Heap-buffer-overflow in Bento4/Source/C++/System/StdC/Ap4StdCFileByteStream.cpp:341
Environment:
Distributor ID: Ubuntu
Description: Ubuntu 24.04.1 LTS
Release: 24.04
Compiler:
Ubuntu clang version 14.0.6
Target: x86_64-pc-linux-gnu
Thread model: posix
Compiling:
mkdir build && cd build
cmake -DCMAKE_CXX_FLAGS_RELEASE="-fsanitize=address -fsanitize=undefined -fno-omit-frame-pointer -g" ..
make
Version:
commit 3bdc891
PoC file:
Unzip the attached archive to obtain the PoC input file.
Behavior:
./mp42hevc poc/bento4_003.poc /dev/null
Output:
=================================================================
==951472==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000091 at pc 0x563a50d3b232 bp 0x7fff885461f0 sp 0x7fff885459c0
WRITE of size 10293 at 0x602000000091 thread T0
#0 0x563a50d3b231 in __interceptor_fread (/home/exp/bin/asan_ubsan/mp42hevc+0x24f231) (BuildId: 72913d137b17319d7173795b406f1ca606be691a)
#1 0x563a50f312b1 in AP4_StdcFileByteStream::ReadPartial(void*, unsigned int, unsigned int&) /home/exp/src/bento4/Bento4/Source/C++/System/StdC/Ap4StdCFileByteStream.cpp:341:14
#2 0x563a50debac7 in AP4_ByteStream::Read(void*, unsigned int) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4ByteStream.cpp:54:29
#3 0x563a50f25f36 in AP4_MetaDataStringAtom::AP4_MetaDataStringAtom(unsigned int, unsigned int, AP4_ByteStream&) /home/exp/src/bento4/Bento4/Source/C++/MetaData/Ap4MetaData.cpp:1637:12
#4 0x563a50f09165 in AP4_MetaDataAtomTypeHandler::CreateAtom(unsigned int, unsigned int, AP4_ByteStream&, unsigned int, AP4_Atom*&) /home/exp/src/bento4/Bento4/Source/C++/MetaData/Ap4MetaData.cpp:428:24
#5 0x563a50f6e7e6 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:844:21
#6 0x563a50f63576 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
#7 0x563a51000adc in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:196:12
#8 0x563a51000617 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:140:5
#9 0x563a50fff856 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
#10 0x563a50f08cc7 in AP4_MetaDataAtomTypeHandler::CreateAtom(unsigned int, unsigned int, AP4_ByteStream&, unsigned int, AP4_Atom*&) /home/exp/src/bento4/Bento4/Source/C++/MetaData/Ap4MetaData.cpp:419:20
#11 0x563a50f6e7e6 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:844:21
#12 0x563a50f63576 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
#13 0x563a51000adc in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:196:12
#14 0x563a51000617 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:140:5
#15 0x563a50fff856 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
#16 0x563a50f6df66 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816:20
#17 0x563a50f63576 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
#18 0x563a51000adc in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:196:12
#19 0x563a5100152e in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, unsigned char, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:156:5
#20 0x563a50fff6d9 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:86:20
#21 0x563a50f6e308 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:830:20
#22 0x563a50f63576 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
#23 0x563a51000adc in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:196:12
#24 0x563a51000617 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:140:5
#25 0x563a50e1deb6 in AP4_MoovAtom::AP4_MoovAtom(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4MoovAtom.cpp:79:5
#26 0x563a50f710ad in AP4_MoovAtom::Create(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4MoovAtom.h:56:20
#27 0x563a50f67407 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:393:20
#28 0x563a50f63576 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
#29 0x563a50f61e75 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:154:12
#30 0x563a50e0092c in AP4_File::ParseStream(AP4_ByteStream&, AP4_AtomFactory&, bool) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4File.cpp:104:12
#31 0x563a50e01819 in AP4_File::AP4_File(AP4_ByteStream&, bool) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4File.cpp:78:5
#32 0x563a50de1e53 in main /home/exp/src/bento4/Bento4/Source/C++/Apps/Mp42Hevc/Mp42Hevc.cpp:374:32
#33 0x7f026fa2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#34 0x7f026fa2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
#35 0x563a50d1f514 in _start (/home/exp/bin/asan_ubsan/mp42hevc+0x233514) (BuildId: 72913d137b17319d7173795b406f1ca606be691a)
0x602000000091 is located 0 bytes to the right of 1-byte region [0x602000000090,0x602000000091)
allocated by thread T0 here:
#0 0x563a50ddf051 in operator new[](unsigned long) (/home/exp/bin/asan_ubsan/mp42hevc+0x2f3051) (BuildId: 72913d137b17319d7173795b406f1ca606be691a)
#1 0x563a50e9b145 in AP4_String::AP4_String(unsigned int) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4String.cpp:85:15
#2 0x563a50f25b11 in AP4_MetaDataStringAtom::AP4_MetaDataStringAtom(unsigned int, unsigned int, AP4_ByteStream&) /home/exp/src/bento4/Bento4/Source/C++/MetaData/Ap4MetaData.cpp:1634:5
#3 0x563a50f09165 in AP4_MetaDataAtomTypeHandler::CreateAtom(unsigned int, unsigned int, AP4_ByteStream&, unsigned int, AP4_Atom*&) /home/exp/src/bento4/Bento4/Source/C++/MetaData/Ap4MetaData.cpp:428:24
#4 0x563a50f6e7e6 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:844:21
#5 0x563a50f63576 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
#6 0x563a51000adc in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:196:12
#7 0x563a51000617 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:140:5
#8 0x563a50fff856 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
#9 0x563a50f08cc7 in AP4_MetaDataAtomTypeHandler::CreateAtom(unsigned int, unsigned int, AP4_ByteStream&, unsigned int, AP4_Atom*&) /home/exp/src/bento4/Bento4/Source/C++/MetaData/Ap4MetaData.cpp:419:20
#10 0x563a50f6e7e6 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:844:21
#11 0x563a50f63576 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
#12 0x563a51000adc in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:196:12
#13 0x563a51000617 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:140:5
#14 0x563a50fff856 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
#15 0x563a50f6df66 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816:20
#16 0x563a50f63576 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
#17 0x563a51000adc in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:196:12
#18 0x563a5100152e in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, unsigned char, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:156:5
#19 0x563a50fff6d9 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:86:20
#20 0x563a50f6e308 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:830:20
#21 0x563a50f63576 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
#22 0x563a51000adc in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:196:12
#23 0x563a51000617 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:140:5
#24 0x563a50e1deb6 in AP4_MoovAtom::AP4_MoovAtom(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4MoovAtom.cpp:79:5
#25 0x563a50f710ad in AP4_MoovAtom::Create(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4MoovAtom.h:56:20
#26 0x563a50f67407 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:393:20
#27 0x563a50f63576 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
#28 0x563a50f61e75 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:154:12
#29 0x563a50e0092c in AP4_File::ParseStream(AP4_ByteStream&, AP4_AtomFactory&, bool) /home/exp/src/bento4/Bento4/Source/C++/Core/Ap4File.cpp:104:12
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/exp/bin/asan_ubsan/mp42hevc+0x24f231) (BuildId: 72913d137b17319d7173795b406f1ca606be691a) in __interceptor_fread
Shadow bytes around the buggy address:
0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff8000: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
=>0x0c047fff8010: fa fa[01]fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==951472==ABORTING