
SEGV caused by accessing uninitialised memory in SetData, Ap4DataBuffer.cpp:175

Open 5hadowblad3 opened this issue 4 years ago • 0 comments

Hi there.

There is a segmentation fault caused by accessing uninitialized memory in the newest master branch 5922ba762a.

Compiled with:

-DCMAKE_C_FLAGS="-fsanitize=address" -DCMAKE_CXX_FLAGS="-fsanitize=address"

Here is the command to reproduce it:

mp42aac poc /dev/null

POC: POC.zip (unzip first)

Here is the trace reported by ASAN:

==68530==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x0000004ae2be bp 0x7ffe63d3f700 sp 0x7ffe63d3eea0 T0)
 ==68530==The signal is caused by a READ memory access.
 ==68530==Hint: this fault was caused by a dereference of a high value address (see register values below).  Dissassemble the provided pc to learn which register was used.
     #0 0x4ae2be in AddressIsPoisoned /dependence/llvm-project/compiler-rt/lib/asan/asan_mapping.h:386
     #1 0x4ae2be in QuickCheckForUnpoisonedRegion /dependence/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.h:31
     #2 0x4ae2be in __asan_memcpy /dependence/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22
     #3 0x501e0e in AP4_DataBuffer::SetData(unsigned char const*, unsigned int) /mnt/data/playground/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:175:5
     #4 0x5a575f in AP4_AvccAtom::AP4_AvccAtom(unsigned int, unsigned char const*) /mnt/data/playground/Bento4/Source/C++/Core/Ap4AvccAtom.cpp:176:40
     #5 0x5a30ff in AP4_AvccAtom::Create(unsigned int, AP4_ByteStream&) /mnt/data/playground/Bento4/Source/C++/Core/Ap4AvccAtom.cpp:95:16
     #6 0x59956c in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /mnt/data/playground/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:513:20
     #7 0x594a48 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /mnt/data/playground/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
     #8 0x5dcf0c in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /mnt/data/playground/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
     #9 0x531f0a in AP4_SampleEntry::Read(AP4_ByteStream&, AP4_AtomFactory&) /mnt/data/playground/Bento4/Source/C++/Core/Ap4SampleEntry.cpp:115:9
     #10 0x53969d in AP4_VisualSampleEntry::AP4_VisualSampleEntry(unsigned int, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /mnt/data/playground/Bento4/Source/C++/Core/Ap4SampleEntry.cpp:884:5
     #11 0x50f04c in AP4_EncvSampleEntry::AP4_EncvSampleEntry(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /mnt/data/playground/Bento4/Source/C++/Core/Ap4Protection.cpp:173:5
     #12 0x5974d6 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /mnt/data/playground/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:302:24
     #13 0x594a48 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /mnt/data/playground/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
     #14 0x54568d in AP4_StsdAtom::AP4_StsdAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /mnt/data/playground/Bento4/Source/C++/Core/Ap4StsdAtom.cpp:101:13
     #15 0x544938 in AP4_StsdAtom::Create(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /mnt/data/playground/Bento4/Source/C++/Core/Ap4StsdAtom.cpp:57:16
     #16 0x598b35 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /mnt/data/playground/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:458:20
     #17 0x594a48 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /mnt/data/playground/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
     #18 0x5dcf0c in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /mnt/data/playground/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
     #19 0x5dcca0 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /mnt/data/playground/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139:5
     #20 0x5dbd2c in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /mnt/data/playground/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
     #21 0x596f3e in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /mnt/data/playground/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816:20
     #22 0x594a48 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /mnt/data/playground/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
     #23 0x605528 in AP4_DrefAtom::AP4_DrefAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /mnt/data/playground/Bento4/Source/C++/Core/Ap4DrefAtom.cpp:84:16
     #24 0x604ae8 in AP4_DrefAtom::Create(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /mnt/data/playground/Bento4/Source/C++/Core/Ap4DrefAtom.cpp:50:16
     #25 0x599804 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /mnt/data/playground/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:580:20
     #26 0x594a48 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /mnt/data/playground/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
     #27 0x5dcf0c in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /mnt/data/playground/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
     #28 0x5dcca0 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /mnt/data/playground/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139:5
     #29 0x5dbd2c in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /mnt/data/playground/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
     #30 0x596f3e in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /mnt/data/playground/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816:20
     #31 0x594a48 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /mnt/data/playground/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
     #32 0x5dcf0c in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /mnt/data/playground/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
     #33 0x5dcca0 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /mnt/data/playground/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139:5
     #34 0x5dbd2c in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /mnt/data/playground/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
     #35 0x596f3e in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /mnt/data/playground/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816:20
     #36 0x594a48 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /mnt/data/playground/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
     #37 0x5dcf0c in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /mnt/data/playground/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
     #38 0x5dcca0 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /mnt/data/playground/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139:5
     #39 0x50680b in AP4_MoovAtom::AP4_MoovAtom(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /mnt/data/playground/Bento4/Source/C++/Core/Ap4MoovAtom.cpp:79:5
     #40 0x59994f in AP4_MoovAtom::Create(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /mnt/data/playground/Bento4/Source/C++/Core/Ap4MoovAtom.h:56:20
     #41 0x59994f in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /mnt/data/playground/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:393:20
     #42 0x594a48 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /mnt/data/playground/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
     #43 0x593e43 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) /mnt/data/playground/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:154:12
     #44 0x502982 in AP4_File::ParseStream(AP4_ByteStream&, AP4_AtomFactory&, bool) /mnt/data/playground/Bento4/Source/C++/Core/Ap4File.cpp:104:12
     #45 0x50306b in AP4_File::AP4_File(AP4_ByteStream&, bool) /mnt/data/playground/Bento4/Source/C++/Core/Ap4File.cpp:78:5
     #46 0x4f6762 in main /mnt/data/playground/Bento4/Source/C++/Apps/Mp42Aac/Mp42Aac.cpp:250:22
     #47 0x7fa41bede83f in __libc_start_main /build/glibc-S7Ft5T/glibc-2.23/csu/../csu/libc-start.c:291
     #48 0x41c1b8 in _start (/mnt/data/playground/Bento4/build/mp42aac+0x41c1b8)
 
 AddressSanitizer can not provide additional info.
 SUMMARY: AddressSanitizer: SEGV /dependence/llvm-project/compiler-rt/lib/asan/asan_mapping.h:386 in AddressIsPoisoned
 ==68530==ABORTING

Here are the details reported by Valgrind:

==70154== Memcheck, a memory error detector
==70154== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==70154== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==70154== 
==70154== Conditional jump or move depends on uninitialised value(s)
==70154==    at 0x404409: AP4_DataBuffer::SetData(unsigned char const*, unsigned int) (in /mnt/data/playground/Bento4/build-o/mp42aac)
==70154==    by 0x43110C: AP4_AvccAtom::AP4_AvccAtom(unsigned int, unsigned char const*) (in /mnt/data/playground/Bento4/build-o/mp42aac)
==70154==    by 0x430AA8: AP4_AvccAtom::Create(unsigned int, AP4_ByteStream&) (in /mnt/data/playground/Bento4/build-o/mp42aac)
==70154==    by 0x42D63F: AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (in /mnt/data/playground/Bento4/build-o/mp42aac)
==70154==    by 0x42C335: AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (in /mnt/data/playground/Bento4/build-o/mp42aac)
==70154==    by 0x43F629: AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (in /mnt/data/playground/Bento4/build-o/mp42aac)
==70154==    by 0x412730: AP4_SampleEntry::Read(AP4_ByteStream&, AP4_AtomFactory&) (in /mnt/data/playground/Bento4/build-o/mp42aac)
==70154==    by 0x4148B0: AP4_VisualSampleEntry::AP4_VisualSampleEntry(unsigned int, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) (in /mnt/data/playground/Bento4/build-o/mp42aac)
==70154==    by 0x407D89: AP4_EncvSampleEntry::AP4_EncvSampleEntry(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) (in /mnt/data/playground/Bento4/build-o/mp42aac)
==70154==    by 0x42C7C1: AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (in /mnt/data/playground/Bento4/build-o/mp42aac)
==70154==    by 0x42C335: AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (in /mnt/data/playground/Bento4/build-o/mp42aac)
==70154==    by 0x4177AE: AP4_StsdAtom::AP4_StsdAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) (in /mnt/data/playground/Bento4/build-o/mp42aac)
==70154==  Uninitialised value was created by a heap allocation
==70154==    at 0x4C2E216: operator new(unsigned long) (vg_replace_malloc.c:334)
==70154==    by 0x431C2A: AP4_Array<AP4_DataBuffer>::EnsureCapacity(unsigned int) (in /mnt/data/playground/Bento4/build-o/mp42aac)
==70154==    by 0x431054: AP4_AvccAtom::AP4_AvccAtom(unsigned int, unsigned char const*) (in /mnt/data/playground/Bento4/build-o/mp42aac)
==70154==    by 0x430AA8: AP4_AvccAtom::Create(unsigned int, AP4_ByteStream&) (in /mnt/data/playground/Bento4/build-o/mp42aac)
==70154==    by 0x42D63F: AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (in /mnt/data/playground/Bento4/build-o/mp42aac)
==70154==    by 0x42C335: AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (in /mnt/data/playground/Bento4/build-o/mp42aac)
==70154==    by 0x43F629: AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (in /mnt/data/playground/Bento4/build-o/mp42aac)
==70154==    by 0x412730: AP4_SampleEntry::Read(AP4_ByteStream&, AP4_AtomFactory&) (in /mnt/data/playground/Bento4/build-o/mp42aac)
==70154==    by 0x4148B0: AP4_VisualSampleEntry::AP4_VisualSampleEntry(unsigned int, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) (in /mnt/data/playground/Bento4/build-o/mp42aac)
==70154==    by 0x407D89: AP4_EncvSampleEntry::AP4_EncvSampleEntry(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) (in /mnt/data/playground/Bento4/build-o/mp42aac)
==70154==    by 0x42C7C1: AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (in /mnt/data/playground/Bento4/build-o/mp42aac)
==70154==    by 0x42C335: AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (in /mnt/data/playground/Bento4/build-o/mp42aac)
==70154== 
==70154== Conditional jump or move depends on uninitialised value(s)
==70154==    at 0x404415: AP4_DataBuffer::SetData(unsigned char const*, unsigned int) (in /mnt/data/playground/Bento4/build-o/mp42aac)
==70154==    by 0x43110C: AP4_AvccAtom::AP4_AvccAtom(unsigned int, unsigned char const*) (in /mnt/data/playground/Bento4/build-o/mp42aac)
==70154==    by 0x430AA8: AP4_AvccAtom::Create(unsigned int, AP4_ByteStream&) (in /mnt/data/playground/Bento4/build-o/mp42aac)
==70154==    by 0x42D63F: AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (in /mnt/data/playground/Bento4/build-o/mp42aac)
==70154==    by 0x42C335: AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (in /mnt/data/playground/Bento4/build-o/mp42aac)
==70154==    by 0x43F629: AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (in /mnt/data/playground/Bento4/build-o/mp42aac)
==70154==    by 0x412730: AP4_SampleEntry::Read(AP4_ByteStream&, AP4_AtomFactory&) (in /mnt/data/playground/Bento4/build-o/mp42aac)
==70154==    by 0x4148B0: AP4_VisualSampleEntry::AP4_VisualSampleEntry(unsigned int, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) (in /mnt/data/playground/Bento4/build-o/mp42aac)
==70154==    by 0x407D89: AP4_EncvSampleEntry::AP4_EncvSampleEntry(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) (in /mnt/data/playground/Bento4/build-o/mp42aac)
==70154==    by 0x42C7C1: AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (in /mnt/data/playground/Bento4/build-o/mp42aac)
==70154==    by 0x42C335: AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (in /mnt/data/playground/Bento4/build-o/mp42aac)
==70154==    by 0x4177AE: AP4_StsdAtom::AP4_StsdAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) (in /mnt/data/playground/Bento4/build-o/mp42aac)
==70154==  Uninitialised value was created by a heap allocation
==70154==    at 0x4C2E216: operator new(unsigned long) (vg_replace_malloc.c:334)
==70154==    by 0x431C2A: AP4_Array<AP4_DataBuffer>::EnsureCapacity(unsigned int) (in /mnt/data/playground/Bento4/build-o/mp42aac)
==70154==    by 0x431054: AP4_AvccAtom::AP4_AvccAtom(unsigned int, unsigned char const*) (in /mnt/data/playground/Bento4/build-o/mp42aac)
==70154==    by 0x430AA8: AP4_AvccAtom::Create(unsigned int, AP4_ByteStream&) (in /mnt/data/playground/Bento4/build-o/mp42aac)
==70154==    by 0x42D63F: AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (in /mnt/data/playground/Bento4/build-o/mp42aac)
==70154==    by 0x42C335: AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (in /mnt/data/playground/Bento4/build-o/mp42aac)
==70154==    by 0x43F629: AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (in /mnt/data/playground/Bento4/build-o/mp42aac)
==70154==    by 0x412730: AP4_SampleEntry::Read(AP4_ByteStream&, AP4_AtomFactory&) (in /mnt/data/playground/Bento4/build-o/mp42aac)
==70154==    by 0x4148B0: AP4_VisualSampleEntry::AP4_VisualSampleEntry(unsigned int, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) (in /mnt/data/playground/Bento4/build-o/mp42aac)
==70154==    by 0x407D89: AP4_EncvSampleEntry::AP4_EncvSampleEntry(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) (in /mnt/data/playground/Bento4/build-o/mp42aac)
==70154==    by 0x42C7C1: AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (in /mnt/data/playground/Bento4/build-o/mp42aac)
==70154==    by 0x42C335: AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (in /mnt/data/playground/Bento4/build-o/mp42aac)
==70154== 
ERROR: unable to parse sample description
==70154== 
==70154== HEAP SUMMARY:
==70154==     in use at exit: 0 bytes in 0 blocks
==70154==   total heap usage: 195 allocs, 195 frees, 107,917 bytes allocated
==70154== 
==70154== All heap blocks were freed -- no leaks are possible
==70154== 
==70154== For counts of detected and suppressed errors, rerun with: -v
==70154== ERROR SUMMARY: 10 errors from 2 contexts (suppressed: 0 from 0)

5hadowblad3, Aug 19 '21 09:08
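The two traces agree on the shape of the bug: Valgrind says the uninitialised values originate in a raw allocation made by AP4_Array<AP4_DataBuffer>::EnsureCapacity inside the AP4_AvccAtom constructor, and both tools fault inside AP4_DataBuffer::SetData when it uses those values. That is the classic reserve-versus-construct confusion: a container grows its storage without constructing elements, an unchecked operator[] hands out a slot that was never constructed, and the element's own method then trusts garbage header fields. The following is an added example, not the reporter's POC and not Bento4's code. It is a reduced model of that pattern built from what the traces show; the exact control flow inside AP4_AvccAtom is an assumption, the names (RawArray, Buffer, ParseSpsNaive, ParseSpsChecked) are hypothetical, and the payload layout follows the avcC box (6-byte header, SPS count in payload[5] & 31, then a 16-bit big-endian length plus bytes per SPS). The naive parser skips a truncated entry but keeps indexing by its loop counter, so the index runs ahead of the constructed count; the checked parser treats truncation as a format error and only ever writes through the reference Append() returns.

```cpp
// Added example, not Bento4 code: reduced model of the bug class the traces
// point at. RawArray::EnsureCapacity allocates raw storage with ::operator new
// and constructs nothing (the allocation Valgrind names as the origin of the
// uninitialised values); operator[] is unchecked, so a slot that was never
// Append()ed is handed out as a Buffer whose fields are garbage, and SetData()
// then uses them. All names are hypothetical assumptions.
#include <cstddef>
#include <cstdint>
#include <new>
#include <utility>
#include <vector>

// Stand-in for a data buffer: SetData() relies on its own header fields.
struct Buffer {
    std::vector<uint8_t> bytes;
    void SetData(const uint8_t* src, size_t n) { bytes.assign(src, src + n); }
};

template <typename T>
class RawArray {
public:
    RawArray() = default;
    RawArray(const RawArray&) = delete;
    RawArray& operator=(const RawArray&) = delete;
    ~RawArray() {
        for (size_t i = 0; i < count_; ++i) items_[i].~T();
        ::operator delete(items_);
    }
    // Reserves capacity only: slots [count_, n) stay uninitialised bytes.
    void EnsureCapacity(size_t n) {
        if (n <= capacity_) return;
        T* fresh = static_cast<T*>(::operator new(n * sizeof(T)));
        for (size_t i = 0; i < count_; ++i) {
            new (&fresh[i]) T(std::move(items_[i]));
            items_[i].~T();
        }
        ::operator delete(items_);
        items_ = fresh;
        capacity_ = n;
    }
    // The only way a slot becomes a live T.
    T& Append() {
        EnsureCapacity(count_ + 1);
        return *new (&items_[count_++]) T();
    }
    size_t ItemCount() const { return count_; }
    // Unchecked access, as in a release build: i >= count_ names a raw slot.
    T& operator[](size_t i) { return items_[i]; }
    // Checked access: nullptr for any slot that has not been constructed.
    T* At(size_t i) { return i < count_ ? &items_[i] : nullptr; }
private:
    T* items_ = nullptr;
    size_t count_ = 0;
    size_t capacity_ = 0;
};

enum class Status { Ok, TooShort, Truncated, IndexPastConstructed };

// Naive parser: a truncated entry is skipped, but the loop counter keeps
// advancing, so after one skip it indexes past ItemCount(). At() is used here
// so the fault is reported as a status; with operator[] it would be the
// uninitialised read in SetData that ASAN and Valgrind show.
Status ParseSpsNaive(const uint8_t* payload, size_t size, RawArray<Buffer>& out) {
    if (size < 6) return Status::TooShort;
    size_t num = payload[5] & 31;
    out.EnsureCapacity(num);
    size_t cursor = 6;
    for (size_t i = 0; i < num; ++i) {
        if (cursor + 2 > size) continue;
        size_t len = (size_t(payload[cursor]) << 8) | payload[cursor + 1];
        cursor += 2;
        if (cursor + len > size) continue;      // skipped, but i still advances
        out.Append();
        Buffer* slot = out.At(i);               // i may exceed ItemCount() - 1
        if (!slot) return Status::IndexPastConstructed;
        slot->SetData(payload + cursor, len);
        cursor += len;
    }
    return Status::Ok;
}

// Hardened parser: a short or overlong entry is a format error, not something
// to skip, the length check is written in the overflow-safe direction, and the
// buffer is filled through the reference Append() returns, so no index can
// ever name a slot that was not constructed.
Status ParseSpsChecked(const uint8_t* payload, size_t size, RawArray<Buffer>& out) {
    if (size < 6) return Status::TooShort;
    size_t num = payload[5] & 31;
    out.EnsureCapacity(num);
    size_t cursor = 6;
    for (size_t i = 0; i < num; ++i) {
        if (cursor + 2 > size) return Status::Truncated;
        size_t len = (size_t(payload[cursor]) << 8) | payload[cursor + 1];
        cursor += 2;
        if (len > size - cursor) return Status::Truncated;
        out.Append().SetData(payload + cursor, len);
        cursor += len;
    }
    return Status::Ok;
}

// Constructed inputs (not the issue's POC): two SPS entries declared, the
// first with an impossible 0xFFFF length and the second well-formed.
static const std::vector<uint8_t> kBadPayload = {
    0x01, 0x64, 0x00, 0x1f, 0xff, 0xe2, 0xff, 0xff, 0x00, 0x01, 0x67 };
static const std::vector<uint8_t> kGoodPayload = {
    0x01, 0x64, 0x00, 0x1f, 0xff, 0xe2, 0x00, 0x02, 0x67, 0x42, 0x00, 0x01, 0x68 };
```

On kBadPayload the naive parser constructs one Buffer and then asks for slot 1, which At() refuses and operator[] would silently hand out as raw memory; the checked parser rejects the file at the first bad length with nothing constructed. The general rule this illustrates: a container's capacity is not its size, so an index derived from the input's declared count must never be used to reach into storage that was only reserved, and parsers of attacker-controlled media should fail closed on a truncated sub-structure rather than skip it and carry on.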