Description - we observed an out-of-bounds write occurring in function AP4_Array<AP4_CttsTableEntry>::SetItemCount() located in Ap4Array.h. The same can be triggered by sending a crafted file to the [mp42hls.exe(windows)] [mp42hls(ubuntu)] binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact.
Command in linux - mp42hls --hls-version 3 --pmt-pid 0x100 --video-pid 0x102 --video-track-id 1 --segment-duration 6 --segment-duration-threshold 15 --pcr-offset 10000 --index-filename stream.m3u8 --segment-filename-template stream.mp4 --output-single-file $POC
Command in windows - mp42hls.exe --hls-version 3 --pmt-pid 0x100 --video-pid 0x102 --video-track-id 1 --segment-duration 6 --segment-duration-threshold 15 --pcr-offset 10000 --index-filename stream.m3u8 --segment-filename-template stream.mp4 --output-single-file $POC
POC - REPRODUCER
Debug -
ASAN report:
WARNING: forcing version to 4 in order to support single file output
=================================================================
==9911==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb4303d10 at pc 0x08187f87 bp 0xbfffd008 sp 0xbfffcff8
WRITE of size 4 at 0xb4303d10 thread T0
#0 0x8187f86 in AP4_CttsTableEntry::AP4_CttsTableEntry() /Bento4/Source/C++/Core/Ap4CttsAtom.h:51
#1 0x8188428 in AP4_Array<AP4_CttsTableEntry>::SetItemCount(unsigned int) /Bento4/Source/C++/Core/Ap4Array.h:215
#2 0x8187441 in AP4_CttsAtom::AP4_CttsAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&) /Bento4/Source/C++/Core/Ap4CttsAtom.cpp:79
#3 0x81870aa in AP4_CttsAtom::Create(unsigned int, AP4_ByteStream&) /Bento4/Source/C++/Core/Ap4CttsAtom.cpp:52
#4 0x8196e9a in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /Bento4/Source/C++/Core/Ap4AtomFactory.cpp:469
#5 0x81950ee in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /Bento4/Source/C++/Core/Ap4AtomFactory.cpp:231
#6 0x80c376f in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194
#7 0x80c31a1 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139
#8 0x80c2c79 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88
#9 0x81987d0 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /Bento4/Source/C++/Core/Ap4AtomFactory.cpp:774
#10 0x81950ee in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /Bento4/Source/C++/Core/Ap4AtomFactory.cpp:231
#11 0x80c376f in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194
#12 0x80c31a1 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139
#13 0x80c2c79 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88
#14 0x81987d0 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /Bento4/Source/C++/Core/Ap4AtomFactory.cpp:774
SUMMARY: AddressSanitizer: heap-buffer-overflow /Bento4/Source/C++/Core/Ap4CttsAtom.h:51 AP4_CttsTableEntry::AP4_CttsTableEntry()
Shadow bytes around the buggy address:
0x36860750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x36860760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x36860770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x36860780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x36860790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x368607a0: 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
0x368607b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x368607c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x368607d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x368607e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x368607f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==9911==ABORTING
GDB -
source:/home/loginsoft/ACE/sources/himanshu_sources/Bento4/Source/C++/Core/Ap4Array.h+215 ────
210 AP4_Result result = EnsureCapacity(item_count);
211 if (AP4_FAILED(result)) return result;
212
213 // construct the new items
214 for (unsigned int i=m_ItemCount; i<item_count; i++) {
// i=0x27ae
→ 215 new ((void*)&m_Items[i]) T();
216 }
217 m_ItemCount = item_count;
218 return AP4_SUCCESS;
219 }
220
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "mp42hls", stopped, reason: SIGSEGV
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x810429f → AP4_Array<AP4_SbgpAtom::Entry>::SetItemCount(this=0x8165278, item_count=0x80000001)
[#1] 0x8103d92 → AP4_SbgpAtom::AP4_SbgpAtom(this=0x8165250, size=0x1c, version=0x0, flags=0x0, stream=@0x8159ea0)
[#2] 0x8103bf5 → AP4_SbgpAtom::Create(size=0x1c, stream=@0x8159ea0)
[#3] 0x80f59da → AP4_AtomFactory::CreateAtomFromStream(this=0xbffff1c4, stream=@0x8159ea0, type=0x73626770, size_32=0x1c, size_64=0x1c, atom=@0xbfffe72c)
[#4] 0x80f412a → AP4_AtomFactory::CreateAtomFromStream(this=0xbffff1c4, stream=@0x8159ea0, bytes_available=@0xbfffe730, atom=@0xbfffe72c)
[#5] 0x80a4cd5 → AP4_ContainerAtom::ReadChildren(this=0x815ea10, atom_factory=@0xbffff1c4, stream=@0x8159ea0, size=0x4a40)
[#6] 0x80a4a44 → AP4_ContainerAtom::AP4_ContainerAtom(this=0x815ea10, type=0x7374626c, size=0x4a48, force_64=0x0, stream=@0x8159ea0, atom_factory=@0xbffff1c4)
[#7] 0x80a47e5 → AP4_ContainerAtom::Create(type=0x7374626c, size=0x4a48, is_full=0x0, force_64=0x0, stream=@0x8159ea0, atom_factory=@0xbffff1c4)
[#8] 0x80f5bbf → AP4_AtomFactory::CreateAtomFromStream(this=0xbffff1c4, stream=@0x8159ea0, type=0x7374626c, size_32=0x4a48, size_64=0x4a48, atom=@0xbfffe93c)
[#9] 0x80f412a → AP4_AtomFactory::CreateAtomFromStream(this=0xbffff1c4, stream=@0x8159ea0, bytes_available=@0xbfffe940, atom=@0xbfffe93c)
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
gef➤ p/d entry_count
$3 = 1073742722
gef➤ p/d item_count
$4 = 1073742722
gef➤ ptype i
type = unsigned int
gef➤ p/d i
$13 = 15468
gef➤ p/d m_Items
$14 = 135638176
gef➤ ptype m_Items
type = class AP4_CttsTableEntry {
public:
AP4_UI32 m_SampleCount;
AP4_UI32 m_SampleOffset;
AP4_CttsTableEntry(void);
AP4_CttsTableEntry(AP4_UI32, AP4_UI32);
} *
gef➤ x m_Items[i]
Cannot access memory at address 0x8179000
gef➤ p m_Items[15468]
Cannot access memory at address 0x8179000
gef➤ i r
eax 0x8179000 0x8179000
ecx 0xb7df3780 0xb7df3780
edx 0x1e360 0x1e360
ebx 0x815ac60 0x815ac60
esp 0xbfffe528 0xbfffe528
ebp 0xbfffe528 0xbfffe528
esi 0x1c20 0x1c20
edi 0xb7df3000 0xb7df3000
eip 0x80ef168 0x80ef168 <AP4_CttsTableEntry::AP4_CttsTableEntry()+6>
eflags 0x10292 [ AF SF IF RF ]
cs 0x73 0x73
ss 0x7b 0x7b
ds 0x7b 0x7b
es 0x7b 0x7b
fs 0x0 0x0
gs 0x33 0x33
DEBUG ON WINDOWS -
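The trace above shows SetItemCount() being handed the raw entry_count read from the ctts atom (1073742722 in the gdb session) before any entries are read, so the table is sized from an attacker-controlled count rather than from the bytes actually present. The following is an added example, not Bento4 code and not the reporter's POC: a minimal ctts payload parser in C that shows the unchecked count beside a checked version that bounds entry_count by the remaining payload. The byte arrays, function names and the 8-byte entry/header sizes are constructed for illustration; the entry layout (version/flags, entry_count, then sample_count/sample_offset pairs) follows the ctts definition.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

/* ctts payload: version(1) flags(3) entry_count(4), then
 * entry_count x { sample_count(4), sample_offset(4) }. */
#define CTTS_HEADER_SIZE 8u
#define CTTS_ENTRY_SIZE  8u

typedef struct { uint32_t sample_count; uint32_t sample_offset; } ctts_entry;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Unchecked variant: returns the count the table would be sized for,
 * trusting the file. It deliberately allocates nothing, so it is safe
 * to run; it only shows what value reaches the allocator. */
uint32_t ctts_count_unchecked(const uint8_t *payload, size_t payload_len) {
    if (payload_len < CTTS_HEADER_SIZE) return 0;
    return be32(payload + 4);
}

/* Checked variant: entry_count must fit in the bytes that follow it.
 * Returns 0 and fills *out/*out_count on success, -1 on a malformed atom.
 * The caller frees *out. */
int ctts_parse_checked(const uint8_t *payload, size_t payload_len,
                       ctts_entry **out, uint32_t *out_count) {
    *out = NULL; *out_count = 0;
    if (payload_len < CTTS_HEADER_SIZE) return -1;
    uint32_t entry_count = be32(payload + 4);
    size_t remaining = payload_len - CTTS_HEADER_SIZE;
    /* Divide rather than multiply: entry_count * 8 wraps in 32 bits
     * for counts like 0x40000382, which would pass a multiplied check. */
    if (entry_count > remaining / CTTS_ENTRY_SIZE) return -1;
    ctts_entry *table = calloc(entry_count ? entry_count : 1, sizeof *table);
    if (!table) return -1;
    const uint8_t *p = payload + CTTS_HEADER_SIZE;
    for (uint32_t i = 0; i < entry_count; i++, p += CTTS_ENTRY_SIZE) {
        table[i].sample_count  = be32(p);
        table[i].sample_offset = be32(p + 4);
    }
    *out = table; *out_count = entry_count;
    return 0;
}

/* Constructed sample payloads (assumptions for this example, not the POC file). */
static const uint8_t GOOD_CTTS[] = {
    0x00,0x00,0x00,0x00,                      /* version 0, flags 0 */
    0x00,0x00,0x00,0x02,                      /* entry_count = 2 */
    0x00,0x00,0x00,0x01, 0x00,0x00,0x04,0x00, /* count 1, offset 1024 */
    0x00,0x00,0x00,0x03, 0x00,0x00,0x00,0x00, /* count 3, offset 0 */
};
/* entry_count = 0x40000382 = 1073742722, the value seen in gdb above,
 * backed by a single entry's worth of bytes. */
static const uint8_t BAD_CTTS[] = {
    0x00,0x00,0x00,0x00,
    0x40,0x00,0x03,0x82,
    0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
};

int main(void) {
    ctts_entry *t; uint32_t n;
    printf("unchecked: would size table for %u entries from %zu payload bytes\n",
           ctts_count_unchecked(BAD_CTTS, sizeof BAD_CTTS), sizeof BAD_CTTS);
    if (ctts_parse_checked(BAD_CTTS, sizeof BAD_CTTS, &t, &n) != 0)
        puts("checked: crafted atom rejected");
    if (ctts_parse_checked(GOOD_CTTS, sizeof GOOD_CTTS, &t, &n) == 0) {
        printf("checked: parsed %u entries, first offset %u\n", n, t[0].sample_offset);
        free(t);
    }
    return 0;
}
```

The check compares the declared count against the atom's own size, which the factory already knows when it calls Create(); rejecting the atom there means SetItemCount() is never asked to construct more items than the file can supply.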