Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

mp42avc found allocation-size-too-big crash #947

Open
40ngx opened this issue Mar 29, 2024 · 0 comments
Open

mp42avc found allocation-size-too-big crash #947

40ngx opened this issue Mar 29, 2024 · 0 comments

Comments

@40ngx
Copy link

40ngx commented Mar 29, 2024

Hi, I found allocation-size-too-big crash in mp42avc. It seems to be caused by a bug in Bento4/Source/C++/Core/Ap4RtpAtom.cpp:50:25. I noticed someone had found a similar problem with mp42aac. But it seems it still hasn't been fixed. The command that causes the vulnerability and related crash information are as follows:

./mp42avc poc out

poc.zip
Asan trace report:

=================================================================
==1784304==ERROR: AddressSanitizer: requested allocation size 0xffffffffe7000019 (0xffffffffe7001020 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0)
    #0 0x55fab814153d in operator new[](unsigned long) (/root/fuzzing_Bento4/Bento4/cmakebuild/mp42avc+0x18f53d) (BuildId: b6869cc7d4500ad6)
    #1 0x55fab817a0c6 in AP4_RtpAtom::AP4_RtpAtom(unsigned int, AP4_ByteStream&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4RtpAtom.cpp:50:25
    #2 0x55fab817a0c6 in AP4_RtpAtom::Create(unsigned int, AP4_ByteStream&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4RtpAtom.h:53:20
    #3 0x55fab817a0c6 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:689:20
    #4 0x55fab81809ee in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
    #5 0x55fab81a3613 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
    #6 0x55fab81762f3 in AP4_VisualSampleEntry::AP4_VisualSampleEntry(unsigned int, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4SampleEntry.cpp:884:5
    #7 0x55fab81762f3 in AP4_AvcSampleEntry::AP4_AvcSampleEntry(unsigned int, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4SampleEntry.cpp:1136:5
    #8 0x55fab81762f3 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:319:24
    #9 0x55fab81809ee in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
    #10 0x55fab8308e0e in AP4_StsdAtom::AP4_StsdAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4StsdAtom.cpp:101:13
    #11 0x55fab8308953 in AP4_StsdAtom::Create(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4StsdAtom.cpp:57:16
    #12 0x55fab81795bb in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:458:20
    #13 0x55fab81809ee in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
    #14 0x55fab81a29d2 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
    #15 0x55fab81a29d2 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139:5
    #16 0x55fab81a123b in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
    #17 0x55fab8179573 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816:20
    #18 0x55fab81809ee in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
    #19 0x55fab81a29d2 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
    #20 0x55fab81a29d2 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139:5
    #21 0x55fab81a123b in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
    #22 0x55fab8179573 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816:20
    #23 0x55fab81809ee in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
    #24 0x55fab81a29d2 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
    #25 0x55fab81a29d2 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139:5
    #26 0x55fab81a123b in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
    #27 0x55fab8179573 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816:20
    #28 0x55fab81809ee in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
    #29 0x55fab81a29d2 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
    #30 0x55fab81a29d2 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139:5
    #31 0x55fab8179b12 in AP4_TrakAtom::AP4_TrakAtom(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4TrakAtom.cpp:165:5
    #32 0x55fab8179b12 in AP4_TrakAtom::Create(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4TrakAtom.h:58:20
    #33 0x55fab8179b12 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:413:20
    #34 0x55fab81809ee in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
    #35 0x55fab81a29d2 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
    #36 0x55fab81a29d2 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139:5
    #37 0x55fab81f2436 in AP4_MoovAtom::AP4_MoovAtom(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4MoovAtom.cpp:79:5
    #38 0x55fab8179e2a in AP4_MoovAtom::Create(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4MoovAtom.h:56:20
    #39 0x55fab8179e2a in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:393:20
    #40 0x55fab81809ee in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
    #41 0x55fab8180021 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:154:12

==1784304==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: allocation-size-too-big (/root/fuzzing_Bento4/Bento4/cmakebuild/mp42avc+0x18f53d) (BuildId: b6869cc7d4500ad6) in operator new[](unsigned long)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@40ngx