axiomatic-systems / Bento4

Full-featured MP4 format, MPEG DASH, HLS, CMAF SDK and tools
http://www.bento4.com

heap-use-after-free with ASAN in mp42ts #937

Open zhangteng0526 opened 8 months ago

zhangteng0526 commented 8 months ago

Dear Bento4 developers, I used AFL++ to fuzz-test Bento4 and found some problems. Here is the output from a build with ASan:

BUG1

=================================================================
==2611989==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000000010 at pc 0x0000004d43d9 bp 0x7fff45dd24e0 sp 0x7fff45dd24d8
READ of size 8 at 0x604000000010 thread T0
    #0 0x4d43d8 in AP4_SubStream::~AP4_SubStream() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ByteStream.cpp:428:17
    #1 0x4d43d8 in AP4_SubStream::~AP4_SubStream() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ByteStream.cpp:427:1
    #2 0x5840b0 in AP4_DataAtom::~AP4_DataAtom() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/MetaData/Ap4MetaData.cpp:1454:5
    #3 0x5840b0 in AP4_DataAtom::~AP4_DataAtom() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/MetaData/Ap4MetaData.cpp:1453:1
    #4 0x59b000 in AP4_List<AP4_Atom>::DeleteReferences() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4List.h:476:9
    #5 0x59b000 in AP4_AtomParent::~AP4_AtomParent() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Atom.cpp:516:16
    #6 0x5ec534 in AP4_ContainerAtom::~AP4_ContainerAtom() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ContainerAtom.h:48:7
    #7 0x5ec534 in AP4_ContainerAtom::~AP4_ContainerAtom() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ContainerAtom.h:48:7
    #8 0x59b000 in AP4_List<AP4_Atom>::DeleteReferences() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4List.h:476:9
    #9 0x59b000 in AP4_AtomParent::~AP4_AtomParent() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Atom.cpp:516:16
    #10 0x5ec534 in AP4_ContainerAtom::~AP4_ContainerAtom() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ContainerAtom.h:48:7
    #11 0x5ec534 in AP4_ContainerAtom::~AP4_ContainerAtom() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ContainerAtom.h:48:7
    #12 0x59b000 in AP4_List<AP4_Atom>::DeleteReferences() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4List.h:476:9
    #13 0x59b000 in AP4_AtomParent::~AP4_AtomParent() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Atom.cpp:516:16
    #14 0x5ec534 in AP4_ContainerAtom::~AP4_ContainerAtom() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ContainerAtom.h:48:7
    #15 0x5ec534 in AP4_ContainerAtom::~AP4_ContainerAtom() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ContainerAtom.h:48:7
    #16 0x59b000 in AP4_List<AP4_Atom>::DeleteReferences() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4List.h:476:9
    #17 0x59b000 in AP4_AtomParent::~AP4_AtomParent() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Atom.cpp:516:16
    #18 0x5ec534 in AP4_ContainerAtom::~AP4_ContainerAtom() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ContainerAtom.h:48:7
    #19 0x5ec534 in AP4_ContainerAtom::~AP4_ContainerAtom() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ContainerAtom.h:48:7
    #20 0x59b000 in AP4_List<AP4_Atom>::DeleteReferences() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4List.h:476:9
    #21 0x59b000 in AP4_AtomParent::~AP4_AtomParent() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Atom.cpp:516:16
    #22 0x4df821 in AP4_File::~AP4_File() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4File.cpp:88:1
    #23 0x4df821 in AP4_File::~AP4_File() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4File.cpp:85:1
    #24 0x4c84d5 in main /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Apps/Mp42Ts/Mp42Ts.cpp:519:9
    #25 0x7f20b83c5082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16
    #26 0x41c8fd in _start (/home/zt/cnvd/Bento4/Bento4-fuzzer/build/mp42ts+0x41c8fd)

0x604000000010 is located 0 bytes inside of 48-byte region [0x604000000010,0x604000000040)
freed by thread T0 here:
    #0 0x4c500d in operator delete(void*) (/home/zt/cnvd/Bento4/Bento4-fuzzer/build/mp42ts+0x4c500d)
    #1 0x4c842a in main /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Apps/Mp42Ts/Mp42Ts.cpp:518:9
    #2 0x7f20b83c5082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16

previously allocated by thread T0 here:
    #0 0x4c47ad in operator new(unsigned long) (/home/zt/cnvd/Bento4/Bento4-fuzzer/build/mp42ts+0x4c47ad)
    #1 0x589178 in AP4_StdcFileByteStream::Create(AP4_FileByteStream*, char const*, AP4_FileByteStream::Mode, AP4_ByteStream*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/System/StdC/Ap4StdCFileByteStream.cpp:279:14

SUMMARY: AddressSanitizer: heap-use-after-free /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ByteStream.cpp:428:17 in AP4_SubStream::~AP4_SubStream()
Shadow bytes around the buggy address:
  0x0c087fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c087fff8000: fa fa[fd]fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff8010: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff8020: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff8030: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff8040: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 00
  0x0c087fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2611989==ABORTING

BUG2

=================================================================
==3677656==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000000010 at pc 0x000000598dee bp 0x7ffd22a2a640 sp 0x7ffd22a2a638
READ of size 8 at 0x604000000010 thread T0
    #0 0x598ded in AP4_UnknownAtom::~AP4_UnknownAtom() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Atom.cpp:408:25
    #1 0x598ded in AP4_UnknownAtom::~AP4_UnknownAtom() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Atom.cpp:405:1
    #2 0x59b000 in AP4_List<AP4_Atom>::DeleteReferences() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4List.h:476:9
    #3 0x59b000 in AP4_AtomParent::~AP4_AtomParent() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Atom.cpp:516:16
    #4 0x4df821 in AP4_File::~AP4_File() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4File.cpp:88:1
    #5 0x4df821 in AP4_File::~AP4_File() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4File.cpp:85:1
    #6 0x4c84d5 in main /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Apps/Mp42Ts/Mp42Ts.cpp:519:9
    #7 0x7f3aff20b082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16
    #8 0x41c8fd in _start (/home/zt/cnvd/Bento4/Bento4-fuzzer/build/mp42ts+0x41c8fd)

0x604000000010 is located 0 bytes inside of 48-byte region [0x604000000010,0x604000000040)
freed by thread T0 here:
    #0 0x4c500d in operator delete(void*) (/home/zt/cnvd/Bento4/Bento4-fuzzer/build/mp42ts+0x4c500d)
    #1 0x4c842a in main /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Apps/Mp42Ts/Mp42Ts.cpp:518:9
    #2 0x7f3aff20b082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16

previously allocated by thread T0 here:
    #0 0x4c47ad in operator new(unsigned long) (/home/zt/cnvd/Bento4/Bento4-fuzzer/build/mp42ts+0x4c47ad)
    #1 0x589178 in AP4_StdcFileByteStream::Create(AP4_FileByteStream*, char const*, AP4_FileByteStream::Mode, AP4_ByteStream*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/System/StdC/Ap4StdCFileByteStream.cpp:279:14

SUMMARY: AddressSanitizer: heap-use-after-free /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Atom.cpp:408:25 in AP4_UnknownAtom::~AP4_UnknownAtom()
Shadow bytes around the buggy address:
  0x0c087fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c087fff8000: fa fa[fd]fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c087fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
==3677656==ABORTING

BUG3

=================================================================
==3972313==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000002b18 at pc 0x0000004f35b1 bp 0x7fff7428d660 sp 0x7fff7428d658
READ of size 8 at 0x604000002b18 thread T0
    #0 0x4f35b0 in AP4_Sample::GetOffset() const /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Sample.h:99:48
    #1 0x4f35b0 in AP4_LinearReader::Advance(bool) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4LinearReader.cpp:434:54
    #2 0x4f42a2 in AP4_LinearReader::ReadNextSample(unsigned int, AP4_Sample&, AP4_DataBuffer&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4LinearReader.cpp:530:29
    #3 0x4cb0b0 in ReadSample(SampleReader&, AP4_Track&, AP4_Sample&, AP4_DataBuffer&, double&, bool&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Apps/Mp42Ts/Mp42Ts.cpp:181:32
    #4 0x4cb0b0 in WriteSamples(AP4_Mpeg2TsWriter&, AP4_Track*, SampleReader*, AP4_Mpeg2TsWriter::SampleStream*, AP4_Track*, SampleReader*, AP4_Mpeg2TsWriter::SampleStream*, unsigned int) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Apps/Mp42Ts/Mp42Ts.cpp:306:22
    #5 0x4cb0b0 in main /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Apps/Mp42Ts/Mp42Ts.cpp:640:14
    #6 0x7fa64720d082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16
    #7 0x41c8fd in _start (/home/zt/cnvd/Bento4/Bento4-fuzzer/build/mp42ts+0x41c8fd)

0x604000002b18 is located 8 bytes inside of 48-byte region [0x604000002b10,0x604000002b40)
freed by thread T0 here:
    #0 0x4c500d in operator delete(void*) (/home/zt/cnvd/Bento4/Bento4-fuzzer/build/mp42ts+0x4c500d)
    #1 0x4f2dff in AP4_LinearReader::SampleBuffer::~SampleBuffer() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4LinearReader.h:104:26
    #2 0x4f2dff in AP4_LinearReader::Advance(bool) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4LinearReader.cpp:462:17

previously allocated by thread T0 here:
    #0 0x4c47ad in operator new(unsigned long) (/home/zt/cnvd/Bento4/Bento4-fuzzer/build/mp42ts+0x4c47ad)
    #1 0x4f2360 in AP4_LinearReader::Advance(bool) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4LinearReader.cpp:422:41

SUMMARY: AddressSanitizer: heap-use-after-free /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Sample.h:99:48 in AP4_Sample::GetOffset() const
Shadow bytes around the buggy address:
  0x0c087fff8510: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fff8520: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
  0x0c087fff8530: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
  0x0c087fff8540: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fff8550: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
=>0x0c087fff8560: fa fa fd[fd]fd fd fd fd fa fa fd fd fd fd fd fa
  0x0c087fff8570: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fff8580: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
  0x0c087fff8590: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
  0x0c087fff85a0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fff85b0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
==3972313==ABORTING

Validation steps

git clone https://github.com/axiomatic-systems/Bento4
cd Bento4/
mkdir check_build && cd check_build
cmake ../ -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_FLAGS="-fsanitize=address" -DCMAKE_CXX_FLAGS="-fsanitize=address" -DCMAKE_BUILD_TYPE=Release
make -j$(nproc)
./mp42ts input /dev/null

Version

Ubuntu 20.04 LTS
Bento4 v1.6.0-641
master, date: 2024.3.24

Crash input:

poc.zip poc1.zip poc2.zip