Allocation of a large amount of memory failed in Ap4DataBuffer.cpp:55 at Bento4 1.5.1-627 when running mp42hls #349

Closed
PikaQQQ opened this Issue Dec 26, 2018 · 1 comment


PikaQQQ commented Dec 26, 2018

A crafted input leads to a failed memory allocation in Ap4DataBuffer.cpp at Bento4 1.5.1-627.

Triggered by
./mp42hls crash6.mp4

PoC
crash6.mp4.zip

Bento4 Version 1.5.1-627
The ASAN information is as follows:

==28472==ERROR: AddressSanitizer failed to allocate 0x100002000 (4294975488) bytes of LargeMmapAllocator (error code: 12)
==28472==Process memory map follows:
	0x00007fff7000-0x00008fff7000	
	0x00008fff7000-0x02008fff7000	
	0x02008fff7000-0x10007fff8000	
	0x56075ed38000-0x56075f3de000	/home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/cmakebuild/mp42hls
	0x56075f5dd000-0x56075f5e7000	/home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/cmakebuild/mp42hls
	0x56075f5e7000-0x56075f7bb000	/home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/cmakebuild/mp42hls
	0x600000000000-0x602000000000	
	0x602000000000-0x602000010000	
	0x602000010000-0x602e00000000	
	0x602e00000000-0x602e00010000	
	0x602e00010000-0x603000000000	
	0x603000000000-0x603000010000	
	0x603000010000-0x603e00000000	
	0x603e00000000-0x603e00010000	
	0x603e00010000-0x604000000000	
	0x604000000000-0x604000010000	
	0x604000010000-0x604e00000000	
	0x604e00000000-0x604e00010000	
	0x604e00010000-0x607000000000	
	0x607000000000-0x607000010000	
	0x607000010000-0x607e00000000	
	0x607e00000000-0x607e00010000	
	0x607e00010000-0x616000000000	
	0x616000000000-0x616000010000	
	0x616000010000-0x616e00000000	
	0x616e00000000-0x616e00010000	
	0x616e00010000-0x619000000000	
	0x619000000000-0x619000010000	
	0x619000010000-0x619e00000000	
	0x619e00000000-0x619e00010000	
	0x619e00010000-0x621000000000	
	0x621000000000-0x621000010000	
	0x621000010000-0x621e00000000	
	0x621e00000000-0x621e00010000	
	0x621e00010000-0x631000000000	
	0x631000000000-0x631000020000	
	0x631000020000-0x631e00000000	
	0x631e00000000-0x631e00010000	
	0x631e00010000-0x640000000000	
	0x640000000000-0x640000003000	
	0x7fe617000000-0x7fe617100000	
	0x7fe617200000-0x7fe617300000	
	0x7fe617400000-0x7fe617500000	
	0x7fe617600000-0x7fe617700000	
	0x7fe617800000-0x7fe617900000	
	0x7fe6179d5000-0x7fe619d27000	
	0x7fe619d27000-0x7fe619ec4000	/lib/x86_64-linux-gnu/libm-2.27.so
	0x7fe619ec4000-0x7fe61a0c3000	/lib/x86_64-linux-gnu/libm-2.27.so
	0x7fe61a0c3000-0x7fe61a0c4000	/lib/x86_64-linux-gnu/libm-2.27.so
	0x7fe61a0c4000-0x7fe61a0c5000	/lib/x86_64-linux-gnu/libm-2.27.so
	0x7fe61a0c5000-0x7fe61a0df000	/lib/x86_64-linux-gnu/libpthread-2.27.so
	0x7fe61a0df000-0x7fe61a2de000	/lib/x86_64-linux-gnu/libpthread-2.27.so
	0x7fe61a2de000-0x7fe61a2df000	/lib/x86_64-linux-gnu/libpthread-2.27.so
	0x7fe61a2df000-0x7fe61a2e0000	/lib/x86_64-linux-gnu/libpthread-2.27.so
	0x7fe61a2e0000-0x7fe61a2e4000	
	0x7fe61a2e4000-0x7fe61a2eb000	/lib/x86_64-linux-gnu/librt-2.27.so
	0x7fe61a2eb000-0x7fe61a4ea000	/lib/x86_64-linux-gnu/librt-2.27.so
	0x7fe61a4ea000-0x7fe61a4eb000	/lib/x86_64-linux-gnu/librt-2.27.so
	0x7fe61a4eb000-0x7fe61a4ec000	/lib/x86_64-linux-gnu/librt-2.27.so
	0x7fe61a4ec000-0x7fe61a4ef000	/lib/x86_64-linux-gnu/libdl-2.27.so
	0x7fe61a4ef000-0x7fe61a6ee000	/lib/x86_64-linux-gnu/libdl-2.27.so
	0x7fe61a6ee000-0x7fe61a6ef000	/lib/x86_64-linux-gnu/libdl-2.27.so
	0x7fe61a6ef000-0x7fe61a6f0000	/lib/x86_64-linux-gnu/libdl-2.27.so
	0x7fe61a6f0000-0x7fe61a8d7000	/lib/x86_64-linux-gnu/libc-2.27.so
	0x7fe61a8d7000-0x7fe61aad7000	/lib/x86_64-linux-gnu/libc-2.27.so
	0x7fe61aad7000-0x7fe61aadb000	/lib/x86_64-linux-gnu/libc-2.27.so
	0x7fe61aadb000-0x7fe61aadd000	/lib/x86_64-linux-gnu/libc-2.27.so
	0x7fe61aadd000-0x7fe61aae1000	
	0x7fe61aae1000-0x7fe61aaf8000	/lib/x86_64-linux-gnu/libgcc_s.so.1
	0x7fe61aaf8000-0x7fe61acf7000	/lib/x86_64-linux-gnu/libgcc_s.so.1
	0x7fe61acf7000-0x7fe61acf8000	/lib/x86_64-linux-gnu/libgcc_s.so.1
	0x7fe61acf8000-0x7fe61acf9000	/lib/x86_64-linux-gnu/libgcc_s.so.1
	0x7fe61acf9000-0x7fe61ae72000	/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.25
	0x7fe61ae72000-0x7fe61b072000	/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.25
	0x7fe61b072000-0x7fe61b07c000	/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.25
	0x7fe61b07c000-0x7fe61b07e000	/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.25
	0x7fe61b07e000-0x7fe61b082000	
	0x7fe61b082000-0x7fe61b1d2000	/usr/lib/x86_64-linux-gnu/libasan.so.4.0.0
	0x7fe61b1d2000-0x7fe61b3d2000	/usr/lib/x86_64-linux-gnu/libasan.so.4.0.0
	0x7fe61b3d2000-0x7fe61b3d5000	/usr/lib/x86_64-linux-gnu/libasan.so.4.0.0
	0x7fe61b3d5000-0x7fe61b3d8000	/usr/lib/x86_64-linux-gnu/libasan.so.4.0.0
	0x7fe61b3d8000-0x7fe61c03d000	
	0x7fe61c03d000-0x7fe61c064000	/lib/x86_64-linux-gnu/ld-2.27.so
	0x7fe61c104000-0x7fe61c24f000	
	0x7fe61c24f000-0x7fe61c264000	
	0x7fe61c264000-0x7fe61c265000	/lib/x86_64-linux-gnu/ld-2.27.so
	0x7fe61c265000-0x7fe61c266000	/lib/x86_64-linux-gnu/ld-2.27.so
	0x7fe61c266000-0x7fe61c267000	
	0x7ffd36c8c000-0x7ffd36cad000	[stack]
	0x7ffd36daa000-0x7ffd36dad000	[vvar]
	0x7ffd36dad000-0x7ffd36daf000	[vdso]
	0xffffffffff600000-0xffffffffff601000	[vsyscall]
==28472==End of process memory map.
==28472==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_common.cc:118 "((0 && "unable to mmap")) != (0)" (0x0, 0x0)
    #0 0x7fe61b16bc02  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe9c02)
    #1 0x7fe61b18a595 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x108595)
    #2 0x7fe61b175492  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xf3492)
    #3 0x7fe61b1818a5  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xff8a5)
    #4 0x7fe61b0aba51  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x29a51)
    #5 0x7fe61b1625de in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe05de)
    #6 0x56075f0945f9 in AP4_DataBuffer::AP4_DataBuffer(unsigned int) /home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4DataBuffer.cpp:55
    #7 0x56075f0a13e1 in AP4_HvccAtom::Create(unsigned int, AP4_ByteStream&) /home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4HvccAtom.cpp:86
    #8 0x56075f07e124 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4AtomFactory.cpp:484
    #9 0x56075f07c310 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4AtomFactory.cpp:221
    #10 0x56075f07b8d3 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) /home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4AtomFactory.cpp:151
    #11 0x56075f09c849 in AP4_File::ParseStream(AP4_ByteStream&, AP4_AtomFactory&, bool) /home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4File.cpp:104
    #12 0x56075f09c4b8 in AP4_File::AP4_File(AP4_ByteStream&, bool) /home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4File.cpp:78
    #13 0x56075f068ec3 in main /home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/Source/C++/Apps/Mp42Hls/Mp42Hls.cpp:1837
    #14 0x7fe61a711b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #15 0x56075f05ca89 in _start (/home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/cmakebuild/mp42hls+0x324a89)

FoundBy: yjiiit@aliyun.com

fgeek commented Jan 1, 2019

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20502 has been assigned for this vulnerability. Btw, sometimes I've seen this error message because of ASan and not because of a real issue in the codebase.
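As an added illustration (not Bento4 code, and not from the reporter or fgeek), a minimal reader for an ISO BMFF box header that shows the two allocation strategies the trace implies: sizing the payload buffer directly from the 32-bit size field in the file, as the AP4_HvccAtom::Create to AP4_DataBuffer(unsigned int) frames suggest, versus checking that field against the bytes actually remaining in the stream and a per-type cap before any `new[]`. The box layout is the standard 8-byte header (big-endian size including the header, then a four-character type); the sample boxes, the 4096-byte hvcC cap and all function names are constructed for this example and do not come from crash6.mp4 or the Bento4 sources.

```cpp
// Added example, not Bento4 code: a minimal ISO BMFF box ("atom") reader that
// shows an unchecked size-field allocation next to a bounded one.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

constexpr uint32_t kBoxHeaderSize = 8;   // 32-bit big-endian size + 4-byte type

struct BoxHeader {
    uint32_t size;     // declared total box size, header included
    char     type[5];  // FourCC, NUL-terminated so it can be printed
};

static uint32_t ReadBe32(const uint8_t* p) {
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) |
           (uint32_t(p[2]) << 8)  |  uint32_t(p[3]);
}

// Reads the 8-byte header at `offset`; false if the stream has no room for one.
bool ReadBoxHeader(const std::vector<uint8_t>& stream, std::size_t offset, BoxHeader& out) {
    if (offset > stream.size() || stream.size() - offset < kBoxHeaderSize) return false;
    const uint8_t* p = stream.data() + offset;
    out.size = ReadBe32(p);
    for (int i = 0; i < 4; ++i) out.type[i] = static_cast<char>(p[4 + i]);
    out.type[4] = '\0';
    return true;
}

// Unchecked pattern: the payload buffer is sized straight from the file's size
// field as `size - header` in 32-bit unsigned arithmetic. This returns the byte
// count that would reach operator new[] instead of allocating it, so a ~4 GiB
// request is visible without reproducing the out-of-memory abort. -1 = no header.
int64_t NaiveAllocSize(const std::vector<uint8_t>& stream, std::size_t offset) {
    BoxHeader h;
    if (!ReadBoxHeader(stream, offset, h)) return -1;
    uint32_t payload = h.size - kBoxHeaderSize;   // wraps when size < 8
    return payload;
}

// Bounded pattern: the size field is attacker-controlled, so validate it against
// what the stream actually holds before sizing any buffer. Returns false for a
// malformed box and leaves `out` untouched.
bool ReadBoxPayloadChecked(const std::vector<uint8_t>& stream, std::size_t offset,
                           std::size_t max_payload, std::vector<uint8_t>& out) {
    BoxHeader h;
    if (!ReadBoxHeader(stream, offset, h)) return false;
    // size 0 ("to end of file") and 1 ("64-bit largesize follows") are legal in
    // ISO BMFF but need their own handling, and 2..7 are always invalid; every one
    // of them would wrap the subtraction below, so reject them here.
    if (h.size < kBoxHeaderSize) return false;
    const std::size_t payload = h.size - kBoxHeaderSize;
    // Never allocate more than the bytes actually left after the header.
    const std::size_t remaining = stream.size() - offset - kBoxHeaderSize;
    if (payload > remaining) return false;
    // Per-type cap (assumed 4096 for hvcC below): a decoder configuration record
    // is normally well under that, so a bigger one is garbage even if the file is long enough.
    if (payload > max_payload) return false;
    auto begin = stream.begin() + static_cast<std::ptrdiff_t>(offset + kBoxHeaderSize);
    out.assign(begin, begin + static_cast<std::ptrdiff_t>(payload));
    return true;
}

// Checked-path convenience: payload length, or -1 when the box is rejected.
int64_t CheckedPayloadSize(const std::vector<uint8_t>& stream, std::size_t offset,
                           std::size_t max_payload) {
    std::vector<uint8_t> payload;
    if (!ReadBoxPayloadChecked(stream, offset, max_payload, payload)) return -1;
    return static_cast<int64_t>(payload.size());
}

// Constructed sample boxes; none of these bytes come from crash6.mp4.
std::vector<uint8_t> GoodHvccBox()      { return {0x00,0x00,0x00,0x0C, 'h','v','c','C', 0x01,0x02,0x03,0x04}; }
std::vector<uint8_t> WrappingHvccBox()  { return {0x00,0x00,0x00,0x05, 'h','v','c','C'}; }       // size < header
std::vector<uint8_t> OversizedHvccBox() { return {0x7F,0xFF,0xFF,0xFF, 'h','v','c','C', 0x01}; } // size >> stream

int main() {
    const std::vector<uint8_t> boxes[] = {GoodHvccBox(), WrappingHvccBox(), OversizedHvccBox()};
    for (const auto& box : boxes) {
        BoxHeader h;
        if (!ReadBoxHeader(box, 0, h)) continue;
        std::vector<uint8_t> payload;
        const bool ok = ReadBoxPayloadChecked(box, 0, 4096, payload);
        std::printf("%s size=%u  naive new[] would request %lld bytes, checked parser: %s\n",
                    h.type, h.size, static_cast<long long>(NaiveAllocSize(box, 0)),
                    ok ? "accepted" : "rejected");
    }
    return 0;
}
```

The naive path reports the byte count it would hand to operator new[] rather than allocating it, so the wrap from a size field smaller than the header (5 - 8 in unsigned 32-bit arithmetic gives 0xFFFFFFFD, about 4 GiB) can be seen without reproducing the abort. On the caveat in the comment above: ASan aborts on a failed allocation by default (allocator_may_return_null=0), so an "unable to mmap" CHECK failure only shows that an absurd size reached the allocator; whether the unsanitized build copes with that (an uncaught std::bad_alloc is still a crash) has to be confirmed separately, for instance by running the non-ASan binary on the same input or rerunning with ASAN_OPTIONS=allocator_may_return_null=1.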
