Open
Description
Describe the bug
I found three bugs when I tested mp42avc.
To Reproduce
The related Bento4 commit is 3bdc891.
Environment
Ubuntu 22.04
Bug1
Input
CMD
./mp42avc Bug1 /dev/null
ASAN Output
=================================================================
==16310==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 64 byte(s) in 1 object(s) allocated from:
#0 0x555555682e9d in operator new(unsigned long) (/experiments/programs_AFLplusplus/aflasan/mp42avc+0x12ee9d) (BuildId: c01f8509b3ac0d9e58f538e08213db4ba779aa7b)
#1 0x5555556930a8 in AP4_File::ParseStream(AP4_ByteStream&, AP4_AtomFactory&, bool) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4File.cpp:108:27
#2 0x55555569365d in AP4_File::AP4_File(AP4_ByteStream&, bool) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4File.cpp:78:5
#3 0x5555556857e7 in main /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Apps/Mp42Avc/Mp42Avc.cpp:307:32
#4 0x7ffff7a6ad8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: c289da5071a3399de893d2af81d6a30c62646e1e)
Indirect leak of 40 byte(s) in 1 object(s) allocated from:
#0 0x555555682e9d in operator new(unsigned long) (/experiments/programs_AFLplusplus/aflasan/mp42avc+0x12ee9d) (BuildId: c01f8509b3ac0d9e58f538e08213db4ba779aa7b)
#1 0x555555698809 in AP4_Movie::AP4_Movie(AP4_MoovAtom*, AP4_ByteStream&, bool) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4Movie.cpp:118:28
Indirect leak of 24 byte(s) in 1 object(s) allocated from:
#0 0x555555682e9d in operator new(unsigned long) (/experiments/programs_AFLplusplus/aflasan/mp42avc+0x12ee9d) (BuildId: c01f8509b3ac0d9e58f538e08213db4ba779aa7b)
#1 0x55555569885e in AP4_List<AP4_Track>::Add(AP4_Track*) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4List.h:160:16
#2 0x55555569885e in AP4_Movie::AP4_Movie(AP4_MoovAtom*, AP4_ByteStream&, bool) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4Movie.cpp:121:18
SUMMARY: AddressSanitizer: 128 byte(s) leaked in 3 allocation(s).
Bug2
Input
CMD
./mp42avc Bug2 /dev/null
ASAN Output
=================================================================
==16352==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000000e9c at pc 0x555555647846 bp 0x7fffffffde20 sp 0x7fffffffd5e8
WRITE of size 4294967294 at 0x619000000e9c thread T0
#0 0x555555647845 in __asan_memcpy (/experiments/programs_AFLplusplus/aflasan/mp42avc+0xf3845) (BuildId: c01f8509b3ac0d9e58f538e08213db4ba779aa7b)
#1 0x55555568eafa in AP4_MemoryByteStream::WritePartial(void const*, unsigned int, unsigned int&) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4ByteStream.cpp:785:5
#2 0x55555568843d in AP4_ByteStream::Write(void const*, unsigned int) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4ByteStream.cpp:77:29
#3 0x555555755d18 in AP4_CencSampleEncryption::DoWriteFields(AP4_ByteStream&) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4CommonEncryption.cpp:3569:16
#4 0x555555703b2b in AP4_Atom::Clone() /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4Atom.cpp:316:9
#5 0x5555556ae76d in AP4_SampleDescription::AP4_SampleDescription(AP4_SampleDescription::Type, unsigned int, AP4_AtomParent*) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4SampleDescription.cpp:138:41
#6 0x5555556ae76d in AP4_AvcSampleDescription::AP4_AvcSampleDescription(unsigned int, unsigned short, unsigned short, unsigned short, char const*, AP4_AtomParent*) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4SampleDescription.cpp:383:5
#7 0x5555556c6233 in AP4_AvcSampleEntry::ToSampleDescription() /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4SampleEntry.cpp:1146:16
#8 0x5555556d0ac4 in AP4_StsdAtom::GetSampleDescription(unsigned int) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4StsdAtom.cpp:182:53
#9 0x555555685843 in main /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Apps/Mp42Avc/Mp42Avc.cpp:326:39
#10 0x7ffff7a6ad8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: c289da5071a3399de893d2af81d6a30c62646e1e)
#11 0x7ffff7a6ae3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: c289da5071a3399de893d2af81d6a30c62646e1e)
#12 0x5555555ae734 in _start (/experiments/programs_AFLplusplus/aflasan/mp42avc+0x5a734) (BuildId: c01f8509b3ac0d9e58f538e08213db4ba779aa7b)
0x619000000e9c is located 0 bytes after 1052-byte region [0x619000000a80,0x619000000e9c)
allocated by thread T0 here:
#0 0x555555682fad in operator new[](unsigned long) (/experiments/programs_AFLplusplus/aflasan/mp42avc+0x12efad) (BuildId: c01f8509b3ac0d9e58f538e08213db4ba779aa7b)
#1 0x5555556914b7 in AP4_DataBuffer::ReallocateBuffer(unsigned int) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:210:28
#2 0x5555556914b7 in AP4_DataBuffer::SetBufferSize(unsigned int) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:136:16
#3 0x5555556914b7 in AP4_DataBuffer::Reserve(unsigned int) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:107:12
SUMMARY: AddressSanitizer: heap-buffer-overflow (/experiments/programs_AFLplusplus/aflasan/mp42avc+0xf3845) (BuildId: c01f8509b3ac0d9e58f538e08213db4ba779aa7b) in __asan_memcpy
Shadow bytes around the buggy address:
0x619000000c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x619000000c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x619000000d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x619000000d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x619000000e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x619000000e80: 00 00 00[04]fa fa fa fa fa fa fa fa fa fa fa fa
0x619000000f00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x619000000f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x619000001000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x619000001080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x619000001100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==16352==ABORTING
Bug3
Input
CMD
./mp42avc Bug3 /dev/null
ASAN Output
AddressSanitizer:DEADLYSIGNAL
=================================================================
==16362==ERROR: AddressSanitizer: FPE on unknown address 0x5555557fa486 (pc 0x5555557fa486 bp 0x7fffffffd170 sp 0x7fffffffcfe0 T0)
#0 0x5555557fa486 in AP4_TfraAtom::AP4_TfraAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4TfraAtom.cpp:153:53
#1 0x5555557f9b24 in AP4_TfraAtom::Create(unsigned int, AP4_ByteStream&) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4TfraAtom.cpp:53:16
#2 0x555555718553 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:443:20
#3 0x555555714d44 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
#4 0x555555758747 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:196:12
#5 0x555555758526 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:140:5
#6 0x5555557579d4 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
#7 0x555555717704 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816:20
#8 0x555555714d44 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
#9 0x55555575896d in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:196:12
#10 0x555555758526 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:140:5
#11 0x5555556d5cbd in AP4_TrakAtom::AP4_TrakAtom(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4TrakAtom.cpp:165:5
#12 0x555555719fab in AP4_TrakAtom::Create(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4TrakAtom.h:58:20
#13 0x5555557183eb in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:413:20
#14 0x555555714d44 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
#15 0x55555575896d in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:196:12
#16 0x555555758526 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:140:5
#17 0x55555569634d in AP4_MoovAtom::AP4_MoovAtom(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4MoovAtom.cpp:79:5
#18 0x555555719f0b in AP4_MoovAtom::Create(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4MoovAtom.h:56:20
#19 0x5555557186dd in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:393:20
#20 0x555555714d44 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
#21 0x5555557142ea in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:154:12
#22 0x555555692fee in AP4_File::ParseStream(AP4_ByteStream&, AP4_AtomFactory&, bool) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4File.cpp:104:12
#23 0x55555569365d in AP4_File::AP4_File(AP4_ByteStream&, bool) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4File.cpp:78:5
#24 0x5555556857e7 in main /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Apps/Mp42Avc/Mp42Avc.cpp:307:32
#25 0x7ffff7a6ad8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: c289da5071a3399de893d2af81d6a30c62646e1e)
#26 0x7ffff7a6ae3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: c289da5071a3399de893d2af81d6a30c62646e1e)
#27 0x5555555ae734 in _start (/experiments/programs_AFLplusplus/aflasan/mp42avc+0x5a734) (BuildId: c01f8509b3ac0d9e58f538e08213db4ba779aa7b)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4TfraAtom.cpp:153:53 in AP4_TfraAtom::AP4_TfraAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&)
==16362==ABORTING
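Two of the three reports can be read partly from the trace itself. In Bug2 the memcpy size 4294967294 is 0xFFFFFFFE, the value a 32-bit unsigned length takes when a fixed header larger than the declared size is subtracted from it. In Bug3 a SIGFPE raised in integer parsing code on x86-64 comes from a div/idiv instruction with a zero divisor (or INT_MIN / -1). The C++ below is an added illustration and not Bento4 code: a parser for a constructed atom with a five-byte header (the layout, the names and the constant are assumptions) that validates both computations before a length reaches memcpy or a divisor reaches a division, placed beside the unchecked subtraction so its result can be compared with the size in the report.

```cpp
// Added illustration, not Bento4 code. Hypothetical atom layout (assumed):
//   bytes 0..3  big-endian declared atom size (includes this 5-byte header)
//   byte  4     size of each fixed-width entry
//   bytes 5..   entries, (declared size - 5) bytes in total
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

enum class ParseStatus { Ok, Truncated, SizeUnderflow, ZeroEntrySize, OutputTooSmall };

struct ParsedAtom {
    uint32_t payload_size = 0;
    uint32_t entry_size = 0;
    uint32_t entry_count = 0;
};

static const uint32_t kHeaderSize = 5;

static uint32_t ReadU32BE(const uint8_t* p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

// The subtraction as an unchecked parser would do it: with declared_size < 5
// the uint32_t result wraps, e.g. 3 - 5 == 4294967294 (0xFFFFFFFE).
uint32_t UncheckedPayloadLength(uint32_t declared_size) {
    return declared_size - kHeaderSize;
}

// Checked parser: every value derived from the input is validated before it
// becomes a memcpy length or a divisor.
ParseStatus ParseAtom(const uint8_t* data, size_t len, ParsedAtom& out,
                      uint8_t* dst, size_t dst_cap) {
    if (len < kHeaderSize) return ParseStatus::Truncated;
    uint32_t declared = ReadU32BE(data);
    // Underflow guard: declared - header must not wrap.
    if (declared < kHeaderSize) return ParseStatus::SizeUnderflow;
    uint32_t payload = declared - kHeaderSize;
    // Bounds guard: the payload must actually be present in the buffer.
    if (payload > len - kHeaderSize) return ParseStatus::Truncated;
    uint32_t entry_size = data[4];
    // Divide-by-zero guard: entry_size == 0 would trap in payload / entry_size.
    if (entry_size == 0) return ParseStatus::ZeroEntrySize;
    // Destination guard: the input's length never drives a write past dst.
    if (payload > dst_cap) return ParseStatus::OutputTooSmall;
    memcpy(dst, data + kHeaderSize, payload);
    out.payload_size = payload;
    out.entry_size = entry_size;
    out.entry_count = payload / entry_size;
    return ParseStatus::Ok;
}

// Runs the parser over a constructed byte vector (not a file from the issue).
static ParseStatus RunSample(const std::vector<uint8_t>& bytes, ParsedAtom& atom) {
    uint8_t dst[64];
    return ParseAtom(bytes.data(), bytes.size(), atom, dst, sizeof dst);
}

// Well-formed: size 9, entry size 2, four payload bytes -> 2 entries.
uint32_t SampleWellFormedEntryCount() {
    ParsedAtom atom;
    if (RunSample({0, 0, 0, 9, 2, 0xAA, 0xBB, 0xCC, 0xDD}, atom) != ParseStatus::Ok) return 0;
    return atom.entry_count;
}

// Declared size 3 is smaller than the header: the Bug2-shaped arithmetic.
ParseStatus SampleUnderflow() {
    ParsedAtom atom;
    return RunSample({0, 0, 0, 3, 2, 0xAA, 0xBB, 0xCC, 0xDD}, atom);
}

// Entry size 0: the Bug3-shaped divisor.
ParseStatus SampleZeroEntrySize() {
    ParsedAtom atom;
    return RunSample({0, 0, 0, 9, 0, 0xAA, 0xBB, 0xCC, 0xDD}, atom);
}

// Declared size 64 but only 9 bytes present.
ParseStatus SampleTruncated() {
    ParsedAtom atom;
    return RunSample({0, 0, 0, 64, 2, 0xAA, 0xBB, 0xCC, 0xDD}, atom);
}

int main() {
    printf("unchecked 3 - 5 = %u\n", UncheckedPayloadLength(3));
    printf("well-formed entries = %u\n", SampleWellFormedEntryCount());
    printf("underflow rejected = %d\n", SampleUnderflow() == ParseStatus::SizeUnderflow);
    printf("zero entry size rejected = %d\n", SampleZeroEntrySize() == ParseStatus::ZeroEntrySize);
    printf("truncated rejected = %d\n", SampleTruncated() == ParseStatus::Truncated);
    return 0;
}
```

The order of the checks matters: the underflow test has to come before the subtraction is used for anything, and the bounds test compares against the bytes actually available rather than the declared size. Bug1 is a different class: LeakSanitizer only reports that the object allocated at Ap4File.cpp:108 was never released before exit, which is an ownership and error-path question rather than input-derived arithmetic, so the example does not cover it.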