SEGV ASAN in mp4fragment #941

Open
zhangteng0526 opened this issue Mar 25, 2024 · 0 comments

Dear Bento4 developers, I used AFL++ to fuzz-test Bento4 and found some problems.
To help with debugging, here is some output from a program built with ASan:

unable to autodetect fragment duration, using default
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1718535==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000006b229c bp 0x60b000000408 sp 0x7ffe5a6079e0 T0)
==1718535==The signal is caused by a READ memory access.
==1718535==Hint: address points to the zero page.
    #0 0x6b229c in AP4_StsdAtom::AP4_StsdAtom(AP4_SampleTable*) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4StsdAtom.cpp:75:47
    #1 0x825ed3 in AP4_SampleTable::GenerateStblAtom(AP4_ContainerAtom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4SampleTable.cpp:59:30
    #2 0x6fb497 in AP4_TrakAtom::AP4_TrakAtom(AP4_SampleTable*, unsigned int, char const*, unsigned int, unsigned long long, unsigned long long, unsigned long long, unsigned int, unsigned long long, unsigned short, char const*, unsigned int, unsigned int, unsigned short, unsigned short, int const*) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4TrakAtom.cpp:131:28
    #3 0x6f60dd in AP4_Track::AP4_Track(AP4_SampleTable*, unsigned int, unsigned int, unsigned long long, unsigned int, unsigned long long, AP4_Track const*) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Track.cpp:183:22
    #4 0x4cf67a in Fragment(AP4_File&, AP4_ByteStream&, AP4_Array<TrackCursor*>&, unsigned int, unsigned int, bool, bool, bool) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Apps/Mp4Fragment/Mp4Fragment.cpp:360:39
    #5 0x4cf67a in main /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Apps/Mp4Fragment/Mp4Fragment.cpp:1475:5
    #6 0x7f0e35d8b082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16
    #7 0x41c90d in _start (/home/zt/cnvd/Bento4/Bento4-fuzzer/build/mp4fragment+0x41c90d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4StsdAtom.cpp:75:47 in AP4_StsdAtom::AP4_StsdAtom(AP4_SampleTable*)
==1718535==ABORTING

unable to autodetect fragment duration, using default
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1686304==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f80a52d6915 bp 0x7ffe1023fd70 sp 0x7ffe1023f528 T0)
==1686304==The signal is caused by a READ memory access.
==1686304==Hint: address points to the zero page.
    #0 0x7f80a52d6915  /build/glibc-wuryBv/glibc-2.31/string/../sysdeps/x86_64/multiarch/strlen-avx2.S:65
    #1 0x42f3e8 in strlen (/home/zt/cnvd/Bento4/Bento4-fuzzer/build/mp4fragment+0x42f3e8)
    #2 0x5e3c2f in AP4_MdhdAtom::AP4_MdhdAtom(unsigned long long, unsigned long long, unsigned int, unsigned long long, char const*) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4MdhdAtom.cpp:69:9
    #3 0x6fb6d1 in AP4_TrakAtom::AP4_TrakAtom(AP4_SampleTable*, unsigned int, char const*, unsigned int, unsigned long long, unsigned long long, unsigned long long, unsigned int, unsigned long long, unsigned short, char const*, unsigned int, unsigned int, unsigned short, unsigned short, int const*) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4TrakAtom.cpp:143:22
    #4 0x6f60dd in AP4_Track::AP4_Track(AP4_SampleTable*, unsigned int, unsigned int, unsigned long long, unsigned int, unsigned long long, AP4_Track const*) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Track.cpp:183:22
    #5 0x4cf67a in Fragment(AP4_File&, AP4_ByteStream&, AP4_Array<TrackCursor*>&, unsigned int, unsigned int, bool, bool, bool) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Apps/Mp4Fragment/Mp4Fragment.cpp:360:39
    #6 0x4cf67a in main /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Apps/Mp4Fragment/Mp4Fragment.cpp:1475:5
    #7 0x7f80a5172082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16
    #8 0x41c90d in _start (/home/zt/cnvd/Bento4/Bento4-fuzzer/build/mp4fragment+0x41c90d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /build/glibc-wuryBv/glibc-2.31/string/../sysdeps/x86_64/multiarch/strlen-avx2.S:65 
==1686304==ABORTING

Crash input:

poc.zip
poc1.zip

Validation steps

git clone https://github.com/axiomatic-systems/Bento4
cd Bento4/
mkdir check_build && cd check_build
cmake ../ -DCMAKE_C_COMPILER=clang  -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_FLAGS="-fsanitize=address" -DCMAKE_CXX_FLAGS="-fsanitize=address" -DCMAKE_BUILD_TYPE=Release
make -j$(nproc)
./mp4fragment input /dev/null

Environment

Ubuntu 20.04 LTS
Bento v1.6.0-641
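Both traces above end in a constructor touching a pointer that is null for this input: `strlen()` on the `char const*` passed to `AP4_MdhdAtom`, and a read through the `AP4_SampleTable*` given to `AP4_StsdAtom`. The following is an added, self-contained illustration of that failure pattern beside a fail-closed variant; it is not Bento4 code, and the types `SampleTable`, `MdhdAtom`, `StsdAtom`, `TrakAtom` and the factory `BuildTrak` are hypothetical stand-ins chosen for this example.

```cpp
// Added example, not part of Bento4. Shows the crash pattern from the ASan
// traces (null pointer reaching strlen() / a member access in a constructor)
// next to constructors that validate their inputs and fail closed.
#include <cstddef>
#include <cstring>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Hypothetical stand-in for a parsed sample table.
struct SampleTable {
    std::vector<std::string> sample_descriptions;
};

// Pattern that crashes: the constructor trusts the pointer and hands it to
// strlen(). Passing nullptr here reproduces a "SEGV ... address points to the
// zero page" inside strlen, as in the second trace. Never called below.
struct MdhdAtomUnchecked {
    std::string language;
    explicit MdhdAtomUnchecked(const char* lang)
        : language(lang, std::strlen(lang)) {}
};

// Hardened form: a null language pointer is mapped to the ISO 639-2
// "undetermined" code instead of being dereferenced.
struct MdhdAtom {
    std::string language;
    explicit MdhdAtom(const char* lang) : language(lang ? lang : "und") {}
};

// The stsd atom takes the table by reference, so a null table can never reach
// the constructor; the factory below is the only place that sees the pointer.
struct StsdAtom {
    std::size_t entry_count;
    explicit StsdAtom(const SampleTable& table)
        : entry_count(table.sample_descriptions.size()) {}
};

// Returns nullptr for a null table so the caller can report a malformed file
// rather than crash (this is where the first trace's null deref would occur).
std::unique_ptr<StsdAtom> MakeStsdAtom(const SampleTable* table) {
    if (table == nullptr) return nullptr;
    return std::make_unique<StsdAtom>(*table);
}

struct TrakAtom {
    std::unique_ptr<StsdAtom> stsd;
    MdhdAtom mdhd;
    TrakAtom(std::unique_ptr<StsdAtom> s, MdhdAtom m)
        : stsd(std::move(s)), mdhd(std::move(m)) {}
};

// Combines both checks: a null sample table fails closed, a null language
// string is tolerated. Returns nullptr on malformed input.
std::unique_ptr<TrakAtom> BuildTrak(const SampleTable* table, const char* lang) {
    auto stsd = MakeStsdAtom(table);
    if (!stsd) return nullptr;
    return std::make_unique<TrakAtom>(std::move(stsd), MdhdAtom(lang));
}

int main() {
    SampleTable table;
    table.sample_descriptions = {"avc1"};  // constructed sample entry
    auto good = BuildTrak(&table, nullptr);   // tolerated: language "und"
    auto bad  = BuildTrak(nullptr, "eng");    // rejected: returns nullptr
    return (good && good->mdhd.language == "und" && !bad) ? 0 : 1;
}
```

The point of the two shapes is where the check lives: `StsdAtom` takes a reference so the type itself cannot be built from a null pointer, while `MdhdAtom` keeps the `const char*` signature but substitutes a default. Either way the decision is made once, at the boundary where untrusted parser output enters the atom constructors, rather than relying on every caller to remember it.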
