[BUG] Heap overflow in mp42Hevc, WriteSample, Mp42Hevc.cpp:96
iskindar opened this issue
iskindar commented
Hi,
There is a heap overflow in WriteSample, Mp42Hevc/Mp42Hevc.cpp:96, in the latest commit 1529b83, which also affects versions ranging from v1.5.1-628 to v1.6.0-641.
How to reproduce
Here are the detailed reproduction steps using docker.
docker pull ubuntu:20.04 && docker run -it ubuntu:20.04 bash
## now step into the container
apt update && apt install wget git unzip gcc g++ cmake libgc-dev make -y
git clone https://github.com/axiomatic-systems/Bento4.git && pushd Bento4
## build binary mp42hevc
export CC="gcc"
export CXX="g++"
export CFLAGS="-fsanitize=address -g"
export CXXFLAGS="-fsanitize=address -g"
cmake . && make -j
## obtain poc
wget https://github.com/axiomatic-systems/Bento4/files/13470503/mp42hevc_poc1.zip
unzip mp42hevc_poc1.zip
## reproducing command
./mp42hevc mp42hevc_poc1 /dev/null
Platform
- OS : ubuntu 20.04 (docker)
- gcc version 9.4.0 (default)
ASAN
Here is the reproduction trace reported by ASAN:
root@d3932adedebb:/Bento4-1529b83# ./mp42hevc ./mp42hevc_poc1 /dev/null
Video Track:
duration: 1000 ms
sample count: 12
=================================================================
==4816==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x607000000768 at pc 0x555d83926b79 bp 0x7ffdc7685210 sp 0x7ffdc7685200
READ of size 1 at 0x607000000768 thread T0
#0 0x555d83926b78 in WriteSample /Bento4-1529b83/Source/C++/Apps/Mp42Hevc/Mp42Hevc.cpp:96
#1 0x555d83928341 in WriteSamples /Bento4-1529b83/Source/C++/Apps/Mp42Hevc/Mp42Hevc.cpp:326
#2 0x555d83928a6f in main /Bento4-1529b83/Source/C++/Apps/Mp42Hevc/Mp42Hevc.cpp:406
#3 0x7f8da8c39082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
#4 0x555d8392684d in _start (/Bento4-1529b83/mp42hevc+0x31284d)
0x607000000768 is located 0 bytes to the right of 72-byte region [0x607000000720,0x607000000768)
allocated by thread T0 here:
#0 0x7f8da9262787 in operator new[](unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cc:107
#1 0x555d8392fc94 in AP4_DataBuffer::ReallocateBuffer(unsigned int) /Bento4-1529b83/Source/C++/Core/Ap4DataBuffer.cpp:210
#2 0x555d8392f993 in AP4_DataBuffer::SetDataSize(unsigned int) /Bento4-1529b83/Source/C++/Core/Ap4DataBuffer.cpp:151
#3 0x555d839431c9 in AP4_Sample::ReadData(AP4_DataBuffer&, unsigned int, unsigned int) /Bento4-1529b83/Source/C++/Core/Ap4Sample.cpp:156
#4 0x555d83942f50 in AP4_Sample::ReadData(AP4_DataBuffer&) /Bento4-1529b83/Source/C++/Core/Ap4Sample.cpp:127
#5 0x555d8395d49c in AP4_Track::ReadSample(unsigned int, AP4_Sample&, AP4_DataBuffer&) /Bento4-1529b83/Source/C++/Core/Ap4Track.cpp:475
#6 0x555d839282e3 in WriteSamples /Bento4-1529b83/Source/C++/Apps/Mp42Hevc/Mp42Hevc.cpp:325
#7 0x555d83928a6f in main /Bento4-1529b83/Source/C++/Apps/Mp42Hevc/Mp42Hevc.cpp:406
#8 0x7f8da8c39082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
SUMMARY: AddressSanitizer: heap-buffer-overflow /Bento4-1529b83/Source/C++/Apps/Mp42Hevc/Mp42Hevc.cpp:96 in WriteSample
Shadow bytes around the buggy address:
0x0c0e7fff8090: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa 00 00
0x0c0e7fff80a0: 00 00 00 00 00 00 00 00 fa fa fa fa fd fd fd fd
0x0c0e7fff80b0: fd fd fd fd fd fd fa fa fa fa 00 00 00 00 00 00
0x0c0e7fff80c0: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c0e7fff80d0: 00 fa fa fa fa fa 00 00 00 00 00 00 00 00 00 fa
=>0x0c0e7fff80e0: fa fa fa fa 00 00 00 00 00 00 00 00 00[fa]fa fa
0x0c0e7fff80f0: fa fa fd fd fd fd fd fd fd fd fd fa fa fa fa fa
0x0c0e7fff8100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff8110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff8120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0e7fff8130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==4816==ABORTING
Affected Version
v1.5.1-628 to v1.6.0-641
PoC
The PoC is available at mp42hevc_poc1.zip
Thanks for your time!
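The trace above shows a 1-byte READ landing 0 bytes past the end of the 72-byte buffer that AP4_Sample::ReadData filled with the sample's data, inside the loop in WriteSample that splits an HEVC sample into its length-prefixed NAL units. The following is an added example, not Bento4's code and not a claim about the exact logic at Mp42Hevc.cpp:96: it is a length-prefixed NAL-unit walker of the kind mp42hevc needs, hardened so that every access to the sample buffer is bounds-checked first. The comment in step 3 describes one way a walker of this shape produces exactly this ASAN report (a length field of 0 at the end of the sample passing a `nalu_size > data_size` check and the header byte then being read past the end); that that is the root cause here is an assumption, not something the trace proves. The sample byte arrays are constructed for the example and are not taken from the PoC file.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result codes for the NAL-unit walker below (names are this example's own). */
enum {
    NALU_OK                   = 0,
    NALU_ERR_BAD_LENGTH_SIZE  = 1, /* nalu_length_size is not 1, 2 or 4 */
    NALU_ERR_TRUNCATED_LENGTH = 2, /* fewer bytes left than the length field needs */
    NALU_ERR_OVERSIZE         = 3, /* length field exceeds the bytes that remain */
    NALU_ERR_EMPTY            = 4  /* length field < 2: no NAL unit header to read */
};

#define NALU_MAX_TRACKED 16

typedef struct {
    int     error;                   /* one of the codes above */
    size_t  count;                   /* NAL units walked before stopping */
    uint8_t types[NALU_MAX_TRACKED]; /* HEVC nal_unit_type of each walked unit */
} nalu_walk_result;

/* Big-endian length field of 1, 2 or 4 bytes (the sizes ISO/IEC 14496-15 allows). */
static uint32_t read_length_be(const uint8_t *p, unsigned n)
{
    uint32_t v = 0;
    for (unsigned i = 0; i < n; i++) v = (v << 8) | p[i];
    return v;
}

/*
 * Walk a length-prefixed HEVC sample (the hvc1/hev1 sample layout) and record
 * each NAL unit's type. Every read of data[] is preceded by a check that the
 * byte lies inside [data, data + data_size).
 */
nalu_walk_result walk_nalus(const uint8_t *data, size_t data_size, unsigned nalu_length_size)
{
    nalu_walk_result r = { NALU_OK, 0, {0} };

    if (nalu_length_size != 1 && nalu_length_size != 2 && nalu_length_size != 4) {
        r.error = NALU_ERR_BAD_LENGTH_SIZE;
        return r;
    }

    while (data_size > 0) {
        /* 1. The length field itself must fit in what is left. */
        if (data_size < nalu_length_size) { r.error = NALU_ERR_TRUNCATED_LENGTH; break; }
        uint32_t nalu_size = read_length_be(data, nalu_length_size);
        data      += nalu_length_size;
        data_size -= nalu_length_size;

        /* 2. The payload must fit in what is left... */
        if (nalu_size > data_size) { r.error = NALU_ERR_OVERSIZE; break; }

        /* 3. ...and must be large enough to hold the 2-byte HEVC NAL unit header
         *    before data[0] is touched. A `nalu_size > data_size` check alone lets
         *    nalu_size == 0 through when data_size == 0, and the header read then
         *    lands exactly one byte past the end of the sample buffer. */
        if (nalu_size < 2) { r.error = NALU_ERR_EMPTY; break; }

        /* HEVC NAL unit header: forbidden_zero_bit(1) nal_unit_type(6) ... */
        uint8_t nal_unit_type = (data[0] >> 1) & 0x3F;
        if (r.count < NALU_MAX_TRACKED) r.types[r.count] = nal_unit_type;
        r.count++;

        data      += nalu_size;
        data_size -= nalu_size;
    }
    return r;
}

/* Accessors so a caller can check a walk without unpacking the struct. */
int     walk_error(const uint8_t *d, size_t n, unsigned ls) { return walk_nalus(d, n, ls).error; }
size_t  walk_count(const uint8_t *d, size_t n, unsigned ls) { return walk_nalus(d, n, ls).count; }
uint8_t walk_type_at(const uint8_t *d, size_t n, unsigned ls, size_t i)
{
    nalu_walk_result r = walk_nalus(d, n, ls);
    return i < r.count && i < NALU_MAX_TRACKED ? r.types[i] : 0xFF;
}

/* Constructed samples with a 4-byte length prefix (not taken from the PoC file). */
static const uint8_t sample_ok[]        = { 0,0,0,3, 0x40,0x01,0xAA, 0,0,0,2, 0x42,0x01 }; /* VPS(32), SPS(33) */
static const uint8_t sample_zero_tail[] = { 0,0,0,3, 0x40,0x01,0xAA, 0,0,0,0 };           /* trailing 0-length unit */
static const uint8_t sample_cut_len[]   = { 0,0,0,3, 0x40,0x01,0xAA, 0,0 };               /* length field cut short */
static const uint8_t sample_oversize[]  = { 0,0,0,9, 0x40,0x01 };                         /* length > remaining */

int main(void)
{
    const struct { const char *name; const uint8_t *d; size_t n; } cases[] = {
        { "ok",        sample_ok,        sizeof sample_ok        },
        { "zero_tail", sample_zero_tail, sizeof sample_zero_tail },
        { "cut_len",   sample_cut_len,   sizeof sample_cut_len   },
        { "oversize",  sample_oversize,  sizeof sample_oversize  },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        nalu_walk_result r = walk_nalus(cases[i].d, cases[i].n, 4);
        printf("%-9s error=%d nal_units=%zu\n", cases[i].name, r.error, r.count);
    }
    return 0;
}
```

The sample_zero_tail case is the one to look at: a walker that only checks the payload length against the remaining bytes accepts the trailing zero-length unit and reads its header from one byte past the end of the buffer, which is what ASAN would report as a 1-byte READ 0 bytes to the right of the region. Whatever the actual defect at line 96 turns out to be, a fix should leave every `data[]` access behind a check of this form.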