axiomatic-systems / Bento4

Full-featured MP4 format, MPEG DASH, HLS, CMAF SDK and tools
http://www.bento4.com

Multiple vulnerabilities exist in mp4edit #964

Open zhangteng0526 opened 5 months ago

zhangteng0526 commented 5 months ago

Dear Bento4 developers, I used AFL++ to fuzz-test Bento4 and found some problems. Here is some output from debugging a program built with ASan:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==27037==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x0000005e3c0c bp 0x7ffe220ba180 sp 0x7ffe220b9de0 T0)
==27037==The signal is caused by a READ memory access.
==27037==Hint: address points to the zero page.
    #0 0x5e3c0c in AP4_Processor::ProcessFragments(AP4_MoovAtom*, AP4_List<AP4_AtomLocator>&, AP4_ContainerAtom*, AP4_SidxAtom*, unsigned long long, AP4_ByteStream&, AP4_ByteStream&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Processor.cpp:192:56
    #1 0x5f2f50 in AP4_Processor::Process(AP4_ByteStream&, AP4_ByteStream&, AP4_ByteStream*, AP4_Processor::ProgressListener*, AP4_AtomFactory&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Processor.cpp:726:18
    #2 0x4cc7a1 in main /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Apps/Mp4Edit/Mp4Edit.cpp:451:15
    #3 0x7f090c30f082 in __libc_start_main /build/glibc-e2p3jK/glibc-2.31/csu/../csu/libc-start.c:308:16
    #4 0x41c8fd in _start (/home/zt/cnvd/Bento4/Bento4-fuzzer/build/mp4edit+0x41c8fd)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Processor.cpp:192:56 in AP4_Processor::ProcessFragments(AP4_MoovAtom*, AP4_List<AP4_AtomLocator>&, AP4_ContainerAtom*, AP4_SidxAtom*, unsigned long long, AP4_ByteStream&, AP4_ByteStream&)
==27037==ABORTING
AddressSanitizer:DEADLYSIGNAL
=================================================================
==27105==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x0000005e484c bp 0x7ffecbdb2d80 sp 0x7ffecbdb29e0 T0)
==27105==The signal is caused by a READ memory access.
==27105==Hint: address points to the zero page.
    #0 0x5e484c in AP4_TfhdAtom::GetTrackId() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4TfhdAtom.h:71:67
    #1 0x5e484c in AP4_Processor::ProcessFragments(AP4_MoovAtom*, AP4_List<AP4_AtomLocator>&, AP4_ContainerAtom*, AP4_SidxAtom*, unsigned long long, AP4_ByteStream&, AP4_ByteStream&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Processor.cpp:229:62
    #2 0x5f2f50 in AP4_Processor::Process(AP4_ByteStream&, AP4_ByteStream&, AP4_ByteStream*, AP4_Processor::ProgressListener*, AP4_AtomFactory&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Processor.cpp:726:18
    #3 0x4cc7a1 in main /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Apps/Mp4Edit/Mp4Edit.cpp:451:15
    #4 0x7f5ed75c6082 in __libc_start_main /build/glibc-e2p3jK/glibc-2.31/csu/../csu/libc-start.c:308:16
    #5 0x41c8fd in _start (/home/zt/cnvd/Bento4/Bento4-fuzzer/build/mp4edit+0x41c8fd)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4TfhdAtom.h:71:67 in AP4_TfhdAtom::GetTrackId()
==27105==ABORTING
AddressSanitizer:DEADLYSIGNAL
=================================================================
==27157==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000004d71c5 bp 0x7ffcac39c810 sp 0x7ffcac39c400 T0)
==27157==The signal is caused by a READ memory access.
==27157==Hint: address points to the zero page.
    #0 0x4d71c5 in AP4_AtomParent::RemoveChild(AP4_Atom*) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Atom.cpp:567:16
    #1 0x5ed0c1 in AP4_Processor::Process(AP4_ByteStream&, AP4_ByteStream&, AP4_ByteStream*, AP4_Processor::ProgressListener*, AP4_AtomFactory&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Processor.cpp:490:19
    #2 0x4cc7a1 in main /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Apps/Mp4Edit/Mp4Edit.cpp:451:15
    #3 0x7f499819b082 in __libc_start_main /build/glibc-e2p3jK/glibc-2.31/csu/../csu/libc-start.c:308:16
    #4 0x41c8fd in _start (/home/zt/cnvd/Bento4/Bento4-fuzzer/build/mp4edit+0x41c8fd)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Atom.cpp:567:16 in AP4_AtomParent::RemoveChild(AP4_Atom*)
==27157==ABORTING
AddressSanitizer:DEADLYSIGNAL
=================================================================
==27211==ERROR: AddressSanitizer: FPE on unknown address 0x0000006afd75 (pc 0x0000006afd75 bp 0x7ffeee810dd0 sp 0x7ffeee810b40 T0)
    #0 0x6afd75 in AP4_TfraAtom::AP4_TfraAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4TfraAtom.cpp:153:53
    #1 0x6af194 in AP4_TfraAtom::Create(unsigned int, AP4_ByteStream&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4TfraAtom.cpp:53:16
    #2 0x50432c in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4AtomFactory.cpp:443:20
    #3 0x4ffcef in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4AtomFactory.cpp:234:14
    #4 0x4fecf8 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4AtomFactory.cpp:154:12
    #5 0x5ec5ea in AP4_Processor::Process(AP4_ByteStream&, AP4_ByteStream&, AP4_ByteStream*, AP4_Processor::ProgressListener*, AP4_AtomFactory&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Processor.cpp:456:9
    #6 0x4cc7a1 in main /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Apps/Mp4Edit/Mp4Edit.cpp:451:15
    #7 0x7f1e7c636082 in __libc_start_main /build/glibc-e2p3jK/glibc-2.31/csu/../csu/libc-start.c:308:16
    #8 0x41c8fd in _start (/home/zt/cnvd/Bento4/Bento4-fuzzer/build/mp4edit+0x41c8fd)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4TfraAtom.cpp:153:53 in AP4_TfraAtom::AP4_TfraAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&)
==27211==ABORTING
=================================================================
==27682==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6040000001f4 at pc 0x0000006e0c42 bp 0x7ffcc9da2100 sp 0x7ffcc9da20f8
READ of size 1 at 0x6040000001f4 thread T0
    #0 0x6e0c41 in AP4_BitReader::ReadCache() const /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Utils.cpp:447:40
    #1 0x6e0c41 in AP4_BitReader::SkipBits(unsigned int) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Utils.cpp:559:20
    #2 0x54857d in AP4_Dac4Atom::AP4_Dac4Atom(unsigned int, unsigned char const*) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Dac4Atom.cpp:396:22
    #3 0x53cc8a in AP4_Dac4Atom::Create(unsigned int, AP4_ByteStream&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Dac4Atom.cpp:58:16
    #4 0x504a63 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4AtomFactory.cpp:776:24
    #5 0x4ffcef in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4AtomFactory.cpp:234:14
    #6 0x52bf9f in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
    #7 0x6436fe in AP4_AudioSampleEntry::AP4_AudioSampleEntry(unsigned int, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4SampleEntry.cpp:420:5
    #8 0x5f852d in AP4_EncaSampleEntry::AP4_EncaSampleEntry(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Protection.cpp:74:5
    #9 0x503315 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4AtomFactory.cpp:298:24
    #10 0x4ffcef in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4AtomFactory.cpp:234:14
    #11 0x67a20e in AP4_StsdAtom::AP4_StsdAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4StsdAtom.cpp:101:13
    #12 0x67737b in AP4_StsdAtom::Create(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4StsdAtom.cpp:57:16
    #13 0x5035a6 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4AtomFactory.cpp:458:20
    #14 0x4ffcef in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4AtomFactory.cpp:234:14
    #15 0x52bf9f in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
    #16 0x52a5c8 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ContainerAtom.cpp:139:5
    #17 0x52a5c8 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
    #18 0x50307a in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4AtomFactory.cpp:816:20
    #19 0x4ffcef in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4AtomFactory.cpp:234:14
    #20 0x52c330 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
    #21 0x52a5c8 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ContainerAtom.cpp:139:5
    #22 0x52a5c8 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
    #23 0x50307a in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4AtomFactory.cpp:816:20
    #24 0x4ffcef in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4AtomFactory.cpp:234:14
    #25 0x52c330 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
    #26 0x52a5c8 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ContainerAtom.cpp:139:5
    #27 0x52a5c8 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
    #28 0x50307a in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4AtomFactory.cpp:816:20
    #29 0x4ffcef in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4AtomFactory.cpp:234:14
    #30 0x52c330 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
    #31 0x52bd68 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ContainerAtom.cpp:139:5
    #32 0x6c32f3 in AP4_TrakAtom::AP4_TrakAtom(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4TrakAtom.cpp:165:5
    #33 0x5019f9 in AP4_TrakAtom::Create(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4TrakAtom.h:58:20
    #34 0x5019f9 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4AtomFactory.cpp:413:20
    #35 0x4ffcef in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4AtomFactory.cpp:234:14
    #36 0x52c330 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
    #37 0x52a5c8 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ContainerAtom.cpp:139:5
    #38 0x52a5c8 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
    #39 0x50307a in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4AtomFactory.cpp:816:20
    #40 0x4ffcef in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4AtomFactory.cpp:234:14
    #41 0x4fecf8 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4AtomFactory.cpp:154:12
    #42 0x5ec5ea in AP4_Processor::Process(AP4_ByteStream&, AP4_ByteStream&, AP4_ByteStream*, AP4_Processor::ProgressListener*, AP4_AtomFactory&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Processor.cpp:456:9
    #43 0x4cc7a1 in main /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Apps/Mp4Edit/Mp4Edit.cpp:451:15
    #44 0x7f993383e082 in __libc_start_main /build/glibc-e2p3jK/glibc-2.31/csu/../csu/libc-start.c:308:16
    #45 0x41c8fd in _start (/home/zt/cnvd/Bento4/Bento4-fuzzer/build/mp4edit+0x41c8fd)

0x6040000001f4 is located 0 bytes to the right of 36-byte region [0x6040000001d0,0x6040000001f4)
allocated by thread T0 here:
    #0 0x4c48bd in operator new[](unsigned long) (/home/zt/cnvd/Bento4/Bento4-fuzzer/build/mp4edit+0x4c48bd)
    #1 0x5616a3 in AP4_DataBuffer::ReallocateBuffer(unsigned int) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4DataBuffer.cpp:210:28
    #2 0x5616a3 in AP4_DataBuffer::SetBufferSize(unsigned int) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4DataBuffer.cpp:136:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Utils.cpp:447:40 in AP4_BitReader::ReadCache() const
Shadow bytes around the buggy address:
  0x0c087fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff8000: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 04
  0x0c087fff8010: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
  0x0c087fff8020: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 03 fa
=>0x0c087fff8030: fa fa 00 00 00 00 03 fa fa fa 00 00 00 00[04]fa
  0x0c087fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==27682==ABORTING
AddressSanitizer:DEADLYSIGNAL
=================================================================
==27379==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x0000005e3c0c bp 0x7ffcc75463a0 sp 0x7ffcc7546000 T0)
==27379==The signal is caused by a READ memory access.
==27379==Hint: address points to the zero page.
    #0 0x5e3c0c in AP4_Processor::ProcessFragments(AP4_MoovAtom*, AP4_List<AP4_AtomLocator>&, AP4_ContainerAtom*, AP4_SidxAtom*, unsigned long long, AP4_ByteStream&, AP4_ByteStream&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Processor.cpp:192:56
    #1 0x5f2f50 in AP4_Processor::Process(AP4_ByteStream&, AP4_ByteStream&, AP4_ByteStream*, AP4_Processor::ProgressListener*, AP4_AtomFactory&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Processor.cpp:726:18
    #2 0x4cc7a1 in main /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Apps/Mp4Edit/Mp4Edit.cpp:451:15
    #3 0x7fd32cf9c082 in __libc_start_main /build/glibc-e2p3jK/glibc-2.31/csu/../csu/libc-start.c:308:16
    #4 0x41c8fd in _start (/home/zt/cnvd/Bento4/Bento4-fuzzer/build/mp4edit+0x41c8fd)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Processor.cpp:192:56 in AP4_Processor::ProcessFragments(AP4_MoovAtom*, AP4_List<AP4_AtomLocator>&, AP4_ContainerAtom*, AP4_SidxAtom*, unsigned long long, AP4_ByteStream&, AP4_ByteStream&)
==27379==ABORTING

Crash input:

crash_input.zip

Validation steps

git clone https://github.com/axiomatic-systems/Bento4
cd Bento4/
mkdir check_build && cd check_build
cmake ../ -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_FLAGS="-fsanitize=address" -DCMAKE_CXX_FLAGS="-fsanitize=address" -DCMAKE_BUILD_TYPE=Release
make -j$(nproc)
./mp4edit input /dev/null

Environment

Ubuntu 20.04 LTS
Bento v1.6.0-641
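Added triage example (not Bento4 code and not from the reporter): the reports above include a repeated crash site (PIDs 27037 and 27379 both fault at Ap4Processor.cpp:192), so a small parser that buckets ASan output by its SUMMARY line and labels the fault class shows how many distinct bugs a fuzzing batch actually contains. The sample input is constructed from four of the reports above, with source paths shortened and register dumps dropped.

```python
import re
from dataclasses import dataclass

# Constructed sample: four of the reports above, trimmed to the lines the parser needs.
SAMPLE = """\
==27037==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x5e3c0c T0)
SUMMARY: AddressSanitizer: SEGV Core/Ap4Processor.cpp:192:56 in AP4_Processor::ProcessFragments(AP4_MoovAtom*, AP4_List<AP4_AtomLocator>&)
==27037==ABORTING
==27211==ERROR: AddressSanitizer: FPE on unknown address 0x0000006afd75 (pc 0x6afd75 T0)
SUMMARY: AddressSanitizer: FPE Core/Ap4TfraAtom.cpp:153:53 in AP4_TfraAtom::AP4_TfraAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&)
==27211==ABORTING
==27682==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6040000001f4 at pc 0x6e0c42
SUMMARY: AddressSanitizer: heap-buffer-overflow Core/Ap4Utils.cpp:447:40 in AP4_BitReader::ReadCache() const
==27682==ABORTING
==27379==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x5e3c0c T0)
SUMMARY: AddressSanitizer: SEGV Core/Ap4Processor.cpp:192:56 in AP4_Processor::ProcessFragments(AP4_MoovAtom*, AP4_List<AP4_AtomLocator>&)
==27379==ABORTING
"""

ERROR_RE = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: (\S+)(?: on (?:unknown )?address 0x([0-9a-f]+))?")
SUMMARY_RE = re.compile(r"^SUMMARY: AddressSanitizer: \S+ ([^\s:]+):(\d+):\d+ in (.+)$")

@dataclass
class Crash:
    pid: str
    kind: str       # SEGV, FPE, heap-buffer-overflow, ...
    addr: int = -1  # faulting address, -1 when ASan printed none
    site: str = ""  # file:line taken from the SUMMARY line
    func: str = ""  # function name without its parameter list

def parse_reports(text: str) -> list:
    """Split concatenated ASan output into one Crash per ERROR..ABORTING block."""
    crashes, cur = [], None
    for line in text.splitlines():
        if (m := ERROR_RE.match(line)):
            cur = Crash(m[1], m[2], int(m[3], 16) if m[3] else -1)
        elif cur and (m := SUMMARY_RE.match(line)):
            cur.site, cur.func = f"{m[1]}:{m[2]}", m[3].split("(")[0]
        elif cur and line.endswith("==ABORTING"):
            crashes.append(cur)
            cur = None
    return crashes

def classify(c: Crash) -> str:
    """Coarse impact label from the report kind and faulting address."""
    if c.kind == "SEGV" and 0 <= c.addr < 0x1000:
        return "null-pointer dereference (zero page): crash/DoS, add a NULL check"
    if c.kind == "FPE":
        return "arithmetic fault, typically division by zero: validate the divisor"
    if c.kind == "heap-buffer-overflow":
        return "out-of-bounds heap access: memory safety bug, needs a bounds check"
    return c.kind

def bucket_by_site(crashes: list) -> dict:
    """Group PIDs by (kind, file:line, function) so duplicate crash sites collapse."""
    buckets = {}
    for c in crashes:
        buckets.setdefault((c.kind, c.site, c.func), []).append(c.pid)
    return buckets
```

Running `bucket_by_site(parse_reports(SAMPLE))` on the sample yields three buckets from four reports, with the two ProcessFragments crashes collapsed into one.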