axiomatic-systems / Bento4

Full-featured MP4 format, MPEG DASH, HLS, CMAF SDK and tools

Home Page: http://www.bento4.com


[BUG] Heap overflow in mp42Hevc, WriteSample, Mp42Hevc.cpp:96

iskindar opened this issue · comments

Hi,
There is a heap overflow in WriteSample, Mp42Hevc/Mp42Hevc.cpp:96, in the latest commit 1529b83, which also affects versions ranging from v1.5.1-628 to v1.6.0-641.

How to reproduce

Here are the detailed reproduction steps using docker.

docker pull ubuntu:20.04 && docker run -it ubuntu:20.04 bash
## now step into the container
apt update && apt install wget git unzip gcc g++ cmake libgc-dev make -y
git clone https://github.com/axiomatic-systems/Bento4.git && pushd Bento4
## build binary mp42hevc
export CC="gcc"
export CXX="g++"
export CFLAGS="-fsanitize=address -g"
export CXXFLAGS="-fsanitize=address -g"
cmake . && make -j
## obtain poc
wget https://github.com/axiomatic-systems/Bento4/files/13470503/mp42hevc_poc1.zip
unzip mp42hevc_poc1.zip
## reproducing command
./mp42hevc mp42hevc_poc1 /dev/null

Platform

  • OS: ubuntu 20.04 (docker)
  • gcc version 9.4.0 (default)

ASAN

Here is the reproduction trace reported by ASAN:

root@d3932adedebb:/Bento4-1529b83# ./mp42hevc ./mp42hevc_poc1 /dev/null
Video Track:
  duration: 1000 ms
  sample count: 12
=================================================================
==4816==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x607000000768 at pc 0x555d83926b79 bp 0x7ffdc7685210 sp 0x7ffdc7685200
READ of size 1 at 0x607000000768 thread T0
    #0 0x555d83926b78 in WriteSample /Bento4-1529b83/Source/C++/Apps/Mp42Hevc/Mp42Hevc.cpp:96
    #1 0x555d83928341 in WriteSamples /Bento4-1529b83/Source/C++/Apps/Mp42Hevc/Mp42Hevc.cpp:326
    #2 0x555d83928a6f in main /Bento4-1529b83/Source/C++/Apps/Mp42Hevc/Mp42Hevc.cpp:406
    #3 0x7f8da8c39082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #4 0x555d8392684d in _start (/Bento4-1529b83/mp42hevc+0x31284d)

0x607000000768 is located 0 bytes to the right of 72-byte region [0x607000000720,0x607000000768)
allocated by thread T0 here:
    #0 0x7f8da9262787 in operator new[](unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cc:107
    #1 0x555d8392fc94 in AP4_DataBuffer::ReallocateBuffer(unsigned int) /Bento4-1529b83/Source/C++/Core/Ap4DataBuffer.cpp:210
    #2 0x555d8392f993 in AP4_DataBuffer::SetDataSize(unsigned int) /Bento4-1529b83/Source/C++/Core/Ap4DataBuffer.cpp:151
    #3 0x555d839431c9 in AP4_Sample::ReadData(AP4_DataBuffer&, unsigned int, unsigned int) /Bento4-1529b83/Source/C++/Core/Ap4Sample.cpp:156
    #4 0x555d83942f50 in AP4_Sample::ReadData(AP4_DataBuffer&) /Bento4-1529b83/Source/C++/Core/Ap4Sample.cpp:127
    #5 0x555d8395d49c in AP4_Track::ReadSample(unsigned int, AP4_Sample&, AP4_DataBuffer&) /Bento4-1529b83/Source/C++/Core/Ap4Track.cpp:475
    #6 0x555d839282e3 in WriteSamples /Bento4-1529b83/Source/C++/Apps/Mp42Hevc/Mp42Hevc.cpp:325
    #7 0x555d83928a6f in main /Bento4-1529b83/Source/C++/Apps/Mp42Hevc/Mp42Hevc.cpp:406
    #8 0x7f8da8c39082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)

SUMMARY: AddressSanitizer: heap-buffer-overflow /Bento4-1529b83/Source/C++/Apps/Mp42Hevc/Mp42Hevc.cpp:96 in WriteSample
==4816==ABORTING

Affected Version

v1.5.1-628 to v1.6.0-641

PoC

The PoC is available at mp42hevc_poc1.zip (https://github.com/axiomatic-systems/Bento4/files/13470503/mp42hevc_poc1.zip)

Thanks for your time!
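The trace above reports a one-byte read exactly at the end of the 72-byte sample buffer while WriteSample walks the sample data. As an added example that is not Bento4's code, here is a bounds-checked walker over the layout an MP4 video sample has: NAL units carrying a 1-, 2- or 4-byte length prefix (as signalled by the hvcC box), each starting with the 2-byte HEVC NAL header. That this is the exact layout WriteSample parses at line 96 is an assumption, and the sample bytes are constructed, not taken from the PoC file.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Walk the length-prefixed NAL units of one MP4 video sample and collect
// their nal_unit_type values. nalu_length_size is 1, 2 or 4
// (lengthSizeMinusOne + 1 from the hvcC box). Every read is checked against
// the bytes that remain, so a truncated sample or a zero-length NAL unit at
// the end is rejected instead of read one byte past the heap buffer.
bool ParseSampleNalUnits(const uint8_t* data, size_t data_size,
                         unsigned nalu_length_size,
                         std::vector<uint8_t>& nal_types) {
    if (nalu_length_size != 1 && nalu_length_size != 2 &&
        nalu_length_size != 4) return false;
    size_t pos = 0;
    while (pos < data_size) {
        // a full length prefix must fit in the remaining bytes
        if (data_size - pos < nalu_length_size) return false;
        uint32_t nalu_size = 0;
        for (unsigned i = 0; i < nalu_length_size; ++i)
            nalu_size = (nalu_size << 8) | data[pos + i];
        pos += nalu_length_size;
        // the HEVC NAL header is 2 bytes; with nalu_size == 0 at the end of
        // the sample the header byte would be data[data_size], out of bounds
        if (nalu_size < 2 || nalu_size > data_size - pos) return false;
        nal_types.push_back(static_cast<uint8_t>((data[pos] >> 1) & 0x3F));
        pos += nalu_size;
    }
    return true;
}

// Number of NAL units in a sample, or -1 when the layout is malformed.
int CountNalUnits(const std::vector<uint8_t>& sample, unsigned nalu_length_size) {
    std::vector<uint8_t> types;
    if (!ParseSampleNalUnits(sample.data(), sample.size(), nalu_length_size, types))
        return -1;
    return static_cast<int>(types.size());
}

// Constructed inputs (not the PoC file), all with 4-byte length prefixes.
const std::vector<uint8_t> kGoodSample = {
    0, 0, 0, 3, 0x40, 0x01, 0xAA,   // VPS (type 32), 3 bytes
    0, 0, 0, 2, 0x42, 0x01};        // SPS (type 33), 2 bytes
const std::vector<uint8_t> kTrailingEmptyNal = {
    0, 0, 0, 3, 0x40, 0x01, 0xAA, 0, 0, 0, 0};  // zero-length NAL unit at the end
const std::vector<uint8_t> kTruncatedSample = {
    0, 0, 0, 5, 0x40, 0x01};        // prefix claims 5 bytes, only 2 remain
```

Run under `-fsanitize=address` like the build above, the malformed inputs return -1 cleanly instead of triggering a heap-buffer-overflow report.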

Sorry, it is a duplicate of #678.