There is a buffer overflow inside AP4_RtpAtom of Ap4RtpAtom.cpp.
./mp42aac input_file /dev/null
In file Source/C++/Core/Ap4RtpAtom.cpp
AP4_RtpAtom allocates a new buffer to parse the atom from the stream.
Because the memory allocation failure is not handled, the content read from the stream is memcpy'd into a null pointer.
This is the starting point.
In file Source/C++/Core/Ap4ByteStream.cpp
AP4_CopyMemory is the macro defined as memcpy, which completes the path.
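The failure path described above, as an added example that is not Bento4's code: a small 'rtp ' atom reader whose byte layout (32-bit size, 4-byte type, 32-bit description format, then SDP text), function names and status codes are assumptions, showing the checks that keep the header-derived SDP length, the allocation result and the terminator write in bounds.

```cpp
// Added example (not Bento4's code): a minimal 'rtp ' atom reader that checks
// the header-derived payload length before allocating and before writing the
// terminator. Layout assumed: [BE32 size][4-byte type][BE32 description format][sdp text].
#include <cstdint>
#include <cstring>
#include <new>
#include <string>
#include <vector>

static const size_t kAtomHeaderSize = 8;   // size + type
static const size_t kRtpFixedFields = 4;   // description format

enum class RtpParseStatus { Ok, Truncated, InvalidSize, OutOfMemory };
struct RtpParseResult { RtpParseStatus status; uint32_t descriptionFormat; std::string sdpText; };

static uint32_t ReadBE32(const uint8_t* p) {
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) | (uint32_t(p[2]) << 8) | p[3];
}

// 'size' comes from the file and is attacker-controlled: every derived length
// is checked against it, and the allocation result is checked, before any copy.
RtpParseResult ParseRtpAtom(const std::vector<uint8_t>& data) {
    RtpParseResult r{RtpParseStatus::Truncated, 0, ""};
    if (data.size() < kAtomHeaderSize + kRtpFixedFields) return r;
    uint32_t size = ReadBE32(data.data());
    // A size smaller than the fixed fields would make the subtraction below wrap.
    if (size < kAtomHeaderSize + kRtpFixedFields) { r.status = RtpParseStatus::InvalidSize; return r; }
    if (size > data.size()) return r;  // declared size exceeds the bytes actually present
    size_t sdpSize = size - kAtomHeaderSize - kRtpFixedFields;
    char* sdp = new (std::nothrow) char[sdpSize + 1];  // +1 leaves room for the terminator
    if (sdp == nullptr) { r.status = RtpParseStatus::OutOfMemory; return r; }
    std::memcpy(sdp, data.data() + kAtomHeaderSize + kRtpFixedFields, sdpSize);
    sdp[sdpSize] = '\0';   // in bounds: the buffer holds sdpSize + 1 bytes
    r.descriptionFormat = ReadBE32(data.data() + kAtomHeaderSize);
    r.sdpText.assign(sdp, sdpSize);
    delete[] sdp;
    r.status = RtpParseStatus::Ok;
    return r;
}

// Constructed test input; declaredSize may disagree with the real length on purpose.
std::vector<uint8_t> BuildRtpAtom(uint32_t declaredSize, const std::string& sdp) {
    std::vector<uint8_t> a;
    for (int s = 24; s >= 0; s -= 8) a.push_back(uint8_t(declaredSize >> s));
    const char fixed[8] = {'r', 't', 'p', ' ', 't', 'i', 'm', 's'};  // type, then a constructed description format
    a.insert(a.end(), fixed, fixed + 8);
    a.insert(a.end(), sdp.begin(), sdp.end());
    return a;
}
```

An atom whose declared size is below the fixed-field length is rejected as InvalidSize instead of wrapping the subtraction, and one whose declared size exceeds the available bytes is rejected as Truncated.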
Asan trace report:
==112964==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf54006ef at pc 0x0917bae1 bp 0xff98dce8 sp 0xff98dcd8
WRITE of size 1 at 0xf54006ef thread T0
#0 0x917bae0 in AP4_RtpAtom::AP4_RtpAtom(unsigned int, AP4_ByteStream&) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4RtpAtom.cpp:51
#1 0x82dda81 in AP4_RtpAtom::Create(unsigned int, AP4_ByteStream&) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4RtpAtom.h:53
#2 0x82dda81 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4AtomFactory.cpp:648
#3 0x8301ca3 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4AtomFactory.cpp:225
#4 0x82b6bae in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4ContainerAtom.cpp:194
#5 0x82b6bae in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4ContainerAtom.cpp:139
#6 0x841a898 in AP4_MoovAtom::AP4_MoovAtom(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4MoovAtom.cpp:80
#7 0x82e2631 in AP4_MoovAtom::Create(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4MoovAtom.h:56
#8 0x82e2631 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4AtomFactory.cpp:363
#9 0x82fa1f7 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4AtomFactory.cpp:225
#10 0x82fa1f7 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4AtomFactory.cpp:151
#11 0x809a044 in AP4_File::ParseStream(AP4_ByteStream&, AP4_AtomFactory&, bool) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4File.cpp:104
#12 0x809a044 in AP4_File::AP4_File(AP4_ByteStream&, bool) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4File.cpp:78
#13 0x8082ce7 in main /mnt/data/playground/mp42-a/Source/C++/Apps/Mp42Aac/Mp42Aac.cpp:250
#14 0xf6a14636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
#15 0x808df1b (/mnt/data/playground/mp42-patch/Build/mp42aac+0x808df1b)
0xf54006ef is located 1 bytes to the left of 1-byte region [0xf54006f0,0xf54006f1)
allocated by thread T0 here:
#0 0xf728be46 in operator new[](unsigned int) (/usr/lib32/libasan.so.2+0x97e46)
#1 0x917b5b4 in AP4_RtpAtom::AP4_RtpAtom(unsigned int, AP4_ByteStream&) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4RtpAtom.cpp:49
#2 0x82dda81 in AP4_RtpAtom::Create(unsigned int, AP4_ByteStream&) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4RtpAtom.h:53
#3 0x82dda81 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4AtomFactory.cpp:648
#4 0x8301ca3 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4AtomFactory.cpp:225
#5 0x82b6bae in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4ContainerAtom.cpp:194
#6 0x82b6bae in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4ContainerAtom.cpp:139
#7 0x841a898 in AP4_MoovAtom::AP4_MoovAtom(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4MoovAtom.cpp:80
#8 0x82e2631 in AP4_MoovAtom::Create(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4MoovAtom.h:56
#9 0x82e2631 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4AtomFactory.cpp:363
#10 0x82fa1f7 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4AtomFactory.cpp:225
#11 0x82fa1f7 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4AtomFactory.cpp:151
#12 0x809a044 in AP4_File::ParseStream(AP4_ByteStream&, AP4_AtomFactory&, bool) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4File.cpp:104
#13 0x809a044 in AP4_File::AP4_File(AP4_ByteStream&, bool) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4File.cpp:78
#14 0x8082ce7 in main /mnt/data/playground/mp42-a/Source/C++/Apps/Mp42Aac/Mp42Aac.cpp:250
#15 0xf6a14636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
SUMMARY: AddressSanitizer: heap-buffer-overflow /mnt/data/playground/mp42-a/Source/C++/Core/Ap4RtpAtom.cpp:51 AP4_RtpAtom::AP4_RtpAtom(unsigned int, AP4_ByteStream&)
Shadow bytes around the buggy address:
0x3ea80080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3ea80090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3ea800a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3ea800b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3ea800c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x3ea800d0: fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]01 fa
0x3ea800e0: fa fa 00 04 fa fa 00 fa fa fa 00 04 fa fa 00 fa
0x3ea800f0: fa fa 00 04 fa fa 00 fa fa fa 00 04 fa fa 00 fa
0x3ea80100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3ea80110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3ea80120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==112964==ABORTING
The attachment is the poc file.
poc_input3.zip