axiomatic-systems / Bento4

Full-featured MP4 format, MPEG DASH, HLS, CMAF SDK and tools

Home Page:http://www.bento4.com

Memory leaks in mp42aac on adding / deleting AP4_Track::AP4_Tracks

mirusu400 opened this issue · comments

Environment

 ubuntu  ~/lab/Bento4-clean/cmakebuild  ◈ v1.5.1-628  lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.2 LTS
Release:        22.04
Codename:       jammy

Compiler

 ubuntu  ~/lab/Bento4-clean/cmakebuild  ◈ v1.5.1-628  clang -v
Ubuntu clang version 14.0.0-1ubuntu1.1
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/bin
Found candidate GCC installation: /usr/bin/../lib/gcc/x86_64-linux-gnu/11
Selected GCC installation: /usr/bin/../lib/gcc/x86_64-linux-gnu/11
Candidate multilib: .;@m64
Selected multilib: .;@m64

Steps to reproduce

git clone https://github.com/axiomatic-systems/Bento4.git -b v1.5.1-628
pushd Bento4
mkdir cmakebuild
pushd cmakebuild
cmake -DCMAKE_BUILD_TYPE=Release -DCMAKE_CXX_FLAGS_RELEASE="-fsanitize=address -fno-inline" ..
make
mp42aac poc.mp4 out

Affected Version

Bento4 v1.5.1-628 (https://github.com/axiomatic-systems/Bento4/tree/v1.5.1-628)

Contents of PoC file

poc.zip

Current Behavior

  • stderr (Given by ASAN)
ERROR: no audio track found

=================================================================
==29053==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x55cf6ec8723d in operator new(unsigned long) (/home/ubuntu/lab/Bento4_AFL/cmakebuild/mp42aac+0x16223d) (BuildId: ffe7bbaa2d49eb5a6b20555c850617a61dc43049)
    #1 0x55cf6ec9a341 in AP4_File::ParseStream(AP4_ByteStream&, AP4_AtomFactory&, bool) /home/ubuntu/lab/Bento4_AFL/Source/C++/Core/Ap4File.cpp:108:27
    #2 0x55cf6ec9aa78 in AP4_File::AP4_File(AP4_ByteStream&, bool) /home/ubuntu/lab/Bento4_AFL/Source/C++/Core/Ap4File.cpp:78:5
    #3 0x55cf6ec89c8e in main /home/ubuntu/lab/Bento4_AFL/Source/C++/Apps/Mp42Aac/Mp42Aac.cpp:250:22
    #4 0x7f3f8e9ddd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

Indirect leak of 176 byte(s) in 2 object(s) allocated from:
    #0 0x55cf6ec8723d in operator new(unsigned long) (/home/ubuntu/lab/Bento4_AFL/cmakebuild/mp42aac+0x16223d) (BuildId: ffe7bbaa2d49eb5a6b20555c850617a61dc43049)
    #1 0x55cf6ecdcff5 in AP4_Track::AP4_Track(AP4_TrakAtom&, AP4_ByteStream&, unsigned int) /home/ubuntu/lab/Bento4_AFL/Source/C++/Core/Ap4Track.cpp:242:25

Indirect leak of 48 byte(s) in 2 object(s) allocated from:
    #0 0x55cf6ec8723d in operator new(unsigned long) (/home/ubuntu/lab/Bento4_AFL/cmakebuild/mp42aac+0x16223d) (BuildId: ffe7bbaa2d49eb5a6b20555c850617a61dc43049)
    #1 0x55cf6eca4bec in AP4_List<AP4_Track>::Add(AP4_Track*) /home/ubuntu/lab/Bento4_AFL/Source/C++/Core/Ap4List.h:160:16

Indirect leak of 48 byte(s) in 1 object(s) allocated from:
    #0 0x55cf6ec8723d in operator new(unsigned long) (/home/ubuntu/lab/Bento4_AFL/cmakebuild/mp42aac+0x16223d) (BuildId: ffe7bbaa2d49eb5a6b20555c850617a61dc43049)
    #1 0x55cf6ed1eac1 in AP4_StdcFileByteStream::Create(AP4_FileByteStream*, char const*, AP4_FileByteStream::Mode, AP4_ByteStream*&) /home/ubuntu/lab/Bento4_AFL/Source/C++/System/StdC/Ap4StdCFileByteStream.cpp:175:14
    #2 0x55cf6ec89b79 in main /home/ubuntu/lab/Bento4_AFL/Source/C++/Apps/Mp42Aac/Mp42Aac.cpp:236:14
    #3 0x7f3f8e9ddd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

Indirect leak of 40 byte(s) in 1 object(s) allocated from:
    #0 0x55cf6ec8723d in operator new(unsigned long) (/home/ubuntu/lab/Bento4_AFL/cmakebuild/mp42aac+0x16223d) (BuildId: ffe7bbaa2d49eb5a6b20555c850617a61dc43049)
    #1 0x55cf6eca3029 in AP4_Movie::AP4_Movie(AP4_MoovAtom*, AP4_ByteStream&, bool) /home/ubuntu/lab/Bento4_AFL/Source/C++/Core/Ap4Movie.cpp:114:28

Indirect leak of 40 byte(s) in 1 object(s) allocated from:
    #0 0x55cf6ec8723d in operator new(unsigned long) (/home/ubuntu/lab/Bento4_AFL/cmakebuild/mp42aac+0x16223d) (BuildId: ffe7bbaa2d49eb5a6b20555c850617a61dc43049)
    #1 0x55cf6eca3029 in AP4_Movie::AP4_Movie(AP4_MoovAtom*, AP4_ByteStream&, bool) /home/ubuntu/lab/Bento4_AFL/Source/C++/Core/Ap4Movie.cpp:114:28
    #2 0x55cf6ec9aa78 in AP4_File::AP4_File(AP4_ByteStream&, bool) /home/ubuntu/lab/Bento4_AFL/Source/C++/Core/Ap4File.cpp:78:5
    #3 0x55cf6ec89c8e in main /home/ubuntu/lab/Bento4_AFL/Source/C++/Apps/Mp42Aac/Mp42Aac.cpp:250:22
    #4 0x7f3f8e9ddd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: 416 byte(s) leaked in 8 allocation(s).

  • stderr (valgrind)
==8898== Memcheck, a memory error detector
==8898== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==8898== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info
==8898== Command: ./mp42aac /home/ubuntu/lab/Bento4/crashes/id_000006,sig_06,src_000004,time_55114263,execs_1191083,op_flip1,pos_1217 out
==8898== 
ERROR: no audio track found
==8898== 
==8898== HEAP SUMMARY:
==8898==     in use at exit: 888 bytes in 9 blocks
==8898==   total heap usage: 200 allocs, 191 frees, 93,975 bytes allocated
==8898== 
==8898== 48 bytes in 1 blocks are indirectly lost in loss record 1 of 6
==8898==    at 0x4849013: operator new(unsigned long) (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==8898==    by 0x192D1E: AP4_StdcFileByteStream::Create(AP4_FileByteStream*, char const*, AP4_FileByteStream::Mode, AP4_ByteStream*&) (in /home/ubuntu/lab/Bento4-clean/cmakebuild/mp42aac)
==8898==    by 0x193178: AP4_FileByteStream::Create(char const*, AP4_FileByteStream::Mode, AP4_ByteStream*&) (in /home/ubuntu/lab/Bento4-clean/cmakebuild/mp42aac)
==8898==    by 0x16FE68: main (in /home/ubuntu/lab/Bento4-clean/cmakebuild/mp42aac)
==8898== 
==8898== 48 bytes in 2 blocks are indirectly lost in loss record 2 of 6
==8898==    at 0x4849013: operator new(unsigned long) (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==8898==    by 0x175298: AP4_List<AP4_Track>::Add(AP4_Track*) (in /home/ubuntu/lab/Bento4-clean/cmakebuild/mp42aac)
==8898==    by 0x174AED: AP4_Movie::AP4_Movie(AP4_MoovAtom*, AP4_ByteStream&, bool) (in /home/ubuntu/lab/Bento4-clean/cmakebuild/mp42aac)
==8898==    by 0x172FC7: AP4_File::ParseStream(AP4_ByteStream&, AP4_AtomFactory&, bool) (in /home/ubuntu/lab/Bento4-clean/cmakebuild/mp42aac)
==8898==    by 0x172DE6: AP4_File::AP4_File(AP4_ByteStream&, bool) (in /home/ubuntu/lab/Bento4-clean/cmakebuild/mp42aac)
==8898==    by 0x16FF07: main (in /home/ubuntu/lab/Bento4-clean/cmakebuild/mp42aac)
==8898== 
==8898== 80 bytes in 2 blocks are indirectly lost in loss record 3 of 6
==8898==    at 0x4849013: operator new(unsigned long) (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==8898==    by 0x174AB8: AP4_Movie::AP4_Movie(AP4_MoovAtom*, AP4_ByteStream&, bool) (in /home/ubuntu/lab/Bento4-clean/cmakebuild/mp42aac)
==8898==    by 0x172FC7: AP4_File::ParseStream(AP4_ByteStream&, AP4_AtomFactory&, bool) (in /home/ubuntu/lab/Bento4-clean/cmakebuild/mp42aac)
==8898==    by 0x172DE6: AP4_File::AP4_File(AP4_ByteStream&, bool) (in /home/ubuntu/lab/Bento4-clean/cmakebuild/mp42aac)
==8898==    by 0x16FF07: main (in /home/ubuntu/lab/Bento4-clean/cmakebuild/mp42aac)
==8898== 
==8898== 176 bytes in 2 blocks are indirectly lost in loss record 4 of 6
==8898==    at 0x4849013: operator new(unsigned long) (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==8898==    by 0x184E1D: AP4_Track::AP4_Track(AP4_TrakAtom&, AP4_ByteStream&, unsigned int) (in /home/ubuntu/lab/Bento4-clean/cmakebuild/mp42aac)
==8898==    by 0x174AD2: AP4_Movie::AP4_Movie(AP4_MoovAtom*, AP4_ByteStream&, bool) (in /home/ubuntu/lab/Bento4-clean/cmakebuild/mp42aac)
==8898==    by 0x172FC7: AP4_File::ParseStream(AP4_ByteStream&, AP4_AtomFactory&, bool) (in /home/ubuntu/lab/Bento4-clean/cmakebuild/mp42aac)
==8898==    by 0x172DE6: AP4_File::AP4_File(AP4_ByteStream&, bool) (in /home/ubuntu/lab/Bento4-clean/cmakebuild/mp42aac)
==8898==    by 0x16FF07: main (in /home/ubuntu/lab/Bento4-clean/cmakebuild/mp42aac)
==8898== 
==8898== 416 (64 direct, 352 indirect) bytes in 1 blocks are definitely lost in loss record 5 of 6
==8898==    at 0x4849013: operator new(unsigned long) (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==8898==    by 0x172FAD: AP4_File::ParseStream(AP4_ByteStream&, AP4_AtomFactory&, bool) (in /home/ubuntu/lab/Bento4-clean/cmakebuild/mp42aac)
==8898==    by 0x172DE6: AP4_File::AP4_File(AP4_ByteStream&, bool) (in /home/ubuntu/lab/Bento4-clean/cmakebuild/mp42aac)
==8898==    by 0x16FF07: main (in /home/ubuntu/lab/Bento4-clean/cmakebuild/mp42aac)
==8898== 
==8898== 472 bytes in 1 blocks are still reachable in loss record 6 of 6
==8898==    at 0x4848899: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==8898==    by 0x4B2C64D: __fopen_internal (iofopen.c:65)
==8898==    by 0x4B2C64D: fopen@@GLIBC_2.2.5 (iofopen.c:86)
==8898==    by 0x192B2A: fopen_s(_IO_FILE**, char const*, char const*) (in /home/ubuntu/lab/Bento4-clean/cmakebuild/mp42aac)
==8898==    by 0x192C58: AP4_StdcFileByteStream::Create(AP4_FileByteStream*, char const*, AP4_FileByteStream::Mode, AP4_ByteStream*&) (in /home/ubuntu/lab/Bento4-clean/cmakebuild/mp42aac)
==8898==    by 0x193178: AP4_FileByteStream::Create(char const*, AP4_FileByteStream::Mode, AP4_ByteStream*&) (in /home/ubuntu/lab/Bento4-clean/cmakebuild/mp42aac)
==8898==    by 0x16FE68: main (in /home/ubuntu/lab/Bento4-clean/cmakebuild/mp42aac)
==8898== 
==8898== LEAK SUMMARY:
==8898==    definitely lost: 64 bytes in 1 blocks
==8898==    indirectly lost: 352 bytes in 7 blocks
==8898==      possibly lost: 0 bytes in 0 blocks
==8898==    still reachable: 472 bytes in 1 blocks
==8898==         suppressed: 0 bytes in 0 blocks
==8898== 
==8898== For lists of detected and suppressed errors, rerun with: -s
==8898== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

Analysis

    while (item) {
        AP4_Track* track = new AP4_Track(*item->GetData(),
                                         sample_stream,
                                         time_scale);
        m_Tracks.Add(track);
        item = item->GetNext();
    }

In AP4_Movie::AP4_Movie, the tracks are parsed and added to the m_Tracks list, but it seems that mp42aac cannot correctly delete them when we get a "no audio track found" error. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted mp4 file.
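As an added illustration (this is not code from the issue or from Bento4), here is a stripped-down model of the ownership pattern the analysis above describes: heap-allocated track objects held by raw pointers in a list, with an early return on the "no audio track found" path. The names Track, convertLeaky, convertSafe and leakedAfter are hypothetical stand-ins for the AP4_Track / AP4_Movie / AP4_File chain, and the "soun"/"vide" handler strings are constructed inputs. The leaky variant reproduces the behaviour the sanitizer reports (objects reachable only from a raw pointer that is never deleted on the error path); the hardened variant expresses ownership with std::unique_ptr so every return path frees the tracks.

```cpp
// Added example, not Bento4 code: a simplified model of the ownership pattern
// behind the reported leak. Track/convertLeaky/convertSafe/leakedAfter are
// hypothetical names chosen for this illustration.
#include <cstddef>
#include <iostream>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Stand-in for a parsed track; the static counter makes leaks observable
// without a sanitizer.
struct Track {
    static std::size_t live;   // Track objects currently alive
    std::string handler;       // "soun" = audio, "vide" = video (constructed values)
    explicit Track(std::string h) : handler(std::move(h)) { ++live; }
    ~Track() { --live; }
};
std::size_t Track::live = 0;

// Leaky variant. Like the "new AP4_Track(...); m_Tracks.Add(track)" loop in
// the report, every track is a raw heap pointer owned by a list. The success
// path frees them, but the "no audio track found" path returns early without
// freeing, which is what ASan and valgrind flag as "definitely lost".
bool convertLeaky(const std::vector<std::string>& handlers) {
    std::vector<Track*> tracks;
    for (const std::string& h : handlers) tracks.push_back(new Track(h));

    for (Track* t : tracks) {
        if (t->handler == "soun") {
            // ... audio would be extracted here ...
            for (Track* x : tracks) delete x;   // only the success path cleans up
            return true;
        }
    }
    std::cerr << "ERROR: no audio track found\n";
    return false;   // BUG: tracks are still allocated and nobody owns them now
}

// Hardened variant: ownership is expressed with std::unique_ptr, so the
// vector's destructor releases every Track on every return path, including
// the error path. No manual delete is needed and none can be forgotten.
bool convertSafe(const std::vector<std::string>& handlers) {
    std::vector<std::unique_ptr<Track>> tracks;
    for (const std::string& h : handlers)
        tracks.push_back(std::unique_ptr<Track>(new Track(h)));

    for (const std::unique_ptr<Track>& t : tracks) {
        if (t->handler == "soun") return true;   // tracks freed by RAII
    }
    std::cerr << "ERROR: no audio track found\n";
    return false;                                 // tracks freed by RAII
}

// Runs one variant and reports how many Track objects it left alive,
// i.e. the leak count a sanitizer would report for that single call.
std::size_t leakedAfter(bool (*convert)(const std::vector<std::string>&),
                        const std::vector<std::string>& handlers) {
    const std::size_t before = Track::live;
    convert(handlers);
    return Track::live - before;
}

int main() {
    // Constructed inputs: a video-only file (the failing case) and a normal one.
    const std::vector<std::string> videoOnly = {"vide", "vide"};
    const std::vector<std::string> withAudio = {"vide", "soun"};

    std::cout << "leaky, video-only : " << leakedAfter(convertLeaky, videoOnly) << " leaked\n";
    std::cout << "leaky, with audio : " << leakedAfter(convertLeaky, withAudio) << " leaked\n";
    std::cout << "safe,  video-only : " << leakedAfter(convertSafe, videoOnly) << " leaked\n";
    std::cout << "safe,  with audio : " << leakedAfter(convertSafe, withAudio) << " leaked\n";
    return 0;
}
```

Compiling this with -fsanitize=address, as in the reproduction steps above, reports the two Track objects left behind by convertLeaky on the video-only input and nothing for convertSafe; the static counter gives the same answer without a sanitizer. The same RAII approach applies one level up: if the object that owns the track list is itself held by a smart pointer in main, the early exit on the error path frees the whole chain.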

Cannot reproduce this on the master branch. Closing. Please re-open if you can repro on master.