axiomatic-systems / Bento4

Full-featured MP4 format, MPEG DASH, HLS, CMAF SDK and tools
http://www.bento4.com

AddressSanitizer: heap-buffer-overflow in mp42aac #958

Open gpriamo opened 6 months ago

gpriamo commented 6 months ago

Describe the bug

AddressSanitizer: heap-buffer-overflow in mp42aac.

To Reproduce

Built Bento4 main branch and release v1.6.0-641 according to the instructions in the README.md file.

ASAN Output

./mp42aac <testcase> /dev/null

=================================================================
==270550==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000b1 at pc 0x000000434dee bp 0x7fff1e043750 sp 0x7fff1e042f18
WRITE of size 11 at 0x6020000000b1 thread T0
    #0 0x434ded in fread /tmp/llvm/utils/release/final/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1029:16
    #1 0x54362b in AP4_StdcFileByteStream::ReadPartial(void*, unsigned int, unsigned int&) BUILD/Source/C++/System/StdC/Ap4StdCFileByteStream.cpp:341:14
    #2 0x4d161f in AP4_ByteStream::Read(void*, unsigned int) BUILD/Source/C++/Core/Ap4ByteStream.cpp:54:29
    #3 0x53f424 in AP4_MetaDataStringAtom::AP4_MetaDataStringAtom(unsigned int, unsigned int, AP4_ByteStream&) BUILD/Source/C++/MetaData/Ap4MetaData.cpp:1637:12
    #4 0x533c10 in AP4_MetaDataAtomTypeHandler::CreateAtom(unsigned int, unsigned int, AP4_ByteStream&, unsigned int, AP4_Atom*&) BUILD/Source/C++/MetaData/Ap4MetaData.cpp:428:24
    #5 0x55b04d in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) BUILD/Source/C++/Core/Ap4AtomFactory.cpp:844:21
    #6 0x5562c1 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) BUILD/Source/C++/Core/Ap4AtomFactory.cpp:234:14
    #7 0x590b19 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) BUILD/Source/C++/Core/Ap4ContainerAtom.cpp:196:12
    #8 0x590926 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) BUILD/Source/C++/Core/Ap4ContainerAtom.cpp:140:5
    #9 0x5901ac in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) BUILD/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
    #10 0x533a7c in AP4_MetaDataAtomTypeHandler::CreateAtom(unsigned int, unsigned int, AP4_ByteStream&, unsigned int, AP4_Atom*&) BUILD/Source/C++/MetaData/Ap4MetaData.cpp:419:20
    #11 0x55b04d in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) BUILD/Source/C++/Core/Ap4AtomFactory.cpp:844:21
    #12 0x5562c1 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) BUILD/Source/C++/Core/Ap4AtomFactory.cpp:234:14
    #13 0x590b19 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) BUILD/Source/C++/Core/Ap4ContainerAtom.cpp:196:12
    #14 0x590926 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) BUILD/Source/C++/Core/Ap4ContainerAtom.cpp:140:5
    #15 0x5901ac in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) BUILD/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
    #16 0x55ae35 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) BUILD/Source/C++/Core/Ap4AtomFactory.cpp:816:20
    #17 0x5562c1 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) BUILD/Source/C++/Core/Ap4AtomFactory.cpp:234:14
    #18 0x55542e in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) BUILD/Source/C++/Core/Ap4AtomFactory.cpp:154:12
    #19 0x4da683 in AP4_File::ParseStream(AP4_ByteStream&, AP4_AtomFactory&, bool) BUILD/Source/C++/Core/Ap4File.cpp:104:12
    #20 0x4dad7d in AP4_File::AP4_File(AP4_ByteStream&, bool) BUILD/Source/C++/Core/Ap4File.cpp:78:5
    #21 0x4cf8ee in main BUILD/Source/C++/Apps/Mp42Aac/Mp42Aac.cpp:250:22
    #22 0x7f8063b77082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #23 0x41d5ed in _start (target+0x41d5ed)

0x6020000000b1 is located 0 bytes to the right of 1-byte region [0x6020000000b0,0x6020000000b1)
allocated by thread T0 here:
    #0 0x4c94ad in operator new[](unsigned long) /tmp/llvm/utils/release/final/llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:102:3
    #1 0x50ab25 in AP4_String::AP4_String(unsigned int) BUILD/Source/C++/Core/Ap4String.cpp:85:15
    #2 0x53f3c1 in AP4_MetaDataStringAtom::AP4_MetaDataStringAtom(unsigned int, unsigned int, AP4_ByteStream&) BUILD/Source/C++/MetaData/Ap4MetaData.cpp:1634:5
    #3 0x533c10 in AP4_MetaDataAtomTypeHandler::CreateAtom(unsigned int, unsigned int, AP4_ByteStream&, unsigned int, AP4_Atom*&) BUILD/Source/C++/MetaData/Ap4MetaData.cpp:428:24
    #4 0x55b04d in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) BUILD/Source/C++/Core/Ap4AtomFactory.cpp:844:21
    #5 0x5562c1 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) BUILD/Source/C++/Core/Ap4AtomFactory.cpp:234:14
    #6 0x590b19 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) BUILD/Source/C++/Core/Ap4ContainerAtom.cpp:196:12
    #7 0x590926 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) BUILD/Source/C++/Core/Ap4ContainerAtom.cpp:140:5
    #8 0x5901ac in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) BUILD/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
    #9 0x533a7c in AP4_MetaDataAtomTypeHandler::CreateAtom(unsigned int, unsigned int, AP4_ByteStream&, unsigned int, AP4_Atom*&) BUILD/Source/C++/MetaData/Ap4MetaData.cpp:419:20
    #10 0x55b04d in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) BUILD/Source/C++/Core/Ap4AtomFactory.cpp:844:21
    #11 0x5562c1 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) BUILD/Source/C++/Core/Ap4AtomFactory.cpp:234:14
    #12 0x590b19 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) BUILD/Source/C++/Core/Ap4ContainerAtom.cpp:196:12
    #13 0x590926 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) BUILD/Source/C++/Core/Ap4ContainerAtom.cpp:140:5
    #14 0x5901ac in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) BUILD/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
    #15 0x55ae35 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) BUILD/Source/C++/Core/Ap4AtomFactory.cpp:816:20
    #16 0x5562c1 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) BUILD/Source/C++/Core/Ap4AtomFactory.cpp:234:14
    #17 0x55542e in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) BUILD/Source/C++/Core/Ap4AtomFactory.cpp:154:12
    #18 0x4da683 in AP4_File::ParseStream(AP4_ByteStream&, AP4_AtomFactory&, bool) BUILD/Source/C++/Core/Ap4File.cpp:104:12
    #19 0x4dad7d in AP4_File::AP4_File(AP4_ByteStream&, bool) BUILD/Source/C++/Core/Ap4File.cpp:78:5
    #20 0x4cf8ee in main BUILD/Source/C++/Apps/Mp42Aac/Mp42Aac.cpp:250:22
    #21 0x7f8063b77082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/llvm/utils/release/final/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1029:16 in fread
Shadow bytes around the buggy address:
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff8000: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
=>0x0c047fff8010: fa fa 01 fa fa fa[01]fa fa fa fa fa fa fa fa fa
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==270550==ABORTING

Environment info

OS: Ubuntu 20.04.6
Bento v1.6.0-641 (and main branch)

Crashing file

Please find the file provoking the crash inside the attached testcase.zip archive.
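The trace above pins the mismatch to two lines of Ap4MetaData.cpp: the AP4_String allocated at line 1634 is a 1-byte region, and the stream.Read at line 1637 writes 11 bytes into it, so the length used for the allocation and the length used for the read do not agree. Why they disagree is not established on this page. As an added illustration, not Bento4's code and not a claim about this bug's root cause, the following C program shows the general pattern for a length-prefixed string atom: a payload length computed as declared size minus a 12-byte fixed part with no lower bound wraps for small declared sizes, while a reader that bounds the declared size below by the fixed part and above by the bytes actually remaining in the stream rejects such input before allocating. The atom layout, error codes, function names and sample bytes are constructed for the example.

```c
/*
 * Added illustration, not Bento4 code: a reader for a length-prefixed string
 * atom with and without validation of the declared size. The layout assumed
 * here is constructed for the example:
 *   [u32 size, big-endian, includes header][u32 type][u32 reserved][payload]
 * Sizes 0 and 1 carry special meanings in ISO BMFF (to-end-of-file, 64-bit
 * largesize); this toy simply rejects them as too small.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ATOM_HEADER_SIZE 8u                               /* size + type      */
#define RESERVED_SIZE    4u                               /* word before data */
#define MIN_ATOM_SIZE    (ATOM_HEADER_SIZE + RESERVED_SIZE)

enum {
    ATOM_OK            =  0,
    ATOM_ERR_SHORT     = -1,   /* stream too short to hold even the fixed part */
    ATOM_ERR_BAD_SIZE  = -2,   /* declared size smaller than the fixed part    */
    ATOM_ERR_TRUNCATED = -3,   /* declared size larger than stream remainder   */
    ATOM_ERR_OOM       = -4
};

typedef struct { const uint8_t *buf; size_t len; size_t pos; } stream_t;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Unchecked pattern: payload length derived from the declared size with no
 * lower bound. For declared_size < 12 the unsigned subtraction wraps to a
 * value near 4 GiB, and a 32-bit "len + 1" sized allocation wraps to 0.
 * Returned for inspection only; nothing here writes with it. */
uint32_t unchecked_payload_len(uint32_t declared_size) {
    return declared_size - ATOM_HEADER_SIZE - RESERVED_SIZE;
}

/* Hardened reader: every length used for allocation and copying is derived
 * from a declared size that has been bounded below by the fixed part and
 * above by the bytes actually present in the stream. */
int read_string_atom(stream_t *s, char **out, uint32_t *out_len) {
    if (s->len - s->pos < MIN_ATOM_SIZE) return ATOM_ERR_SHORT;
    uint32_t size = be32(s->buf + s->pos);
    if (size < MIN_ATOM_SIZE) return ATOM_ERR_BAD_SIZE;     /* no underflow   */
    if ((size_t)size > s->len - s->pos) return ATOM_ERR_TRUNCATED;
    uint32_t payload = size - MIN_ATOM_SIZE;                /* now safe       */
    char *str = malloc((size_t)payload + 1);                /* size_t: no wrap */
    if (!str) return ATOM_ERR_OOM;
    memcpy(str, s->buf + s->pos + MIN_ATOM_SIZE, payload);
    str[payload] = '\0';
    s->pos += size;
    *out = str;
    *out_len = payload;
    return ATOM_OK;
}

/* Constructed sample atoms; these are not taken from the reporter's testcase. */
static const uint8_t SAMPLE_GOOD[] = {        /* size 17 = 12 + "hello"   */
    0x00,0x00,0x00,0x11, 'd','a','t','a', 0x00,0x00,0x00,0x01, 'h','e','l','l','o' };
static const uint8_t SAMPLE_UNDERSIZED[] = {  /* size 11 < MIN_ATOM_SIZE  */
    0x00,0x00,0x00,0x0b, 'd','a','t','a', 0x00,0x00,0x00,0x01, 'h','e','l','l','o' };
static const uint8_t SAMPLE_TRUNCATED[] = {   /* claims 64 bytes, holds 14 */
    0x00,0x00,0x00,0x40, 'd','a','t','a', 0x00,0x00,0x00,0x01, 'h','i' };

/* Returns the parsed length (5) when the payload reads "hello", else an error. */
int demo_good_atom(void) {
    stream_t s = { SAMPLE_GOOD, sizeof SAMPLE_GOOD, 0 };
    char *str = NULL; uint32_t n = 0;
    int rc = read_string_atom(&s, &str, &n);
    if (rc != ATOM_OK) return rc;
    rc = (n == 5 && strcmp(str, "hello") == 0) ? (int)n : -100;
    free(str);
    return rc;
}
int demo_undersized_atom(void) {
    stream_t s = { SAMPLE_UNDERSIZED, sizeof SAMPLE_UNDERSIZED, 0 };
    char *str = NULL; uint32_t n = 0;
    return read_string_atom(&s, &str, &n);
}
int demo_truncated_atom(void) {
    stream_t s = { SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, 0 };
    char *str = NULL; uint32_t n = 0;
    return read_string_atom(&s, &str, &n);
}

int main(void) {
    printf("good=%d undersized=%d truncated=%d unchecked_len(11)=0x%08x\n",
           demo_good_atom(), demo_undersized_atom(), demo_truncated_atom(),
           unchecked_payload_len(11));
    return 0;
}
```

The two checks in read_string_atom are the ones to look for when triaging an ASAN report of this shape: the lower bound stops the unsigned subtraction from wrapping, and the upper bound stops a declared size from driving a read past what the file actually contains. Running the program under AddressSanitizer is a quick way to confirm that the hardened reader never touches the heap for the undersized and truncated samples.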