[security] Ap4SgpdAtom.cpp:108 OOM in AP4_SgpdAtom::AP4_SgpdAtom #1042

@sigdevel

Description:

When mp4info parses a crafted sgpd (Sample Group Description) atom, the constructor AP4_SgpdAtom::AP4_SgpdAtom probably computes/accepts an invalid description length (e.g., 0xFFFFFFFC, i.e., -4 in 32-bit) and forwards it to a data buffer without proper bounds checking. This leads to a giant allocation request and an immediate abort under ASan (or std::bad_alloc / OOM in non-sanitized builds).
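A bounds-checked sgpd payload parser, as an added example that is not Bento4's code, showing the check the report describes as missing: each entry's declared length is compared against the bytes remaining in the atom before anything is allocated. The version-1 layout (grouping_type, default_length, entry_count, per-entry length when default_length is 0) is assumed from ISO/IEC 14496-12; `ParseGoodSample` and `ParseCraftedSample` parse constructed byte strings, the second carrying the 0xFFFFFFFC length from the report.

```cpp
#include <cstdint>
#include <cstddef>
#include <optional>
#include <vector>

using Descs = std::vector<std::vector<uint8_t>>;

// Minimal big-endian reader over an atom payload; every read is bounds-checked.
struct Reader {
    const uint8_t* p; size_t n; size_t pos = 0;
    size_t remaining() const { return n - pos; }
    bool u32(uint32_t& v) {
        if (remaining() < 4) return false;
        v = (uint32_t)p[pos] << 24 | (uint32_t)p[pos + 1] << 16 |
            (uint32_t)p[pos + 2] << 8 | p[pos + 3];
        pos += 4; return true;
    }
};

// Parse an sgpd payload (version-1 layout assumed): version/flags, grouping_type,
// default_length, entry_count, then entries whose length is default_length or,
// when that is 0, a per-entry u32. Returns nullopt on any malformed length.
std::optional<Descs> ParseSgpd(const uint8_t* data, size_t size) {
    Reader r{data, size};
    uint32_t version_flags, grouping_type, default_length, entry_count;
    if (!r.u32(version_flags) || !r.u32(grouping_type)) return std::nullopt;
    if ((version_flags >> 24) != 1) return std::nullopt;  // only version 1 here
    if (!r.u32(default_length) || !r.u32(entry_count)) return std::nullopt;
    Descs out;
    for (uint32_t i = 0; i < entry_count; i++) {
        uint32_t len = default_length;
        if (len == 0 && !r.u32(len)) return std::nullopt;
        // The missing check: a declared length must fit in the bytes actually
        // left, so 0xFFFFFFFC is rejected before it ever reaches new[].
        if (len > r.remaining()) return std::nullopt;
        out.emplace_back(data + r.pos, data + r.pos + len);
        r.pos += len;
    }
    return out;
}

// Constructed sample: version 1, 'roll', default_length 0, two entries (2 and 1 bytes).
std::optional<Descs> ParseGoodSample() {
    static const uint8_t s[] = {1,0,0,0, 'r','o','l','l', 0,0,0,0, 0,0,0,2,
                                0,0,0,2, 0xAA,0xBB, 0,0,0,1, 0xCC};
    return ParseSgpd(s, sizeof s);
}

// Constructed sample: one entry declaring length 0xFFFFFFFC with 2 bytes left.
std::optional<Descs> ParseCraftedSample() {
    static const uint8_t s[] = {1,0,0,0, 'r','o','l','l', 0,0,0,0, 0,0,0,1,
                                0xFF,0xFF,0xFF,0xFC, 0xAA,0xBB};
    return ParseSgpd(s, sizeof s);
}
```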

To Reproduce:

Steps to reproduce the behavior:

./mp4info ./4_bento4_mp4info_sgpd_AP4_SgpdAtom_cpp_108

Output:

asan-build:

=================================================================
==2522959==ERROR: AddressSanitizer: out of memory: allocator is trying to allocate 0xfffffffc bytes
    #0 0x7f27bdef58d8 in operator new[](unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:98                                             
    #1 0x555fe55a526c in AP4_DataBuffer::ReallocateBuffer(unsigned int) /media/user/8ed8205b-4114-4c2a-b2d0-e2ad6640262d/bento4/runtime/bento4_asan/Source/C++/Core/Ap4DataBuffer.cpp:210
    #2 0x555fe55a4f77 in AP4_DataBuffer::SetDataSize(unsigned int) /media/user/8ed8205b-4114-4c2a-b2d0-e2ad6640262d/bento4/runtime/bento4_asan/Source/C++/Core/Ap4DataBuffer.cpp:151
    #3 0x555fe560f700 in AP4_SgpdAtom::AP4_SgpdAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&) /media/user/8ed8205b-4114-4c2a-b2d0-e2ad6640262d/bento4/runtime/bento4_asan/Source/C++/Core/Ap4SgpdAtom.cpp:108
    #4 0x555fe560f08e in AP4_SgpdAtom::Create(unsigned int, AP4_ByteStream&) /media/user/8ed8205b-4114-4c2a-b2d0-e2ad6640262d/bento4/runtime/bento4_asan/Source/C++/Core/Ap4SgpdAtom.cpp:54
    #5 0x555fe5581b73 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /media/user/8ed8205b-4114-4c2a-b2d0-e2ad6640262d/bento4/runtime/bento4_asan/Source/C++/Core/Ap4AtomFactory.cpp:749
    #6 0x555fe557df78 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /media/user/8ed8205b-4114-4c2a-b2d0-e2ad6640262d/bento4/runtime/bento4_asan/Source/C++/Core/Ap4AtomFactory.cpp:234
    #7 0x555fe55909ae in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /media/user/8ed8205b-4114-4c2a-b2d0-e2ad6640262d/bento4/runtime/bento4_asan/Source/C++/Core/Ap4ContainerAtom.cpp:196
    #8 0x555fe5590317 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /media/user/8ed8205b-4114-4c2a-b2d0-e2ad6640262d/bento4/runtime/bento4_asan/Source/C++/Core/Ap4ContainerAtom.cpp:140
    #9 0x555fe558fe8f in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /media/user/8ed8205b-4114-4c2a-b2d0-e2ad6640262d/bento4/runtime/bento4_asan/Source/C++/Core/Ap4ContainerAtom.cpp:88
    #10 0x555fe5581efd in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /media/user/8ed8205b-4114-4c2a-b2d0-e2ad6640262d/bento4/runtime/bento4_asan/Source/C++/Core/Ap4AtomFactory.cpp:816
    #11 0x555fe557df78 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /media/user/8ed8205b-4114-4c2a-b2d0-e2ad6640262d/bento4/runtime/bento4_asan/Source/C++/Core/Ap4AtomFactory.cpp:234
    #12 0x555fe55909ae in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /media/user/8ed8205b-4114-4c2a-b2d0-e2ad6640262d/bento4/runtime/bento4_asan/Source/C++/Core/Ap4ContainerAtom.cpp:196
    #13 0x555fe5590317 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /media/user/8ed8205b-4114-4c2a-b2d0-e2ad6640262d/bento4/runtime/bento4_asan/Source/C++/Core/Ap4ContainerAtom.cpp:140
    #14 0x555fe558fe8f in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /media/user/8ed8205b-4114-4c2a-b2d0-e2ad6640262d/bento4/runtime/bento4_asan/Source/C++/Core/Ap4ContainerAtom.cpp:88
    #15 0x555fe5581efd in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /media/user/8ed8205b-4114-4c2a-b2d0-e2ad6640262d/bento4/runtime/bento4_asan/Source/C++/Core/Ap4AtomFactory.cpp:816
    #16 0x555fe557df78 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /media/user/8ed8205b-4114-4c2a-b2d0-e2ad6640262d/bento4/runtime/bento4_asan/Source/C++/Core/Ap4AtomFactory.cpp:234
    #17 0x555fe55909ae in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /media/user/8ed8205b-4114-4c2a-b2d0-e2ad6640262d/bento4/runtime/bento4_asan/Source/C++/Core/Ap4ContainerAtom.cpp:196
    #18 0x555fe5590317 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /media/user/8ed8205b-4114-4c2a-b2d0-e2ad6640262d/bento4/runtime/bento4_asan/Source/C++/Core/Ap4ContainerAtom.cpp:140
    #19 0x555fe558fe8f in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /media/user/8ed8205b-4114-4c2a-b2d0-e2ad6640262d/bento4/runtime/bento4_asan/Source/C++/Core/Ap4ContainerAtom.cpp:88
    #20 0x555fe5581efd in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /media/user/8ed8205b-4114-4c2a-b2d0-e2ad6640262d/bento4/runtime/bento4_asan/Source/C++/Core/Ap4AtomFactory.cpp:816
    #21 0x555fe557df78 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /media/user/8ed8205b-4114-4c2a-b2d0-e2ad6640262d/bento4/runtime/bento4_asan/Source/C++/Core/Ap4AtomFactory.cpp:234
    #22 0x555fe55909ae in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /media/user/8ed8205b-4114-4c2a-b2d0-e2ad6640262d/bento4/runtime/bento4_asan/Source/C++/Core/Ap4ContainerAtom.cpp:196
    #23 0x555fe5590317 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /media/user/8ed8205b-4114-4c2a-b2d0-e2ad6640262d/bento4/runtime/bento4_asan/Source/C++/Core/Ap4ContainerAtom.cpp:140
    #24 0x555fe562e022 in AP4_TrakAtom::AP4_TrakAtom(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /media/user/8ed8205b-4114-4c2a-b2d0-e2ad6640262d/bento4/runtime/bento4_asan/Source/C++/Core/Ap4TrakAtom.cpp:165
    #25 0x555fe5582f74 in AP4_TrakAtom::Create(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) (/media/user/8ed8205b-4114-4c2a-b2d0-e2ad6640262d/bento4/runtime/bento4_asan/build-asan/mp4info+0x358f74) (BuildId: c6ef45bfb4781b1d914f8529c6654c5953559193)
    #26 0x555fe55801a4 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /media/user/8ed8205b-4114-4c2a-b2d0-e2ad6640262d/bento4/runtime/bento4_asan/Source/C++/Core/Ap4AtomFactory.cpp:413
    #27 0x555fe557df78 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /media/user/8ed8205b-4114-4c2a-b2d0-e2ad6640262d/bento4/runtime/bento4_asan/Source/C++/Core/Ap4AtomFactory.cpp:234
    #28 0x555fe55909ae in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /media/user/8ed8205b-4114-4c2a-b2d0-e2ad6640262d/bento4/runtime/bento4_asan/Source/C++/Core/Ap4ContainerAtom.cpp:196
    #29 0x555fe5590317 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /media/user/8ed8205b-4114-4c2a-b2d0-e2ad6640262d/bento4/runtime/bento4_asan/Source/C++/Core/Ap4ContainerAtom.cpp:140

==2522959==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: out-of-memory ../../../../src/libsanitizer/asan/asan_new_delete.cpp:98 in operator new[](unsigned long)
==2522959==ABORTING

Environment

OS: tested on 6.12.25-1kali1 (2025-04-30) x86_64 GNU/Linux ;
Compiler version: GCC 14.2.0-19 ;
Build-opts: `CC="gcc -fsanitize=address -g" CXX="g++ -fsanitize=address -g"` ;
CPU type: x86_64 ;
Bento4 - commit hash becafe8a77302ca930e98028ddefe9e186ec21dd ;
MP4 File Info - Version 1.3.4 (Bento4 Version 1.6.0.0) ;

Additional context

link to the sample (github-url):

4_bento4_mp4info_sgpd_AP4_SgpdAtom_cpp_108
