axiomatic-systems / Bento4

Full-featured MP4 format, MPEG DASH, HLS, CMAF SDK and tools
http://www.bento4.com

mp42avc found allocation-size-too-big crash #947

Open 40ngx opened 7 months ago

40ngx commented 7 months ago

Hi, I found an allocation-size-too-big crash in mp42avc. It seems to be caused by a bug in Bento4/Source/C++/Core/Ap4RtpAtom.cpp:50:25. I noticed someone had found a similar problem with mp42aac, but it seems it still hasn't been fixed. The command that causes the vulnerability and the related crash information are as follows:

./mp42avc poc out

poc.zip (attached)

ASan trace report:

=================================================================
==1784304==ERROR: AddressSanitizer: requested allocation size 0xffffffffe7000019 (0xffffffffe7001020 after adjustments for alignment, red zones etc.) exceeds maximum supported size of 0x10000000000 (thread T0)
    #0 0x55fab814153d in operator new[](unsigned long) (/root/fuzzing_Bento4/Bento4/cmakebuild/mp42avc+0x18f53d) (BuildId: b6869cc7d4500ad6)
    #1 0x55fab817a0c6 in AP4_RtpAtom::AP4_RtpAtom(unsigned int, AP4_ByteStream&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4RtpAtom.cpp:50:25
    #2 0x55fab817a0c6 in AP4_RtpAtom::Create(unsigned int, AP4_ByteStream&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4RtpAtom.h:53:20
    #3 0x55fab817a0c6 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:689:20
    #4 0x55fab81809ee in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
    #5 0x55fab81a3613 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
    #6 0x55fab81762f3 in AP4_VisualSampleEntry::AP4_VisualSampleEntry(unsigned int, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4SampleEntry.cpp:884:5
    #7 0x55fab81762f3 in AP4_AvcSampleEntry::AP4_AvcSampleEntry(unsigned int, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4SampleEntry.cpp:1136:5
    #8 0x55fab81762f3 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:319:24
    #9 0x55fab81809ee in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
    #10 0x55fab8308e0e in AP4_StsdAtom::AP4_StsdAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4StsdAtom.cpp:101:13
    #11 0x55fab8308953 in AP4_StsdAtom::Create(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4StsdAtom.cpp:57:16
    #12 0x55fab81795bb in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:458:20
    #13 0x55fab81809ee in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
    #14 0x55fab81a29d2 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
    #15 0x55fab81a29d2 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139:5
    #16 0x55fab81a123b in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
    #17 0x55fab8179573 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816:20
    #18 0x55fab81809ee in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
    #19 0x55fab81a29d2 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
    #20 0x55fab81a29d2 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139:5
    #21 0x55fab81a123b in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
    #22 0x55fab8179573 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816:20
    #23 0x55fab81809ee in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
    #24 0x55fab81a29d2 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
    #25 0x55fab81a29d2 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139:5
    #26 0x55fab81a123b in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
    #27 0x55fab8179573 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816:20
    #28 0x55fab81809ee in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
    #29 0x55fab81a29d2 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
    #30 0x55fab81a29d2 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139:5
    #31 0x55fab8179b12 in AP4_TrakAtom::AP4_TrakAtom(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4TrakAtom.cpp:165:5
    #32 0x55fab8179b12 in AP4_TrakAtom::Create(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4TrakAtom.h:58:20
    #33 0x55fab8179b12 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:413:20
    #34 0x55fab81809ee in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
    #35 0x55fab81a29d2 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
    #36 0x55fab81a29d2 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139:5
    #37 0x55fab81f2436 in AP4_MoovAtom::AP4_MoovAtom(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4MoovAtom.cpp:79:5
    #38 0x55fab8179e2a in AP4_MoovAtom::Create(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4MoovAtom.h:56:20
    #39 0x55fab8179e2a in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:393:20
    #40 0x55fab81809ee in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
    #41 0x55fab8180021 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) /root/fuzzing_Bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:154:12

==1784304==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: allocation-size-too-big (/root/fuzzing_Bento4/Bento4/cmakebuild/mp42avc+0x18f53d) (BuildId: b6869cc7d4500ad6) in operator new[](unsigned long)
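The requested size in the report, 0xffffffffe7000019, has its top 32 bits set, which is the shape a negative 32-bit length takes when it is sign-extended into the 64-bit argument of operator new[]. That pattern usually means a payload length was computed from a container-supplied size field without first checking that the field is at least as large as the fixed part being subtracted. The example below is added for illustration; it is a hypothetical atom parser, not Bento4's AP4_RtpAtom code, and its layout (4-byte big-endian size counting the header, 4-byte type, 4 fixed bytes, then text), the names UncheckedPayloadLength, ParseTextAtom and MakeAtom, and the sample inputs are all constructed here. It shows the unchecked arithmetic that produces such a request beside the checked version that rejects the malformed size before any allocation.

```cpp
// Added illustration (hypothetical parser, not Bento4's AP4_RtpAtom code):
// how a length field read from an untrusted MP4 container can wrap into a
// huge request to operator new[], and the checks that stop it.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Assumed atom layout: 4-byte big-endian size (counting the header itself),
// 4-byte type code, 4 bytes of fixed fields, then a text payload.
constexpr uint32_t kHeaderSize      = 8;
constexpr uint32_t kFixedFieldsSize = 4;
constexpr uint32_t kMinAtomSize     = kHeaderSize + kFixedFieldsSize;

static uint32_t ReadBE32(const uint8_t* p) {
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) |
           (uint32_t(p[2]) << 8)  |  uint32_t(p[3]);
}

// Unchecked arithmetic: payload = size - fixed part, computed in a signed
// 32-bit type and then widened for the allocator. A declared size smaller
// than the fixed part goes negative, and the negative value sign-extends to
// a 64-bit request with its top 32 bits set. No allocation is made here;
// the function only returns the size that would reach operator new[].
size_t UncheckedPayloadLength(uint32_t declared_size) {
    int32_t payload = int32_t(declared_size) - int32_t(kMinAtomSize);
    return size_t(payload) + 1;   // +1 for a NUL terminator
}

struct ParseResult {
    bool ok;
    std::string text;
};

// Checked version: reject sizes that cannot be valid before any subtraction,
// and never trust the declared size beyond the bytes actually in hand.
ParseResult ParseTextAtom(const std::vector<uint8_t>& buf) {
    if (buf.size() < kMinAtomSize) return {false, ""};   // truncated header
    uint32_t declared = ReadBE32(buf.data());
    if (declared < kMinAtomSize)  return {false, ""};    // underflow guard
    if (declared > buf.size())    return {false, ""};    // over-read guard
    size_t payload_len = declared - kMinAtomSize;        // now within the buffer
    const char* payload = reinterpret_cast<const char*>(buf.data()) + kMinAtomSize;
    return {true, std::string(payload, payload_len)};
}

// Constructed sample input (not the report's poc file): header with the given
// declared size, a dummy type code, zeroed fixed fields, then `text`.
std::vector<uint8_t> MakeAtom(uint32_t declared_size, const std::string& text) {
    std::vector<uint8_t> v = {
        uint8_t(declared_size >> 24), uint8_t(declared_size >> 16),
        uint8_t(declared_size >> 8),  uint8_t(declared_size),
        'd', 'e', 'm', 'o',           // type code
        0, 0, 0, 0,                   // fixed fields
    };
    v.insert(v.end(), text.begin(), text.end());
    return v;
}

int main() {
    // Declared size 8 is smaller than the 12 fixed bytes: wraps when unchecked.
    std::printf("unchecked request for declared size 8: 0x%zx bytes\n",
                UncheckedPayloadLength(8));
    ParseResult bad = ParseTextAtom(MakeAtom(8, ""));
    std::printf("checked parse of declared size 8: %s\n", bad.ok ? "accepted" : "rejected");
    // Declared size larger than the data available is rejected as well.
    ParseResult oversize = ParseTextAtom(MakeAtom(0xE7000004u, "x"));
    std::printf("checked parse of oversized declaration: %s\n",
                oversize.ok ? "accepted" : "rejected");
    ParseResult good = ParseTextAtom(MakeAtom(17, "hello"));
    std::printf("checked parse of declared size 17: %s \"%s\"\n",
                good.ok ? "accepted" : "rejected", good.text.c_str());
    return 0;
}
```

The two guards are the whole fix: the first makes the subtraction safe, the second keeps the declared size from driving a read past the end of the input. Either check alone is insufficient, since a size that passes the underflow guard can still exceed the bytes present, as the 0xE7000004 case shows.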