Dear Bento4 developers, I used AFL++ to fuzz test Bento4 and found some problems.
To debug a program built with ASan, here is some output:
unable to autodetect fragment duration, using default
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1718535==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000006b229c bp 0x60b000000408 sp 0x7ffe5a6079e0 T0)
==1718535==The signal is caused by a READ memory access.
==1718535==Hint: address points to the zero page.
#0 0x6b229c in AP4_StsdAtom::AP4_StsdAtom(AP4_SampleTable*) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4StsdAtom.cpp:75:47
#1 0x825ed3 in AP4_SampleTable::GenerateStblAtom(AP4_ContainerAtom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4SampleTable.cpp:59:30
#2 0x6fb497 in AP4_TrakAtom::AP4_TrakAtom(AP4_SampleTable*, unsigned int, char const*, unsigned int, unsigned long long, unsigned long long, unsigned long long, unsigned int, unsigned long long, unsigned short, char const*, unsigned int, unsigned int, unsigned short, unsigned short, int const*) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4TrakAtom.cpp:131:28
#3 0x6f60dd in AP4_Track::AP4_Track(AP4_SampleTable*, unsigned int, unsigned int, unsigned long long, unsigned int, unsigned long long, AP4_Track const*) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Track.cpp:183:22
#4 0x4cf67a in Fragment(AP4_File&, AP4_ByteStream&, AP4_Array<TrackCursor*>&, unsigned int, unsigned int, bool, bool, bool) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Apps/Mp4Fragment/Mp4Fragment.cpp:360:39
#5 0x4cf67a in main /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Apps/Mp4Fragment/Mp4Fragment.cpp:1475:5
#6 0x7f0e35d8b082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16
#7 0x41c90d in _start (/home/zt/cnvd/Bento4/Bento4-fuzzer/build/mp4fragment+0x41c90d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4StsdAtom.cpp:75:47 in AP4_StsdAtom::AP4_StsdAtom(AP4_SampleTable*)
==1718535==ABORTING
unable to autodetect fragment duration, using default
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1686304==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f80a52d6915 bp 0x7ffe1023fd70 sp 0x7ffe1023f528 T0)
==1686304==The signal is caused by a READ memory access.
==1686304==Hint: address points to the zero page.
#0 0x7f80a52d6915 /build/glibc-wuryBv/glibc-2.31/string/../sysdeps/x86_64/multiarch/strlen-avx2.S:65
#1 0x42f3e8 in strlen (/home/zt/cnvd/Bento4/Bento4-fuzzer/build/mp4fragment+0x42f3e8)
#2 0x5e3c2f in AP4_MdhdAtom::AP4_MdhdAtom(unsigned long long, unsigned long long, unsigned int, unsigned long long, char const*) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4MdhdAtom.cpp:69:9
#3 0x6fb6d1 in AP4_TrakAtom::AP4_TrakAtom(AP4_SampleTable*, unsigned int, char const*, unsigned int, unsigned long long, unsigned long long, unsigned long long, unsigned int, unsigned long long, unsigned short, char const*, unsigned int, unsigned int, unsigned short, unsigned short, int const*) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4TrakAtom.cpp:143:22
#4 0x6f60dd in AP4_Track::AP4_Track(AP4_SampleTable*, unsigned int, unsigned int, unsigned long long, unsigned int, unsigned long long, AP4_Track const*) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Track.cpp:183:22
#5 0x4cf67a in Fragment(AP4_File&, AP4_ByteStream&, AP4_Array<TrackCursor*>&, unsigned int, unsigned int, bool, bool, bool) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Apps/Mp4Fragment/Mp4Fragment.cpp:360:39
#6 0x4cf67a in main /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Apps/Mp4Fragment/Mp4Fragment.cpp:1475:5
#7 0x7f80a5172082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16
#8 0x41c90d in _start (/home/zt/cnvd/Bento4/Bento4-fuzzer/build/mp4fragment+0x41c90d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /build/glibc-wuryBv/glibc-2.31/string/../sysdeps/x86_64/multiarch/strlen-avx2.S:65
==1686304==ABORTING
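Added example, not part of this report or of Bento4: a small triage script that parses ASan output like the two reports above, flags the "zero page" SEGVs as null-pointer reads, and buckets findings by the first in-project frame so that duplicate fuzzer crashes collapse into one entry. The sample is the two reports above with most frames cut; the `/Source/C++/` marker used to tell project frames from libc frames is an assumption.

```python
import re
# Constructed sample: the two reports above, cut down to the frames that matter.
SAMPLE = """\
==1718535==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x6b229c bp 0x60b000000408 sp 0x7ffe5a6079e0 T0)
==1718535==Hint: address points to the zero page.
    #0 0x6b229c in AP4_StsdAtom::AP4_StsdAtom(AP4_SampleTable*) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4StsdAtom.cpp:75:47
    #1 0x825ed3 in AP4_SampleTable::GenerateStblAtom(AP4_ContainerAtom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4SampleTable.cpp:59:30
    #2 0x4cf67a in main /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Apps/Mp4Fragment/Mp4Fragment.cpp:1475:5
==1686304==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f80a52d6915 bp 0x7ffe1023fd70 sp 0x7ffe1023f528 T0)
==1686304==Hint: address points to the zero page.
    #0 0x7f80a52d6915 /build/glibc-wuryBv/glibc-2.31/string/../sysdeps/x86_64/multiarch/strlen-avx2.S:65
    #1 0x42f3e8 in strlen (/home/zt/cnvd/Bento4/Bento4-fuzzer/build/mp4fragment+0x42f3e8)
    #2 0x5e3c2f in AP4_MdhdAtom::AP4_MdhdAtom(unsigned long long, unsigned long long, unsigned int, unsigned long long, char const*) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4MdhdAtom.cpp:69:9
    #3 0x4cf67a in main /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Apps/Mp4Fragment/Mp4Fragment.cpp:1475:5
"""
HEADER_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (\S+)(?: on unknown address (0x[0-9a-f]+))?")
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ (?:in (.+?) )?(\S+)$")

def parse_reports(text):
    """Split concatenated ASan output into one dict per report."""
    reports = []
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            reports.append({"kind": m.group(1), "address": m.group(2), "hints": [], "frames": []})
        elif reports and "Hint:" in line:
            reports[-1]["hints"].append(line.split("Hint:", 1)[1].strip())
        elif reports and (f := FRAME_RE.match(line)):
            reports[-1]["frames"].append((f.group(2), f.group(3)))  # (function or None, location)
    return reports

def classify(r):
    """SEGV at a near-zero address (ASan's 'zero page' hint) is a null-pointer dereference."""
    near_zero = r["address"] is not None and int(r["address"], 16) < 4096
    if r["kind"] == "SEGV" and (near_zero or any("zero page" in h for h in r["hints"])):
        return "null-deref"
    return r["kind"]

def crash_site(r, project_marker="/Source/C++/"):
    """First frame inside the project tree as 'function@file:line'; libc frames are skipped."""
    for func, loc in r["frames"]:
        if project_marker in loc:
            parts = loc.rsplit(":", 2)  # path:line[:column]
            return f"{func}@{parts[0].rsplit('/', 1)[-1]}:{parts[1]}"
    return "unknown"

def triage(text):  # bucket reports by crash site so duplicate fuzzer findings collapse
    buckets = {}
    for r in parse_reports(text):
        site = crash_site(r)
        buckets[site] = (classify(r), buckets.get(site, (None, 0))[1] + 1)
    return buckets
```

Run `triage(open("asan.log").read())` over a directory of fuzzer crash logs to see how many distinct sites you actually have before filing each one.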
Crash input:
poc.zip poc1.zip
Validation steps
Environment