A global-buffer-overflow in Ap4ByteStream.cpp:783:5 #545
This issue was brought to our attention by https://nvd.nist.gov/vuln/detail/CVE-2021-32265. In a situation where a hdlr atom has no name defined, it is possible for this overflow to be generated.

Analysis of the issue

The source stream contains multiple 'hdlr' atoms. All of handler_type 'vide'. One of these has a name, but the others don't. If no name is attached to the hdlr atom, then this access violation will occur due to the code in AP4_HdlrAtom::WriteFields, approximately line 138. The failure is if name_size==0 (as retrieved at line 123 of this method) AND the size of the source atom is short enough that it shouldn't contain a name (which is valid); then it will recalculate name_size at line 138, giving it a negative value - but due to it being a u8, it ends up being 237 characters in length, instead of 0.

Resolution

Check for name_size before writing anything; if it's zero, then do not write any further data to this atom. Diff of a fix attached.
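The size wrap described in the comment above, modelled in a small stand-alone C++ program. This is an added example, not Bento4's own code: the box layout constants (a 12-byte full-box header plus 20 bytes of fixed fields, 32 bytes in total) are assumed from the ISO/IEC 14496-12 'hdlr' definition, the HdlrAtom struct and the function names are hypothetical stand-ins, and the sample atoms are constructed. It shows the unchecked length derivation wrapping to 237 for a 13-byte atom with no name, next to a checked variant that writes nothing further when there is no name and rejects a declared size that cannot hold one.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Assumed 'hdlr' box layout (ISO/IEC 14496-12); these numbers are not from the issue:
//   box header (size + type)                   8 bytes
//   version + flags                            4 bytes   -> 12-byte full-box header
//   pre_defined + handler_type + reserved[3]  20 bytes
//   name                                      the remainder, NUL-terminated
static const uint32_t kFullAtomHeaderSize = 12;
static const uint32_t kHdlrFixedFields    = 20;
static const uint32_t kMinHdlrSize        = kFullAtomHeaderSize + kHdlrFixedFields;  // 32

// Hypothetical stand-in for the parsed atom; not Bento4's AP4_HdlrAtom.
struct HdlrAtom {
    uint32_t    size;          // box size as declared in the source stream
    uint32_t    handler_type;  // 0x76696465 == 'vide'
    std::string name;          // empty when the source atom carried no name
};

// Vulnerable pattern: when the parsed name is empty, re-derive the name length from
// the declared box size and keep it in an 8-bit integer. For a box shorter than the
// 32-byte minimum the subtraction is negative and the narrowing wraps:
// 13 - 32 = -19, which stored as a uint8_t is 237.
uint8_t NameSizeUnchecked(const HdlrAtom& atom) {
    uint8_t name_size = static_cast<uint8_t>(atom.name.size());
    if (name_size == 0) {
        name_size = static_cast<uint8_t>(atom.size - kMinHdlrSize);
    }
    return name_size;
}

// The writer copies name_size bytes from name.c_str(), a buffer of size()+1 bytes
// (the terminating NUL). Asking for more than that reads past its end, which is
// the kind of out-of-bounds access AddressSanitizer reports in the stream write.
bool WouldOverrunNameBuffer(const HdlrAtom& atom) {
    return static_cast<size_t>(NameSizeUnchecked(atom)) > atom.name.size() + 1;
}

// Hardened pattern: return 0 as soon as there is no name to write, and return -1
// for a declared size that cannot hold the header, the fixed fields and the name.
long CheckedNameSize(const HdlrAtom& atom) {
    if (atom.name.empty()) return 0;
    if (atom.size < kMinHdlrSize) return -1;
    if (atom.size - kMinHdlrSize < atom.name.size()) return -1;
    return static_cast<long>(atom.name.size());
}

static void PutUI32(std::vector<uint8_t>& out, uint32_t v) {
    out.push_back(static_cast<uint8_t>(v >> 24));
    out.push_back(static_cast<uint8_t>(v >> 16));
    out.push_back(static_cast<uint8_t>(v >> 8));
    out.push_back(static_cast<uint8_t>(v));
}

// Serialise the fields that follow the full-box header using the checked length.
// Returns false and writes nothing for a malformed atom.
bool WriteFieldsChecked(const HdlrAtom& atom, std::vector<uint8_t>& out) {
    long name_size = CheckedNameSize(atom);
    if (name_size < 0) return false;
    PutUI32(out, 0);                              // pre_defined
    PutUI32(out, atom.handler_type);              // handler_type
    for (int i = 0; i < 3; ++i) PutUI32(out, 0);  // reserved
    if (name_size == 0) return true;              // no name: stop here, write nothing more
    out.insert(out.end(), atom.name.begin(), atom.name.end());
    out.push_back(0);                             // NUL terminator
    return true;
}

// Number of bytes the checked writer emits, or 0 if it rejected the atom.
size_t CheckedWriteSize(const HdlrAtom& atom) {
    std::vector<uint8_t> out;
    return WriteFieldsChecked(atom, out) ? out.size() : 0;
}

int main() {
    // Constructed samples: a 13-byte 'vide' hdlr atom with no name, and a well-formed one.
    HdlrAtom short_atom{13, 0x76696465u, ""};
    HdlrAtom good_atom{45, 0x76696465u, "VideoHandler"};

    std::printf("unchecked name_size for 13-byte atom: %u (would overrun: %s)\n",
                static_cast<unsigned>(NameSizeUnchecked(short_atom)),
                WouldOverrunNameBuffer(short_atom) ? "yes" : "no");
    std::printf("checked name_size for 13-byte atom: %ld\n", CheckedNameSize(short_atom));
    std::printf("checked write of well-formed atom: %zu bytes\n", CheckedWriteSize(good_atom));
    return 0;
}
```

The two behaviours to compare are NameSizeUnchecked, which returns 237 for the 13-byte nameless atom, and CheckedNameSize, which returns 0 for it and -1 for an atom whose declared size is too small for the name it carries, so the writer never derives a length the source buffer cannot back.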
Fix for CVE-2021-32265; axiomatic-systems#545 In an hdlr atom, where the size of the source atom is too short to contain a name, an exception will have occurred because it would try to recalculate the size of the name and end up with an arithmetic overflow.
System info
Ubuntu x86_64, clang 6.0, mp42aac (latest master 174b94)
Configure
cmake .. -DCMAKE_CXX_FLAGS="-fsanitize=address -g" -DCMAKE_C_FLAGS="-fsanitize=address -g" -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address" -DCMAKE_MODULE_LINKER_FLAGS="-fsanitize=address"
Command line
./build/mp4info --show-layout --show-samples --show-sample-data @@
AddressSanitizer output
POC
global-overflow-WritePartial-Ap4ByteStream-783.zip