Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

buffer overflow in AP4_NullTerminatedStringAtom #418

Open
5hadowblad3 opened this issue Aug 9, 2019 · 0 comments
Open

buffer overflow in AP4_NullTerminatedStringAtom #418

5hadowblad3 opened this issue Aug 9, 2019 · 0 comments
Assignees
Labels

Comments

@5hadowblad3
Copy link

5hadowblad3 commented Aug 9, 2019

There is a buffer overflow in Ap4ElstAtom.cpp related to AP4_ElstAtom.

Distributor ID: Ubuntu
Description: Ubuntu 16.04.6 LTS
Release: 16.04
Codename: xenial
gcc: 5.4.0

To reproduce the bug,
compile the project with flag
DCMAKE_C_FLAGS=-g -m32 -fsanitize=address,undefined

then run:
./mp42aac input /dev/null

The occur location in the function AP4_NullTerminatedStringAtom, Source/C++/Core/Ap4Atom.cpp.
image

Here is the trace reported by ASAN:
==10577==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf54006cf at pc 0x085d6d35 bp 0xffe49ac8 sp 0xffe49ab8
WRITE of size 1 at 0xf54006cf thread T0
#0 0x85d6d34 in AP4_NullTerminatedStringAtom::AP4_NullTerminatedStringAtom(unsigned int, unsigned long long, AP4_ByteStream&) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4Atom.cpp:474
#1 0x82ccfbb in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4AtomFactory.cpp:529
#2 0x82fa1f7 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4AtomFactory.cpp:225
#3 0x82fa1f7 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4AtomFactory.cpp:151
#4 0x809a044 in AP4_File::ParseStream(AP4_ByteStream&, AP4_AtomFactory&, bool) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4File.cpp:104
#5 0x809a044 in AP4_File::AP4_File(AP4_ByteStream&, bool) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4File.cpp:78
#6 0x8082ce7 in main /mnt/data/playground/mp42-a/Source/C++/Apps/Mp42Aac/Mp42Aac.cpp:250
#7 0xf6a25636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
#8 0x808df1b (/mnt/data/playground/mp42-patch/Build/mp42aac+0x808df1b)

0xf54006cf is located 1 bytes to the left of 1-byte region [0xf54006d0,0xf54006d1)
allocated by thread T0 here:
#0 0xf729ce46 in operator new[](unsigned int) (/usr/lib32/libasan.so.2+0x97e46)
#1 0x85d6657 in AP4_NullTerminatedStringAtom::AP4_NullTerminatedStringAtom(unsigned int, unsigned long long, AP4_ByteStream&) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4Atom.cpp:472
#2 0x82ccfbb in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4AtomFactory.cpp:529
#3 0x82fa1f7 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4AtomFactory.cpp:225
#4 0x82fa1f7 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4AtomFactory.cpp:151
#5 0x809a044 in AP4_File::ParseStream(AP4_ByteStream&, AP4_AtomFactory&, bool) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4File.cpp:104
#6 0x809a044 in AP4_File::AP4_File(AP4_ByteStream&, bool) /mnt/data/playground/mp42-a/Source/C++/Core/Ap4File.cpp:78
#7 0x8082ce7 in main /mnt/data/playground/mp42-a/Source/C++/Apps/Mp42Aac/Mp42Aac.cpp:250
#8 0xf6a25636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)

SUMMARY: AddressSanitizer: heap-buffer-overflow /mnt/data/playground/mp42-a/Source/C++/Core/Ap4Atom.cpp:474 AP4_NullTerminatedStringAtom::AP4_NullTerminatedStringAtom(unsigned int, unsigned long long, AP4_ByteStream&)
Shadow bytes around the buggy address:
0x3ea80080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3ea80090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3ea800a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3ea800b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3ea800c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x3ea800d0: fa fa fa fa fa fa fa fa fa[fa]01 fa fa fa 00 04
0x3ea800e0: fa fa 00 04 fa fa 00 fa fa fa 00 04 fa fa 00 fa
0x3ea800f0: fa fa 00 04 fa fa 00 fa fa fa 00 04 fa fa 00 fa
0x3ea80100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3ea80110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x3ea80120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==10577==ABORTING

This is the POC input:
poc_inputs.zip

@barbibulle barbibulle self-assigned this Aug 25, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

2 participants