Hi, developers of Bento4:
An issue was discovered in MP4 File Info - Version 1.3.4 (Bento4 Version 1.6.0.0).
Version Information
MP4 File Info - Version 1.3.4 (Bento4 Version 1.6.0.0).
Description of the vulnerability
When I use AFL's ASan mode to test the mp4info program, AP4_TfraAtom::AP4_TfraAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&) in Ap4TfraAtom.cpp is called; at AP4_TfraAtom::AP4_TfraAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&)+674 it calls operator new(unsigned long)@plt, which allocates too much memory (0x1585948620 bytes), causing the program to crash.
The output of a program compiled normally without ASan is as follows:
terminate called after throwing an instance of 'std::bad_alloc'
what(): std::bad_alloc
[1] 2852939 abort ./mp4info --verbose
The output of AFL's ASan build is as follows:
=================================================================
==1178780==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0x1585948620 bytes
#0 0x4c73ed in operator new(unsigned long) (/home/gxh/Bento4/check_build/mp4info+0x4c73ed)
#1 0x72b8a7 in AP4_Array<AP4_TfraAtom::Entry>::EnsureCapacity(unsigned int) /home/gxh/Bento4/Source/C++/Core/Ap4Array.h:172:25
#2 0x72b8a7 in AP4_Array<AP4_TfraAtom::Entry>::SetItemCount(unsigned int) /home/gxh/Bento4/Source/C++/Core/Ap4Array.h:210:25
#3 0x72b8a7 in AP4_TfraAtom::AP4_TfraAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&) /home/gxh/Bento4/Source/C++/Core/Ap4TfraAtom.cpp:88:15
#4 0x72992b in AP4_TfraAtom::Create(unsigned int, AP4_ByteStream&) /home/gxh/Bento4/Source/C++/Core/Ap4TfraAtom.cpp:53:16
#5 0x555108 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/gxh/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:443:20
#6 0x54da23 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/gxh/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
#7 0x57fc5d in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/gxh/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
#8 0x57f956 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/gxh/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139:5
#9 0x54da23 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/gxh/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
#10 0x57ff95 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/gxh/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
#11 0x57f956 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/gxh/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139:5
#12 0x55540b in AP4_MoovAtom::Create(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /home/gxh/Bento4/Source/C++/Core/Ap4MoovAtom.h:56:20
#13 0x55540b in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/gxh/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:393:20
#14 0x54da23 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/gxh/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
#15 0x54cb00 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) /home/gxh/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:154:12
#16 0x5d0de1 in AP4_File::ParseStream(AP4_ByteStream&, AP4_AtomFactory&, bool) /home/gxh/Bento4/Source/C++/Core/Ap4File.cpp:104:12
#17 0x5d24aa in AP4_File::AP4_File(AP4_ByteStream&, bool) /home/gxh/Bento4/Source/C++/Core/Ap4File.cpp:78:5
#18 0x4ca952 in main /home/gxh/Bento4/Source/C++/Apps/Mp4Info/Mp4Info.cpp:1902:26
#19 0x7ffff7a75d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
SUMMARY: AddressSanitizer: out-of-memory (/home/gxh/Bento4/check_build/mp4info+0x4c73ed) in operator new(unsigned long)
==1178780==ABORTING
Crash input
https://github.com/gxh191/fuzzer_crash/tree/main/Bento4
Validation steps
./mp4info --verbose mp4info_bad_alloc
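The check a maintainer would want for this report, as an added example that is not Bento4's code: a hypothetical tfra payload parser (ReadBE32, TfraEntrySize, TrustingRequestSize and CheckedEntryCount are invented names) that compares the declared number_of_entry against the bytes actually left in the atom before reserving memory, beside the trusting shape that matches the EnsureCapacity/SetItemCount frames in the trace above. The sample payloads are constructed for the example.

```cpp
#include <cstdint>
#include <cstddef>
#include <vector>

// Layout of a 'tfra' payload after the version/flags word (ISO 14496-12):
//   track_ID (4) | 26 reserved bits + length_size_of_traf_num/trun_num/sample_num (2 bits each) (4)
//   | number_of_entry (4) | entries: time + moof_offset (4 bytes each in v0, 8 in v1) + three
//   1..4-byte numbers. Helper names below are hypothetical; this is not Bento4 code.
static uint32_t ReadBE32(const std::vector<uint8_t>& b, size_t at) {
    return (uint32_t)b[at] << 24 | (uint32_t)b[at + 1] << 16 | (uint32_t)b[at + 2] << 8 | b[at + 3];
}

static size_t TfraEntrySize(uint8_t version, uint32_t length_sizes) {
    size_t traf   = ((length_sizes >> 4) & 3) + 1;
    size_t trun   = ((length_sizes >> 2) & 3) + 1;
    size_t sample = (length_sizes & 3) + 1;
    return (version == 1 ? 16 : 8) + traf + trun + sample;
}

// The shape behind the bad_alloc in the report: number_of_entry is read from the header and
// storage for that many entries is requested before a single entry is parsed. This returns the
// byte size such a parser would hand to operator new; it deliberately does not allocate.
uint64_t TrustingRequestSize(const std::vector<uint8_t>& payload, uint8_t version) {
    if (payload.size() < 12) return 0;
    uint32_t count = ReadBE32(payload, 8);
    return (uint64_t)count * TfraEntrySize(version, ReadBE32(payload, 4));
}

// Hardened form: the declared count must fit in the bytes actually left in the atom before any
// memory is reserved. Returns -1 for an inconsistent count, otherwise the count itself.
int64_t CheckedEntryCount(const std::vector<uint8_t>& payload, uint8_t version) {
    if (payload.size() < 12) return -1;
    uint32_t count = ReadBE32(payload, 8);
    size_t entry_size = TfraEntrySize(version, ReadBE32(payload, 4));
    size_t remaining = payload.size() - 12;
    if (count > remaining / entry_size) return -1;  // divide, so count * entry_size cannot overflow
    return (int64_t)count;
}

// Constructed sample: v0 tfra for track 1, all length fields 1 byte (11-byte entries), two entries.
static const std::vector<uint8_t> kGoodTfra = {
    0, 0, 0, 1,   0, 0, 0, 0,   0, 0, 0, 2,
    0, 0, 0, 10,  0, 0, 0, 100, 1, 1, 1,
    0, 0, 0, 20,  0, 0, 0, 200, 1, 2, 1 };
// Constructed sample: same header, number_of_entry = 0x7fffffff, no entry bytes behind it.
static const std::vector<uint8_t> kBadTfra = { 0, 0, 0, 1,   0, 0, 0, 0,   0x7f, 0xff, 0xff, 0xff };
```

The same bound applies to any atom that carries an entry count ahead of its entries (stsz, stco, sidx and similar), since the atom's own size already tells the parser the maximum count that can be real.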