AddressSanitizer: heap-buffer-overflow in mp42aac.
To Reproduce
Built Bento4 main branch and release v1.6.0-641 according to the instructions in the README.md file.
ASAN Output
./mp42aaac <testcase> /dev/null
=================================================================
==270550==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000b1 at pc 0x000000434dee bp 0x7fff1e043750 sp 0x7fff1e042f18
WRITE of size 11 at 0x6020000000b1 thread T0
#0 0x434ded in fread /tmp/llvm/utils/release/final/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1029:16
#1 0x54362b in AP4_StdcFileByteStream::ReadPartial(void*, unsigned int, unsigned int&) BUILD/Source/C++/System/StdC/Ap4StdCFileByteStream.cpp:341:14
#2 0x4d161f in AP4_ByteStream::Read(void*, unsigned int) BUILD/Source/C++/Core/Ap4ByteStream.cpp:54:29
#3 0x53f424 in AP4_MetaDataStringAtom::AP4_MetaDataStringAtom(unsigned int, unsigned int, AP4_ByteStream&) BUILD/Source/C++/MetaData/Ap4MetaData.cpp:1637:12
#4 0x533c10 in AP4_MetaDataAtomTypeHandler::CreateAtom(unsigned int, unsigned int, AP4_ByteStream&, unsigned int, AP4_Atom*&) BUILD/Source/C++/MetaData/Ap4MetaData.cpp:428:24
#5 0x55b04d in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) BUILD/Source/C++/Core/Ap4AtomFactory.cpp:844:21
#6 0x5562c1 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) BUILD/Source/C++/Core/Ap4AtomFactory.cpp:234:14
#7 0x590b19 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) BUILD/Source/C++/Core/Ap4ContainerAtom.cpp:196:12
#8 0x590926 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) BUILD/Source/C++/Core/Ap4ContainerAtom.cpp:140:5
#9 0x5901ac in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) BUILD/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
#10 0x533a7c in AP4_MetaDataAtomTypeHandler::CreateAtom(unsigned int, unsigned int, AP4_ByteStream&, unsigned int, AP4_Atom*&) BUILD/Source/C++/MetaData/Ap4MetaData.cpp:419:20
#11 0x55b04d in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) BUILD/Source/C++/Core/Ap4AtomFactory.cpp:844:21
#12 0x5562c1 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) BUILD/Source/C++/Core/Ap4AtomFactory.cpp:234:14
#13 0x590b19 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) BUILD/Source/C++/Core/Ap4ContainerAtom.cpp:196:12
#14 0x590926 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) BUILD/Source/C++/Core/Ap4ContainerAtom.cpp:140:5
#15 0x5901ac in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) BUILD/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
#16 0x55ae35 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) BUILD/Source/C++/Core/Ap4AtomFactory.cpp:816:20
#17 0x5562c1 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) BUILD/Source/C++/Core/Ap4AtomFactory.cpp:234:14
#18 0x55542e in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) BUILD/Source/C++/Core/Ap4AtomFactory.cpp:154:12
#19 0x4da683 in AP4_File::ParseStream(AP4_ByteStream&, AP4_AtomFactory&, bool) BUILD/Source/C++/Core/Ap4File.cpp:104:12
#20 0x4dad7d in AP4_File::AP4_File(AP4_ByteStream&, bool) BUILD/Source/C++/Core/Ap4File.cpp:78:5
#21 0x4cf8ee in main BUILD/Source/C++/Apps/Mp42Aac/Mp42Aac.cpp:250:22
#22 0x7f8063b77082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
#23 0x41d5ed in _start (target+0x41d5ed)
0x6020000000b1 is located 0 bytes to the right of 1-byte region [0x6020000000b0,0x6020000000b1)
allocated by thread T0 here:
#0 0x4c94ad in operator new[](unsigned long) /tmp/llvm/utils/release/final/llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:102:3
#1 0x50ab25 in AP4_String::AP4_String(unsigned int) BUILD/Source/C++/Core/Ap4String.cpp:85:15
#2 0x53f3c1 in AP4_MetaDataStringAtom::AP4_MetaDataStringAtom(unsigned int, unsigned int, AP4_ByteStream&) BUILD/Source/C++/MetaData/Ap4MetaData.cpp:1634:5
#3 0x533c10 in AP4_MetaDataAtomTypeHandler::CreateAtom(unsigned int, unsigned int, AP4_ByteStream&, unsigned int, AP4_Atom*&) BUILD/Source/C++/MetaData/Ap4MetaData.cpp:428:24
#4 0x55b04d in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) BUILD/Source/C++/Core/Ap4AtomFactory.cpp:844:21
#5 0x5562c1 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) BUILD/Source/C++/Core/Ap4AtomFactory.cpp:234:14
#6 0x590b19 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) BUILD/Source/C++/Core/Ap4ContainerAtom.cpp:196:12
#7 0x590926 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) BUILD/Source/C++/Core/Ap4ContainerAtom.cpp:140:5
#8 0x5901ac in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) BUILD/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
#9 0x533a7c in AP4_MetaDataAtomTypeHandler::CreateAtom(unsigned int, unsigned int, AP4_ByteStream&, unsigned int, AP4_Atom*&) BUILD/Source/C++/MetaData/Ap4MetaData.cpp:419:20
#10 0x55b04d in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) BUILD/Source/C++/Core/Ap4AtomFactory.cpp:844:21
#11 0x5562c1 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) BUILD/Source/C++/Core/Ap4AtomFactory.cpp:234:14
#12 0x590b19 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) BUILD/Source/C++/Core/Ap4ContainerAtom.cpp:196:12
#13 0x590926 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) BUILD/Source/C++/Core/Ap4ContainerAtom.cpp:140:5
#14 0x5901ac in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) BUILD/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
#15 0x55ae35 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) BUILD/Source/C++/Core/Ap4AtomFactory.cpp:816:20
#16 0x5562c1 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) BUILD/Source/C++/Core/Ap4AtomFactory.cpp:234:14
#17 0x55542e in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) BUILD/Source/C++/Core/Ap4AtomFactory.cpp:154:12
#18 0x4da683 in AP4_File::ParseStream(AP4_ByteStream&, AP4_AtomFactory&, bool) BUILD/Source/C++/Core/Ap4File.cpp:104:12
#19 0x4dad7d in AP4_File::AP4_File(AP4_ByteStream&, bool) BUILD/Source/C++/Core/Ap4File.cpp:78:5
#20 0x4cf8ee in main BUILD/Source/C++/Apps/Mp42Aac/Mp42Aac.cpp:250:22
#21 0x7f8063b77082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/llvm/utils/release/final/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1029:16 in fread
Shadow bytes around the buggy address:
0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff8000: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
=>0x0c047fff8010: fa fa 01 fa fa fa[01]fa fa fa fa fa fa fa fa fa
0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==270550==ABORTING
Environment info
OS: Ubuntu 20.04.6
Bento v1.6.0-641 (and main branch)
Crashing file
Please find the file provoking the crash inside the testcase.zip archive testcase.zip