Description - we observed a heap-buffer-overflow occurred in function AP4_BitStream::ReadBytes() located in Ap4BitStream.cpp. The same can be triggered by sending a crafted file to the aac2mp4 binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact.
ASAN REPORT:
==2056==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000002100 at pc 0x7ffff6e93733 bp 0x7fffffffc840 sp 0x7fffffffbfe8
READ of size 4294967289 at 0x625000002100 thread T0
#0 0x7ffff6e93732 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732)
#1 0x555555868840 in AP4_BitStream::ReadBytes(unsigned char*, unsigned int) /home/aceteam/Desktop/packages/Bento4/Source/C++/Codecs/Ap4BitStream.cpp:192
#2 0x555555864ecb in main /home/aceteam/Desktop/packages/Bento4/Source/C++/Apps/Aac2Mp4/Aac2Mp4.cpp:142
#3 0x7ffff64a9b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#4 0x555555864369 in _start (/home/aceteam/Desktop/packages/Bento4/builds/aac2mp4+0x310369)
0x625000002100 is located 0 bytes to the right of 8192-byte region [0x625000000100,0x625000002100)
allocated by thread T0 here:
#0 0x7ffff6efa618 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe0618)
#1 0x555555867a67 in AP4_BitStream::AP4_BitStream() /home/aceteam/Desktop/packages/Bento4/Source/C++/Codecs/Ap4BitStream.cpp:45
#2 0x5555558661f2 in AP4_AdtsParser::AP4_AdtsParser() /home/aceteam/Desktop/packages/Bento4/Source/C++/Codecs/Ap4AdtsParser.cpp:125
#3 0x55555586492a in main /home/aceteam/Desktop/packages/Bento4/Source/C++/Apps/Aac2Mp4/Aac2Mp4.cpp:100
#4 0x7ffff64a9b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732)
Shadow bytes around the buggy address:
0x0c4a7fff83d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff83e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff83f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff8400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff8410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4a7fff8420: [fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==2056==ABORTING
Command -
./aac2mp4 $POC output.mp4
POC - REPRODUCER
Debug -
ASAN REPORT -
GDB -
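The READ size in the ASan report above, 4294967289, equals 2^32 - 7, while the buffer it reads from is 8192 bytes. The following is an added example, not Bento4 code and not the reporter's: a hypothetical `RingBuffer::ReadBytes` and `PayloadSize` that reject such a size on the callee and caller side. The 7-byte header and the wrapped subtraction are assumptions, since the page does not show the calling code.

```cpp
#include <cstdint>
#include <cstring>

// Hypothetical stand-in for a fixed-size stream buffer; not Bento4's AP4_BitStream.
constexpr uint32_t kBufferSize = 8192;  // region size from the ASan report

struct RingBuffer {
    uint8_t  data[kBufferSize];
    uint32_t out = 0;        // read position
    uint32_t contained = 0;  // bytes currently buffered

    // Copy byte_count bytes to dst; refuse any request larger than what is buffered.
    bool ReadBytes(uint8_t* dst, uint32_t byte_count) {
        if (dst == nullptr || byte_count > contained) return false;
        uint32_t first = kBufferSize - out;  // bytes available before wrap-around
        if (first > byte_count) first = byte_count;
        std::memcpy(dst, data + out, first);
        std::memcpy(dst + first, data, byte_count - first);
        out = (out + byte_count) % kBufferSize;
        contained -= byte_count;
        return true;
    }
};

// Payload size for a frame whose declared length includes its header.
// Returns false instead of letting frame_length - header_size wrap around.
bool PayloadSize(uint32_t frame_length, uint32_t header_size, uint32_t* payload) {
    if (frame_length < header_size) return false;
    *payload = frame_length - header_size;
    return true;
}

// Constructed scenario: declared length 0 with a 7-byte header (assumed values).
bool DemoRejectsWrappedSize() {
    RingBuffer rb;
    std::memset(rb.data, 0xAB, sizeof rb.data);
    rb.contained = 100;
    uint8_t dst[16];
    uint32_t wrapped = 0u - 7u;  // unsigned wrap: the READ size ASan reported
    uint32_t payload = 0;
    return wrapped == 4294967289u &&
           !PayloadSize(0, 7, &payload) &&  // caller-side check
           !rb.ReadBytes(dst, wrapped) &&   // callee-side check
           rb.contained == 100;             // state untouched on rejection
}

int main() { return DemoRejectsWrappedSize() ? 0 : 1; }
```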