axiomatic-systems / Bento4

Full-featured MP4 format, MPEG DASH, HLS, CMAF SDK and tools

Home Page:http://www.bento4.com

[BUG] OOB Write Bug in mp4decrypt, SetDataOffset, Ap4TrunAtom.h:80

iskindar opened this issue · comments

Hello, there.

There is an out-of-bounds write in SetDataOffset (Ap4TrunAtom.h:80) at the latest commit, 1529b83; it also affects versions ranging from v1.4.2-590 to v1.6.0-641.

How to reproduce

Here are the detailed reproduction steps using Docker.

docker pull ubuntu:20.04 && docker run -it ubuntu:20.04 bash
## now step into the container
apt update && apt install wget git unzip gcc g++ make cmake libgc-dev -y
git clone https://github.com/axiomatic-systems/Bento4.git && pushd Bento4
## build the mp4decrypt binary with AddressSanitizer and debug info
export CC="gcc"
export CXX="g++"
export CFLAGS="-fsanitize=address -g"
export CXXFLAGS="-fsanitize=address -g"
cmake . && make -j
## obtain the PoC
wget https://github.com/axiomatic-systems/Bento4/files/13471353/mp4decrypt_poc2.zip
unzip mp4decrypt_poc2.zip
## reproducing command (output is discarded; the crash happens while processing)
./mp4decrypt mp4decrypt_poc2 /dev/null

Platform

  • OS : ubuntu 20.04 (docker)
  • gcc version 9.4.0 (default)

ASAN

Here is the reproduction trace reported by ASan:

root@d3932adedebb:/Bento4# ./mp4decrypt ./mp4decrypt_poc2  /dev/null
AddressSanitizer:DEADLYSIGNAL
=================================================================
==31102==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x555b2eccb539 bp 0x7fff0b8cdc00 sp 0x7fff0b8cdbf0 T0)
==31102==The signal is caused by a WRITE memory access.
==31102==Hint: address points to the zero page.
    #0 0x555b2eccb538 in AP4_TrunAtom::SetDataOffset(int) /Bento4/Source/C++/Core/Ap4TrunAtom.h:80
    #1 0x555b2ecc6ac0 in AP4_Processor::ProcessFragments(AP4_MoovAtom*, AP4_List<AP4_AtomLocator>&, AP4_ContainerAtom*, AP4_SidxAtom*, unsigned long long, AP4_ByteStream&, AP4_ByteStream&) /Bento4/Source/C++/Core/Ap4Processor.cpp:285
    #2 0x555b2ecca874 in AP4_Processor::Process(AP4_ByteStream&, AP4_ByteStream&, AP4_ByteStream*, AP4_Processor::ProgressListener*, AP4_AtomFactory&) /Bento4/Source/C++/Core/Ap4Processor.cpp:721
    #3 0x555b2eccb32e in AP4_Processor::Process(AP4_ByteStream&, AP4_ByteStream&, AP4_Processor::ProgressListener*, AP4_AtomFactory&) /Bento4/Source/C++/Core/Ap4Processor.cpp:771
    #4 0x555b2ec43c3e in main /Bento4/Source/C++/Apps/Mp4Decrypt/Mp4Decrypt.cpp:258
    #5 0x7f949d32f082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #6 0x555b2ec4286d in _start (/Bento4/mp4decrypt+0x31286d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /Bento4/Source/C++/Core/Ap4TrunAtom.h:80 in AP4_TrunAtom::SetDataOffset(int)
==31102==ABORTING

Affected Version

v1.4.2-590 to v1.6.0-641

PoC

The PoC is available at mp4decrypt_poc2.zip

Thanks for your time!

It seems the bug is the same as #844, but it is triggered in a different binary.
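The trace above is worth reading closely before treating the report as a heap overflow: ASan reports a WRITE to address 0x28 in the zero page, with no shadow-memory information, from inside the one-line setter AP4_TrunAtom::SetDataOffset. That pattern is what a member store through a null object pointer looks like (0x28 being the offset of the field within the object), and the caller at Ap4Processor.cpp:285 is the fragment-processing loop that rewrites each fragment's trun data offset. The example below is added here and is not Bento4's code or the reporter's; it is a deliberately small ISO-BMFF box walker that models that failure mode on a constructed moof whose traf carries no trun, and shows the guard a practitioner would expect at that call site: refuse to rewrite when the box is absent instead of writing through the missing pointer. The helper names (find_trun, patch_trun_data_offset, make_moof) and the assumption that a missing trun is the trigger are this example's own, not taken from the project or the PoC.

```cpp
// Added example, not Bento4 code: minimal moof/traf/trun walker that
// demonstrates the "rewrite data_offset on a fragment with no trun" failure
// mode and the guarded alternative. Box layout follows ISO/IEC 14496-12:
// box = size(4) type(4) payload; fullbox payload starts with version(1) flags(3).
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <stdexcept>
#include <string>
#include <vector>

struct Box { size_t offset; size_t size; std::string type; };
static const size_t NOT_FOUND = (size_t)-1;

static uint32_t rd32(const std::vector<uint8_t>& b, size_t at) {
    if (at + 4 > b.size()) throw std::runtime_error("truncated box");
    return ((uint32_t)b[at] << 24) | ((uint32_t)b[at + 1] << 16) |
           ((uint32_t)b[at + 2] << 8) | (uint32_t)b[at + 3];
}
static void wr32(std::vector<uint8_t>& b, size_t at, uint32_t v) {
    if (at + 4 > b.size()) throw std::runtime_error("write past end of buffer");
    b[at] = (uint8_t)(v >> 24); b[at + 1] = (uint8_t)(v >> 16);
    b[at + 2] = (uint8_t)(v >> 8); b[at + 3] = (uint8_t)v;
}

// Enumerate the boxes in [start, end), rejecting sizes that escape the parent.
static std::vector<Box> children(const std::vector<uint8_t>& b, size_t start, size_t end) {
    std::vector<Box> out;
    for (size_t pos = start; pos + 8 <= end;) {
        uint32_t size = rd32(b, pos);
        if (size < 8 || pos + size > end) throw std::runtime_error("bad box size");
        out.push_back({pos, size, std::string((const char*)&b[pos + 4], 4)});
        pos += size;
    }
    return out;
}
static const Box* find_child(const std::vector<Box>& boxes, const char* type) {
    for (const Box& b : boxes) if (b.type == type) return &b;
    return nullptr;
}

// Offset of the first moof/traf/trun box, or NOT_FOUND if any level is missing.
static size_t find_trun(const std::vector<uint8_t>& f) {
    std::vector<Box> top = children(f, 0, f.size());
    const Box* moof = find_child(top, "moof");
    if (!moof) return NOT_FOUND;
    std::vector<Box> inMoof = children(f, moof->offset + 8, moof->offset + moof->size);
    const Box* traf = find_child(inMoof, "traf");
    if (!traf) return NOT_FOUND;
    std::vector<Box> inTraf = children(f, traf->offset + 8, traf->offset + traf->size);
    const Box* trun = find_child(inTraf, "trun");
    return trun ? trun->offset : NOT_FOUND;
}

// Guarded rewrite of trun.data_offset. An unguarded version of this step
// (look up trun, then unconditionally store into it) is exactly the shape
// that turns a fragment without a trun into a null member write.
static bool patch_trun_data_offset(std::vector<uint8_t>& f, int32_t new_offset) {
    size_t trun = find_trun(f);
    if (trun == NOT_FOUND) return false;                 // no trun: nothing to rewrite, do not dereference
    uint32_t flags = rd32(f, trun + 8) & 0x00FFFFFFu;    // fullbox flags
    if (!(flags & 0x1)) return false;                    // data-offset-present not set: field absent
    wr32(f, trun + 16, (uint32_t)new_offset);            // header(8) + ver/flags(4) + sample_count(4)
    return true;
}
static bool read_trun_data_offset(const std::vector<uint8_t>& f, int32_t& out) {
    size_t trun = find_trun(f);
    if (trun == NOT_FOUND || !(rd32(f, trun + 8) & 0x1)) return false;
    out = (int32_t)rd32(f, trun + 16);
    return true;
}

static void append_box(std::vector<uint8_t>& out, const char* type, const std::vector<uint8_t>& payload) {
    size_t at = out.size();
    out.resize(at + 8);
    wr32(out, at, (uint32_t)(8 + payload.size()));
    std::memcpy(&out[at + 4], type, 4);
    out.insert(out.end(), payload.begin(), payload.end());
}

// Constructed input: moof { mfhd, traf { tfhd [, trun] } }. The with_trun=false
// variant is the hypothetical trigger shape; it is not the reporter's PoC.
static std::vector<uint8_t> make_moof(bool with_trun) {
    std::vector<uint8_t> mfhd = {0, 0, 0, 0, 0, 0, 0, 1};   // version 0, flags 0, sequence_number 1
    std::vector<uint8_t> tfhd = {0, 0, 0, 0, 0, 0, 0, 1};   // version 0, flags 0, track_ID 1
    std::vector<uint8_t> traf;
    append_box(traf, "tfhd", tfhd);
    if (with_trun) {                                        // flags 0x000001, sample_count 1, data_offset 0
        std::vector<uint8_t> trun = {0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0};
        append_box(traf, "trun", trun);
    }
    std::vector<uint8_t> moofPayload, file;
    append_box(moofPayload, "mfhd", mfhd);
    append_box(moofPayload, "traf", traf);
    append_box(file, "moof", moofPayload);
    return file;
}

int main() {
    std::vector<uint8_t> noTrun = make_moof(false), withTrun = make_moof(true);
    std::printf("fragment without trun: patched=%d\n", patch_trun_data_offset(noTrun, 100));
    std::printf("fragment with trun:    patched=%d\n", patch_trun_data_offset(withTrun, -8));
    return 0;
}
```

The same guard belongs at every place a fragment-processing loop looks up an optional child box by type and then writes to it; a dynamic cast or GetChild that can return null is only safe if the caller checks it before the first member access, and ASan's zero-page hint is the quickest way to tell that class of bug apart from a genuine out-of-bounds heap write, which would come with shadow-byte details instead.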