Heap-buffer-overflow in Bento4/Source/C++/Core/Ap4ByteStream.cpp:785
Environment:
Distributor ID: Ubuntu
Description: Ubuntu 24.04.1 LTS
Release: 24.04
Compiler:
Ubuntu clang version 14.0.6
Target: x86_64-pc-linux-gnu
Thread model: posix
Compiling:
mkdir build && cd build
cmake -DCMAKE_CXX_FLAGS_RELEASE="-fsanitize=address -fsanitize=undefined -fno-omit-frame-pointer -g" ..
make
Version:
commit 3bdc891
PoC file:
Unzip the following file.
Behavior:
./mp42hevc poc/bento4_002.poc /dev/null
Output:
=================================================================
==938961==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000000eb0 at pc 0x5624da7852ae bp 0x7ffc558e5da0 sp 0x7ffc558e5570
WRITE of size 4294967288 at 0x619000000eb0 thread T0
#0 0x5624da7852ad in __asan_memcpy (/home/exp/bin/asan_ubsan/mp42hevc+0x2b62ad) (BuildId: 72913d137b17319d7173795b406f1ca606be691a)
#1 0x5624da7d8ec9 in AP4_MemoryByteStream::WritePartial(void const*, unsigned int, unsigned int&) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4ByteStream.cpp:785:5
#2 0x5624da7cef87 in AP4_ByteStream::Write(void const*, unsigned int) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4ByteStream.cpp:77:29
#3 0x5624da9d1b58 in AP4_CencSampleEncryption::DoWriteFields(AP4_ByteStream&) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4CommonEncryption.cpp:3569:16
#4 0x5624daae95da in AP4_PiffSampleEncryptionAtom::WriteFields(AP4_ByteStream&) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4Piff.cpp:185:12
#5 0x5624da91cf1c in AP4_Atom::Write(AP4_ByteStream&) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4Atom.cpp:229:14
#6 0x5624da91e2cd in AP4_Atom::Clone() /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4Atom.cpp:316:9
#7 0x5624da837f03 in AP4_SampleDescription::AP4_SampleDescription(AP4_SampleDescription::Type, unsigned int, AP4_AtomParent*) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4SampleDescription.cpp:138:41
#8 0x5624da840904 in AP4_HevcSampleDescription::AP4_HevcSampleDescription(unsigned int, unsigned short, unsigned short, unsigned short, char const*, AP4_AtomParent*) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4SampleDescription.cpp:519:5
#9 0x5624da873667 in AP4_HevcSampleEntry::ToSampleDescription() /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4SampleEntry.cpp:1190:16
#10 0x5624da8843ed in AP4_StsdAtom::GetSampleDescription(unsigned int) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4StsdAtom.cpp:182:53
#11 0x5624da95c2b3 in AP4_AtomSampleTable::GetSampleDescription(unsigned int) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4AtomSampleTable.cpp:207:37
#12 0x5624da88e9e1 in AP4_Track::GetSampleDescription(unsigned int) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4Track.cpp:447:43
#13 0x5624da7c528c in main /home/exp/src/bento4/Bento4/Source/C++/Apps/Mp42Hevc/Mp42Hevc.cpp:393:39
#14 0x7f4b5ee2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#15 0x7f4b5ee2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
#16 0x5624da702514 in _start (/home/exp/bin/asan_ubsan/mp42hevc+0x233514) (BuildId: 72913d137b17319d7173795b406f1ca606be691a)
0x619000000eb0 is located 0 bytes to the right of 1072-byte region [0x619000000a80,0x619000000eb0)
allocated by thread T0 here:
#0 0x5624da7c2051 in operator new[](unsigned long) (/home/exp/bin/asan_ubsan/mp42hevc+0x2f3051) (BuildId: 72913d137b17319d7173795b406f1ca606be691a)
#1 0x5624da7e1a23 in AP4_DataBuffer::ReallocateBuffer(unsigned int) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:210:28
#2 0x5624da7e141e in AP4_DataBuffer::SetBufferSize(unsigned int) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:136:16
#3 0x5624da7e123c in AP4_DataBuffer::Reserve(unsigned int) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:107:12
#4 0x5624da7d827f in AP4_MemoryByteStream::WritePartial(void const*, unsigned int, unsigned int&) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4ByteStream.cpp:765:35
#5 0x5624da7cef87 in AP4_ByteStream::Write(void const*, unsigned int) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4ByteStream.cpp:77:29
#6 0x5624da7cff5d in AP4_ByteStream::WriteUI08(unsigned char) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4ByteStream.cpp:184:12
#7 0x5624dab9875a in AP4_UuidAtom::WriteHeader(AP4_ByteStream&) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4UuidAtom.cpp:108:25
#8 0x5624da91cde8 in AP4_Atom::Write(AP4_ByteStream&) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4Atom.cpp:225:14
#9 0x5624da91e2cd in AP4_Atom::Clone() /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4Atom.cpp:316:9
#10 0x5624da837f03 in AP4_SampleDescription::AP4_SampleDescription(AP4_SampleDescription::Type, unsigned int, AP4_AtomParent*) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4SampleDescription.cpp:138:41
#11 0x5624da840904 in AP4_HevcSampleDescription::AP4_HevcSampleDescription(unsigned int, unsigned short, unsigned short, unsigned short, char const*, AP4_AtomParent*) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4SampleDescription.cpp:519:5
#12 0x5624da873667 in AP4_HevcSampleEntry::ToSampleDescription() /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4SampleEntry.cpp:1190:16
#13 0x5624da8843ed in AP4_StsdAtom::GetSampleDescription(unsigned int) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4StsdAtom.cpp:182:53
#14 0x5624da95c2b3 in AP4_AtomSampleTable::GetSampleDescription(unsigned int) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4AtomSampleTable.cpp:207:37
#15 0x5624da88e9e1 in AP4_Track::GetSampleDescription(unsigned int) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4Track.cpp:447:43
#16 0x5624da7c528c in main /home/exp/src/bento4/Bento4/Source/C++/Apps/Mp42Hevc/Mp42Hevc.cpp:393:39
#17 0x7f4b5ee2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#18 0x7f4b5ee2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
#19 0x5624da702514 in _start (/home/exp/bin/asan_ubsan/mp42hevc+0x233514) (BuildId: 72913d137b17319d7173795b406f1ca606be691a)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/exp/bin/asan_ubsan/mp42hevc+0x2b62ad) (BuildId: 72913d137b17319d7173795b406f1ca606be691a) in __asan_memcpy
Shadow bytes around the buggy address:
0x0c327fff8180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff81a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff81b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff81c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff81d0: 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa
0x0c327fff81e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff81f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8210: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8220: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==938961==ABORTING
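The WRITE size in the report, 4294967288, is 0xFFFFFFF8, i.e. 2^32 - 8: the value a 32-bit unsigned subtraction yields when 8 is taken from something smaller than 8. The faulting address sits exactly at the end of the 1072-byte region, which is consistent with a wrapped length making the preceding Reserve look small while memcpy still receives the full 32-bit value; whether that is the actual computation at Ap4CommonEncryption.cpp:3569 is not shown on this page. The C++ below is an added example, not Bento4 code: it reproduces the arithmetic on a constructed input and shows a WritePartial-style routine that computes its end offset in 64 bits and caps it, so a wrapped length is rejected before it reaches memcpy. Every identifier in it (ToyStream, write_partial, kMaxStreamBytes, the 1 GiB cap) is this example's own assumption.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Hypothetical names for this example; none of them are Bento4 identifiers.
struct ToyStream {
    std::vector<uint8_t> buf;  // backing store, grown on demand
    uint32_t pos = 0;          // current write offset
};

enum WriteStatus { WRITE_OK = 0, WRITE_ERR_TOO_LARGE = -1 };

// Upper bound on how large the toy stream may grow (assumption for this example).
static const uint64_t kMaxStreamBytes = 1u << 30;

// The arithmetic that produces a size like 4294967288: a 32-bit "payload = total - header"
// evaluated with total < header wraps around to 2^32 - (header - total).
uint32_t unchecked_payload_len(uint32_t total, uint32_t header) {
    return total - header;
}

// Same computation with the guard a parser should carry: refuse when the header
// is larger than the declared total, so the subtraction can never wrap.
bool checked_payload_len(uint32_t total, uint32_t header, uint32_t* out) {
    if (total < header) return false;
    *out = total - header;
    return true;
}

// Write `len` bytes at the current offset, growing the buffer first. The end
// offset is computed in 64 bits and capped, so a wrapped 32-bit length is
// rejected instead of shrinking the reservation and overrunning in memcpy.
WriteStatus write_partial(ToyStream& s, const void* data, uint32_t len, uint32_t& written) {
    written = 0;
    uint64_t end = static_cast<uint64_t>(s.pos) + len;
    if (end > kMaxStreamBytes) return WRITE_ERR_TOO_LARGE;
    if (end > s.buf.size()) s.buf.resize(static_cast<size_t>(end));
    std::memcpy(s.buf.data() + s.pos, data, len);
    s.pos += len;
    written = len;
    return WRITE_OK;
}

// Constructed scenario: an atom whose declared size (0) is smaller than its
// 8-byte fixed header. Returns the length the unchecked path would hand to memcpy.
uint32_t demo_wrapped_length() {
    const uint32_t declared_total = 0;  // constructed input
    const uint32_t header_bytes = 8;
    return unchecked_payload_len(declared_total, header_bytes);
}

// Feeds the wrapped length to the guarded writer; true if it was rejected with
// nothing written and the buffer untouched.
bool wrapped_write_is_rejected() {
    ToyStream s;
    uint32_t written = 0;
    const uint8_t junk[4] = {0, 0, 0, 0};  // constructed input
    WriteStatus st = write_partial(s, junk, demo_wrapped_length(), written);
    return st == WRITE_ERR_TOO_LARGE && written == 0 && s.buf.empty() && s.pos == 0;
}

// Sanity check that ordinary writes still work and land at the expected offset.
bool small_write_is_accepted() {
    ToyStream s;
    uint32_t written = 0;
    const char msg[] = "abc";  // constructed input
    WriteStatus st = write_partial(s, msg, 3, written);
    return st == WRITE_OK && written == 3 && s.pos == 3 &&
           s.buf.size() == 3 && s.buf[2] == 'c';
}

int main() {
    uint32_t wrapped = demo_wrapped_length();
    std::printf("unchecked payload length: %u (0x%08x)\n", wrapped, wrapped);
    std::printf("guarded write of that length rejected: %s\n",
                wrapped_write_is_rejected() ? "yes" : "no");
    return 0;
}
```

Running it stand-alone prints the same 4294967288 that appears in the sanitizer report. The design point is that the guard belongs in both places: reject the wrapped length where it is computed (checked_payload_len), and also make the stream refuse any write whose 64-bit end offset exceeds a cap, so a bad length that slips past one parser cannot turn into a multi-gigabyte memcpy in another.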