axiomatic-systems / Bento4

Full-featured MP4 format, MPEG DASH, HLS, CMAF SDK and tools
http://www.bento4.com

NULL pointer dereference of Ap4Descriptor.h in function GetTag #603

Open NigelX opened 3 years ago

NigelX commented 3 years ago

Hi

I found a crash error.

System info: Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0

Bento4 version 1.6.0.0

commit:0c7705733de80172712e487dd6fdd28387fd7184

poc.zip


Verification steps:

1. Get the source code of Bento4
2. Compile Bento4

$ cd Bento4
$ mkdir check_build && cd check_build
$ cmake ../ -DCMAKE_C_COMPILER=clang  -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_FLAGS="-fsanitize=address" -DCMAKE_CXX_FLAGS="-fsanitize=address"
$ make -j 32

3. Run mp42aac

$ ./mp42aac poc.mp4  /dev/null

asan

=================================================================
==2608862==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x0000005e8a9e bp 0x7ffd347b8790 sp 0x7ffd347b86d0 T0)
==2608862==The signal is caused by a READ memory access.
==2608862==Hint: address points to the zero page.
    #0 0x5e8a9e in AP4_Descriptor::GetTag() /home/hh/Downloads/Bento4/Source/C++/Core/Ap4Descriptor.h:61:42
    #1 0x5e8a9e in AP4_DescriptorFinder::Test(AP4_Descriptor*) const /home/hh/Downloads/Bento4/Source/C++/Core/Ap4Descriptor.h:92:28
    #2 0x5f4733 in AP4_List<AP4_Descriptor>::Find(AP4_List<AP4_Descriptor>::Item::Finder const&, AP4_Descriptor*&) const /home/hh/Downloads/Bento4/Source/C++/Core/Ap4List.h:431:20
    #3 0x5f4733 in AP4_EsDescriptor::GetDecoderConfigDescriptor() const /home/hh/Downloads/Bento4/Source/C++/Core/Ap4EsDescriptor.cpp:207:26
    #4 0x500238 in AP4_MpegSampleDescription::AP4_MpegSampleDescription(unsigned int, AP4_EsdsAtom*) /home/hh/Downloads/Bento4/Source/C++/Core/Ap4SampleDescription.cpp:725:22
    #5 0x501a76 in AP4_MpegAudioSampleDescription::AP4_MpegAudioSampleDescription(unsigned int, unsigned short, unsigned short, AP4_EsdsAtom*) /home/hh/Downloads/Bento4/Source/C++/Core/Ap4SampleDescription.cpp:838:5
    #6 0x50c166 in AP4_MpegAudioSampleEntry::ToSampleDescription() /home/hh/Downloads/Bento4/Source/C++/Core/Ap4SampleEntry.cpp:675:16
    #7 0x51eb6d in AP4_StsdAtom::GetSampleDescription(unsigned int) /home/hh/Downloads/Bento4/Source/C++/Core/Ap4StsdAtom.cpp:181:53
    #8 0x4c797f in main /home/hh/Downloads/Bento4/Source/C++/Apps/Mp42Aac/Mp42Aac.cpp:268:39
    #9 0x7fcea49890b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #10 0x41c8ad in _start (/home/hh/Downloads/Bento4/afl_fuzz/mp42aac+0x41c8ad)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/hh/Downloads/Bento4/Source/C++/Core/Ap4Descriptor.h:61:42 in AP4_Descriptor::GetTag()
==2608862==ABORTING

gdb info

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x7fffffffdd00 --> 0xffffffffb98 --> 0x0 
RCX: 0x7224f8 --> 0x5e8a50 (<AP4_DescriptorFinder::Test(AP4_Descriptor*) const>:    lea    rsp,[rsp-0x98])
RDX: 0xffffffffb98 --> 0x0 
RSI: 0x8 
RDI: 0x7fffffffdce0 --> 0x7224e8 --> 0x5e8af0 (<AP4_List<AP4_Descriptor>::Item::Finder::~Finder()>: lea    rsp,[rsp-0x98])
RBP: 0x7fffffffdd70 --> 0xc1800000040 --> 0x0 
RSP: 0x7fffffffdcb0 --> 0xe449f 
RIP: 0x5e8a9e (<AP4_DescriptorFinder::Test(AP4_Descriptor*) const+78>:  mov    cl,BYTE PTR [rsi])
R8 : 0x6040000000d0 --> 0x724430 --> 0x5f6410 (<AP4_EsdsAtom::~AP4_EsdsAtom()>: lea    rsp,[rsp-0x98])
R9 : 0xfffffc0000000000 
R10: 0x18 
R11: 0x201 
R12: 0x6030000002e0 --> 0x0 
R13: 0xc060000005c --> 0x0 
R14: 0xffffffffb9c --> 0x0 
R15: 0x7fffffffdce0 --> 0x7224e8 --> 0x5e8af0 (<AP4_List<AP4_Descriptor>::Item::Finder::~Finder()>: lea    rsp,[rsp-0x98])
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x5e8a94 <AP4_DescriptorFinder::Test(AP4_Descriptor*) const+68>: mov    al,BYTE PTR [rax+0x7fff8000]
   0x5e8a9a <AP4_DescriptorFinder::Test(AP4_Descriptor*) const+74>: test   al,al
   0x5e8a9c <AP4_DescriptorFinder::Test(AP4_Descriptor*) const+76>: jne    0x5e8ac0 <AP4_DescriptorFinder::Test(AP4_Descriptor*) const+112>
=> 0x5e8a9e <AP4_DescriptorFinder::Test(AP4_Descriptor*) const+78>: mov    cl,BYTE PTR [rsi]
   0x5e8aa0 <AP4_DescriptorFinder::Test(AP4_Descriptor*) const+80>: add    rdi,0x8
   0x5e8aa4 <AP4_DescriptorFinder::Test(AP4_Descriptor*) const+84>: mov    rax,rdi
   0x5e8aa7 <AP4_DescriptorFinder::Test(AP4_Descriptor*) const+87>: shr    rax,0x3
   0x5e8aab <AP4_DescriptorFinder::Test(AP4_Descriptor*) const+91>: mov    al,BYTE PTR [rax+0x7fff8000]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdcb0 --> 0xe449f 
0008| 0x7fffffffdcb8 --> 0x5f4734 (<AP4_EsDescriptor::GetDecoderConfigDescriptor() const+484>:  test   eax,eax)
0016| 0x7fffffffdcc0 --> 0x41b58ab3 
0024| 0x7fffffffdcc8 --> 0x7242d7 ("1 32 16 11 ref.tmp:207")
0032| 0x7fffffffdcd0 --> 0x5f4550 (<AP4_EsDescriptor::GetDecoderConfigDescriptor() const>:  lea    rsp,[rsp-0x98])
0040| 0x7fffffffdcd8 --> 0x5f4572 (<AP4_EsDescriptor::GetDecoderConfigDescriptor() const+34>:   mov    rax,QWORD PTR [rsp+0x10])
0048| 0x7fffffffdce0 --> 0x7224e8 --> 0x5e8af0 (<AP4_List<AP4_Descriptor>::Item::Finder::~Finder()>:    lea    rsp,[rsp-0x98])
0056| 0x7fffffffdce8 --> 0x723d04 ("4_ElstAtom")
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00000000005e8a9e in AP4_Descriptor::GetTag (this=<optimized out>) at /home/hh/Downloads/Bento4/Source/C++/Core/Ap4Descriptor.h:61
61      AP4_UI08 GetTag() { return (AP4_UI08)m_ClassId; }
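
The trace above shows a finder being run over a descriptor list that contains a null entry: AP4_List::Find calls the finder's Test() on each item, Test() calls GetTag() on it, and GetTag() reads a field of a null object (ASan reports the fault at address 0x8, consistent with a member at a small offset from a null this pointer). The following is an added illustration of that pattern and a null-tolerant finder beside it; it is not Bento4's code and not the fix from #606, and the Descriptor, UnsafeFinder, SafeFinder and Find names are simplified stand-ins.

```cpp
#include <cstdint>
#include <vector>

// Simplified stand-in for a parsed descriptor (not Bento4's AP4_Descriptor).
struct Descriptor {
    uint8_t classId;
    explicit Descriptor(uint8_t tag) : classId(tag) {}
    uint8_t GetTag() const { return classId; }
};

// The crashing pattern: Test() dereferences the item unconditionally, so a
// null entry in the list reaches GetTag() and faults exactly as in the trace.
struct UnsafeFinder {
    uint8_t wanted;
    bool Test(const Descriptor* d) const { return d->GetTag() == wanted; }
};

// Hardened variant: a null entry can never be a match, so it is skipped rather
// than dereferenced. Rejecting null sub-descriptors when the list is built is
// the stronger fix; this check makes lookups survive a malformed list anyway.
struct SafeFinder {
    uint8_t wanted;
    bool Test(const Descriptor* d) const {
        return d != nullptr && d->GetTag() == wanted;
    }
};

// Generic lookup in the style of AP4_List::Find: first item the finder accepts.
template <typename Finder>
const Descriptor* Find(const std::vector<Descriptor*>& items, const Finder& f) {
    for (const Descriptor* d : items) {
        if (f.Test(d)) return d;
    }
    return nullptr;
}

// Returns the matching tag, or -1 when nothing matched.
int FindTagSafely(const std::vector<Descriptor*>& items, uint8_t wanted) {
    const Descriptor* d = Find(items, SafeFinder{wanted});
    return d ? d->GetTag() : -1;
}

// Constructed list with a null hole, standing in for what a malformed esds
// left behind here. Find(MakeListWithHole(), UnsafeFinder{0x04}) would crash.
std::vector<Descriptor*> MakeListWithHole() {
    static Descriptor a(0x03), b(0x04);
    return { &a, nullptr, &b };
}

int main() { return FindTagSafely(MakeListWithHole(), 0x04) == 0x04 ? 0 : 1; }
```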
dimitry-ishenko commented 3 years ago

@barbibulle this is a duplicate of issue #604 and is fixed in PR #606

dimitry-ishenko commented 3 years ago

@barbibulle this was fixed in #606. Feel free to close.