Allocate for large amounts of memory failed in Ap4StcoAtom.cpp:81 at Bento4 1.5.1-627 when running mp42hls #350

Closed
PikaQQQ opened this Issue Dec 31, 2018 · 2 comments

@PikaQQQ

PikaQQQ commented Dec 31, 2018

A crafted input will lead to a memory allocation failure in Ap4StcoAtom.cpp in Bento4 1.5.1-627

Triggered by
./mp42hls crash7.mp4

PoC
crash7.mp4.zip

Bento4 Version 1.5.1-627
The ASAN information is as follows:

==10432==ERROR: AddressSanitizer failed to allocate 0x100002000 (4294975488) bytes of LargeMmapAllocator (error code: 12)
==10432==Process memory map follows:
	0x00007fff7000-0x00008fff7000	
	0x00008fff7000-0x02008fff7000	
	0x02008fff7000-0x10007fff8000	
	0x561a5fbfc000-0x561a602a2000	/home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/cmakebuild/mp42hls
	0x561a604a1000-0x561a604ab000	/home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/cmakebuild/mp42hls
	0x561a604ab000-0x561a6067f000	/home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/cmakebuild/mp42hls
	0x600000000000-0x602000000000	
	0x602000000000-0x602000010000	
	0x602000010000-0x602e00000000	
	0x602e00000000-0x602e00010000	
	0x602e00010000-0x603000000000	
	0x603000000000-0x603000010000	
	0x603000010000-0x603e00000000	
	0x603e00000000-0x603e00010000	
	0x603e00010000-0x604000000000	
	0x604000000000-0x604000010000	
	0x604000010000-0x604e00000000	
	0x604e00000000-0x604e00010000	
	0x604e00010000-0x606000000000	
	0x606000000000-0x606000010000	
	0x606000010000-0x606e00000000	
	0x606e00000000-0x606e00010000	
	0x606e00010000-0x607000000000	
	0x607000000000-0x607000010000	
	0x607000010000-0x607e00000000	
	0x607e00000000-0x607e00010000	
	0x607e00010000-0x608000000000	
	0x608000000000-0x608000010000	
	0x608000010000-0x608e00000000	
	0x608e00000000-0x608e00010000	
	0x608e00010000-0x60b000000000	
	0x60b000000000-0x60b000010000	
	0x60b000010000-0x60be00000000	
	0x60be00000000-0x60be00010000	
	0x60be00010000-0x60c000000000	
	0x60c000000000-0x60c000010000	
	0x60c000010000-0x60ce00000000	
	0x60ce00000000-0x60ce00010000	
	0x60ce00010000-0x60d000000000	
	0x60d000000000-0x60d000010000	
	0x60d000010000-0x60de00000000	
	0x60de00000000-0x60de00010000	
	0x60de00010000-0x60e000000000	
	0x60e000000000-0x60e000010000	
	0x60e000010000-0x60ee00000000	
	0x60ee00000000-0x60ee00010000	
	0x60ee00010000-0x611000000000	
	0x611000000000-0x611000010000	
	0x611000010000-0x611e00000000	
	0x611e00000000-0x611e00010000	
	0x611e00010000-0x615000000000	
	0x615000000000-0x615000010000	
	0x615000010000-0x615e00000000	
	0x615e00000000-0x615e00010000	
	0x615e00010000-0x616000000000	
	0x616000000000-0x616000010000	
	0x616000010000-0x616e00000000	
	0x616e00000000-0x616e00010000	
	0x616e00010000-0x619000000000	
	0x619000000000-0x619000010000	
	0x619000010000-0x619e00000000	
	0x619e00000000-0x619e00010000	
	0x619e00010000-0x621000000000	
	0x621000000000-0x621000010000	
	0x621000010000-0x621e00000000	
	0x621e00000000-0x621e00010000	
	0x621e00010000-0x624000000000	
	0x624000000000-0x624000010000	
	0x624000010000-0x624e00000000	
	0x624e00000000-0x624e00010000	
	0x624e00010000-0x631000000000	
	0x631000000000-0x631000020000	
	0x631000020000-0x631e00000000	
	0x631e00000000-0x631e00010000	
	0x631e00010000-0x640000000000	
	0x640000000000-0x640000003000	
	0x7f8b99e00000-0x7f8b99f00000	
	0x7f8b9a000000-0x7f8b9a100000	
	0x7f8b9a200000-0x7f8b9a300000	
	0x7f8b9a400000-0x7f8b9a500000	
	0x7f8b9a600000-0x7f8b9a700000	
	0x7f8b9a770000-0x7f8b9cac2000	
	0x7f8b9cac2000-0x7f8b9cc5f000	/lib/x86_64-linux-gnu/libm-2.27.so
	0x7f8b9cc5f000-0x7f8b9ce5e000	/lib/x86_64-linux-gnu/libm-2.27.so
	0x7f8b9ce5e000-0x7f8b9ce5f000	/lib/x86_64-linux-gnu/libm-2.27.so
	0x7f8b9ce5f000-0x7f8b9ce60000	/lib/x86_64-linux-gnu/libm-2.27.so
	0x7f8b9ce60000-0x7f8b9ce7a000	/lib/x86_64-linux-gnu/libpthread-2.27.so
	0x7f8b9ce7a000-0x7f8b9d079000	/lib/x86_64-linux-gnu/libpthread-2.27.so
	0x7f8b9d079000-0x7f8b9d07a000	/lib/x86_64-linux-gnu/libpthread-2.27.so
	0x7f8b9d07a000-0x7f8b9d07b000	/lib/x86_64-linux-gnu/libpthread-2.27.so
	0x7f8b9d07b000-0x7f8b9d07f000	
	0x7f8b9d07f000-0x7f8b9d086000	/lib/x86_64-linux-gnu/librt-2.27.so
	0x7f8b9d086000-0x7f8b9d285000	/lib/x86_64-linux-gnu/librt-2.27.so
	0x7f8b9d285000-0x7f8b9d286000	/lib/x86_64-linux-gnu/librt-2.27.so
	0x7f8b9d286000-0x7f8b9d287000	/lib/x86_64-linux-gnu/librt-2.27.so
	0x7f8b9d287000-0x7f8b9d28a000	/lib/x86_64-linux-gnu/libdl-2.27.so
	0x7f8b9d28a000-0x7f8b9d489000	/lib/x86_64-linux-gnu/libdl-2.27.so
	0x7f8b9d489000-0x7f8b9d48a000	/lib/x86_64-linux-gnu/libdl-2.27.so
	0x7f8b9d48a000-0x7f8b9d48b000	/lib/x86_64-linux-gnu/libdl-2.27.so
	0x7f8b9d48b000-0x7f8b9d672000	/lib/x86_64-linux-gnu/libc-2.27.so
	0x7f8b9d672000-0x7f8b9d872000	/lib/x86_64-linux-gnu/libc-2.27.so
	0x7f8b9d872000-0x7f8b9d876000	/lib/x86_64-linux-gnu/libc-2.27.so
	0x7f8b9d876000-0x7f8b9d878000	/lib/x86_64-linux-gnu/libc-2.27.so
	0x7f8b9d878000-0x7f8b9d87c000	
	0x7f8b9d87c000-0x7f8b9d893000	/lib/x86_64-linux-gnu/libgcc_s.so.1
	0x7f8b9d893000-0x7f8b9da92000	/lib/x86_64-linux-gnu/libgcc_s.so.1
	0x7f8b9da92000-0x7f8b9da93000	/lib/x86_64-linux-gnu/libgcc_s.so.1
	0x7f8b9da93000-0x7f8b9da94000	/lib/x86_64-linux-gnu/libgcc_s.so.1
	0x7f8b9da94000-0x7f8b9dc0d000	/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.25
	0x7f8b9dc0d000-0x7f8b9de0d000	/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.25
	0x7f8b9de0d000-0x7f8b9de17000	/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.25
	0x7f8b9de17000-0x7f8b9de19000	/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.25
	0x7f8b9de19000-0x7f8b9de1d000	
	0x7f8b9de1d000-0x7f8b9df6d000	/usr/lib/x86_64-linux-gnu/libasan.so.4.0.0
	0x7f8b9df6d000-0x7f8b9e16d000	/usr/lib/x86_64-linux-gnu/libasan.so.4.0.0
	0x7f8b9e16d000-0x7f8b9e170000	/usr/lib/x86_64-linux-gnu/libasan.so.4.0.0
	0x7f8b9e170000-0x7f8b9e173000	/usr/lib/x86_64-linux-gnu/libasan.so.4.0.0
	0x7f8b9e173000-0x7f8b9edd8000	
	0x7f8b9edd8000-0x7f8b9edff000	/lib/x86_64-linux-gnu/ld-2.27.so
	0x7f8b9ee9f000-0x7f8b9efea000	
	0x7f8b9efea000-0x7f8b9efff000	
	0x7f8b9efff000-0x7f8b9f000000	/lib/x86_64-linux-gnu/ld-2.27.so
	0x7f8b9f000000-0x7f8b9f001000	/lib/x86_64-linux-gnu/ld-2.27.so
	0x7f8b9f001000-0x7f8b9f002000	
	0x7ffce3bd8000-0x7ffce3bf9000	[stack]
	0x7ffce3bfb000-0x7ffce3bfe000	[vvar]
	0x7ffce3bfe000-0x7ffce3c00000	[vdso]
	0xffffffffff600000-0xffffffffff601000	[vsyscall]
==10432==End of process memory map.
==10432==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_common.cc:118 "((0 && "unable to mmap")) != (0)" (0x0, 0x0)
    #0 0x7f8b9df06c02  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe9c02)
    #1 0x7f8b9df25595 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x108595)
    #2 0x7f8b9df10492  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xf3492)
    #3 0x7f8b9df1c8a5  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xff8a5)
    #4 0x7f8b9de46a51  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x29a51)
    #5 0x7f8b9defd5de in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe05de)
    #6 0x561a5ffcf4c4 in AP4_StcoAtom::AP4_StcoAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&) /home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4StcoAtom.cpp:81
    #7 0x561a5ffcf104 in AP4_StcoAtom::Create(unsigned int, AP4_ByteStream&) /home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4StcoAtom.cpp:52
    #8 0x561a5ff41d64 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4AtomFactory.cpp:434
    #9 0x561a5ff40310 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4AtomFactory.cpp:221
    #10 0x561a5ff515bc in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4ContainerAtom.cpp:194
    #11 0x561a5ffbe494 in AP4_SampleEntry::Read(AP4_ByteStream&, AP4_AtomFactory&) /home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4SampleEntry.cpp:115
    #12 0x561a5ffc2710 in AP4_VisualSampleEntry::AP4_VisualSampleEntry(unsigned int, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4SampleEntry.cpp:742
    #13 0x561a5ffc3f00 in AP4_AvcSampleEntry::AP4_AvcSampleEntry(unsigned int, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4SampleEntry.cpp:994
    #14 0x561a5ff40e2d in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4AtomFactory.cpp:306
    #15 0x561a5ff40310 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4AtomFactory.cpp:221
    #16 0x561a5ffd4ce5 in AP4_StsdAtom::AP4_StsdAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4StsdAtom.cpp:101
    #17 0x561a5ffd4553 in AP4_StsdAtom::Create(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4StsdAtom.cpp:57
    #18 0x561a5ff41ca4 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4AtomFactory.cpp:424
    #19 0x561a5ff40310 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4AtomFactory.cpp:221
    #20 0x561a5ff515bc in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4ContainerAtom.cpp:194
    #21 0x561a5ff51030 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4ContainerAtom.cpp:139
    #22 0x561a5ff50b8e in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4ContainerAtom.cpp:88
    #23 0x561a5ff43519 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4AtomFactory.cpp:764
    #24 0x561a5ff40310 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4AtomFactory.cpp:221
    #25 0x561a5ff515bc in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4ContainerAtom.cpp:194
    #26 0x561a5ff51030 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4ContainerAtom.cpp:139
    #27 0x561a5ff50b8e in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4ContainerAtom.cpp:88
    #28 0x561a5ff43519 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4AtomFactory.cpp:764
    #29 0x561a5ff40310 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4AtomFactory.cpp:221
    #30 0x561a5ff515bc in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4ContainerAtom.cpp:194
    #31 0x561a5ff51030 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4ContainerAtom.cpp:139
    #32 0x561a5ff50b8e in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4ContainerAtom.cpp:88
    #33 0x561a5ff43519 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4AtomFactory.cpp:764
    #34 0x561a5ff40310 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4AtomFactory.cpp:221
    #35 0x561a5ff515bc in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4ContainerAtom.cpp:194
    #36 0x561a5ff51030 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4ContainerAtom.cpp:139
    #37 0x561a5ffeb530 in AP4_TrakAtom::AP4_TrakAtom(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4TrakAtom.cpp:165
    #38 0x561a5ff44589 in AP4_TrakAtom::Create(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) (/home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/cmakebuild/mp42hls+0x348589)
    #39 0x561a5ff4193d in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4AtomFactory.cpp:379
    #40 0x561a5ff40310 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4AtomFactory.cpp:221
    #41 0x561a5ff515bc in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4ContainerAtom.cpp:194
    #42 0x561a5ff51030 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4ContainerAtom.cpp:139
    #43 0x561a5ff83d52 in AP4_MoovAtom::AP4_MoovAtom(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4MoovAtom.cpp:80
    #44 0x561a5ff44523 in AP4_MoovAtom::Create(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) (/home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/cmakebuild/mp42hls+0x348523)
    #45 0x561a5ff417b6 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4AtomFactory.cpp:359
    #46 0x561a5ff40310 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4AtomFactory.cpp:221
    #47 0x561a5ff3f8d3 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) /home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4AtomFactory.cpp:151
    #48 0x561a5ff60849 in AP4_File::ParseStream(AP4_ByteStream&, AP4_AtomFactory&, bool) /home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4File.cpp:104
    #49 0x561a5ff604b8 in AP4_File::AP4_File(AP4_ByteStream&, bool) /home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4File.cpp:78
    #50 0x561a5ff2cec3 in main /home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/Source/C++/Apps/Mp42Hls/Mp42Hls.cpp:1837
    #51 0x7f8b9d4acb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #52 0x561a5ff20a89 in _start (/home/parallels/Desktop/Fuzz/Bento4/Bento4-SRC-1-5-1-627/cmakebuild/mp42hls+0x324a89)

FoundBy: yjiiit@aliyun.com
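The trace above ends in operator new[] inside the AP4_StcoAtom constructor, i.e. an array sized from a value read out of the file. The following is an added example, not Bento4's code, showing the general pattern for a chunk-offset ('stco') atom: bound the entry count by the bytes actually present in the atom payload before allocating, rather than trusting the 32-bit count. The sample payloads are constructed here; the hostile one uses a count chosen so that count * 4 equals the byte figure in the ASAN report, purely for illustration, and is not a claim about what crash7.mp4 contains.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Parsed 'stco' payload: version(1) flags(3) entry_count(4) then entry_count * 4-byte offsets.
struct StcoAtom {
    uint8_t version = 0;
    uint32_t flags = 0;
    std::vector<uint32_t> chunk_offsets;
};

static uint32_t read_be32(const uint8_t* p) {
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) | (uint32_t(p[2]) << 8) | uint32_t(p[3]);
}

// Hardened parser: the payload size bounds entry_count before any allocation.
// Returns false on malformed input instead of asking the allocator for gigabytes.
bool parse_stco_payload(const uint8_t* data, size_t size, StcoAtom& out) {
    const size_t kHeaderSize = 8;  // version + flags + entry_count
    if (size < kHeaderSize) return false;
    out.version = data[0];
    out.flags = (uint32_t(data[1]) << 16) | (uint32_t(data[2]) << 8) | uint32_t(data[3]);
    uint32_t entry_count = read_be32(data + 4);
    // Divide the available bytes rather than multiplying the count, so the check cannot overflow.
    size_t available = size - kHeaderSize;
    if (entry_count > available / 4) return false;
    out.chunk_offsets.resize(entry_count);  // now bounded by the input we actually have
    for (uint32_t i = 0; i < entry_count; ++i) {
        out.chunk_offsets[i] = read_be32(data + kHeaderSize + 4 * size_t(i));
    }
    return true;
}

// Unchecked variant for contrast: the number of bytes a parser that trusts the count
// would request from the allocator, regardless of how many bytes the atom really holds.
uint64_t unchecked_alloc_bytes(const uint8_t* data, size_t size) {
    if (size < 8) return 0;
    return uint64_t(read_be32(data + 4)) * 4;
}

// Constructed sample payloads (not taken from the PoC file).
static const uint8_t kGoodStco[] = {
    0x00, 0x00, 0x00, 0x00,  // version 0, flags 0
    0x00, 0x00, 0x00, 0x02,  // entry_count = 2
    0x00, 0x00, 0x00, 0x30,  // offset 0x30
    0x00, 0x00, 0x10, 0x00   // offset 0x1000
};
static const uint8_t kHostileStco[] = {
    0x00, 0x00, 0x00, 0x00,  // version 0, flags 0
    0x40, 0x00, 0x08, 0x00   // entry_count = 0x40000800, but no entries follow
};
```

With the hostile payload the unchecked computation yields 0x100002000 bytes (4294975488, the figure in the ASAN message), while the bounded parser rejects it as soon as it sees the count exceeds the zero bytes of entry data that remain.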

@fgeek


fgeek commented Jan 3, 2019

Are you sure that this is not caused by ASan? On my amd64 server this uses 2.5 - 4G of memory and keeps processing the sample for at least a few hours. Maybe a denial of service issue.

Someone apparently requested a CVE for this, which got assigned https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20659. Description might need to be updated:

An issue was discovered in Bento4 1.5.1-627. The AP4_StcoAtom class in Core/Ap4StcoAtom.cpp has an attempted excessive memory allocation when called from AP4_AtomFactory::CreateAtomFromStream in Core/Ap4AtomFactory.cpp, as demonstrated by mp42hls.
@orivej

Contributor

orivej commented Jan 3, 2019

If you run mp42hls built without ASAN on this 1 KB file, it consumes a steady 8 GB of RAM and does not terminate. (ASAN needs a small constant multiple of the application RAM. If it has failed to allocate 4 GiB, I guess the application had requested between 1 and 4 GiB.)

@barbibulle barbibulle self-assigned this Jan 12, 2019

@barbibulle barbibulle added the fuzzing label Jan 12, 2019
