Hi, developers of Bento4:
When I tested the latest mp42aac, the following crash occurred.
The problem
The output of mp42aac_asan:
==115490==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ee71 at pc 0x000000509921 bp 0x7fffffffd410 sp 0x7fffffffd400
READ of size 1 at 0x60200000ee71 thread T0
#0 0x509920 in AP4_Stz2Atom::AP4_Stz2Atom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&) /home/xxzs/workdir/test/Bento4/Source/C++/Core/Ap4Stz2Atom.cpp:113
#1 0x509ac6 in AP4_Stz2Atom::Create(unsigned int, AP4_ByteStream&) /home/xxzs/workdir/test/Bento4/Source/C++/Core/Ap4Stz2Atom.cpp:52
#2 0x46efde in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/xxzs/workdir/test/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:483
#3 0x472452 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/xxzs/workdir/test/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234
#4 0x472452 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) /home/xxzs/workdir/test/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:154
#5 0x40bd11 in AP4_File::ParseStream(AP4_ByteStream&, AP4_AtomFactory&, bool) /home/xxzs/workdir/test/Bento4/Source/C++/Core/Ap4File.cpp:104
#6 0x40bd11 in AP4_File::AP4_File(AP4_ByteStream&, bool) /home/xxzs/workdir/test/Bento4/Source/C++/Core/Ap4File.cpp:78
#7 0x402a40 in main /home/xxzs/workdir/test/Bento4/Source/C++/Apps/Mp42Aac/Mp42Aac.cpp:250
#8 0x7ffff621f83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
#9 0x4045d8 in _start (/home/xxzs/workdir/test/mp42aac/mp42aac_asan+0x4045d8)
0x60200000ee71 is located 0 bytes to the right of 1-byte region [0x60200000ee70,0x60200000ee71)
allocated by thread T0 here:
#0 0x7ffff6f036b2 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x996b2)
#1 0x509235 in AP4_Stz2Atom::AP4_Stz2Atom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&) /home/xxzs/workdir/test/Bento4/Source/C++/Core/Ap4Stz2Atom.cpp:101
#2 0x509ac6 in AP4_Stz2Atom::Create(unsigned int, AP4_ByteStream&) /home/xxzs/workdir/test/Bento4/Source/C++/Core/Ap4Stz2Atom.cpp:52
#3 0x46efde in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/xxzs/workdir/test/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:483
#4 0x472452 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/xxzs/workdir/test/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234
#5 0x472452 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) /home/xxzs/workdir/test/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:154
#6 0x40bd11 in AP4_File::ParseStream(AP4_ByteStream&, AP4_AtomFactory&, bool) /home/xxzs/workdir/test/Bento4/Source/C++/Core/Ap4File.cpp:104
#7 0x40bd11 in AP4_File::AP4_File(AP4_ByteStream&, bool) /home/xxzs/workdir/test/Bento4/Source/C++/Core/Ap4File.cpp:78
#8 0x402a40 in main /home/xxzs/workdir/test/Bento4/Source/C++/Apps/Mp42Aac/Mp42Aac.cpp:250
#9 0x7ffff621f83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/xxzs/workdir/test/Bento4/Source/C++/Core/Ap4Stz2Atom.cpp:113 AP4_Stz2Atom::AP4_Stz2Atom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&)
==115490==ABORTING
[Inferior 1 (process 115490) exited with code 01]
The output of gdb:
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.5) 7.11.1
Reading symbols from ./mp42aac...done.
(gdb) set args /home/xxzs/workdir/test/mp42aac/out/afl-slave/crashes/id:000239,sig:06,src:000523+002959,op:splice,rep:2 /dev/null
(gdb) r
Starting program: /home/xxzs/workdir/test/mp42aac/mp42aac /home/xxzs/workdir/test/mp42aac/out/afl-slave/crashes/id:000239,sig:06,src:000523+002959,op:splice,rep:2 /dev/null
Program received signal SIGSEGV, Segmentation fault.
AP4_Stz2Atom::AP4_Stz2Atom (this=0x6b5bb0, size=<optimized out>, version=<optimized out>,
flags=<optimized out>, stream=...)
at /home/xxzs/workdir/test/Bento4/Source/C++/Core/Ap4Stz2Atom.cpp:113
113 m_Entries[i] = (buffer[i/2]>>4)&0x0F;
(gdb) bt
#0 AP4_Stz2Atom::AP4_Stz2Atom (this=0x6b5bb0, size=<optimized out>, version=<optimized out>,
flags=<optimized out>, stream=...)
at /home/xxzs/workdir/test/Bento4/Source/C++/Core/Ap4Stz2Atom.cpp:113
#1 0x000000000045b112 in AP4_Stz2Atom::Create (size=28, stream=...)
at /home/xxzs/workdir/test/Bento4/Source/C++/Core/Ap4Stz2Atom.cpp:52
#2 0x00000000004268b5 in AP4_AtomFactory::CreateAtomFromStream (this=0x7fffffffdc70, stream=...,
type=1937013298, size_32=28, size_64=28, atom=@0x7fffffffdc60: 0x0)
at /home/xxzs/workdir/test/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:483
#3 0x00000000004283c6 in AP4_AtomFactory::CreateAtomFromStream (atom=@0x7fffffffdc60: 0x0,
bytes_available=<synthetic pointer>, stream=..., this=0x7fffffffdc70)
at /home/xxzs/workdir/test/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234
#4 AP4_AtomFactory::CreateAtomFromStream (this=this@entry=0x7fffffffdc70, stream=...,
atom=@0x7fffffffdc60: 0x0) at /home/xxzs/workdir/test/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:154
#5 0x0000000000403e12 in AP4_File::ParseStream (moov_only=<optimized out>, atom_factory=...,
stream=..., this=<optimized out>) at /home/xxzs/workdir/test/Bento4/Source/C++/Core/Ap4File.cpp:104
#6 AP4_File::AP4_File (this=0x6b5610, stream=..., moov_only=false)
at /home/xxzs/workdir/test/Bento4/Source/C++/Core/Ap4File.cpp:78
#7 0x000000000040134f in main (argc=<optimized out>, argv=<optimized out>)
at /home/xxzs/workdir/test/Bento4/Source/C++/Apps/Mp42Aac/Mp42Aac.cpp:250
(gdb) list
108 m_Entries.SetItemCount((AP4_Cardinal)sample_count);
109 switch (m_FieldSize) {
110 case 4:
111 for (unsigned int i=0; i<sample_count; i++) {
112 if ((i%2) == 0) {
113 m_Entries[i] = (buffer[i/2]>>4)&0x0F;
114 } else {
115 m_Entries[i] = buffer[i/2]&0x0F;
116 }
117 }
Crash input: POC2.tar.gz
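The gdb listing above shows the crash in the 4-bit branch of the stz2 sample-size loop, where buffer[i/2] is read from a 1-byte allocation (type=1937013298 in frame #2 is the fourcc 'stz2'). The reader below is an added example, not Bento4's own code: it parses the same atom body (3 reserved bytes, one field_size byte, a 32-bit sample_count, then the packed sizes, as ISO BMFF defines it) and refuses to touch the table until the payload is known to hold ceil(sample_count * field_size / 8) bytes; the function and enum names are my own.

```cpp
#include <cstdint>
#include <cstddef>
#include <vector>

enum class Stz2Status { Ok, ShortHeader, BadFieldSize, Truncated };

static uint32_t read_be32(const uint8_t* p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

// `body` is the atom payload after the 8-byte atom header and the 4-byte
// version/flags word. Decoded sizes go to `sizes`. Nothing is read from the
// table until the payload is known to cover every entry (constructed reader,
// not the Bento4 implementation).
Stz2Status read_stz2_body(const std::vector<uint8_t>& body, std::vector<uint32_t>& sizes) {
    sizes.clear();
    if (body.size() < 8) return Stz2Status::ShortHeader;
    const uint8_t  field_size   = body[3];            // low byte of the reserved/field_size word
    const uint32_t sample_count = read_be32(&body[4]);
    if (field_size != 4 && field_size != 8 && field_size != 16) return Stz2Status::BadFieldSize;
    // Table bytes required, rounded up for the 4-bit case. Computed in 64 bits
    // so a hostile sample_count cannot wrap the product to a small value.
    const uint64_t needed = ((uint64_t)sample_count * field_size + 7) / 8;
    if (needed > body.size() - 8) return Stz2Status::Truncated;  // table would run past the payload
    const uint8_t* table = body.data() + 8;
    sizes.reserve(sample_count);
    for (uint32_t i = 0; i < sample_count; i++) {
        switch (field_size) {
            case 4:  sizes.push_back((i % 2 == 0) ? (table[i / 2] >> 4) & 0x0F : table[i / 2] & 0x0F); break;
            case 8:  sizes.push_back(table[i]); break;
            default: sizes.push_back((uint32_t)table[2 * i] << 8 | table[2 * i + 1]); break;
        }
    }
    return Stz2Status::Ok;
}
```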