Out-of-memory bug from AP4_UrlAtom::AP4_UrlAtom() in v1.6.0-640

[Hee-won]

Hi,

There is another out-of-memory bug in the latest version (1.6.0-640) of mp4info because of the function AP4_UrlAtom::AP4_UrlAtom() at Ap4UrlAtom.cpp:71.

Unlike the issue #771, this vunerability happened in the different function AP4_UrlAtom::AP4_UrlAtom().

Here is the output of program with address sanitizer attached.

Bug Report

=================================================================
==973793==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0xdd000000 bytes
#0 0x7f40c85f9787 in operator new[](unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cc:107
#1 0x55f6be8e4ce7 in AP4_UrlAtom::AP4_UrlAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&) /home/ubuntu/targets/Bento4-1.6.0-639_sanitizer/Source/C++/Core/Ap4UrlAtom.cpp:71
#2 0x55f6be8e4ed2 in AP4_UrlAtom::Create(unsigned int, AP4_ByteStream&) /home/ubuntu/targets/Bento4-1.6.0-639_sanitizer/Source/C++/Core/Ap4UrlAtom.cpp:47
#3 0x55f6be843fc4 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/ubuntu/targets/Bento4-1.6.0-639_sanitizer/Source/C++/Core/Ap4AtomFactory.cpp:585
#4 0x55f6be845530 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/ubuntu/targets/Bento4-1.6.0-639_sanitizer/Source/C++/Core/Ap4AtomFactory.cpp:234
#5 0x55f6be865836 in AP4_DrefAtom::AP4_DrefAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /home/ubuntu/targets/Bento4-1.6.0-639_sanitizer/Source/C++/Core/Ap4DrefAtom.cpp:84
#6 0x55f6be865c13 in AP4_DrefAtom::Create(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /home/ubuntu/targets/Bento4-1.6.0-639_sanitizer/Source/C++/Core/Ap4DrefAtom.cpp:50
#7 0x55f6be841d44 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/ubuntu/targets/Bento4-1.6.0-639_sanitizer/Source/C++/Core/Ap4AtomFactory.cpp:580
#8 0x55f6be845530 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/ubuntu/targets/Bento4-1.6.0-639_sanitizer/Source/C++/Core/Ap4AtomFactory.cpp:234
#9 0x55f6be85241a in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/ubuntu/targets/Bento4-1.6.0-639_sanitizer/Source/C++/Core/Ap4ContainerAtom.cpp:194
#10 0x55f6be8527c3 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/ubuntu/targets/Bento4-1.6.0-639_sanitizer/Source/C++/Core/Ap4ContainerAtom.cpp:139
#11 0x55f6be852ced in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/ubuntu/targets/Bento4-1.6.0-639_sanitizer/Source/C++/Core/Ap4ContainerAtom.cpp:88
#12 0x55f6be841cf4 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/ubuntu/targets/Bento4-1.6.0-639_sanitizer/Source/C++/Core/Ap4AtomFactory.cpp:816
#13 0x55f6be845530 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/ubuntu/targets/Bento4-1.6.0-639_sanitizer/Source/C++/Core/Ap4AtomFactory.cpp:234
#14 0x55f6be85241a in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/ubuntu/targets/Bento4-1.6.0-639_sanitizer/Source/C++/Core/Ap4ContainerAtom.cpp:194
#15 0x55f6be8527c3 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/ubuntu/targets/Bento4-1.6.0-639_sanitizer/Source/C++/Core/Ap4ContainerAtom.cpp:139
#16 0x55f6be852ced in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/ubuntu/targets/Bento4-1.6.0-639_sanitizer/Source/C++/Core/Ap4ContainerAtom.cpp:88
#17 0x55f6be841cf4 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/ubuntu/targets/Bento4-1.6.0-639_sanitizer/Source/C++/Core/Ap4AtomFactory.cpp:816
#18 0x55f6be845530 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/ubuntu/targets/Bento4-1.6.0-639_sanitizer/Source/C++/Core/Ap4AtomFactory.cpp:234
#19 0x55f6be85241a in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/ubuntu/targets/Bento4-1.6.0-639_sanitizer/Source/C++/Core/Ap4ContainerAtom.cpp:194
#20 0x55f6be8527c3 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/ubuntu/targets/Bento4-1.6.0-639_sanitizer/Source/C++/Core/Ap4ContainerAtom.cpp:139
#21 0x55f6be852ced in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/ubuntu/targets/Bento4-1.6.0-639_sanitizer/Source/C++/Core/Ap4ContainerAtom.cpp:88
#22 0x55f6be841cf4 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/ubuntu/targets/Bento4-1.6.0-639_sanitizer/Source/C++/Core/Ap4AtomFactory.cpp:816
#23 0x55f6be845530 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/ubuntu/targets/Bento4-1.6.0-639_sanitizer/Source/C++/Core/Ap4AtomFactory.cpp:234
#24 0x55f6be85241a in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/ubuntu/targets/Bento4-1.6.0-639_sanitizer/Source/C++/Core/Ap4ContainerAtom.cpp:194
#25 0x55f6be8527c3 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/ubuntu/targets/Bento4-1.6.0-639_sanitizer/Source/C++/Core/Ap4ContainerAtom.cpp:139
#26 0x55f6be8e02a8 in AP4_TrakAtom::AP4_TrakAtom(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /home/ubuntu/targets/Bento4-1.6.0-639_sanitizer/Source/C++/Core/Ap4TrakAtom.cpp:165
#27 0x55f6be84239f in AP4_TrakAtom::Create(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /home/ubuntu/targets/Bento4-1.6.0-639_sanitizer/Source/C++/Core/Ap4TrakAtom.h:58
#28 0x55f6be84239f in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/ubuntu/targets/Bento4-1.6.0-639_sanitizer/Source/C++/Core/Ap4AtomFactory.cpp:413
#29 0x55f6be845530 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/ubuntu/targets/Bento4-1.6.0-639_sanitizer/Source/C++/Core/Ap4AtomFactory.cpp:234
#30 0x55f6be85241a in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/ubuntu/targets/Bento4-1.6.0-639_sanitizer/Source/C++/Core/Ap4ContainerAtom.cpp:194

==973793==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: out-of-memory ../../../../src/libsanitizer/asan/asan_new_delete.cc:107 in operator new[](unsigned long)
==973793==ABORTING

Envionment

OS: Ubuntu 20.04.5 LTS x86_64
Release: v1.6.0-640
Program: mp4info

How to reproduce

$ mp4info poc-file
poc-file is attached.
poc-file.txt

[Hee-won]

Hi I'd like to ask whether memory size checker will be included in Bento4 or not. According to CVE-2023-30551, it can cause an out of memory crash if files are sufficiently large, so it is better to add extra function to check memory size. Thanks.