A Heap-buffer-overflow problem was discovered in function AP4_BitStream::WriteBytes(unsigned char const*, unsigned int) in Ap4BitStream.cpp. A crafted input can cause segment faults and I have confirmed them with address sanitizer too.
Here are the POC files. Please use "./avcinfo $POC" to reproduce the error. POC.zip
=================================================================
==5498==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eff4 at pc 0x0000004a817d bp 0x7ffddfab9910 sp 0x7ffddfab90c0
READ of size 8 at 0x60200000eff4 thread T0
#0 0x4a817c in __asan_memcpy (/Bento4/Build/avcinfo+0x4a817c)
#1 0x4f90ab in AP4_BitStream::WriteBytes(unsigned char const*, unsigned int) /Bento4/Source/C++/Codecs/Ap4BitStream.cpp:133:9
#2 0x4f4829 in PrintSliceInfo(unsigned char const*) /Bento4/Source/C++/Apps/AvcInfo/AvcInfo.cpp:84:5
#3 0x4f40a3 in main /Bento4/Source/C++/Apps/AvcInfo/AvcInfo.cpp:171:21
#4 0x7f9e01e3982f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#5 0x41e318 in _start (/Bento4/Build/avcinfo+0x41e318)
0x60200000eff4 is located 0 bytes to the right of 4-byte region [0x60200000eff0,0x60200000eff4)
allocated by thread T0 here:
#0 0x4efb90 in operator new[](unsigned long) (/Bento4/Build/avcinfo+0x4efb90)
#1 0x51b622 in AP4_DataBuffer::ReallocateBuffer(unsigned int) /Bento4/Source/C++/Core/Ap4DataBuffer.cpp:210:28
#2 0x51bb39 in AP4_DataBuffer::SetDataSize(unsigned int) /Bento4/Source/C++/Core/Ap4DataBuffer.cpp:151:33
#3 0x4f786b in AP4_NalParser::Feed(void const*, unsigned int, unsigned int&, AP4_DataBuffer const*&, bool) /Bento4/Source/C++/Codecs/Ap4NalParser.cpp:188:9
#4 0x4f39f5 in main /Bento4/Source/C++/Apps/AvcInfo/AvcInfo.cpp:150:22
#5 0x7f9e01e3982f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
SUMMARY: AddressSanitizer: heap-buffer-overflow (/Bento4/Build/avcinfo+0x4a817c) in __asan_memcpy
Shadow bytes around the buggy address:
0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[04]fa
0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==5498==ABORTING
Aborted
$ git log
commit 5a0ce8023ea312a2d87c194049106e893ed57767
Merge: 91d2bc6 bab5bb9
Author: Gilles Boccon-Gibod <bok@bok.net>
Date: Fri Dec 28 22:42:38 2018 -0800
Merge pull request #347 from orivej/apps
Let Scons and CMake build all apps
The text was updated successfully, but these errors were encountered:
Hi, there.
A Heap-buffer-overflow problem was discovered in function AP4_BitStream::WriteBytes(unsigned char const*, unsigned int) in Ap4BitStream.cpp. A crafted input can cause segment faults and I have confirmed them with address sanitizer too.
Here are the POC files. Please use "./avcinfo $POC" to reproduce the error.
POC.zip
$ git log
The text was updated successfully, but these errors were encountered: