	0x60b000010000-0x60c000000000	
	0x60c000000000-0x60c000010000	
	0x60c000010000-0x60d000000000	
	0x60d000000000-0x60d000010000	
	0x60d000010000-0x60e000000000	
	0x60e000000000-0x60e000010000	
	0x60e000010000-0x610000000000	
	0x610000000000-0x610000010000	
	0x610000010000-0x611000000000	
	0x611000000000-0x611000010000	
	0x611000010000-0x613000000000	
	0x613000000000-0x613000010000	
	0x613000010000-0x614000000000	
	0x614000000000-0x614000020000	
	0x614000020000-0x615000000000	
	0x615000000000-0x615000020000	
	0x615000020000-0x616000000000	
	0x616000000000-0x616000020000	
	0x616000020000-0x619000000000	
	0x619000000000-0x619000020000	
	0x619000020000-0x61c000000000	
	0x61c000000000-0x61c000020000	
	0x61c000020000-0x621000000000	
	0x621000000000-0x621000020000	
	0x621000020000-0x624000000000	
	0x624000000000-0x624000020000	
	0x624000020000-0x626000000000	
	0x626000000000-0x626000020000	
	0x626000020000-0x629000000000	
	0x629000000000-0x629000010000	
	0x629000010000-0x62d000000000	
	0x62d000000000-0x62d000020000	
	0x62d000020000-0x631000000000	
	0x631000000000-0x631000030000	
	0x631000030000-0x640000000000	
	0x640000000000-0x640000003000	
	0x7fe341500000-0x7fe341600000	
	0x7fe341700000-0x7fe341800000	
	0x7fe3418fe000-0x7fe343c50000	
	0x7fe343c50000-0x7fe343d58000	/lib/x86_64-linux-gnu/libm-2.23.so
	0x7fe343d58000-0x7fe343f57000	/lib/x86_64-linux-gnu/libm-2.23.so
	0x7fe343f57000-0x7fe343f58000	/lib/x86_64-linux-gnu/libm-2.23.so
	0x7fe343f58000-0x7fe343f59000	/lib/x86_64-linux-gnu/libm-2.23.so
	0x7fe343f59000-0x7fe343f5c000	/lib/x86_64-linux-gnu/libdl-2.23.so
	0x7fe343f5c000-0x7fe34415b000	/lib/x86_64-linux-gnu/libdl-2.23.so
	0x7fe34415b000-0x7fe34415c000	/lib/x86_64-linux-gnu/libdl-2.23.so
	0x7fe34415c000-0x7fe34415d000	/lib/x86_64-linux-gnu/libdl-2.23.so
	0x7fe34415d000-0x7fe344175000	/lib/x86_64-linux-gnu/libpthread-2.23.so
	0x7fe344175000-0x7fe344374000	/lib/x86_64-linux-gnu/libpthread-2.23.so
	0x7fe344374000-0x7fe344375000	/lib/x86_64-linux-gnu/libpthread-2.23.so
	0x7fe344375000-0x7fe344376000	/lib/x86_64-linux-gnu/libpthread-2.23.so
	0x7fe344376000-0x7fe34437a000	
	0x7fe34437a000-0x7fe34453a000	/lib/x86_64-linux-gnu/libc-2.23.so
	0x7fe34453a000-0x7fe34473a000	/lib/x86_64-linux-gnu/libc-2.23.so
	0x7fe34473a000-0x7fe34473e000	/lib/x86_64-linux-gnu/libc-2.23.so
	0x7fe34473e000-0x7fe344740000	/lib/x86_64-linux-gnu/libc-2.23.so
	0x7fe344740000-0x7fe344744000	
	0x7fe344744000-0x7fe34475a000	/lib/x86_64-linux-gnu/libgcc_s.so.1
	0x7fe34475a000-0x7fe344959000	/lib/x86_64-linux-gnu/libgcc_s.so.1
	0x7fe344959000-0x7fe34495a000	/lib/x86_64-linux-gnu/libgcc_s.so.1
	0x7fe34495a000-0x7fe344acc000	/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21
	0x7fe344acc000-0x7fe344ccc000	/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21
	0x7fe344ccc000-0x7fe344cd6000	/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21
	0x7fe344cd6000-0x7fe344cd8000	/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21
	0x7fe344cd8000-0x7fe344cdc000	
	0x7fe344cdc000-0x7fe344dd0000	/usr/lib/x86_64-linux-gnu/libasan.so.2.0.0
	0x7fe344dd0000-0x7fe344fd0000	/usr/lib/x86_64-linux-gnu/libasan.so.2.0.0
	0x7fe344fd0000-0x7fe344fd3000	/usr/lib/x86_64-linux-gnu/libasan.so.2.0.0
	0x7fe344fd3000-0x7fe344fd4000	/usr/lib/x86_64-linux-gnu/libasan.so.2.0.0
	0x7fe344fd4000-0x7fe345c49000	
	0x7fe345c49000-0x7fe345c6f000	/lib/x86_64-linux-gnu/ld-2.23.so
	0x7fe345d54000-0x7fe345e58000	
	0x7fe345e58000-0x7fe345e6e000	
	0x7fe345e6e000-0x7fe345e6f000	/lib/x86_64-linux-gnu/ld-2.23.so
	0x7fe345e6f000-0x7fe345e70000	/lib/x86_64-linux-gnu/ld-2.23.so
	0x7fe345e70000-0x7fe345e71000	
	0x7fffeaa6e000-0x7fffeaa8f000	[stack]
	0x7fffeaae9000-0x7fffeaaeb000	[vvar]
	0x7fffeaaeb000-0x7fffeaaed000	[vdso]
	0xffffffffff600000-0xffffffffff601000	[vsyscall]
==92387==End of process memory map.
==92387==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_posix.cc:121 "(("unable to mmap" && 0)) != (0)" (0x0, 0x0)
    #0 0x7fe344d7c631  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa0631)
    #1 0x7fe344d815e3 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa55e3)
    #2 0x7fe344d89611  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xad611)
    #3 0x7fe344cfec0c  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x22c0c)
    #4 0x7fe344d7567e in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9967e)
    #5 0x4abb54 in AP4_DataBuffer::ReallocateBuffer(unsigned int) /home/jas/Downloads/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4DataBuffer.cpp:210
    #6 0x4abb54 in AP4_DataBuffer::SetDataSize(unsigned int) /home/jas/Downloads/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4DataBuffer.cpp:151
    #7 0x48ba72 in AP4_Sample::ReadData(AP4_DataBuffer&, unsigned int, unsigned int) /home/jas/Downloads/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4Sample.cpp:147
    #8 0x48ba72 in AP4_Sample::ReadData(AP4_DataBuffer&) /home/jas/Downloads/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4Sample.cpp:127
    #9 0x4449dd in ReadSample /home/jas/Downloads/Bento4-SRC-1-5-1-627/Source/C++/Apps/Mp42Hls/Mp42Hls.cpp:976
    #10 0x4485af in WriteSamples /home/jas/Downloads/Bento4-SRC-1-5-1-627/Source/C++/Apps/Mp42Hls/Mp42Hls.cpp:1251
    #11 0x4412a0 in main /home/jas/Downloads/Bento4-SRC-1-5-1-627/Source/C++/Apps/Mp42Hls/Mp42Hls.cpp:2088
    #12 0x7fe34439a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x4445b8 in _start (/home/jas/Downloads/Bento4-SRC-1-5-1-627/cmakebuild/mp42hls+0x4445b8)

Found by: yjiiit@aliyun.com


fgeek commented Jan 1, 2019

Someone requested a CVE for this; it was assigned CVE-2018-20186.
