
CVE-2022-40885

Out of memory in Ap4DataBuffer:new AP4_Byte[buffer_size]

Hello, I use the fuzzer (AFL) to fuzz the binary mp42avc and got some crashes which show that the allocator is out of memory trying to allocate 0xXXXXXXXX bytes when the method new is called.

There are two functions in which the crashes occur.

The following are the details.

Bug 1

```
./mp42avc ~/out/crashes/id:000017,sig:06,src:000925+000617,op:splice,rep:128 3.avc

=================================================================
==4126303==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0xc4b26d23 bytes
    #0 0x549287 in operator new[](unsigned long) (/root/Bento4/cmakebuild/mp42avc+0x549287)
    #1 0x558418 in AP4_DataBuffer::AP4_DataBuffer(unsigned int) /root/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:55:16
    #2 0x5ec12a in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:513:20
    #3 0x5e7b66 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
    #4 0x6563c0 in AP4_DrefAtom::AP4_DrefAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4DrefAtom.cpp:84:16
    #5 0x6559d7 in AP4_DrefAtom::Create(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4DrefAtom.cpp:50:16
    #6 0x5ec3a5 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:580:20
    #7 0x5e7b66 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
    #8 0x62e6b0 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
    #9 0x62e48b in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139:5

==4126303==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: out-of-memory (/root/Bento4/cmakebuild/mp42avc+0x549287) in operator new[](unsigned long)
==4126303==ABORTING
```

Bug 2

```
[root@iZ8vb29flmohv2ga6wdtfbZ cmakebuild]# ./mp42avc ~/out/crashes/id:000018,sig:06,src:000606,op:havoc,rep:4 3.avc

=================================================================
==4126299==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0x7d727b02 bytes
    #0 0x549287 in operator new[](unsigned long) (/root/Bento4/cmakebuild/mp42avc+0x549287)
    #1 0x6637c0 in AP4_HdlrAtom::AP4_HdlrAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&) /root/Bento4/Source/C++/Core/Ap4HdlrAtom.cpp:88:18

==4126299==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: out-of-memory (/root/Bento4/cmakebuild/mp42avc+0x549287) in operator new[](unsigned long)
==4126299==ABORTING
```

Ap4HdlrAtom.cpp:88 and Ap4HdlrAtom.cpp call `new[]` with a huge size and then crash.

Bug 3

```
./AFL/afl-fuzz -i ./seed2/ -o ./out3 -d -m none ./Bento4/cmakebuild/aac2mp4 @@ 3.mp4
```

After testing, the above problems also occur in the aac2mp4 binary.

The following are the details.

```
[root@iZ8vb29flmohv2ga6wdtfbZ cmakebuild]# ./aac2mp4 ~/out3/crashes/id:000008,sig:06,src:000074,op:havoc,rep:4 3.mp4

AAC frame [000000]: size = -7, 96000 kHz, 0 ch

=================================================================
==3788615==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0xfffffff9 bytes
    #0 0x54a287 in operator new[](unsigned long) (/root/Bento4/cmakebuild/aac2mp4+0x54a287)
    #1 0x55b578 in AP4_DataBuffer::AP4_DataBuffer(unsigned int) /root/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:55:16

==3788615==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: out-of-memory (/root/Bento4/cmakebuild/aac2mp4+0x54a287) in operator new[](unsigned long)
==3788615==ABORTING
```
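An added example (not Bento4's own code; the helper names, the 64 MiB ceiling and the sample atoms are assumptions of mine) showing the pattern behind Bug 1 and Bug 2, where a size taken from the file goes straight to `new[]`, next to a check that validates the header-declared size against the input before allocating, plus the signed-to-unsigned conversion that turns the `size = -7` of Bug 3 into a 0xfffffff9-byte request:

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Added example, not Bento4 code. An MP4 atom begins with a 32-bit big-endian
// size and a 4-byte type, so its payload is size - 8 bytes. Handing that field
// straight to new[] is the pattern behind the ASan aborts in the traces above.

static uint32_t ReadBE32(const uint8_t* p) {
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) |
           (uint32_t(p[2]) << 8)  |  uint32_t(p[3]);
}

static const size_t kMaxAtomPayload = 64u * 1024 * 1024;  // assumed ceiling

// Unchecked pattern: the size a trusting parser would pass to new[]. It is only
// computed here, never allocated, so the example is safe to run.
size_t UncheckedAllocationSize(const uint8_t* data, size_t len) {
    if (len < 8) return 0;
    return static_cast<size_t>(ReadBE32(data)) - 8;   // 0xc4b26d23 -> about 3.3 GB
}

// Hardened pattern: validate the declared size against the bytes actually
// present and against a sane ceiling before allocating anything.
bool ReadAtomPayloadChecked(const uint8_t* data, size_t len,
                            std::vector<uint8_t>& out) {
    if (len < 8) return false;                      // truncated header
    uint32_t declared = ReadBE32(data);
    if (declared < 8) return false;                 // smaller than its own header
    size_t payload = declared - 8;
    if (payload > len - 8) return false;            // claims more than the input holds
    if (payload > kMaxAtomPayload) return false;    // beyond what we will buffer
    out.assign(data + 8, data + 8 + payload);
    return true;
}

// Same idea for the aac2mp4 trace: a frame size parsed as a signed int. A -7
// converted to unsigned becomes 0xfffffff9, the size ASan reports in Bug 3.
bool CheckedFrameSize(int declared, size_t remaining, size_t& out) {
    if (declared < 0) return false;
    if (static_cast<size_t>(declared) > remaining) return false;
    out = static_cast<size_t>(declared);
    return true;
}

// Constructed inputs: a header claiming 0xc4b26d23 bytes (the Bug 1 value) and a
// well-formed 16-byte 'ftyp' atom.
const uint8_t kHugeAtom[8]   = {0xc4, 0xb2, 0x6d, 0x23, 'm', 'o', 'o', 'v'};
const uint8_t kSmallAtom[16] = {0, 0, 0, 16, 'f', 't', 'y', 'p',
                                'i', 's', 'o', 'm', 0, 0, 0, 1};
```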

Input: input.zip

Crashes: crashes.zip