Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Out of bound write in AP4_CttsTableEntry::AP4_CttsTableEntry() #374

Open
SegfaultMasters opened this Issue Feb 28, 2019 · 0 comments

Comments

Projects
None yet
1 participant
@SegfaultMasters
Copy link

SegfaultMasters commented Feb 28, 2019

Description - we observed a Out of bound write occured in function AP4_Array<AP4_CttsTableEntry>::SetItemCount() located in Ap4Array.h.The same be triggered by sending a crafted file to the [mp42hls.exe(windows)] [mp42hls(ubuntu)] binary. It allows an attacker to cause Denial of Service (Segmentation fault) or possibly have unspecified other impact.
Command in linux - mp42hls --hls-version 3 --pmt-pid 0x100 --video-pid 0x102 --video-track-id 1 --segment-duration 6 --segment-duration-threshold 15 --pcr-offset 10000 --index-filename stream.m3u8 --segment-filename-template stream.mp4 --output-single-file $POC
Command in windows - mp42hls.exe --hls-version 3 --pmt-pid 0x100 --video-pid 0x102 --video-track-id 1 --segment-duration 6 --segment-duration-threshold 15 --pcr-offset 10000 --index-filename stream.m3u8 --segment-filename-template stream.mp4 --output-single-file $POC
POC - REPRODUCER
Degub -
ASAN REPORT -

ASAN report: 
WARNING: forcing version to 4 in order to support single file output 
================================================================= 
==9911==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb4303d10 at pc 0x08187f87 bp 0xbfffd008 sp 0xbfffcff8 
WRITE of size 4 at 0xb4303d10 thread T0 
    #0 0x8187f86 in AP4_CttsTableEntry::AP4_CttsTableEntry() /Bento4/Source/C++/Core/Ap4CttsAtom.h:51 
    #1 0x8188428 in AP4_Array<AP4_CttsTableEntry>::SetItemCount(unsigned int) /Bento4/Source/C++/Core/Ap4Array.h:215 
    #2 0x8187441 in AP4_CttsAtom::AP4_CttsAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&) /Bento4/Source/C++/Core/Ap4CttsAtom.cpp:79 
    #3 0x81870aa in AP4_CttsAtom::Create(unsigned int, AP4_ByteStream&) /Bento4/Source/C++/Core/Ap4CttsAtom.cpp:52 
    #4 0x8196e9a in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /Bento4/Source/C++/Core/Ap4AtomFactory.cpp:469 
    #5 0x81950ee in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /Bento4/Source/C++/Core/Ap4AtomFactory.cpp:231 
    #6 0x80c376f in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194 
    #7 0x80c31a1 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139 
    #8 0x80c2c79 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88 
    #9 0x81987d0 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /Bento4/Source/C++/Core/Ap4AtomFactory.cpp:774 
    #10 0x81950ee in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /Bento4/Source/C++/Core/Ap4AtomFactory.cpp:231 
    #11 0x80c376f in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194 
    #12 0x80c31a1 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139 
    #13 0x80c2c79 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88 
    #14 0x81987d0 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /Bento4/Source/C++/Core/Ap4AtomFactory.cpp:774 
SUMMARY: AddressSanitizer: heap-buffer-overflow /Bento4/Source/C++/Core/Ap4CttsAtom.h:51 AP4_CttsTableEntry::AP4_CttsTableEntry() 
Shadow bytes around the buggy address: 
  0x36860750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
  0x36860760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
  0x36860770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
  0x36860780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
  0x36860790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
=>0x368607a0: 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa 
  0x368607b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 
  0x368607c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 
  0x368607d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 
  0x368607e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 
  0x368607f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 
Shadow byte legend (one shadow byte represents 8 application bytes): 
  Addressable:           00 
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa 
  Heap right redzone:      fb 
  Freed heap region:       fd 
  Stack left redzone:      f1 
  Stack mid redzone:       f2 
  Stack right redzone:     f3 
  Stack partial redzone:   f4 
  Stack after return:      f5 
  Stack use after scope:   f8 
  Global redzone:          f9 
  Global init order:       f6 
  Poisoned by user:        f7 
  Container overflow:      fc 
  Array cookie:            ac 
  Intra object redzone:    bb 
  ASan internal:           fe 
==9911==ABORTING 

GDB -

source:/home/loginsoft/ACE/sources/himanshu_sources/Bento4/Source/C++/Core/Ap4Array.h+215 ────
   210      AP4_Result result = EnsureCapacity(item_count);
   211      if (AP4_FAILED(result)) return result;
   212
   213      // construct the new items
   214      for (unsigned int i=m_ItemCount; i<item_count; i++) {
               // i=0x27ae
→  215          new ((void*)&m_Items[i]) T();
   216      }
   217      m_ItemCount = item_count;
   218      return AP4_SUCCESS;
   219  }
   220
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "mp42hls", stopped, reason: SIGSEGV
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x810429f → AP4_Array<AP4_SbgpAtom::Entry>::SetItemCount(this=0x8165278, item_count=0x80000001)
[#1] 0x8103d92 → AP4_SbgpAtom::AP4_SbgpAtom(this=0x8165250, size=0x1c, version=0x0, flags=0x0, stream=@0x8159ea0)
[#2] 0x8103bf5 → AP4_SbgpAtom::Create(size=0x1c, stream=@0x8159ea0)
[#3] 0x80f59da → AP4_AtomFactory::CreateAtomFromStream(this=0xbffff1c4, stream=@0x8159ea0, type=0x73626770, size_32=0x1c, size_64=0x1c, atom=@0xbfffe72c)
[#4] 0x80f412a → AP4_AtomFactory::CreateAtomFromStream(this=0xbffff1c4, stream=@0x8159ea0, bytes_available=@0xbfffe730, atom=@0xbfffe72c)
[#5] 0x80a4cd5 → AP4_ContainerAtom::ReadChildren(this=0x815ea10, atom_factory=@0xbffff1c4, stream=@0x8159ea0, size=0x4a40)
[#6] 0x80a4a44 → AP4_ContainerAtom::AP4_ContainerAtom(this=0x815ea10, type=0x7374626c, size=0x4a48, force_64=0x0, stream=@0x8159ea0, atom_factory=@0xbffff1c4)
[#7] 0x80a47e5 → AP4_ContainerAtom::Create(type=0x7374626c, size=0x4a48, is_full=0x0, force_64=0x0, stream=@0x8159ea0, atom_factory=@0xbffff1c4)
[#8] 0x80f5bbf → AP4_AtomFactory::CreateAtomFromStream(this=0xbffff1c4, stream=@0x8159ea0, type=0x7374626c, size_32=0x4a48, size_64=0x4a48, atom=@0xbfffe93c)
[#9] 0x80f412a → AP4_AtomFactory::CreateAtomFromStream(this=0xbffff1c4, stream=@0x8159ea0, bytes_available=@0xbfffe940, atom=@0xbfffe93c)
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

gef➤  p/d entry_count 
$3 = 1073742722 
gef➤  p/d item_count 
$4 = 1073742722 
gef➤  ptype i 
type = unsigned int 
gef➤  p/d i 
$13 = 15468 
gef➤  p/d m_Items 
$14 = 135638176 
gef➤  ptype m_Items 
type = class AP4_CttsTableEntry { 
  public: 
    AP4_UI32 m_SampleCount; 
    AP4_UI32 m_SampleOffset; 
  
    AP4_CttsTableEntry(void); 
    AP4_CttsTableEntry(AP4_UI32, AP4_UI32); 
} * 
gef➤  x m_Items[i] 
Cannot access memory at address 0x8179000 
gef➤  p m_Items[15468] 
Cannot access memory at address 0x8179000 
gef➤  i r 
eax            0x8179000           0x8179000 
ecx            0xb7df3780          0xb7df3780 
edx            0x1e360             0x1e360 
ebx            0x815ac60           0x815ac60 
esp            0xbfffe528          0xbfffe528 
ebp            0xbfffe528          0xbfffe528 
esi            0x1c20              0x1c20 
edi            0xb7df3000          0xb7df3000 
eip            0x80ef168           0x80ef168 <AP4_CttsTableEntry::AP4_CttsTableEntry()+6> 
eflags         0x10292             [ AF SF IF RF ] 
cs             0x73                0x73 
ss             0x7b                0x7b 
ds             0x7b                0x7b 
es             0x7b                0x7b 
fs             0x0                 0x0 
gs             0x33                0x33 

DEBUG ON WINDOWS -

STACK_TEXT:   
004be750 000d6b2d 0074f000 00000551 00000000 Mp42Hls!AP4_CttsTableEntry::AP4_CttsTableEntry+0x11 
004be76c 000d60e3 40000382 15981e17 004be928 Mp42Hls!AP4_Array<AP4_CttsTableEntry>::SetItemCount+0xbd 
004be7bc 000d668b 00001c20 00000000 00000000 Mp42Hls!AP4_CttsAtom::AP4_CttsAtom+0xa3 
004be808 000a1fb9 00001c20 00749810 1598109f Mp42Hls!AP4_CttsAtom::Create+0xab 
004be934 000a08dd 00749810 63747473 00001c20 Mp42Hls!AP4_AtomFactory::CreateAtomFromStream+0x14c9 
004be9e8 000ae0b9 00749810 004bea08 004bea18 Mp42Hls!AP4_AtomFactory::CreateAtomFromStream+0x26d 
FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_c0000005_Mp42Hls.exe!AP4_CttsTableEntry::AP4_CttsTableEntry 
  
BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_WRITE_Mp42Hls!AP4_CttsTableEntry::AP4_CttsTableEntry+11 
  
ExceptionCode: c0000005 (Access violation) 
FAULTING_SOURCE_FILE:  \bento4-master\source\c++\core\ap4cttsatom.h 
FAILURE_FUNCTION_NAME:  AP4_CttsTableEntry::AP4_CttsTableEntry 
Registers: 
eax=0074f000 ebx=7efde000 ecx=0074f000 edx=00000001 esi=004be954 edi=004be7b0 
eip=000d62f1 esp=004be74c ebp=004be750 iopl=0         nv up ei pl nz na po nc 
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202 
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.