Heap-buffer-overflow with ASAN in mp42aac #914

Closed
zhangteng0526 opened this issue Dec 28, 2023 · 0 comments
Dear Bento4 developers, I used AFL++ to fuzz-test Bento4 and found some problems.
Here is some output from debugging a program built with ASan:

=================================================================
==1982814==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000011f at pc 0x0000008aa64d bp 0x7fffba272270 sp 0x7fffba272268
READ of size 1 at 0x60200000011f thread T0
    #0 0x8aa64c in AP4_Dec3Atom::AP4_Dec3Atom(unsigned int, unsigned char const*) /home/zt/Bento4/Source/C++/Core/Ap4Dec3Atom.cpp:161:57
    #1 0x8a1f6e in AP4_Dec3Atom::Create(unsigned int, AP4_ByteStream&) /home/zt/Bento4/Source/C++/Core/Ap4Dec3Atom.cpp:56:16
    #2 0x703433 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/zt/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:769:24
    #3 0x6f99a8 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/zt/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
    #4 0x833287 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/zt/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
    #5 0x588686 in AP4_AudioSampleEntry::AP4_AudioSampleEntry(unsigned int, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /home/zt/Bento4/Source/C++/Core/Ap4SampleEntry.cpp:420:5
    #6 0x51763d in AP4_EncaSampleEntry::AP4_EncaSampleEntry(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /home/zt/Bento4/Source/C++/Core/Ap4Protection.cpp:74:5
    #7 0x70135f in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/zt/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:298:24
    #8 0x6f99a8 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/zt/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
    #9 0x5bbc96 in AP4_StsdAtom::AP4_StsdAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /home/zt/Bento4/Source/C++/Core/Ap4StsdAtom.cpp:101:13
    #10 0x5b5c06 in AP4_StsdAtom::Create(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /home/zt/Bento4/Source/C++/Core/Ap4StsdAtom.cpp:57:16
    #11 0x7018e6 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/zt/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:458:20
    #12 0x6f99a8 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/zt/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
    #13 0x6f79ac in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) /home/zt/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:154:12
    #14 0x4f0896 in AP4_File::ParseStream(AP4_ByteStream&, AP4_AtomFactory&, bool) /home/zt/Bento4/Source/C++/Core/Ap4File.cpp:104:12
    #15 0x4f1ec4 in AP4_File::AP4_File(AP4_ByteStream&, bool) /home/zt/Bento4/Source/C++/Core/Ap4File.cpp:78:5
    #16 0x4ca35b in main /home/zt/Bento4/Source/C++/Apps/Mp42Aac/Mp42Aac.cpp:250:22
    #17 0x7fadc2fd5082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16
    #18 0x41eccd in _start (/home/zt/Bento4/build/mp42aac+0x41eccd)

0x60200000011f is located 0 bytes to the right of 15-byte region [0x602000000110,0x60200000011f)
allocated by thread T0 here:
    #0 0x4c6c8d in operator new[](unsigned long) (/home/zt/Bento4/build/mp42aac+0x4c6c8d)
    #1 0x4e9450 in AP4_DataBuffer::AP4_DataBuffer(unsigned int) /home/zt/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:55:16
    #2 0x703433 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/zt/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:769:24
    #3 0x6f99a8 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/zt/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
    #4 0x833287 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/zt/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
    #5 0x588686 in AP4_AudioSampleEntry::AP4_AudioSampleEntry(unsigned int, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /home/zt/Bento4/Source/C++/Core/Ap4SampleEntry.cpp:420:5

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/zt/Bento4/Source/C++/Core/Ap4Dec3Atom.cpp:161:57 in AP4_Dec3Atom::AP4_Dec3Atom(unsigned int, unsigned char const*)
Shadow bytes around the buggy address:
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff8000: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8010: fa fa 04 fa fa fa fd fa fa fa 01 fa fa fa 00 fa
=>0x0c047fff8020: fa fa 00[07]fa fa 00 07 fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1982814==ABORTING

Crash input:

https://github.com/zhangteng0526/crashes/blob/main/Bento4/input1

Validation steps

git clone https://github.com/axiomatic-systems/Bento4
cd Bento4/
mkdir check_build && cd check_build
cmake ../ -DCMAKE_C_COMPILER=clang  -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_FLAGS="-fsanitize=address" -DCMAKE_CXX_FLAGS="-fsanitize=address" -DCMAKE_BUILD_TYPE=Release
make -j$(nproc)
./mp42aac input1 /dev/null

Environment

Ubuntu 20.04 LTS
Bento v1.6.0-641-2-g1529b83
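The report above shows a one-byte read just past a 15-byte payload inside the dec3 atom constructor. The following is an added illustration, not Bento4's own code, of how a dec3 payload parser can reject a truncated payload instead of reading past its end: the bit reader fails any read that would cross the buffer boundary, and the field layout is the EC-3 specific box layout from ETSI TS 102 366 Annex F (the report does not say which field the crashing read belongs to, so that is not claimed here).

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// MSB-first bit reader that refuses to read past the end of the buffer
// instead of indexing beyond it (the over-read class ASan reported).
struct BitReader {
    const uint8_t* data; size_t size; size_t pos = 0;  // pos is in bits
    bool read(unsigned n, uint32_t& out) {
        if (n > 32 || pos + n > size * 8) return false;   // bounds check
        out = 0;
        for (unsigned i = 0; i < n; ++i, ++pos)
            out = (out << 1) | ((data[pos / 8] >> (7 - pos % 8)) & 1);
        return true;
    }
};

struct Dec3SubStream { uint32_t fscod, bsid, asvc, bsmod, acmod, lfeon, num_dep_sub, chan_loc; };
struct Dec3Info { uint32_t data_rate = 0; std::vector<Dec3SubStream> substreams; };

// Parse a dec3 box payload (layout per ETSI TS 102 366 Annex F). Returns
// false on a truncated payload rather than reading beyond `size` bytes.
bool ParseDec3(const uint8_t* payload, size_t size, Dec3Info& info) {
    BitReader bits{payload, size};
    uint32_t v = 0, count = 0;
    info.substreams.clear();
    if (!bits.read(13, info.data_rate) || !bits.read(3, count)) return false;
    for (uint32_t i = 0; i <= count; ++i) {        // num_ind_sub + 1 substreams
        Dec3SubStream s{};
        if (!bits.read(2, s.fscod) || !bits.read(5, s.bsid) || !bits.read(1, v) ||
            !bits.read(1, s.asvc) || !bits.read(3, s.bsmod) || !bits.read(3, s.acmod) ||
            !bits.read(1, s.lfeon) || !bits.read(3, v) || !bits.read(4, s.num_dep_sub))
            return false;
        if (s.num_dep_sub) { if (!bits.read(9, s.chan_loc)) return false; }
        else if (!bits.read(1, v)) return false;   // reserved bit
        info.substreams.push_back(s);
    }
    return true;
}

// Convenience wrapper for byte vectors (constructed inputs in tests/usage).
bool ParseDec3Bytes(const std::vector<uint8_t>& bytes, Dec3Info& info) {
    return ParseDec3(bytes.data(), bytes.size(), info);
}
```

A constructed 15-byte payload whose num_ind_sub field announces eight substreams (which need 26 bytes) is rejected cleanly; an unchecked parser would keep reading past the allocation exactly as in the report.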

@barbibulle barbibulle self-assigned this Feb 17, 2024