
heap-buffer-overflow in mp42aac #818

Open
orangeloong opened this issue Nov 26, 2022 · 0 comments

Hi, developers of Bento4:
When I tested the latest mp42aac, the following crash occurred.

The problem

The output of mp42aac_asan:

==115490==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ee71 at pc 0x000000509921 bp 0x7fffffffd410 sp 0x7fffffffd400
READ of size 1 at 0x60200000ee71 thread T0
    #0 0x509920 in AP4_Stz2Atom::AP4_Stz2Atom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&) /home/xxzs/workdir/test/Bento4/Source/C++/Core/Ap4Stz2Atom.cpp:113
    #1 0x509ac6 in AP4_Stz2Atom::Create(unsigned int, AP4_ByteStream&) /home/xxzs/workdir/test/Bento4/Source/C++/Core/Ap4Stz2Atom.cpp:52
    #2 0x46efde in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/xxzs/workdir/test/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:483
    #3 0x472452 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/xxzs/workdir/test/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234
    #4 0x472452 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) /home/xxzs/workdir/test/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:154
    #5 0x40bd11 in AP4_File::ParseStream(AP4_ByteStream&, AP4_AtomFactory&, bool) /home/xxzs/workdir/test/Bento4/Source/C++/Core/Ap4File.cpp:104
    #6 0x40bd11 in AP4_File::AP4_File(AP4_ByteStream&, bool) /home/xxzs/workdir/test/Bento4/Source/C++/Core/Ap4File.cpp:78
    #7 0x402a40 in main /home/xxzs/workdir/test/Bento4/Source/C++/Apps/Mp42Aac/Mp42Aac.cpp:250
    #8 0x7ffff621f83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)
    #9 0x4045d8 in _start (/home/xxzs/workdir/test/mp42aac/mp42aac_asan+0x4045d8)

0x60200000ee71 is located 0 bytes to the right of 1-byte region [0x60200000ee70,0x60200000ee71)
allocated by thread T0 here:
    #0 0x7ffff6f036b2 in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x996b2)
    #1 0x509235 in AP4_Stz2Atom::AP4_Stz2Atom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&) /home/xxzs/workdir/test/Bento4/Source/C++/Core/Ap4Stz2Atom.cpp:101
    #2 0x509ac6 in AP4_Stz2Atom::Create(unsigned int, AP4_ByteStream&) /home/xxzs/workdir/test/Bento4/Source/C++/Core/Ap4Stz2Atom.cpp:52
    #3 0x46efde in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/xxzs/workdir/test/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:483
    #4 0x472452 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/xxzs/workdir/test/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234
    #5 0x472452 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) /home/xxzs/workdir/test/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:154
    #6 0x40bd11 in AP4_File::ParseStream(AP4_ByteStream&, AP4_AtomFactory&, bool) /home/xxzs/workdir/test/Bento4/Source/C++/Core/Ap4File.cpp:104
    #7 0x40bd11 in AP4_File::AP4_File(AP4_ByteStream&, bool) /home/xxzs/workdir/test/Bento4/Source/C++/Core/Ap4File.cpp:78
    #8 0x402a40 in main /home/xxzs/workdir/test/Bento4/Source/C++/Apps/Mp42Aac/Mp42Aac.cpp:250
    #9 0x7ffff621f83f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2083f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/xxzs/workdir/test/Bento4/Source/C++/Core/Ap4Stz2Atom.cpp:113 AP4_Stz2Atom::AP4_Stz2Atom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&)
Shadow bytes around the buggy address:
  0x0c047fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[01]fa
  0x0c047fff9dd0: fa fa fd fa fa fa 00 04 fa fa fd fa fa fa fd fa
  0x0c047fff9de0: fa fa fd fa fa fa 00 04 fa fa fd fa fa fa fd fa
  0x0c047fff9df0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==115490==ABORTING
[Inferior 1 (process 115490) exited with code 01]

The output of gdb:

GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.5) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./mp42aac...done.
(gdb) set args /home/xxzs/workdir/test/mp42aac/out/afl-slave/crashes/id:000239,sig:06,src:000523+002959,op:splice,rep:2 /dev/null
(gdb) r
Starting program: /home/xxzs/workdir/test/mp42aac/mp42aac /home/xxzs/workdir/test/mp42aac/out/afl-slave/crashes/id:000239,sig:06,src:000523+002959,op:splice,rep:2 /dev/null

Program received signal SIGSEGV, Segmentation fault.
AP4_Stz2Atom::AP4_Stz2Atom (this=0x6b5bb0, size=<optimized out>, version=<optimized out>, 
    flags=<optimized out>, stream=...)
    at /home/xxzs/workdir/test/Bento4/Source/C++/Core/Ap4Stz2Atom.cpp:113
113	                    m_Entries[i] = (buffer[i/2]>>4)&0x0F;
(gdb) bt
#0  AP4_Stz2Atom::AP4_Stz2Atom (this=0x6b5bb0, size=<optimized out>, version=<optimized out>, 
    flags=<optimized out>, stream=...)
    at /home/xxzs/workdir/test/Bento4/Source/C++/Core/Ap4Stz2Atom.cpp:113
#1  0x000000000045b112 in AP4_Stz2Atom::Create (size=28, stream=...)
    at /home/xxzs/workdir/test/Bento4/Source/C++/Core/Ap4Stz2Atom.cpp:52
#2  0x00000000004268b5 in AP4_AtomFactory::CreateAtomFromStream (this=0x7fffffffdc70, stream=..., 
    type=1937013298, size_32=28, size_64=28, atom=@0x7fffffffdc60: 0x0)
    at /home/xxzs/workdir/test/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:483
#3  0x00000000004283c6 in AP4_AtomFactory::CreateAtomFromStream (atom=@0x7fffffffdc60: 0x0, 
    bytes_available=<synthetic pointer>, stream=..., this=0x7fffffffdc70)
    at /home/xxzs/workdir/test/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234
#4  AP4_AtomFactory::CreateAtomFromStream (this=this@entry=0x7fffffffdc70, stream=..., 
    atom=@0x7fffffffdc60: 0x0) at /home/xxzs/workdir/test/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:154
#5  0x0000000000403e12 in AP4_File::ParseStream (moov_only=<optimized out>, atom_factory=..., 
    stream=..., this=<optimized out>) at /home/xxzs/workdir/test/Bento4/Source/C++/Core/Ap4File.cpp:104
#6  AP4_File::AP4_File (this=0x6b5610, stream=..., moov_only=false)
    at /home/xxzs/workdir/test/Bento4/Source/C++/Core/Ap4File.cpp:78
#7  0x000000000040134f in main (argc=<optimized out>, argv=<optimized out>)
    at /home/xxzs/workdir/test/Bento4/Source/C++/Apps/Mp42Aac/Mp42Aac.cpp:250
(gdb) list
108	    m_Entries.SetItemCount((AP4_Cardinal)sample_count);
109	    switch (m_FieldSize) {
110	        case 4:
111	            for (unsigned int i=0; i<sample_count; i++) {
112	                if ((i%2) == 0) {
113	                    m_Entries[i] = (buffer[i/2]>>4)&0x0F;
114	                } else {
115	                    m_Entries[i] = buffer[i/2]&0x0F;
116	                }
117	            }

Crash input

POC2.tar.gz

Validation steps

  1. build the latest mp42aac
  2. ./mp42aac ./POC2 /dev/null

Environment

  • Host Operating System and version: Ubuntu 16.04 LTS
  • Host CPU architecture: 11th Gen Intel® Core™ i5-11500 @ 2.70GHz × 8
  • gcc version: 5.4.0
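Editor's note on the report above: the sanitizer output shows a 1-byte region allocated at Ap4Stz2Atom.cpp:101 and a read of buffer[i/2] at line 113 landing one byte past it, in the field_size == 4 branch. That pattern is what a byte count computed with truncating division (sample_count*4/8) produces whenever sample_count is odd, since the last nibble then needs a byte the division dropped. The following is an added example, written for this page and not Bento4's own code: a minimal bounds-checked parser for the body of an ISO/IEC 14496-12 stz2 (compact sample size) box. It computes the packed byte count rounded up, checks it against the bytes actually present before unpacking, and handles all three legal field sizes (4, 8, 16), so it goes beyond the 4-bit case in the report. The struct and function names and the sample payloads are constructed for the example.

```cpp
// Added example (not Bento4 code): bounds-checked parsing of an ISO BMFF
// 'stz2' box body. Layout after the 8-byte size/type header (ISO/IEC 14496-12):
//   version(1) flags(3) reserved(3) field_size(1) sample_count(4)
//   then sample_count entries packed at field_size bits each (4, 8 or 16).
// With field_size == 4, the first entry of each pair sits in the high nibble.
#include <cstdint>
#include <cstddef>
#include <cstdio>
#include <vector>

struct Stz2 {                       // hypothetical container, not Bento4's AP4_Stz2Atom
    uint8_t field_size = 0;
    std::vector<uint32_t> entries;
};

static uint32_t be32(const uint8_t* p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

// Bytes needed for `count` entries of `bits` bits each, rounded UP.
// 64-bit math so count*bits cannot wrap for any 32-bit sample_count.
static uint64_t packed_bytes(uint64_t count, unsigned bits) {
    return (count * bits + 7) / 8;
}

// The truncating form, kept only for comparison: for count=3, bits=4 it yields
// 1 byte although the third nibble lives in byte index 1.
static uint64_t packed_bytes_truncating(uint64_t count, unsigned bits) {
    return count * bits / 8;
}

// Parse the box body (everything after the 8-byte header). Returns false on
// malformed input instead of reading past `body + len`.
static bool parse_stz2_body(const uint8_t* body, size_t len, Stz2& out) {
    const size_t fixed = 4 + 3 + 1 + 4;          // version/flags, reserved, field_size, sample_count
    if (len < fixed) return false;
    uint8_t  field_size   = body[7];
    uint32_t sample_count = be32(body + 8);
    if (field_size != 4 && field_size != 8 && field_size != 16) return false;

    const uint8_t* data  = body + fixed;
    size_t         avail = len - fixed;
    if (packed_bytes(sample_count, field_size) > avail) return false;   // the length check

    out.field_size = field_size;
    out.entries.clear();
    out.entries.reserve(sample_count);           // bounded: sample_count <= 2*avail here
    for (uint32_t i = 0; i < sample_count; i++) {
        uint32_t v;
        switch (field_size) {
            case 4:  v = (i % 2 == 0) ? (data[i / 2] >> 4) & 0x0F : data[i / 2] & 0x0F; break;
            case 8:  v = data[i]; break;
            default: v = (uint32_t)data[2 * i] << 8 | data[2 * i + 1]; break;
        }
        out.entries.push_back(v);
    }
    return true;
}

// Constructed sample bodies (not taken from the crash file).
// Three 4-bit entries 10, 5, 12 packed into two bytes 0xA5 0xC0.
static const uint8_t kOkBody[] = {0,0,0,0, 0,0,0, 4, 0,0,0,3, 0xA5, 0xC0};
// Same header but only one data byte: sample_count=3 needs two.
static const uint8_t kShortBody[] = {0,0,0,0, 0,0,0, 4, 0,0,0,3, 0xA5};
// Two 16-bit entries 258 and 255.
static const uint8_t k16Body[] = {0,0,0,0, 0,0,0, 16, 0,0,0,2, 0x01,0x02, 0x00,0xFF};

int main() {
    Stz2 s;
    bool ok = parse_stz2_body(kOkBody, sizeof(kOkBody), s);
    std::printf("ok body: %s, %zu entries\n", ok ? "parsed" : "rejected", s.entries.size());
    std::printf("short body: %s\n",
                parse_stz2_body(kShortBody, sizeof(kShortBody), s) ? "parsed" : "rejected");
    std::printf("bytes for 3 x 4-bit: truncating=%llu rounded-up=%llu\n",
                (unsigned long long)packed_bytes_truncating(3, 4),
                (unsigned long long)packed_bytes(3, 4));
    return ok ? 0 : 1;
}
```

The short body is the shape the report's 1-byte allocation suggests: a 4-bit table with an odd sample count and exactly the truncated number of data bytes. A parser that sizes its buffer with the rounded-up count and compares it to the bytes remaining in the box rejects it before the unpacking loop runs.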