A heap-buffer-overflow problem was discovered in function AP4_BitStream::WriteBytes(unsigned char const*, unsigned int) in Ap4BitStream.cpp. A crafted input can cause segmentation faults, and I have confirmed them with AddressSanitizer too.
Here are the POC files. Please use "./avcinfo $POC" to reproduce the error. POC.zip
=================================================================
==5498==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000eff4 at pc 0x0000004a817d bp 0x7ffddfab9910 sp 0x7ffddfab90c0
READ of size 8 at 0x60200000eff4 thread T0
#0 0x4a817c in __asan_memcpy (/Bento4/Build/avcinfo+0x4a817c)
#1 0x4f90ab in AP4_BitStream::WriteBytes(unsigned char const*, unsigned int) /Bento4/Source/C++/Codecs/Ap4BitStream.cpp:133:9
#2 0x4f4829 in PrintSliceInfo(unsigned char const*) /Bento4/Source/C++/Apps/AvcInfo/AvcInfo.cpp:84:5
#3 0x4f40a3 in main /Bento4/Source/C++/Apps/AvcInfo/AvcInfo.cpp:171:21
#4 0x7f9e01e3982f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#5 0x41e318 in _start (/Bento4/Build/avcinfo+0x41e318)
0x60200000eff4 is located 0 bytes to the right of 4-byte region [0x60200000eff0,0x60200000eff4)
allocated by thread T0 here:
#0 0x4efb90 in operator new[](unsigned long) (/Bento4/Build/avcinfo+0x4efb90)
#1 0x51b622 in AP4_DataBuffer::ReallocateBuffer(unsigned int) /Bento4/Source/C++/Core/Ap4DataBuffer.cpp:210:28
#2 0x51bb39 in AP4_DataBuffer::SetDataSize(unsigned int) /Bento4/Source/C++/Core/Ap4DataBuffer.cpp:151:33
#3 0x4f786b in AP4_NalParser::Feed(void const*, unsigned int, unsigned int&, AP4_DataBuffer const*&, bool) /Bento4/Source/C++/Codecs/Ap4NalParser.cpp:188:9
#4 0x4f39f5 in main /Bento4/Source/C++/Apps/AvcInfo/AvcInfo.cpp:150:22
#5 0x7f9e01e3982f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
SUMMARY: AddressSanitizer: heap-buffer-overflow (/Bento4/Build/avcinfo+0x4a817c) in __asan_memcpy
Shadow bytes around the buggy address:
0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[04]fa
0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==5498==ABORTING
Aborted
$ git log
commit 5a0ce8023ea312a2d87c194049106e893ed57767
Merge: 91d2bc6 bab5bb9
Author: Gilles Boccon-Gibod <bok@bok.net>
Date: Fri Dec 28 22:42:38 2018 -0800
Merge pull request #347 from orivej/apps
Let Scons and CMake build all apps
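The sanitizer report above is a READ of 8 bytes by memcpy from a 4-byte heap region: the region was sized by AP4_NalParser::Feed to hold the NAL unit, and WriteBytes was then asked to copy more bytes than that unit contains. The added example below (not Bento4's code; CheckedBitStream, SliceInfo and InspectSlice are hypothetical names) shows the defensive shape of that call: the source length travels with the pointer, and a request that cannot be satisfied is refused before any byte is read. The 8-byte header size and the 4-byte input are taken from the report; the sample NAL bytes are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical bounds-checked bit-stream writer (added example, not Bento4's AP4_BitStream).
// Every write carries the size of its source buffer and is refused when the
// requested byte_count exceeds it, which is exactly the condition the ASan
// report shows being violated (8-byte READ from a 4-byte region).
class CheckedBitStream {
public:
    bool WriteBytes(const uint8_t* src, size_t src_size, size_t byte_count) {
        if (src == nullptr || byte_count > src_size) return false;  // would read out of bounds
        m_bytes.insert(m_bytes.end(), src, src + byte_count);
        return true;
    }
    size_t Size() const { return m_bytes.size(); }
    const std::vector<uint8_t>& Bytes() const { return m_bytes; }
private:
    std::vector<uint8_t> m_bytes;
};

// Result of inspecting one NAL unit. ok == false with queued_bytes == 0 means the
// unit was rejected before anything was copied.
struct SliceInfo {
    bool ok;
    unsigned nal_ref_idc;
    unsigned nal_unit_type;
    size_t queued_bytes;
};

// Mirrors the call shape in the trace (slice printer -> WriteBytes), but the NAL
// size is passed alongside the pointer. kHeaderBytes is the 8-byte read size
// reported by AddressSanitizer.
SliceInfo InspectSlice(const uint8_t* nal_unit, size_t nal_size) {
    const size_t kHeaderBytes = 8;
    SliceInfo info{false, 0, 0, 0};
    CheckedBitStream bits;
    if (!bits.WriteBytes(nal_unit, nal_size, kHeaderBytes)) {
        return info;  // a 4-byte unit like the one in the report lands here instead of over-reading
    }
    // Decode the one-byte NAL header (H.264 7.3.1): forbidden_zero_bit | nal_ref_idc(2) | nal_unit_type(5)
    const uint8_t hdr = bits.Bytes()[0];
    info.ok = (hdr & 0x80) == 0;          // forbidden_zero_bit must be 0
    info.nal_ref_idc = (hdr >> 5) & 0x3;
    info.nal_unit_type = hdr & 0x1F;
    info.queued_bytes = bits.Size();
    return info;
}

int main() {
    // Constructed inputs: a 4-byte unit (same size as the region in the ASan report)
    // and an 8-byte unit whose header byte 0x65 encodes nal_ref_idc=3, nal_unit_type=5 (IDR slice).
    const uint8_t short_unit[4] = {0x65, 0x88, 0x84, 0x00};
    const uint8_t idr_unit[8]   = {0x65, 0x88, 0x84, 0x00, 0x33, 0xFF, 0x00, 0x10};
    SliceInfo a = InspectSlice(short_unit, sizeof(short_unit));
    SliceInfo b = InspectSlice(idr_unit, sizeof(idr_unit));
    return (!a.ok && a.queued_bytes == 0 && b.ok && b.nal_unit_type == 5) ? 0 : 1;
}
```

The point of the design is that the length check lives in the writer, so every caller that hands over a pointer is forced to also say how many bytes are behind it; a caller that only has a pointer cannot compile, which is the class of mistake the trace points at.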