CVE-2022-40885: CVE/CVE-2022-40885.md at main · yangfar/CVE

Bento4 v1.6.0-639 has a memory allocation issue that can cause denial of service.

Tags: #dos #c++

CVE-2022-40885

Out of memory in Ap4DataBuffer: new AP4_Byte[buffer_size]

Hello, I used the fuzzer (AFL) to fuzz the binary mp42avc and got some crashes which show that the allocator is out of memory trying to allocate 0xXXXXXXXX bytes when the method new is called.

There are two functions in which the crashes occur.

The following are the details.

Bug 1

./mp42avc ~/out/crashes/id:000017,sig:06,src:000925+000617,op:splice,rep:128 3.avc

=================================================================
==4126303==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0xc4b26d23 bytes
    #0 0x549287 in operator new[](unsigned long) (/root/Bento4/cmakebuild/mp42avc+0x549287)
    #1 0x558418 in AP4_DataBuffer::AP4_DataBuffer(unsigned int) /root/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:55:16
    #2 0x5ec12a in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:513:20
    #3 0x5e7b66 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
    #4 0x6563c0 in AP4_DrefAtom::AP4_DrefAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4DrefAtom.cpp:84:16
    #5 0x6559d7 in AP4_DrefAtom::Create(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4DrefAtom.cpp:50:16
    #6 0x5ec3a5 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:580:20
    #7 0x5e7b66 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
    #8 0x62e6b0 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
    #9 0x62e48b in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139:5

==4126303==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: out-of-memory (/root/Bento4/cmakebuild/mp42avc+0x549287) in operator new[](unsigned long)
==4126303==ABORTING

Bug 2

[root@iZ8vb29flmohv2ga6wdtfbZ cmakebuild]# ./mp42avc ~/out/crashes/id:000018,sig:06,src:000606,op:havoc,rep:4 3.avc

=================================================================
==4126299==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0x7d727b02 bytes
    #0 0x549287 in operator new[](unsigned long) (/root/Bento4/cmakebuild/mp42avc+0x549287)
    #1 0x6637c0 in AP4_HdlrAtom::AP4_HdlrAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&) /root/Bento4/Source/C++/Core/Ap4HdlrAtom.cpp:88:18

==4126299==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: out-of-memory (/root/Bento4/cmakebuild/mp42avc+0x549287) in operator new[](unsigned long)
==4126299==ABORTING

Ap4HdlrAtom.cpp:88 and Ap4HdlrAtom.cpp will call new[Big size] and then crash.

Bug 3

./AFL/afl-fuzz -i ./seed2/ -o ./out3 -d -m none ./Bento4/cmakebuild/aac2mp4 @@ 3.mp4

After testing, the above problems also occur in the aac2mp4 function.

The following are the details.

[root@iZ8vb29flmohv2ga6wdtfbZ cmakebuild]# ./aac2mp4 ~/out3/crashes/id:000008,sig:06,src:000074,op:havoc,rep:4 3.mp4

AAC frame [000000]: size = -7, 96000 kHz, 0 ch

=================================================================
==3788615==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0xfffffff9 bytes
    #0 0x54a287 in operator new[](unsigned long) (/root/Bento4/cmakebuild/aac2mp4+0x54a287)
    #1 0x55b578 in AP4_DataBuffer::AP4_DataBuffer(unsigned int) /root/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:55:16

==3788615==HINT: if you don't care about these errors you may set allocator_may_return_null=1
SUMMARY: AddressSanitizer: out-of-memory (/root/Bento4/cmakebuild/aac2mp4+0x54a287) in operator new[](unsigned long)
==3788615==ABORTING

Input: input.zip

Crashes: crashes.zip
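All three traces end in operator new[] being asked for a size that came straight out of the fuzzed input, and the aac2mp4 case shows the classic form of it: a frame size of -7 becomes a 0xfffffff9-byte request once it is treated as unsigned. The block below is an added illustration written for this page, not Bento4's own source; it models an atom as a simplified 8-byte header (big-endian size covering the header, then a 4-byte type), and the names `UnsafeRequestedAllocation`, `ReadAtomPayloadChecked`, `MakeAtom` and the `kMaxPayloadBytes` ceiling are assumptions. It contrasts the unchecked size computation with a reader that validates the declared size against the bytes actually present and against an allocation ceiling before any buffer is sized, and reproduces the -7 wraparound on constructed input.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Simplified model of an ISO-BMFF atom header: 4-byte big-endian size (which counts the
// header itself) followed by a 4-byte type. Names and limits here are assumptions made for
// this example; they are not Bento4's API.
constexpr size_t kAtomHeaderSize = 8;
// Per-atom allocation ceiling chosen for this example. A real parser picks a limit that fits
// its inputs; the point is that some bound exists before memory is requested.
constexpr uint32_t kMaxPayloadBytes = 64u * 1024u * 1024u;

static uint32_t ReadBE32(const uint8_t* p) {
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) |
           (uint32_t(p[2]) << 8)  |  uint32_t(p[3]);
}

// The unsafe pattern behind the reports: the declared size is trusted and turned directly into
// an allocation request. This helper only computes the size that new[] would be asked for, so
// the demo itself never tries to allocate gigabytes.
uint32_t UnsafeRequestedAllocation(const std::vector<uint8_t>& atom) {
    if (atom.size() < kAtomHeaderSize) return 0;
    uint32_t declared = ReadBE32(atom.data());
    // Unsigned subtraction: a declared size smaller than the header wraps to ~4 GiB, the same
    // mechanism that turns "size = -7" into a 0xfffffff9-byte request.
    return declared - static_cast<uint32_t>(kAtomHeaderSize);
}

struct AtomReadResult {
    bool ok;
    std::string error;           // empty when ok
    std::vector<uint8_t> payload;
};

// Hardened reader: every bound is checked before any buffer is sized from input.
AtomReadResult ReadAtomPayloadChecked(const std::vector<uint8_t>& atom) {
    if (atom.size() < kAtomHeaderSize)
        return {false, "truncated header", {}};
    uint32_t declared = ReadBE32(atom.data());
    if (declared < kAtomHeaderSize)
        return {false, "declared size smaller than header (would wrap)", {}};
    uint32_t payload = declared - static_cast<uint32_t>(kAtomHeaderSize);
    if (payload > kMaxPayloadBytes)
        return {false, "declared size exceeds allocation ceiling", {}};
    size_t available = atom.size() - kAtomHeaderSize;
    if (payload > available)
        return {false, "declared size exceeds bytes actually present", {}};
    // Only now is it safe to size a buffer from the untrusted length field.
    return {true, "", std::vector<uint8_t>(atom.begin() + kAtomHeaderSize,
                                            atom.begin() + kAtomHeaderSize + payload)};
}

// Builds a constructed sample atom (not taken from the report's input.zip): an arbitrary
// declared size, a type, and however many real payload bytes we choose to put behind it.
std::vector<uint8_t> MakeAtom(uint32_t declaredSize, const char type[4], size_t realPayloadLen) {
    std::vector<uint8_t> a = {uint8_t(declaredSize >> 24), uint8_t(declaredSize >> 16),
                              uint8_t(declaredSize >> 8),  uint8_t(declaredSize)};
    a.insert(a.end(), type, type + 4);
    a.insert(a.end(), realPayloadLen, static_cast<uint8_t>(0xAB));
    return a;
}

int main() {
    // 1) well-formed: declared 16 bytes, 8 payload bytes really present
    auto good = MakeAtom(16, "free", 8);
    // 2) the Bug 1 shape: declared size 0xc4b26d23 with only 8 payload bytes behind it
    auto huge = MakeAtom(0xc4b26d23u, "dref", 8);
    // 3) declared size below the header length: unsigned wrap to 0xfffffff9, as in Bug 3
    auto wrap = MakeAtom(1, "hdlr", 8);
    for (auto* a : {&good, &huge, &wrap}) {
        auto r = ReadAtomPayloadChecked(*a);
        std::cout << "unsafe path would request " << UnsafeRequestedAllocation(*a)
                  << " bytes; checked reader: "
                  << (r.ok ? "ok, " + std::to_string(r.payload.size()) + " bytes" : r.error)
                  << '\n';
    }
    return 0;
}
```

The order of the checks matters: the wraparound test must come before the subtraction, and the ceiling test before anything that depends on the declared length, so that no arithmetic on the untrusted field feeds an allocation until it has been shown to be sane.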
