
A heap-buffer-overflow occurred in function AP4_BitStream::ReadBytes() #363

Open
SegfaultMasters opened this issue Jan 29, 2019 · 0 comments

SegfaultMasters commented Jan 29, 2019

Description - We observed a heap-buffer-overflow that occurred in function AP4_BitStream::ReadBytes(), located in Ap4BitStream.cpp. The same can be triggered by sending a crafted file to the aac2mp4 binary. It allows an attacker to cause a Denial of Service (Segmentation fault) or possibly have unspecified other impact.

Command - ./aac2mp4 $POC output.mp4

POC - REPRODUCER

Debug -

ASAN REPORT -
==2056==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000002100 at pc 0x7ffff6e93733 bp 0x7fffffffc840 sp 0x7fffffffbfe8
READ of size 4294967289 at 0x625000002100 thread T0
#0 0x7ffff6e93732 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732)
#1 0x555555868840 in AP4_BitStream::ReadBytes(unsigned char*, unsigned int) /home/aceteam/Desktop/packages/Bento4/Source/C++/Codecs/Ap4BitStream.cpp:192
#2 0x555555864ecb in main /home/aceteam/Desktop/packages/Bento4/Source/C++/Apps/Aac2Mp4/Aac2Mp4.cpp:142
#3 0x7ffff64a9b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#4 0x555555864369 in _start (/home/aceteam/Desktop/packages/Bento4/builds/aac2mp4+0x310369)


0x625000002100 is located 0 bytes to the right of 8192-byte region [0x625000000100,0x625000002100)
allocated by thread T0 here:
#0 0x7ffff6efa618 in operator new [] (unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe0618)
#1 0x555555867a67 in AP4_BitStream::AP4_BitStream() /home/aceteam/Desktop/packages/Bento4/Source/C++/Codecs/Ap4BitStream.cpp:45
#2 0x5555558661f2 in AP4_AdtsParser::AP4_AdtsParser() /home/aceteam/Desktop/packages/Bento4/Source/C++/Codecs/Ap4AdtsParser.cpp:125
#3 0x55555586492a in main /home/aceteam/Desktop/packages/Bento4/Source/C++/Apps/Aac2Mp4/Aac2Mp4.cpp:100
#4 0x7ffff64a9b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)


SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732) 
Shadow bytes around the buggy address:
0x0c4a7fff83d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff83e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff83f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff8400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff8410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4a7fff8420: [fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07 
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==2056==ABORTING

GDB -

Program received signal SIGSEGV, Segmentation fault.
[ Legend: Modified register | Code | Heap | Stack | String ]
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ registers ]────
$rax   : 0x7ffef70a4010      →  0x0000000000000000
$rbx   : 0x7fffffffcc48      →  0x000055555588f8d0  →  0xf7c6e70fa88241a4
$rcx   : 0x555555890136      →  0x100389d9fd941721
$rdx   : 0xfffffff9        
$rsp   : 0x7fffffffcb48      →  0x00005555555bd601  →  <AP4_BitStream::ReadBytes(unsigned+0> mov rax, QWORD PTR [rbp-0x18]
$rbp   : 0x7fffffffcb80      →  0x00007fffffffdca0  →  0x0000555555631190  →  <__libc_csu_init+0> push r15
$rsi   : 0x555555890136      →  0x100389d9fd941721
$rdi   : 0x7ffef70a4010      →  0x0000000000000000
$rip   : 0x7ffff74fe6d3      →  <__memmove_sse2_unaligned_erms+435> movups xmm8, XMMWORD PTR [rsi+rdx*1-0x10]
$r8    : 0xffffffff        
$r9    : 0x0               
$r10   : 0x22              
$r11   : 0x246             
$r12   : 0xfffffff9        
$r13   : 0x7fffffffdd80      →  0x0000000000000003
$r14   : 0x0               
$r15   : 0x0               
$eflags: [zero carry parity ADJUST sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$gs: 0x0000  $fs: 0x0000  $ds: 0x0000  $ss: 0x002b  $es: 0x0000  $cs: 0x0033  
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ stack ]────
0x00007fffffffcb48│+0x00: 0x00005555555bd601  →  <AP4_BitStream::ReadBytes(unsigned+0> mov rax, QWORD PTR [rbp-0x18]     ← $rsp
0x00007fffffffcb50│+0x08: 0x00007fffffffcb80  →  0x00007fffffffdca0  →  0x0000555555631190  →  <__libc_csu_init+0> push r15
0x00007fffffffcb58│+0x10: 0xfffffff95589a0a0
0x00007fffffffcb60│+0x18: 0x00007ffef70a4010  →  0x0000000000000000
0x00007fffffffcb68│+0x20: 0x00007fffffffcc48  →  0x000055555588f8d0  →  0xf7c6e70fa88241a4
0x00007fffffffcb70│+0x28: 0x000055555589a070  →  0x00005555558714c8  →  0x00005555555bec94  →  <AP4_MemoryByteStream::~AP4_MemoryByteStream()+0> push rbp
0x00007fffffffcb78│+0x30: 0xe9967b959a292100
0x00007fffffffcb80│+0x38: 0x00007fffffffdca0  →  0x0000555555631190  →  <__libc_csu_init+0> push r15     ← $rbp
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ code:i386:x86-64 ]────
   0x7ffff74fe6c6 <__memmove_sse2_unaligned_erms+422> movups xmm5, XMMWORD PTR es:[rsi+0x10]
   0x7ffff74fe6cb <__memmove_sse2_unaligned_erms+427> movups xmm6, XMMWORD PTR [rsi+0x20]
   0x7ffff74fe6cf <__memmove_sse2_unaligned_erms+431> movups xmm7, XMMWORD PTR [rsi+0x30]
→ 0x7ffff74fe6d3 <__memmove_sse2_unaligned_erms+435> movups xmm8, XMMWORD PTR [rsi+rdx*1-0x10]
   0x7ffff74fe6d9 <__memmove_sse2_unaligned_erms+441> lea    r11, [rdi+rdx*1-0x10]
   0x7ffff74fe6de <__memmove_sse2_unaligned_erms+446> lea    rcx, [rsi+rdx*1-0x10]
   0x7ffff74fe6e3 <__memmove_sse2_unaligned_erms+451> mov    r9, r11
   0x7ffff74fe6e6 <__memmove_sse2_unaligned_erms+454> mov    r8, r11
   0x7ffff74fe6e9 <__memmove_sse2_unaligned_erms+457> and    r8, 0xf
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ threads ]────
[#0] Id 1, Name: "aac2mp4", stopped, reason: SIGSEGV
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ trace ]────
[#0] 0x7ffff74fe6d3 → Name: __memmove_sse2_unaligned_erms()
[#1] 0x5555555bd601 → Name: AP4_BitStream::ReadBytes(this=0x7fffffffcc48, bytes=0x7ffef70a4010 "", byte_count=0xfffffff9)
[#2] 0x5555555bc395 → Name: main(argc=0x3, argv=0x7fffffffdd88)

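The reports above show the essential numbers: a 8192-byte heap region, a READ of size 4294967289, and byte_count=0xfffffff9 in the ReadBytes frame. 0xfffffff9 is the 32-bit two's-complement bit pattern of -7, so a signed length that went negative and was then handed to an unsigned byte_count is one way such a value reaches memcpy. The following is an added example, not Bento4's code and not the reporter's; the reader type, its buffer layout and the length arithmetic are hypothetical, kept only to mirror the sizes in the report. It shows a checked ReadBytes that refuses a count larger than the bytes actually buffered, and a length computation that validates before converting to unsigned.

```cpp
// Added example (hypothetical names, not Bento4 code): a buffered byte reader
// that rejects byte counts larger than the data it holds.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstring>

// Reader sized like the 8192-byte heap region in the ASan report.
struct ByteReader {
    static constexpr std::size_t kBufferSize = 8192;
    unsigned char buffer[kBufferSize];
    std::size_t in  = 0;   // write position: bytes appended so far
    std::size_t out = 0;   // read position

    std::size_t Available() const { return in - out; }

    // Append data; returns how many bytes were actually stored (never past the end).
    std::size_t Feed(const unsigned char* data, std::size_t len) {
        std::size_t room = kBufferSize - in;
        std::size_t n = std::min(len, room);
        std::memcpy(buffer + in, data, n);
        in += n;
        return n;
    }

    // Checked read: a count beyond Available() would make memcpy read past the
    // end of buffer (the READ of size 4294967289 in the report), so refuse it.
    bool ReadBytes(unsigned char* dst, unsigned int byte_count) {
        if (byte_count > Available()) return false;
        std::memcpy(dst, buffer + out, byte_count);
        out += byte_count;
        return true;
    }
};

// Illustration of how 0xfffffff9 can arise: a signed payload length that goes
// negative (7 - 14 = -7) and is converted to the unsigned type the reader takes.
// This is not Bento4's arithmetic, only a demonstration of the conversion.
unsigned int PayloadLength(int frame_length, int header_length) {
    int payload = frame_length - header_length;
    return static_cast<unsigned int>(payload);
}

// Hardened variant: validate the relationship before converting.
bool SafePayloadLength(int frame_length, int header_length, unsigned int* out) {
    if (frame_length < 0 || header_length < 0 || frame_length < header_length) return false;
    *out = static_cast<unsigned int>(frame_length - header_length);
    return true;
}

// Drive the reader with 7 constructed bytes and the wrapped length.
// Returns true when the checked read correctly refuses the oversized count.
bool Demo() {
    ByteReader r;
    const unsigned char constructed[7] = {0xFF, 0xF1, 0x50, 0x80, 0x00, 0xFF, 0xFC};  // constructed input
    r.Feed(constructed, sizeof constructed);
    unsigned int len = PayloadLength(7, 14);   // 0xfffffff9
    unsigned char dst[16];
    return !r.ReadBytes(dst, len);             // an unchecked memcpy here would read ~4 GiB past buffer
}
```

The check is on the reader side rather than the caller's, because every caller of a ReadBytes-style routine would otherwise need to repeat it; the SafePayloadLength variant additionally stops the negative value from ever being converted, which is the earlier of the two places to catch it.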