
Multiple vulnerabilities exist in mp4edit #964

Open
zhangteng0526 opened this issue May 27, 2024 · 0 comments


Dear Bento4 developers, I used AFL++ to fuzz test Bento4 and found some problems.
Debugging the program built with ASan produced the following output:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==27037==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x0000005e3c0c bp 0x7ffe220ba180 sp 0x7ffe220b9de0 T0)
==27037==The signal is caused by a READ memory access.
==27037==Hint: address points to the zero page.
    #0 0x5e3c0c in AP4_Processor::ProcessFragments(AP4_MoovAtom*, AP4_List<AP4_AtomLocator>&, AP4_ContainerAtom*, AP4_SidxAtom*, unsigned long long, AP4_ByteStream&, AP4_ByteStream&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Processor.cpp:192:56
    #1 0x5f2f50 in AP4_Processor::Process(AP4_ByteStream&, AP4_ByteStream&, AP4_ByteStream*, AP4_Processor::ProgressListener*, AP4_AtomFactory&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Processor.cpp:726:18
    #2 0x4cc7a1 in main /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Apps/Mp4Edit/Mp4Edit.cpp:451:15
    #3 0x7f090c30f082 in __libc_start_main /build/glibc-e2p3jK/glibc-2.31/csu/../csu/libc-start.c:308:16
    #4 0x41c8fd in _start (/home/zt/cnvd/Bento4/Bento4-fuzzer/build/mp4edit+0x41c8fd)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Processor.cpp:192:56 in AP4_Processor::ProcessFragments(AP4_MoovAtom*, AP4_List<AP4_AtomLocator>&, AP4_ContainerAtom*, AP4_SidxAtom*, unsigned long long, AP4_ByteStream&, AP4_ByteStream&)
==27037==ABORTING

AddressSanitizer:DEADLYSIGNAL
=================================================================
==27105==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x0000005e484c bp 0x7ffecbdb2d80 sp 0x7ffecbdb29e0 T0)
==27105==The signal is caused by a READ memory access.
==27105==Hint: address points to the zero page.
    #0 0x5e484c in AP4_TfhdAtom::GetTrackId() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4TfhdAtom.h:71:67
    #1 0x5e484c in AP4_Processor::ProcessFragments(AP4_MoovAtom*, AP4_List<AP4_AtomLocator>&, AP4_ContainerAtom*, AP4_SidxAtom*, unsigned long long, AP4_ByteStream&, AP4_ByteStream&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Processor.cpp:229:62
    #2 0x5f2f50 in AP4_Processor::Process(AP4_ByteStream&, AP4_ByteStream&, AP4_ByteStream*, AP4_Processor::ProgressListener*, AP4_AtomFactory&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Processor.cpp:726:18
    #3 0x4cc7a1 in main /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Apps/Mp4Edit/Mp4Edit.cpp:451:15
    #4 0x7f5ed75c6082 in __libc_start_main /build/glibc-e2p3jK/glibc-2.31/csu/../csu/libc-start.c:308:16
    #5 0x41c8fd in _start (/home/zt/cnvd/Bento4/Bento4-fuzzer/build/mp4edit+0x41c8fd)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4TfhdAtom.h:71:67 in AP4_TfhdAtom::GetTrackId()
==27105==ABORTING
AddressSanitizer:DEADLYSIGNAL
=================================================================
==27157==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000004d71c5 bp 0x7ffcac39c810 sp 0x7ffcac39c400 T0)
==27157==The signal is caused by a READ memory access.
==27157==Hint: address points to the zero page.
    #0 0x4d71c5 in AP4_AtomParent::RemoveChild(AP4_Atom*) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Atom.cpp:567:16
    #1 0x5ed0c1 in AP4_Processor::Process(AP4_ByteStream&, AP4_ByteStream&, AP4_ByteStream*, AP4_Processor::ProgressListener*, AP4_AtomFactory&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Processor.cpp:490:19
    #2 0x4cc7a1 in main /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Apps/Mp4Edit/Mp4Edit.cpp:451:15
    #3 0x7f499819b082 in __libc_start_main /build/glibc-e2p3jK/glibc-2.31/csu/../csu/libc-start.c:308:16
    #4 0x41c8fd in _start (/home/zt/cnvd/Bento4/Bento4-fuzzer/build/mp4edit+0x41c8fd)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Atom.cpp:567:16 in AP4_AtomParent::RemoveChild(AP4_Atom*)
==27157==ABORTING
AddressSanitizer:DEADLYSIGNAL
=================================================================
==27211==ERROR: AddressSanitizer: FPE on unknown address 0x0000006afd75 (pc 0x0000006afd75 bp 0x7ffeee810dd0 sp 0x7ffeee810b40 T0)
    #0 0x6afd75 in AP4_TfraAtom::AP4_TfraAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4TfraAtom.cpp:153:53
    #1 0x6af194 in AP4_TfraAtom::Create(unsigned int, AP4_ByteStream&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4TfraAtom.cpp:53:16
    #2 0x50432c in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4AtomFactory.cpp:443:20
    #3 0x4ffcef in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4AtomFactory.cpp:234:14
    #4 0x4fecf8 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4AtomFactory.cpp:154:12
    #5 0x5ec5ea in AP4_Processor::Process(AP4_ByteStream&, AP4_ByteStream&, AP4_ByteStream*, AP4_Processor::ProgressListener*, AP4_AtomFactory&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Processor.cpp:456:9
    #6 0x4cc7a1 in main /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Apps/Mp4Edit/Mp4Edit.cpp:451:15
    #7 0x7f1e7c636082 in __libc_start_main /build/glibc-e2p3jK/glibc-2.31/csu/../csu/libc-start.c:308:16
    #8 0x41c8fd in _start (/home/zt/cnvd/Bento4/Bento4-fuzzer/build/mp4edit+0x41c8fd)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4TfraAtom.cpp:153:53 in AP4_TfraAtom::AP4_TfraAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&)
==27211==ABORTING
=================================================================
==27682==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6040000001f4 at pc 0x0000006e0c42 bp 0x7ffcc9da2100 sp 0x7ffcc9da20f8
READ of size 1 at 0x6040000001f4 thread T0
    #0 0x6e0c41 in AP4_BitReader::ReadCache() const /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Utils.cpp:447:40
    #1 0x6e0c41 in AP4_BitReader::SkipBits(unsigned int) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Utils.cpp:559:20
    #2 0x54857d in AP4_Dac4Atom::AP4_Dac4Atom(unsigned int, unsigned char const*) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Dac4Atom.cpp:396:22
    #3 0x53cc8a in AP4_Dac4Atom::Create(unsigned int, AP4_ByteStream&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Dac4Atom.cpp:58:16
    #4 0x504a63 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4AtomFactory.cpp:776:24
    #5 0x4ffcef in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4AtomFactory.cpp:234:14
    #6 0x52bf9f in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
    #7 0x6436fe in AP4_AudioSampleEntry::AP4_AudioSampleEntry(unsigned int, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4SampleEntry.cpp:420:5
    #8 0x5f852d in AP4_EncaSampleEntry::AP4_EncaSampleEntry(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Protection.cpp:74:5
    #9 0x503315 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4AtomFactory.cpp:298:24
    #10 0x4ffcef in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4AtomFactory.cpp:234:14
    #11 0x67a20e in AP4_StsdAtom::AP4_StsdAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4StsdAtom.cpp:101:13
    #12 0x67737b in AP4_StsdAtom::Create(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4StsdAtom.cpp:57:16
    #13 0x5035a6 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4AtomFactory.cpp:458:20
    #14 0x4ffcef in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4AtomFactory.cpp:234:14
    #15 0x52bf9f in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
    #16 0x52a5c8 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ContainerAtom.cpp:139:5
    #17 0x52a5c8 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
    #18 0x50307a in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4AtomFactory.cpp:816:20
    #19 0x4ffcef in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4AtomFactory.cpp:234:14
    #20 0x52c330 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
    #21 0x52a5c8 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ContainerAtom.cpp:139:5
    #22 0x52a5c8 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
    #23 0x50307a in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4AtomFactory.cpp:816:20
    #24 0x4ffcef in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4AtomFactory.cpp:234:14
    #25 0x52c330 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
    #26 0x52a5c8 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ContainerAtom.cpp:139:5
    #27 0x52a5c8 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
    #28 0x50307a in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4AtomFactory.cpp:816:20
    #29 0x4ffcef in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4AtomFactory.cpp:234:14
    #30 0x52c330 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
    #31 0x52bd68 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ContainerAtom.cpp:139:5
    #32 0x6c32f3 in AP4_TrakAtom::AP4_TrakAtom(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4TrakAtom.cpp:165:5
    #33 0x5019f9 in AP4_TrakAtom::Create(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4TrakAtom.h:58:20
    #34 0x5019f9 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4AtomFactory.cpp:413:20
    #35 0x4ffcef in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4AtomFactory.cpp:234:14
    #36 0x52c330 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
    #37 0x52a5c8 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ContainerAtom.cpp:139:5
    #38 0x52a5c8 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
    #39 0x50307a in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4AtomFactory.cpp:816:20
    #40 0x4ffcef in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4AtomFactory.cpp:234:14
    #41 0x4fecf8 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4AtomFactory.cpp:154:12
    #42 0x5ec5ea in AP4_Processor::Process(AP4_ByteStream&, AP4_ByteStream&, AP4_ByteStream*, AP4_Processor::ProgressListener*, AP4_AtomFactory&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Processor.cpp:456:9
    #43 0x4cc7a1 in main /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Apps/Mp4Edit/Mp4Edit.cpp:451:15
    #44 0x7f993383e082 in __libc_start_main /build/glibc-e2p3jK/glibc-2.31/csu/../csu/libc-start.c:308:16
    #45 0x41c8fd in _start (/home/zt/cnvd/Bento4/Bento4-fuzzer/build/mp4edit+0x41c8fd)

0x6040000001f4 is located 0 bytes to the right of 36-byte region [0x6040000001d0,0x6040000001f4)
allocated by thread T0 here:
    #0 0x4c48bd in operator new[](unsigned long) (/home/zt/cnvd/Bento4/Bento4-fuzzer/build/mp4edit+0x4c48bd)
    #1 0x5616a3 in AP4_DataBuffer::ReallocateBuffer(unsigned int) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4DataBuffer.cpp:210:28
    #2 0x5616a3 in AP4_DataBuffer::SetBufferSize(unsigned int) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4DataBuffer.cpp:136:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Utils.cpp:447:40 in AP4_BitReader::ReadCache() const
Shadow bytes around the buggy address:
  0x0c087fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff8000: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 04
  0x0c087fff8010: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
  0x0c087fff8020: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 03 fa
=>0x0c087fff8030: fa fa 00 00 00 00 03 fa fa fa 00 00 00 00[04]fa
  0x0c087fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==27682==ABORTING
AddressSanitizer:DEADLYSIGNAL
=================================================================
==27379==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x0000005e3c0c bp 0x7ffcc75463a0 sp 0x7ffcc7546000 T0)
==27379==The signal is caused by a READ memory access.
==27379==Hint: address points to the zero page.
    #0 0x5e3c0c in AP4_Processor::ProcessFragments(AP4_MoovAtom*, AP4_List<AP4_AtomLocator>&, AP4_ContainerAtom*, AP4_SidxAtom*, unsigned long long, AP4_ByteStream&, AP4_ByteStream&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Processor.cpp:192:56
    #1 0x5f2f50 in AP4_Processor::Process(AP4_ByteStream&, AP4_ByteStream&, AP4_ByteStream*, AP4_Processor::ProgressListener*, AP4_AtomFactory&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Processor.cpp:726:18
    #2 0x4cc7a1 in main /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Apps/Mp4Edit/Mp4Edit.cpp:451:15
    #3 0x7fd32cf9c082 in __libc_start_main /build/glibc-e2p3jK/glibc-2.31/csu/../csu/libc-start.c:308:16
    #4 0x41c8fd in _start (/home/zt/cnvd/Bento4/Bento4-fuzzer/build/mp4edit+0x41c8fd)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Processor.cpp:192:56 in AP4_Processor::ProcessFragments(AP4_MoovAtom*, AP4_List<AP4_AtomLocator>&, AP4_ContainerAtom*, AP4_SidxAtom*, unsigned long long, AP4_ByteStream&, AP4_ByteStream&)
==27379==ABORTING

Crash input:

crash_input.zip

Validation steps

git clone https://github.com/axiomatic-systems/Bento4
cd Bento4/
mkdir check_build && cd check_build
cmake ../ -DCMAKE_C_COMPILER=clang  -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_FLAGS="-fsanitize=address" -DCMAKE_CXX_FLAGS="-fsanitize=address" -DCMAKE_BUILD_TYPE=Release
make -j$(nproc)
./mp4edit input /dev/null

Environment

Ubuntu 20.04 LTS
Bento v1.6.0-641
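The reports above are the raw output of a sanitizer-instrumented build, and a fuzzing campaign typically produces dozens of near-identical ones (note that the first and last SEGV reports here point at the same line, `Ap4Processor.cpp:192:56`). The following script is an added triage example, not code from the issue or from the Bento4 project: it parses AddressSanitizer reports, extracts the bug class, faulting address, access type and first in-project frame, gives each crash a plain-language diagnosis (a SEGV on an address in the zero page is a NULL-object field read at that offset; an FPE is an integer division fault; a heap-buffer-overflow is described relative to the allocated region), and groups duplicates by crash site. The sample log is constructed to mirror the shape of the reports in the issue with shortened paths; the `Source/C++` substring used to pick the first in-project frame is an assumption taken from the paths in the traces.

```python
"""Triage helper for AddressSanitizer reports from a fuzzing campaign.

Added example, not part of the Bento4 project or the issue. The sample
log below is constructed (shortened paths, abbreviated signatures).
"""
import re
from collections import OrderedDict

# Constructed sample: two SEGV reports at the same site, one FPE, one
# heap-buffer-overflow with its allocation stack.
SAMPLE_LOG = """\
==27037==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x0000005e3c0c bp 0x7ffe220ba180 sp 0x7ffe220b9de0 T0)
==27037==The signal is caused by a READ memory access.
==27037==Hint: address points to the zero page.
    #0 0x5e3c0c in AP4_Processor::ProcessFragments(AP4_MoovAtom*, AP4_ByteStream&) /src/Bento4/Source/C++/Core/Ap4Processor.cpp:192:56
    #1 0x5f2f50 in AP4_Processor::Process(AP4_ByteStream&, AP4_ByteStream&) /src/Bento4/Source/C++/Core/Ap4Processor.cpp:726:18
    #2 0x41c8fd in _start (/src/Bento4/build/mp4edit+0x41c8fd)

SUMMARY: AddressSanitizer: SEGV /src/Bento4/Source/C++/Core/Ap4Processor.cpp:192:56 in AP4_Processor::ProcessFragments
==27037==ABORTING
==27211==ERROR: AddressSanitizer: FPE on unknown address 0x0000006afd75 (pc 0x0000006afd75 bp 0x7ffeee810dd0 sp 0x7ffeee810b40 T0)
    #0 0x6afd75 in AP4_TfraAtom::AP4_TfraAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&) /src/Bento4/Source/C++/Core/Ap4TfraAtom.cpp:153:53
SUMMARY: AddressSanitizer: FPE /src/Bento4/Source/C++/Core/Ap4TfraAtom.cpp:153:53 in AP4_TfraAtom::AP4_TfraAtom
==27211==ABORTING
==27682==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6040000001f4 at pc 0x0000006e0c42 bp 0x7ffcc9da2100 sp 0x7ffcc9da20f8
READ of size 1 at 0x6040000001f4 thread T0
    #0 0x6e0c41 in AP4_BitReader::ReadCache() const /src/Bento4/Source/C++/Core/Ap4Utils.cpp:447:40
    #1 0x6e0c41 in AP4_BitReader::SkipBits(unsigned int) /src/Bento4/Source/C++/Core/Ap4Utils.cpp:559:20

0x6040000001f4 is located 0 bytes to the right of 36-byte region [0x6040000001d0,0x6040000001f4)
allocated by thread T0 here:
    #0 0x4c48bd in operator new[](unsigned long) (/src/Bento4/build/mp4edit+0x4c48bd)
    #1 0x5616a3 in AP4_DataBuffer::ReallocateBuffer(unsigned int) /src/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:210:28
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/Bento4/Source/C++/Core/Ap4Utils.cpp:447:40 in AP4_BitReader::ReadCache() const
==27682==ABORTING
==27379==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x0000005e3c0c bp 0x7ffcc75463a0 sp 0x7ffcc7546000 T0)
==27379==The signal is caused by a READ memory access.
==27379==Hint: address points to the zero page.
    #0 0x5e3c0c in AP4_Processor::ProcessFragments(AP4_MoovAtom*, AP4_ByteStream&) /src/Bento4/Source/C++/Core/Ap4Processor.cpp:192:56
SUMMARY: AddressSanitizer: SEGV /src/Bento4/Source/C++/Core/Ap4Processor.cpp:192:56 in AP4_Processor::ProcessFragments
==27379==ABORTING
"""

ERROR_RE = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: ([\w-]+) on (?:unknown )?address (0x[0-9a-f]+)")
# Symbolised frame: "#N 0xADDR in <function> <file>:<line>:<col>"; unsymbolised frames do not match.
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (.+?) (\S+):(\d+):(\d+)$")
ACCESS_RE = re.compile(r"(READ|WRITE) (?:memory access|of size (\d+))")
REGION_RE = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region")
PAGE_SIZE = 4096  # addresses below this are in the unmapped zero page


def parse_asan_reports(text, project_dir="Source/C++"):
    """Split a log into one dict per ==pid==ERROR ... ==pid==ABORTING report."""
    reports, cur = [], None
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            cur = {"pid": int(m.group(1)), "kind": m.group(2), "address": int(m.group(3), 16),
                   "access": None, "size": None, "frames": [], "region": None, "stack_done": False}
            reports.append(cur)
            continue
        if cur is None:
            continue
        m = ACCESS_RE.search(line)
        if m and cur["access"] is None:
            cur["access"] = m.group(1)
            cur["size"] = int(m.group(2)) if m.group(2) else None
        m = FRAME_RE.match(line)
        if m and not cur["stack_done"]:
            cur["frames"].append({"func": m.group(2), "file": m.group(3), "line": int(m.group(4))})
        elif cur["frames"] and not m:
            cur["stack_done"] = True  # first non-frame line ends the crash stack; allocation stacks are ignored
        m = REGION_RE.search(line)
        if m:
            cur["region"] = (int(m.group(1)), m.group(2), int(m.group(3)))
        if line.endswith("ABORTING"):
            cur = None
    for r in reports:
        r["site"] = first_project_frame(r["frames"], project_dir)
        r["diagnosis"] = diagnose(r)
    return reports


def first_project_frame(frames, project_dir):
    """Prefer the first frame inside the project tree; fall back to frame #0."""
    for f in frames:
        if project_dir in f["file"]:
            return f
    return frames[0] if frames else None


def diagnose(r):
    """Plain-language bug class derived from the report's own fields."""
    if r["kind"] == "SEGV":
        if r["address"] < PAGE_SIZE:
            return "null pointer dereference (%s of a field at offset 0x%x of a NULL object)" % (r["access"] or "access", r["address"])
        return "wild pointer dereference"
    if r["kind"] == "FPE":
        return "integer division or modulo by zero (or INT_MIN / -1 on x86)"
    if r["kind"] == "heap-buffer-overflow" and r["region"]:
        dist, side, size = r["region"]
        return "%s of %s byte(s) %d bytes past the %s end of a %d-byte heap buffer" % (r["access"], r["size"], dist, side, size)
    return r["kind"]


def group_by_site(reports):
    """Deduplicate crashes by (bug kind, file, line) of the first in-project frame."""
    groups = OrderedDict()
    for r in reports:
        site = r["site"]
        key = (r["kind"], site["file"], site["line"]) if site else (r["kind"], None, None)
        groups.setdefault(key, []).append(r["pid"])
    return groups


if __name__ == "__main__":
    parsed = parse_asan_reports(SAMPLE_LOG)
    for (kind, path, line), pids in group_by_site(parsed).items():
        first = next(r for r in parsed if r["pid"] == pids[0])
        print("%-20s %s:%s  x%d  %s" % (kind, path, line, len(pids), first["diagnosis"]))
```

Run on a directory of AFL++ crash outputs, the grouping step is what separates "six reports" from "five distinct bugs"; the diagnosis strings are only a starting point for manual root-cause analysis, since ASan reports the faulting instruction, not the missing check that let a malformed atom reach it.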
