anthwlock / untrunc

Restore a truncated mp4/mov. Improved version of ponchio/untrunc
GNU General Public License v2.0
2.08k stars, 199 forks

AddressSanitizer: heap-buffer-overflow in untrunc #188

Open BlueSheepYang opened 1 month ago

BlueSheepYang commented 1 month ago

Describe the bug

AddressSanitizer: heap-buffer-overflow in untrunc

To Reproduce

./untrunc -sv -dyn -dcc -dyn -dst ./out/1.mp4 ./out/default/crashes/3

ASAN Output

sheep@sheep-virtual-machine:~/Desktop/fuzz/untrunc$ ./untrunc -sv -dyn -dcc -dyn -dst ./out/1.mp4 ./out/default/crashes/3
Info: version 'v367-13cafed' using ffmpeg '4.4.2-0ubuntu0.22.04.1' Lavc58.134.100
Info: reading ./out/default/crashes/3
Info: parsing healthy moov atom ...
Composition time offset atom found. Out of order samples possible.
[mov,mp4,m4a,3gp,3g2,mj2 @ 0x61b000000080] overread end of atom 'stts' by 504 bytes
=================================================================
==3975822==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000005d20 at pc 0x5d43bdbdc5a2 bp 0x7ffcc05fa120 sp 0x7ffcc05fa118
READ of size 4 at 0x602000005d20 thread T0
    #0 0x5d43bdbdc5a1 in Atom::readInt(long) /home/sheep/Desktop/fuzz/untrunc/src/atom.cpp:372:16
    #1 0x5d43bdce3a3b in Track::getSampleTimes() /home/sheep/Desktop/fuzz/untrunc/src/track.cpp:259:25
    #2 0x5d43bdce20ac in Track::parseOk() /home/sheep/Desktop/fuzz/untrunc/src/track.cpp:85:2
    #3 0x5d43bdc27eaf in Mp4::parseTracksOk() /home/sheep/Desktop/fuzz/untrunc/src/mp4.cpp:179:9
    #4 0x5d43bdc232f2 in Mp4::parseHealthy() /home/sheep/Desktop/fuzz/untrunc/src/mp4.cpp:67:2
    #5 0x5d43bdc2a9e0 in Mp4::parseOk(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool) /home/sheep/Desktop/fuzz/untrunc/src/mp4.cpp:161:3
    #6 0x5d43bdc1b0ba in main /home/sheep/Desktop/fuzz/untrunc/src/main.cpp:206:7
    #7 0x7071b8829d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #8 0x7071b8829e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #9 0x5d43bdb071f4 in _start (/home/sheep/Desktop/fuzz/untrunc/untrunc+0x651f4) (BuildId: f34bb497b760a82b3977f75bc17586e910e078ca)

0x602000005d20 is located 0 bytes to the right of 16-byte region [0x602000005d10,0x602000005d20)
allocated by thread T0 here:
    #0 0x5d43bdbc4e0d in operator new(unsigned long) (/home/sheep/Desktop/fuzz/untrunc/untrunc+0x122e0d) (BuildId: f34bb497b760a82b3977f75bc17586e910e078ca)
    #1 0x5d43bdc14277 in __gnu_cxx::new_allocator<unsigned char>::allocate(unsigned long, void const*) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/ext/new_allocator.h:127:27
    #2 0x5d43bdc14277 in std::allocator_traits<std::allocator<unsigned char> >::allocate(std::allocator<unsigned char>&, unsigned long) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/alloc_traits.h:464:20
    #3 0x5d43bdc14277 in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_M_allocate(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/stl_vector.h:346:20
    #4 0x5d43bdc14277 in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_M_create_storage(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/stl_vector.h:361:33
    #5 0x5d43bdc14277 in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_Vector_base(unsigned long, std::allocator<unsigned char> const&) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/stl_vector.h:305:9
    #6 0x5d43bdc14277 in std::vector<unsigned char, std::allocator<unsigned char> >::vector(unsigned long, std::allocator<unsigned char> const&) /usr/lib/gcc/x86_64-linux-gnu/11/../../../../include/c++/11/bits/stl_vector.h:511:9
    #7 0x5d43bdc14277 in FileRead::read(unsigned long) /home/sheep/Desktop/fuzz/untrunc/src/file.cpp:159:16
    #8 0x5d43bdbcee0f in Atom::parse(FileRead&) /home/sheep/Desktop/fuzz/untrunc/src/atom.cpp:73:10
    #9 0x5d43bdbcee0f in Atom::parse(FileRead&) /home/sheep/Desktop/fuzz/untrunc/src/atom.cpp:73:10
    #10 0x5d43bdbcee0f in Atom::parse(FileRead&) /home/sheep/Desktop/fuzz/untrunc/src/atom.cpp:73:10
    #11 0x5d43bdbcee0f in Atom::parse(FileRead&) /home/sheep/Desktop/fuzz/untrunc/src/atom.cpp:73:10
    #12 0x5d43bdbcee0f in Atom::parse(FileRead&) /home/sheep/Desktop/fuzz/untrunc/src/atom.cpp:73:10
    #13 0x5d43bdc29514 in Mp4::parseOk(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool) /home/sheep/Desktop/fuzz/untrunc/src/mp4.cpp:114:10
    #14 0x5d43bdc1b0ba in main /home/sheep/Desktop/fuzz/untrunc/src/main.cpp:206:7
    #15 0x7071b8829d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/sheep/Desktop/fuzz/untrunc/src/atom.cpp:372:16 in Atom::readInt(long)
Shadow bytes around the buggy address:
  0x0c047fff8b50: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c047fff8b60: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fa
  0x0c047fff8b70: fa fa fd fd fa fa fd fa fa fa fd fa fa fa 00 fa
  0x0c047fff8b80: fa fa fd fd fa fa fd fa fa fa fd fd fa fa 00 04
  0x0c047fff8b90: fa fa fd fa fa fa 00 fa fa fa fd fd fa fa fd fa
=>0x0c047fff8ba0: fa fa 00 00[fa]fa fd fd fa fa 00 04 fa fa fd fd
  0x0c047fff8bb0: fa fa fd fa fa fa 00 fa fa fa fd fd fa fa fd fa
  0x0c047fff8bc0: fa fa fd fd fa fa 00 fa fa fa fd fa fa fa 00 fa
  0x0c047fff8bd0: fa fa fd fd fa fa fd fa fa fa 00 00 fa fa fd fd
  0x0c047fff8be0: fa fa 03 fa fa fa fd fd fa fa 00 04 fa fa 05 fa
  0x0c047fff8bf0: fa fa fd fd fa fa 00 06 fa fa 04 fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3975822==ABORTING

Environment info

OS: Ubuntu 20.04.6
untrunc: version 'v367-13cafed'

Crashing file

heap-buffer-overflow2.zip
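The trace above shows Track::getSampleTimes() walking the 'stts' (time-to-sample) table and Atom::readInt() reading 4 bytes just past a 16-byte atom payload, consistent with ffmpeg's own warning that the 'stts' atom is over-read by 504 bytes: the entry count inside the atom is larger than the bytes actually present. The following is an added example, not untrunc's code and not a patch for the reported issue; it shows a minimal stts parser (hypothetical names AtomView, parseStts, sttsEntryCount, sttsTotalDuration) that validates entry_count against the payload length before the read loop, so a fuzzed table like the one in the report is rejected instead of over-read. The two byte arrays are constructed samples, not taken from the attached crashing file.

```cpp
#include <cstdint>
#include <cstddef>
#include <cstdio>
#include <vector>

// Hypothetical minimal reader over an atom payload; every read is checked
// against the payload length instead of trusting length fields inside it.
struct AtomView {
    const std::vector<uint8_t>& data;
    size_t pos;
    explicit AtomView(const std::vector<uint8_t>& d) : data(d), pos(0) {}
    size_t remaining() const { return data.size() - pos; }
    // Big-endian u32; returns false instead of reading past the buffer.
    bool readU32(uint32_t& out) {
        if (remaining() < 4) return false;
        out = (uint32_t(data[pos]) << 24) | (uint32_t(data[pos + 1]) << 16) |
              (uint32_t(data[pos + 2]) << 8) | uint32_t(data[pos + 3]);
        pos += 4;
        return true;
    }
};

struct SttsEntry { uint32_t sample_count; uint32_t sample_delta; };

// Payload layout (ISO 14496-12): u8 version, u24 flags, u32 entry_count,
// then entry_count * { u32 sample_count, u32 sample_delta }.
// Returns false when entry_count does not fit in the payload; that is the
// case a fuzzer produces and the one that becomes a heap over-read if the
// loop trusts entry_count.
bool parseStts(const std::vector<uint8_t>& payload, std::vector<SttsEntry>& out) {
    AtomView v(payload);
    uint32_t version_flags, count;
    if (!v.readU32(version_flags) || !v.readU32(count)) return false;
    // Validate up front with 64-bit math so a huge entry_count cannot wrap.
    if (uint64_t(count) * 8 > v.remaining()) return false;
    out.clear();
    out.reserve(count);
    for (uint32_t i = 0; i < count; ++i) {
        SttsEntry e;
        v.readU32(e.sample_count);   // cannot fail: size was checked above
        v.readU32(e.sample_delta);
        out.push_back(e);
    }
    return true;
}

// Convenience wrappers: entry count (-1 if rejected) and total duration in
// timescale units (-1 if rejected).
long sttsEntryCount(const std::vector<uint8_t>& payload) {
    std::vector<SttsEntry> e;
    return parseStts(payload, e) ? long(e.size()) : -1;
}
long long sttsTotalDuration(const std::vector<uint8_t>& payload) {
    std::vector<SttsEntry> e;
    if (!parseStts(payload, e)) return -1;
    long long total = 0;
    for (const SttsEntry& x : e) total += (long long)x.sample_count * x.sample_delta;
    return total;
}

// Constructed samples (not from the crashing file in the report).
// Well-formed: version/flags 0, entry_count 2, entries (3,1024) and (1,512).
static const std::vector<uint8_t> kGoodStts = {
    0,0,0,0,  0,0,0,2,  0,0,0,3, 0,0,4,0,  0,0,0,1, 0,0,2,0 };
// Malformed: entry_count claims 64 entries (512 bytes) but only one entry
// (8 bytes) follows, i.e. a trusting loop would over-read by 504 bytes.
static const std::vector<uint8_t> kBadStts = {
    0,0,0,0,  0,0,0,64, 0,0,0,3, 0,0,4,0 };

int main() {
    std::printf("good: entries=%ld duration=%lld\n",
                sttsEntryCount(kGoodStts), sttsTotalDuration(kGoodStts));
    std::printf("bad:  entries=%ld (rejected)\n", sttsEntryCount(kBadStts));
    return 0;
}
```

The check belongs before the loop, not inside the per-entry read: a per-read bound still lets a hostile entry_count drive an enormous reserve() and a long loop, whereas comparing entry_count * 8 against the remaining payload once rejects the atom immediately and keeps the count bounded by the file's real size.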