
mp4info: AP4_TfraAtom::AP4_TfraAtom in Ap4TfraAtom.cpp failed to allocate memory #894

Closed
gxh191 opened this issue Sep 26, 2023 · 0 comments
Assignees
Labels

Comments

@gxh191

gxh191 commented Sep 26, 2023

Hi, developers of Bento4:

An issue was discovered in MP4 File Info - Version 1.3.4 (Bento4 Version 1.6.0.0).

Version Information

MP4 File Info - Version 1.3.4 (Bento4 Version 1.6.0.0).

Description of the vulnerability

When I use afl's ASan mode to test the mp4info program, AP4_TfraAtom::AP4_TfraAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&) is called from the Ap4TfraAtom.cpp file, and AP4_TfraAtom::AP4_TfraAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&)+674 calls operator new(unsigned long)@plt, which allocates too much memory (0x1585948620 bytes), causing the program to crash.

The output of a program compiled normally without asan is as follows:

./mp4info --verbose mp4info_bad_alloc

terminate called after throwing an instance of 'std::bad_alloc'
what(): std::bad_alloc
[1] 2852939 abort ./mp4info --verbose

The output of afl's asan is as follows:

./mp4info --verbose mp4info_bad_alloc

=================================================================
==1178780==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0x1585948620 bytes
#0 0x4c73ed in operator new(unsigned long) (/home/gxh/Bento4/check_build/mp4info+0x4c73ed)
#1 0x72b8a7 in AP4_Array<AP4_TfraAtom::Entry>::EnsureCapacity(unsigned int) /home/gxh/Bento4/Source/C++/Core/Ap4Array.h:172:25
#2 0x72b8a7 in AP4_Array<AP4_TfraAtom::Entry>::SetItemCount(unsigned int) /home/gxh/Bento4/Source/C++/Core/Ap4Array.h:210:25
#3 0x72b8a7 in AP4_TfraAtom::AP4_TfraAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&) /home/gxh/Bento4/Source/C++/Core/Ap4TfraAtom.cpp:88:15
#4 0x72992b in AP4_TfraAtom::Create(unsigned int, AP4_ByteStream&) /home/gxh/Bento4/Source/C++/Core/Ap4TfraAtom.cpp:53:16
#5 0x555108 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/gxh/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:443:20
#6 0x54da23 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/gxh/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
#7 0x57fc5d in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/gxh/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
#8 0x57f956 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/gxh/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139:5
#9 0x54da23 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/gxh/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
#10 0x57ff95 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/gxh/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
#11 0x57f956 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/gxh/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139:5
#12 0x55540b in AP4_MoovAtom::Create(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /home/gxh/Bento4/Source/C++/Core/Ap4MoovAtom.h:56:20
#13 0x55540b in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/gxh/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:393:20
#14 0x54da23 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/gxh/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
#15 0x54cb00 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) /home/gxh/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:154:12
#16 0x5d0de1 in AP4_File::ParseStream(AP4_ByteStream&, AP4_AtomFactory&, bool) /home/gxh/Bento4/Source/C++/Core/Ap4File.cpp:104:12
#17 0x5d24aa in AP4_File::AP4_File(AP4_ByteStream&, bool) /home/gxh/Bento4/Source/C++/Core/Ap4File.cpp:78:5
#18 0x4ca952 in main /home/gxh/Bento4/Source/C++/Apps/Mp4Info/Mp4Info.cpp:1902:26
#19 0x7ffff7a75d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: out-of-memory (/home/gxh/Bento4/check_build/mp4info+0x4c73ed) in operator new(unsigned long)
==1178780==ABORTING

crash input

https://github.com/gxh191/fuzzer_crash/tree/main/Bento4

./mp4info --verbose mp4info_bad_alloc

Validation steps

git clone https://github.com/axiomatic-systems/Bento4
cd Bento4/
mkdir check_build && cd check_build
cmake ../ -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_FLAGS="-fsanitize=address" -DCMAKE_CXX_FLAGS="-fsanitize=address" -DCMAKE_BUILD_TYPE=Release
make -j16
./mp4info --verbose mp4info_bad_alloc
@barbibulle barbibulle self-assigned this Mar 1, 2024
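The stack above shows the entry count read from the file being passed straight to SetItemCount, so a hostile count turns into a multi-gigabyte allocation. The following is an added example, not Bento4's code and not the maintainer's fix: a standalone tfra reader that bounds entry_count by the bytes actually left in the atom before reserving anything, using the tfra layout from ISO/IEC 14496-12 and a constructed sample payload (make_sample_tfra, parse_sample are helpers written here).

```cpp
#include <cstdint>
#include <cstddef>
#include <vector>

struct TfraEntry { uint64_t time, moof_offset; uint32_t traf, trun, sample; };
struct Result { int rc; size_t n; uint64_t last_moof; };

static uint32_t rd32(const uint8_t* p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static uint64_t rdN(const uint8_t* p, unsigned n) {   // big-endian, 1..8 bytes
    uint64_t v = 0; for (unsigned i = 0; i < n; ++i) v = (v << 8) | p[i]; return v;
}

// data/size = tfra payload after the 8-byte box header.
// 0 = ok, -1 = truncated header, -2 = entry_count larger than the payload can hold.
int parse_tfra(const uint8_t* data, size_t size, std::vector<TfraEntry>& out) {
    if (size < 16) return -1;   // version/flags(4) track_ID(4) length fields(4) entry_count(4)
    unsigned version  = data[0];
    uint32_t lengths  = rd32(data + 8);
    unsigned traf_len = ((lengths >> 4) & 3) + 1, trun_len = ((lengths >> 2) & 3) + 1;
    unsigned samp_len = (lengths & 3) + 1;
    uint32_t entry_count = rd32(data + 12);
    size_t entry_size = (version == 1 ? 16 : 8) + traf_len + trun_len + samp_len;
    // Reject the count before allocating: every entry must fit in the remaining bytes.
    if (entry_count > (size - 16) / entry_size) return -2;
    out.clear(); out.reserve(entry_count);
    const uint8_t* p = data + 16;
    for (uint32_t i = 0; i < entry_count; ++i) {
        TfraEntry e; unsigned w = version == 1 ? 8 : 4;
        e.time = rdN(p, w); e.moof_offset = rdN(p + w, w); p += 2 * w;
        e.traf = (uint32_t)rdN(p, traf_len);   p += traf_len;
        e.trun = (uint32_t)rdN(p, trun_len);   p += trun_len;
        e.sample = (uint32_t)rdN(p, samp_len); p += samp_len;
        out.push_back(e);
    }
    return 0;
}

// Constructed sample: version 0, track_ID 1, 1-byte traf/trun/sample numbers, two real
// entries, with the entry_count field set to whatever the caller asks for.
std::vector<uint8_t> make_sample_tfra(uint32_t count_field) {
    std::vector<uint8_t> b = {0,0,0,0, 0,0,0,1, 0,0,0,0};
    auto put32 = [&](uint32_t v) { for (int s = 24; s >= 0; s -= 8) b.push_back((uint8_t)(v >> s)); };
    put32(count_field);
    put32(100); put32(200); b.insert(b.end(), {1, 1, 1});
    put32(300); put32(400); b.insert(b.end(), {2, 2, 2});
    return b;
}
Result parse_sample(uint32_t count_field) {
    std::vector<uint8_t> b = make_sample_tfra(count_field); std::vector<TfraEntry> e;
    int rc = parse_tfra(b.data(), b.size(), e);
    return { rc, e.size(), e.empty() ? 0 : e.back().moof_offset };
}
```

With the count field set to 0xFFFFFFFF the parser returns -2 without touching the allocator, whereas the honest count of 2 parses both entries.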