Bento4
[BUG] heap-buffer overflow in WriteSample, mp42hevc
brief description
There is a buffer overflow in WriteSample, which can be triggered via mp42hevc + ASan.
To reproduce
mkdir build && pushd build
CC=clang CFLAGS="-fsanitize=address" CXX=clang CXXFLAGS="-fsanitize=address" cmake .. && make -j$(nproc)
./mp42hevc $POC /dev/null
output
Video Track:
duration: 1000 ms
sample count: 12
=================================================================
==2553363==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000240 at pc 0x00000040e1ca bp 0x7ffce241f7f0 sp 0x7ffce241f7e0
READ of size 1 at 0x602000000240 thread T0
#0 0x40e1c9 in WriteSample(AP4_DataBuffer const&, AP4_DataBuffer&, unsigned int, AP4_ByteStream*) (/home/hzheng/workspace/fuzz/mp42hevc/mp42hevc+0x40e1c9)
#1 0x40a0fa in WriteSamples(AP4_Track*, AP4_SampleDescription*, AP4_ByteStream*) (/home/hzheng/workspace/fuzz/mp42hevc/mp42hevc+0x40a0fa)
#2 0x408cef in main (/home/hzheng/workspace/fuzz/mp42hevc/mp42hevc+0x408cef)
#3 0x7f9cb87390b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#4 0x40780d in _start (/home/hzheng/workspace/fuzz/mp42hevc/mp42hevc+0x40780d)
0x602000000240 is located 0 bytes to the right of 16-byte region [0x602000000230,0x602000000240)
allocated by thread T0 here:
#0 0x8dc617 in operator new[](unsigned long) (/home/hzheng/workspace/fuzz/mp42hevc/mp42hevc+0x8dc617)
#1 0x4257f8 in AP4_DataBuffer::ReallocateBuffer(unsigned int) (/home/hzheng/workspace/fuzz/mp42hevc/mp42hevc+0x4257f8)
#2 0x4267bd in AP4_DataBuffer::SetDataSize(unsigned int) (/home/hzheng/workspace/fuzz/mp42hevc/mp42hevc+0x4267bd)
#3 0x452913 in AP4_Sample::ReadData(AP4_DataBuffer&, unsigned int, unsigned int) (/home/hzheng/workspace/fuzz/mp42hevc/mp42hevc+0x452913)
#4 0x451f6e in AP4_Sample::ReadData(AP4_DataBuffer&) (/home/hzheng/workspace/fuzz/mp42hevc/mp42hevc+0x451f6e)
#5 0x493bd9 in AP4_Track::ReadSample(unsigned int, AP4_Sample&, AP4_DataBuffer&) (/home/hzheng/workspace/fuzz/mp42hevc/mp42hevc+0x493bd9)
#6 0x409f78 in WriteSamples(AP4_Track*, AP4_SampleDescription*, AP4_ByteStream*) (/home/hzheng/workspace/fuzz/mp42hevc/mp42hevc+0x409f78)
#7 0x408cef in main (/home/hzheng/workspace/fuzz/mp42hevc/mp42hevc+0x408cef)
#8 0x7f9cb87390b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/hzheng/workspace/fuzz/mp42hevc/mp42hevc+0x40e1c9) in WriteSample(AP4_DataBuffer const&, AP4_DataBuffer&, unsigned int, AP4_ByteStream*)
Shadow bytes around the buggy address:
0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff8000: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa fd fd
0x0c047fff8010: fa fa 04 fa fa fa 00 03 fa fa 00 fa fa fa 00 04
0x0c047fff8020: fa fa fd fd fa fa fd fa fa fa 04 fa fa fa fd fd
0x0c047fff8030: fa fa 00 03 fa fa fd fa fa fa fd fa fa fa fd fd
=>0x0c047fff8040: fa fa fd fd fa fa 00 00[fa]fa fd fa fa fa fd fa
0x0c047fff8050: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff8060: fa fa fd fa fa fa fd fa fa fa fa fa fa fa fa fa
0x0c047fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==2553363==ABORTING
system
Ubuntu 20.04, clang 12.0.1, Bento4 latest commit 46dd88c5cc0e20e1fc1b970aa87ce68645057f0e
Acknowledgement
POC
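The trace above says WriteSample performed a 1-byte READ exactly at the end of the 16-byte sample buffer that AP4_Sample::ReadData had just sized, while walking the sample's NAL units (the `unsigned int` in WriteSample's signature is the NAL-unit length size). The block below is an added illustration of that bug class and is not Bento4's code: it models a sample as a sequence of `[length-size-byte big-endian length][NAL bytes]` units, shows a walker that trusts the length fields beside one that checks them against the bytes actually remaining, and feeds both three constructed 16-byte samples (the same region size as in the report). That the real root cause is a missing length check is an assumption of this example, not something the report states; the sample bytes, function names and return codes are also made up here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not Bento4's WriteSample; the exact root cause in
 * Bento4 is an assumption here. Model: a sample holds NAL units, each a
 * nalu_length_size-byte big-endian length followed by that many bytes. */

#define WALK_BAD_FORMAT (-1)

/* Constructed 16-byte samples (same size as the region in the ASan report). */

/* Two well-formed units: [len=4][4 bytes][len=4][4 bytes]. */
static const uint8_t SAMPLE_OK[16] = {
    0x00, 0x00, 0x00, 0x04, 0x40, 0x01, 0x0c, 0x01,
    0x00, 0x00, 0x00, 0x04, 0x42, 0x01, 0x01, 0x01,
};

/* A 4-byte unit, a 2-byte unit, then 2 trailing bytes: a truncated length
 * field. An unchecked walker reads data[16] and data[17] to finish it. */
static const uint8_t SAMPLE_TRUNCATED_LENGTH[16] = {
    0x00, 0x00, 0x00, 0x04, 0x40, 0x01, 0x0c, 0x01,
    0x00, 0x00, 0x00, 0x02, 0x42, 0x01, 0x00, 0x00,
};

/* A 4-byte unit, then a unit declaring 9 bytes when only 4 remain. */
static const uint8_t SAMPLE_OVERLONG_NALU[16] = {
    0x00, 0x00, 0x00, 0x04, 0x40, 0x01, 0x0c, 0x01,
    0x00, 0x00, 0x00, 0x09, 0x44, 0x01, 0xc1, 0x72,
};

/* Vulnerable shape: every read is driven by the file's own length fields,
 * never by how many bytes the sample actually holds. On
 * SAMPLE_TRUNCATED_LENGTH the inner loop reads one byte at data[16]: a
 * 1-byte heap read 0 bytes past a 16-byte region, the shape ASan reported.
 * Shown for contrast only; never run it on untrusted input. */
static int walk_nalus_unchecked(const uint8_t *data, size_t data_size,
                                unsigned nalu_length_size)
{
    int count = 0;
    while (data_size > 0) {
        size_t nalu_size = 0;
        for (unsigned i = 0; i < nalu_length_size; i++) {
            nalu_size = (nalu_size << 8) | *data++;  /* no check a byte is left */
        }
        data_size -= nalu_length_size;               /* wraps when fewer remain */
        data      += nalu_size;                      /* never compared to data_size */
        data_size -= nalu_size;
        count++;
    }
    return count;
}

/* Hardened form: returns the unit count, or WALK_BAD_FORMAT as soon as a
 * length field or a declared unit body would run past the sample. */
static int walk_nalus_checked(const uint8_t *data, size_t data_size,
                              unsigned nalu_length_size)
{
    int count = 0;
    if (nalu_length_size < 1 || nalu_length_size > 4) return WALK_BAD_FORMAT;
    while (data_size > 0) {
        /* 1. The length field itself must fit in the bytes that remain. */
        if (data_size < nalu_length_size) return WALK_BAD_FORMAT;
        size_t nalu_size = 0;
        for (unsigned i = 0; i < nalu_length_size; i++) {
            nalu_size = (nalu_size << 8) | data[i];
        }
        data      += nalu_length_size;
        data_size -= nalu_length_size;
        /* 2. The declared body must fit too; an empty unit is also malformed. */
        if (nalu_size == 0 || nalu_size > data_size) return WALK_BAD_FORMAT;
        data      += nalu_size;
        data_size -= nalu_size;
        count++;
    }
    return count;
}

int main(void)
{
    printf("ok:        %d\n", walk_nalus_checked(SAMPLE_OK, sizeof SAMPLE_OK, 4));
    printf("truncated: %d\n", walk_nalus_checked(SAMPLE_TRUNCATED_LENGTH,
                                                 sizeof SAMPLE_TRUNCATED_LENGTH, 4));
    printf("overlong:  %d\n", walk_nalus_checked(SAMPLE_OVERLONG_NALU,
                                                 sizeof SAMPLE_OVERLONG_NALU, 4));
    return 0;
}
```

Compiling this with `-fsanitize=address` and calling `walk_nalus_unchecked` on `SAMPLE_TRUNCATED_LENGTH` reproduces a report of the same shape as the one above (READ of size 1, 0 bytes to the right of a 16-byte region); the two checks in `walk_nalus_checked` are the kind of bound a fix for this class of bug adds, whichever of the two the real WriteSample was missing.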
The issue doesn't seem to happen with the latest commit on the main branch. Can you confirm?
Hello, this issue still seems to happen in the latest commit. My test environment: Ubuntu 20.04.3 LTS, gcc 9.3.0.