
#1135 Heap-buffer-overflow (out-of-bounds read) in File_Mpeg4::meta_iprp_ipco_ispe() (File_Mpeg4_Elements.cpp) when parsing MPEG-4 files

Crash
open
nobody
None
5
2020-10-06
2020-10-06
casperslei
No

Result: AddressSanitizer report produced by opening the attached PoC with an ASan-instrumented MediaInfo CLI build (the `fuzztest` frame in CLI_Main.cpp is the fuzzing harness, not library code). The fault is an 8-byte out-of-bounds READ located 8 bytes past the end of a 72-byte heap region that was allocated by `std::vector<std::vector<unsigned int>>::_M_default_append` — on this 64-bit libstdc++ build that is three 24-byte inner vectors, so the access is consistent with reading `.size()` of element index 3 of a 3-element outer vector (one past the end). The read happens in `File_Mpeg4::meta_iprp_ipco_ispe()` at File_Mpeg4_Elements.cpp:2423, reached through `meta_iprp_ipma()` (frame #7), which suggests the offending index comes from the property-association data in the file rather than being computed internally; a bounds check of that index against the outer vector's size before the access at line 2423 is the place to look for a fix (confirm against the source). Note this is a spatial over-read, not a write; the immediate impact is a crash, and anything further depends on how the out-of-bounds value is used afterwards.

=================================================================
==89833==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x607000027600 at pc 0x0000010e5f84 bp 0x7ffdb14afa30 sp 0x7ffdb14afa28
READ of size 8 at 0x607000027600 thread T0
    #0 0x10e5f83 in std::vector<unsigned int, std::allocator<unsigned int> >::size() const /usr/lib/gcc/x86_64-linux-gnu/7.4.0/../../../../include/c++/7.4.0/bits/stl_vector.h:671:40
    #1 0x10e5f83 in MediaInfoLib::File_Mpeg4::meta_iprp_ipco_ispe() /home/casper/targets/struct/mediainfo/aflllvm/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/Multiple/File_Mpeg4_Elements.cpp:2423:5
    #2 0x10b3106 in MediaInfoLib::File_Mpeg4::Data_Parse() /home/casper/targets/struct/mediainfo/aflllvm/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/Multiple/File_Mpeg4_Elements.cpp:1005:17
    #3 0x1b1a27e in MediaInfoLib::File__Analyze::Data_Manage() /home/casper/targets/struct/mediainfo/aflllvm/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/File__Analyze.cpp:2389:9
    #4 0x1b0e4ad in MediaInfoLib::File__Analyze::Buffer_Parse() /home/casper/targets/struct/mediainfo/aflllvm/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/File__Analyze.cpp:1540:10
    #5 0x1b03c45 in MediaInfoLib::File__Analyze::Open_Buffer_Continue_Loop() /home/casper/targets/struct/mediainfo/aflllvm/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/File__Analyze.cpp:1107:14
    #6 0x1afec2e in MediaInfoLib::File__Analyze::Open_Buffer_Continue(unsigned char const*, unsigned long) /home/casper/targets/struct/mediainfo/aflllvm/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/File__Analyze.cpp:719:16
    #7 0x10ee918 in MediaInfoLib::File_Mpeg4::meta_iprp_ipma() /home/casper/targets/struct/mediainfo/aflllvm/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/Multiple/File_Mpeg4_Elements.cpp:2553:9
    #8 0x10b030c in MediaInfoLib::File_Mpeg4::Data_Parse() /home/casper/targets/struct/mediainfo/aflllvm/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/Multiple/File_Mpeg4_Elements.cpp:1013:13
    #9 0x1b1a27e in MediaInfoLib::File__Analyze::Data_Manage() /home/casper/targets/struct/mediainfo/aflllvm/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/File__Analyze.cpp:2389:9
    #10 0x1b0e4ad in MediaInfoLib::File__Analyze::Buffer_Parse() /home/casper/targets/struct/mediainfo/aflllvm/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/File__Analyze.cpp:1540:10
    #11 0x1b03c45 in MediaInfoLib::File__Analyze::Open_Buffer_Continue_Loop() /home/casper/targets/struct/mediainfo/aflllvm/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/File__Analyze.cpp:1107:14
    #12 0x1afec2e in MediaInfoLib::File__Analyze::Open_Buffer_Continue(unsigned char const*, unsigned long) /home/casper/targets/struct/mediainfo/aflllvm/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/File__Analyze.cpp:719:16
    #13 0x6b8bbb in MediaInfoLib::MediaInfo_Internal::Open_Buffer_Continue(unsigned char const*, unsigned long) /home/casper/targets/struct/mediainfo/aflllvm/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/MediaInfo_Internal.cpp:1375:11
    #14 0x1747173 in MediaInfoLib::Reader_File::Format_Test_PerParser_Continue(MediaInfoLib::MediaInfo_Internal*) /home/casper/targets/struct/mediainfo/aflllvm/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/Reader/Reader_File.cpp:759:24
    #15 0x17423d3 in MediaInfoLib::Reader_File::Format_Test_PerParser(MediaInfoLib::MediaInfo_Internal*, std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > const&) /home/casper/targets/struct/mediainfo/aflllvm/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/Reader/Reader_File.cpp:313:12
    #16 0x5c6ad6 in MediaInfoLib::MediaInfo_Internal::ListFormats(std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > const&) /home/casper/targets/struct/mediainfo/aflllvm/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/MediaInfo_File.cpp:863:86
    #17 0x173f2ef in MediaInfoLib::Reader_File::Format_Test(MediaInfoLib::MediaInfo_Internal*, std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> >) /home/casper/targets/struct/mediainfo/aflllvm/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/Reader/Reader_File.cpp:230:25
    #18 0x683427 in MediaInfoLib::MediaInfo_Internal::Entry() /home/casper/targets/struct/mediainfo/aflllvm/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/MediaInfo_Internal.cpp:1121:29
    #19 0x6562f6 in MediaInfoLib::MediaInfo_Internal::Open(std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > const&) /home/casper/targets/struct/mediainfo/aflllvm/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/MediaInfo_Internal.cpp:877:9
    #20 0x702f03 in MediaInfoLib::MediaInfoList_Internal::Entry() /home/casper/targets/struct/mediainfo/aflllvm/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/MediaInfoList_Internal.cpp:215:17
    #21 0x6fefe4 in MediaInfoLib::MediaInfoList_Internal::Open(std::__cxx11::basic_string<wchar_t, std::char_traits<wchar_t>, std::allocator<wchar_t> > const&, MediaInfoLib::fileoptions_t) /home/casper/targets/struct/mediainfo/aflllvm/MediaInfoLib/Project/GNU/Library/../../../Source/MediaInfo/MediaInfoList_Internal.cpp:151:9
    #22 0x4fd13d in fuzztest(int, char**) /home/casper/targets/struct/mediainfo/aflllvm/MediaInfo/Project/GNU/CLI/../../../Source/CLI/CLI_Main.cpp:154:25
    #23 0x4fec3f in main /home/casper/targets/struct/mediainfo/aflllvm/MediaInfo/Project/GNU/CLI/../../../Source/CLI/CLI_Main.cpp:170:9
    #24 0x7f1ed871cb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #25 0x426469 in _start (/home/casper/targets/struct/mediainfo/aflllvm/fuzzrun/mediainfodbg+0x426469)

0x607000027600 is located 8 bytes to the right of 72-byte region [0x6070000275b0,0x6070000275f8)
allocated by thread T0 here:
    #0 0x4f7278 in operator new(unsigned long) /home/casper/fuzz/fuzzdeps/llvm-9.0.0.src/projects/compiler-rt/lib/asan/asan_new_delete.cc:99
    #1 0x121f842 in __gnu_cxx::new_allocator<std::vector<unsigned int, std::allocator<unsigned int> > >::allocate(unsigned long, void const*) /usr/lib/gcc/x86_64-linux-gnu/7.4.0/../../../../include/c++/7.4.0/ext/new_allocator.h:111:27
    #2 0x121f842 in std::allocator_traits<std::allocator<std::vector<unsigned int, std::allocator<unsigned int> > > >::allocate(std::allocator<std::vector<unsigned int, std::allocator<unsigned int> > >&, unsigned long) /usr/lib/gcc/x86_64-linux-gnu/7.4.0/../../../../include/c++/7.4.0/bits/alloc_traits.h:436:20
    #3 0x121f842 in std::_Vector_base<std::vector<unsigned int, std::allocator<unsigned int> >, std::allocator<std::vector<unsigned int, std::allocator<unsigned int> > > >::_M_allocate(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/7.4.0/../../../../include/c++/7.4.0/bits/stl_vector.h:172:20
    #4 0x121f842 in std::vector<std::vector<unsigned int, std::allocator<unsigned int> >, std::allocator<std::vector<unsigned int, std::allocator<unsigned int> > > >::_M_default_append(unsigned long) /usr/lib/gcc/x86_64-linux-gnu/7.4.0/../../../../include/c++/7.4.0/bits/vector.tcc:571:34

SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/lib/gcc/x86_64-linux-gnu/7.4.0/../../../../include/c++/7.4.0/bits/stl_vector.h:671:40 in std::vector<unsigned int, std::allocator<unsigned int> >::size() const
Shadow bytes around the buggy address:
  0x0c0e7fffce70: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fd fd
  0x0c0e7fffce80: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x0c0e7fffce90: fd fd fd fd fd fd fa fa fa fa fd fd fd fd fd fd
  0x0c0e7fffcea0: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0e7fffceb0: fd fa fa fa fa fa 00 00 00 00 00 00 00 00 00 fa
=>0x0c0e7fffcec0:[fa]fa fa fa fd fd fd fd fd fd fd fd fd fd fa fa
  0x0c0e7fffced0: fa fa fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0e7fffcee0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fd fd
  0x0c0e7fffcef0: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
  0x0c0e7fffcf00: fd fd fd fd fd fd fa fa fa fa fd fd fd fd fd fd
  0x0c0e7fffcf10: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==89833==ABORTING
Attachment: poc (the crashing input file)

Discussion


