Open mugichiya opened 2 weeks ago
I also found heap-based buffer overflow in mp4file.cpp:2662.
See testcases.
git clone https://github.com/mugichiya/pockey.git
cp -r ./pockey/projects/mp4v2_hof/testcases .
./mp4chaps --list ./testcases/0000000000.mp4
banjo@ttc:/opt/mp4v2/build$ ./mp4chaps --list ../../0000000000.mp4
ReadAtom: "../../0000000000.mp4": invalid atom size, extends outside parent atom - skipping to end of "stbl" "stco" 150996203 vs 1279
=================================================================
==5147==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000003b11 at pc 0x7f562f5e80f7 bp 0x7ffe6f3c6680 sp 0x7ffe6f3c6670
READ of size 1 at 0x602000003b11 thread T0
#0 0x7f562f5e80f6 in mp4v2::impl::MP4File::GetChapters(MP4Chapter_s**, unsigned int*, MP4ChapterType) /opt/mp4v2/src/mp4file.cpp:2662
#1 0x7f562f5b7177 in MP4GetChapters /opt/mp4v2/src/mp4.cpp:1647
#2 0x555e9921415a in mp4v2::util::ChapterUtility::actionList(mp4v2::util::Utility::JobContext&) /opt/mp4v2/util/mp4chaps.cpp:182
#3 0x555e9921a581 in mp4v2::util::ChapterUtility::utility_job(mp4v2::util::Utility::JobContext&) /opt/mp4v2/util/mp4chaps.cpp:664
#4 0x7f562f4e44c5 in mp4v2::util::Utility::job(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /opt/mp4v2/libutil/Utility.cpp:298
#5 0x7f562f4e2595 in mp4v2::util::Utility::batch(int) /opt/mp4v2/libutil/Utility.cpp:105
#6 0x7f562f4e718d in mp4v2::util::Utility::process_impl() /opt/mp4v2/libutil/Utility.cpp:565
#7 0x7f562f4e6252 in mp4v2::util::Utility::process() /opt/mp4v2/libutil/Utility.cpp:449
#8 0x555e9921d794 in main /opt/mp4v2/util/mp4chaps.cpp:1188
#9 0x7f562edf0082 in __libc_start_main ../csu/libc-start.c:308
#10 0x555e9921012d in _start (/opt/mp4v2/build2/mp4chaps+0xf12d)
0x602000003b11 is located 0 bytes to the right of 1-byte region [0x602000003b10,0x602000003b11)
allocated by thread T0 here:
#0 0x7f562f948808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
#1 0x7f562f4d9392 in mp4v2::impl::MP4Malloc(unsigned long) /opt/mp4v2/src/mp4util.h:63
#2 0x7f562f615dbc in mp4v2::impl::MP4Track::ReadSample(unsigned int, unsigned char**, unsigned int*, unsigned long*, unsigned long*, unsigned long*, bool*, bool*, unsigned int*) /opt/mp4v2/src/mp4track.cpp:323
#3 0x7f562f5e8016 in mp4v2::impl::MP4File::GetChapters(MP4Chapter_s**, unsigned int*, MP4ChapterType) /opt/mp4v2/src/mp4file.cpp:2655
#4 0x7f562f5b7177 in MP4GetChapters /opt/mp4v2/src/mp4.cpp:1647
#5 0x555e9921415a in mp4v2::util::ChapterUtility::actionList(mp4v2::util::Utility::JobContext&) /opt/mp4v2/util/mp4chaps.cpp:182
#6 0x555e9921a581 in mp4v2::util::ChapterUtility::utility_job(mp4v2::util::Utility::JobContext&) /opt/mp4v2/util/mp4chaps.cpp:664
#7 0x7f562f4e44c5 in mp4v2::util::Utility::job(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /opt/mp4v2/libutil/Utility.cpp:298
#8 0x7f562f4e2595 in mp4v2::util::Utility::batch(int) /opt/mp4v2/libutil/Utility.cpp:105
#9 0x7f562f4e718d in mp4v2::util::Utility::process_impl() /opt/mp4v2/libutil/Utility.cpp:565
#10 0x7f562f4e6252 in mp4v2::util::Utility::process() /opt/mp4v2/libutil/Utility.cpp:449
#11 0x555e9921d794 in main /opt/mp4v2/util/mp4chaps.cpp:1188
#12 0x7f562edf0082 in __libc_start_main ../csu/libc-start.c:308
SUMMARY: AddressSanitizer: heap-buffer-overflow /opt/mp4v2/src/mp4file.cpp:2662 in mp4v2::impl::MP4File::GetChapters(MP4Chapter_s**, unsigned int*, MP4ChapterType)
Shadow bytes around the buggy address:
0x0c047fff8710: fa fa 04 fa fa fa 04 fa fa fa fd fa fa fa fd fd
0x0c047fff8720: fa fa fd fa fa fa fd fa fa fa fd fa fa fa 04 fa
0x0c047fff8730: fa fa 04 fa fa fa 04 fa fa fa 04 fa fa fa 01 fa
0x0c047fff8740: fa fa fd fd fa fa 04 fa fa fa 04 fa fa fa fd fa
0x0c047fff8750: fa fa 00 00 fa fa 04 fa fa fa 00 fa fa fa 00 00
=>0x0c047fff8760: fa fa[01]fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8770: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8790: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff87a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff87b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==5147==ABORTING
ty
Hi, I found segfault on unknown address in mp4file.cpp:2662. It seems to occur because
sample
could not get a valid reference inpChapterTrack->ReadSample
on line 2655.Abstract
Segmentation fault (maybe null pointer reference) on mp4chaps(libmp4v2.so.2).
Environment
OS: Ubuntu 22.04.4 LTS Compiler: gcc version 11.4.0
Build
To enable Address Sanitizer, add the following options to CMakeFiles.txt.
PoC
See testcases.
ASAN output
Solution
It is recommended to insert a null pointer judgment, and take other instruction (if-else/exception handling) if
sample
is NULL. For example, if branch inserted line 2662 in src/mp4file.cpp can prevent the segfault.ty