Headline
CVE-2022-3817: Some Memory leaks exist in mp4xx · Issue #792 · axiomatic-systems/Bento4
A vulnerability has been found in Axiomatic Bento4 and classified as problematic. Affected by this vulnerability is an unknown functionality of the component mp4mux. The manipulation leads to memory leak. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-212683.
****Summary****
Hi, developers of Bento4,
I tested the binary of bento4 with my fuzzer, and some memory-leak crashes incurred. Among them, Bug3-5 may be different from #771. The operation system is Ubuntu 18.04.6 LTS (docker), these crashes with the following.
****Bug1****
Detected memory leaks in mp4encrypt, the bug may be different from #766.
root@q10s3kl5mn:/fuzz-mp4encrypt/mp4encrypt# ./mp4encrypt --method OMA-PDCF-CBC POC_mp4encrypt_631000973 /dev/null
WARNING: track ID 3 will not be encrypted
WARNING: track ID 4 will not be encrypted
WARNING: track ID 1 will not be encrypted
WARNING: track ID 2 will not be encrypted
WARNING: atom serialized to fewer bytes than declared size
WARNING: atom serialized to fewer bytes than declared size
=================================================================
==586357==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 144 byte(s) in 2 object(s) allocated from:
#0 0x9a1c90 in malloc /llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
#1 0x7f40270a9297 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x93297)
#2 0x556c32 in AP4_EsdsAtom::Create(unsigned int, AP4_ByteStream&) (/fuzz-mp4encrypt/mp4encrypt/mp4encrypt+0x556c32)
#3 0x43aae6 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/fuzz-mp4encrypt/mp4encrypt/mp4encrypt+0x43aae6)
#4 0x449406 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/fuzz-mp4encrypt/mp4encrypt/mp4encrypt+0x449406)
#5 0x51be85 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/fuzz-mp4encrypt/mp4encrypt/mp4encrypt+0x51be85)
#6 0x42e842 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/fuzz-mp4encrypt/mp4encrypt/mp4encrypt+0x42e842)
#7 0x449406 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/fuzz-mp4encrypt/mp4encrypt/mp4encrypt+0x449406)
#8 0x722218 in AP4_StsdAtom::AP4_StsdAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) (/fuzz-mp4encrypt/mp4encrypt/mp4encrypt+0x722218)
#9 0x7215b2 in AP4_StsdAtom::Create(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) (/fuzz-mp4encrypt/mp4encrypt/mp4encrypt+0x7215b2)
#10 0x439d76 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/fuzz-mp4encrypt/mp4encrypt/mp4encrypt+0x439d76)
#11 0x449406 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/fuzz-mp4encrypt/mp4encrypt/mp4encrypt+0x449406)
#12 0x51be85 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/fuzz-mp4encrypt/mp4encrypt/mp4encrypt+0x51be85)
#13 0x51b62a in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) (/fuzz-mp4encrypt/mp4encrypt/mp4encrypt+0x51b62a)
#14 0x4438e4 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/fuzz-mp4encrypt/mp4encrypt/mp4encrypt+0x4438e4)
#15 0x449406 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/fuzz-mp4encrypt/mp4encrypt/mp4encrypt+0x449406)
#16 0x51be85 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/fuzz-mp4encrypt/mp4encrypt/mp4encrypt+0x51be85)
#17 0x51b62a in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) (/fuzz-mp4encrypt/mp4encrypt/mp4encrypt+0x51b62a)
#18 0x4438e4 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/fuzz-mp4encrypt/mp4encrypt/mp4encrypt+0x4438e4)
#19 0x449406 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/fuzz-mp4encrypt/mp4encrypt/mp4encrypt+0x449406)
#20 0x51be85 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/fuzz-mp4encrypt/mp4encrypt/mp4encrypt+0x51be85)
#21 0x51b62a in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) (/fuzz-mp4encrypt/mp4encrypt/mp4encrypt+0x51b62a)
#22 0x4438e4 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/fuzz-mp4encrypt/mp4encrypt/mp4encrypt+0x4438e4)
#23 0x449406 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/fuzz-mp4encrypt/mp4encrypt/mp4encrypt+0x449406)
#24 0x51be85 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/fuzz-mp4encrypt/mp4encrypt/mp4encrypt+0x51be85)
#25 0x51e13b in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) (/fuzz-mp4encrypt/mp4encrypt/mp4encrypt+0x51e13b)
SUMMARY: AddressSanitizer: 144 byte(s) leaked in 2 allocation(s).
****Bug2****
Detected memory leaks in mp4edit, the bug may be different from #776.
root@q11s3kl5mn:/fuzz-mp4edit/mp4edit# ./mp4edit POC_mp4edit_728838793 /dev/null
WARNING: atom serialized to fewer bytes than declared size
WARNING: atom serialized to fewer bytes than declared size
WARNING: atom serialized to fewer bytes than declared size
WARNING: padding would be too large
WARNING: atom serialized to fewer bytes than declared size
WARNING: padding would be too large
WARNING: atom serialized to fewer bytes than declared size
WARNING: atom serialized to fewer bytes than declared size
WARNING: atom serialized to fewer bytes than declared size
WARNING: padding would be too large
WARNING: atom serialized to fewer bytes than declared size
WARNING: padding would be too large
=================================================================
==91239==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 72 byte(s) in 1 object(s) allocated from:
#0 0x8eaf60 in malloc /llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
#1 0x7f3c0c690297 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x93297)
#2 0x4c1886 in AP4_EsdsAtom::Create(unsigned int, AP4_ByteStream&) (/fuzz-mp4edit/mp4edit/mp4edit+0x4c1886)
#3 0x4552db in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/fuzz-mp4edit/mp4edit/mp4edit+0x4552db)
#4 0x4618ff in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/fuzz-mp4edit/mp4edit/mp4edit+0x4618ff)
#5 0x48de17 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/fuzz-mp4edit/mp4edit/mp4edit+0x48de17)
#6 0x5d7069 in AP4_SampleEntry::Read(AP4_ByteStream&, AP4_AtomFactory&) (/fuzz-mp4edit/mp4edit/mp4edit+0x5d7069)
#7 0x4618ff in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/fuzz-mp4edit/mp4edit/mp4edit+0x4618ff)
#8 0x62020e in AP4_StsdAtom::AP4_StsdAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) (/fuzz-mp4edit/mp4edit/mp4edit+0x62020e)
#9 0x61f694 in AP4_StsdAtom::Create(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) (/fuzz-mp4edit/mp4edit/mp4edit+0x61f694)
#10 0x4546d3 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/fuzz-mp4edit/mp4edit/mp4edit+0x4546d3)
#11 0x4618ff in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/fuzz-mp4edit/mp4edit/mp4edit+0x4618ff)
#12 0x48de17 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/fuzz-mp4edit/mp4edit/mp4edit+0x48de17)
#13 0x48d616 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) (/fuzz-mp4edit/mp4edit/mp4edit+0x48d616)
#14 0x45cb77 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/fuzz-mp4edit/mp4edit/mp4edit+0x45cb77)
#15 0x4618ff in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/fuzz-mp4edit/mp4edit/mp4edit+0x4618ff)
#16 0x48de17 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/fuzz-mp4edit/mp4edit/mp4edit+0x48de17)
#17 0x48d616 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) (/fuzz-mp4edit/mp4edit/mp4edit+0x48d616)
#18 0x45cb77 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/fuzz-mp4edit/mp4edit/mp4edit+0x45cb77)
#19 0x4618ff in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/fuzz-mp4edit/mp4edit/mp4edit+0x4618ff)
#20 0x48de17 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/fuzz-mp4edit/mp4edit/mp4edit+0x48de17)
#21 0x48d616 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) (/fuzz-mp4edit/mp4edit/mp4edit+0x48d616)
#22 0x45cb77 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/fuzz-mp4edit/mp4edit/mp4edit+0x45cb77)
#23 0x4618ff in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/fuzz-mp4edit/mp4edit/mp4edit+0x4618ff)
#24 0x48de17 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/fuzz-mp4edit/mp4edit/mp4edit+0x48de17)
#25 0x48fb01 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) (/fuzz-mp4edit/mp4edit/mp4edit+0x48fb01)
Direct leak of 72 byte(s) in 1 object(s) allocated from:
#0 0x8eaf60 in malloc /llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
#1 0x7f3c0c690297 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x93297)
#2 0x4c1886 in AP4_EsdsAtom::Create(unsigned int, AP4_ByteStream&) (/fuzz-mp4edit/mp4edit/mp4edit+0x4c1886)
#3 0x4552db in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/fuzz-mp4edit/mp4edit/mp4edit+0x4552db)
#4 0x4618ff in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/fuzz-mp4edit/mp4edit/mp4edit+0x4618ff)
#5 0x48de17 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/fuzz-mp4edit/mp4edit/mp4edit+0x48de17)
#6 0x5d7069 in AP4_SampleEntry::Read(AP4_ByteStream&, AP4_AtomFactory&) (/fuzz-mp4edit/mp4edit/mp4edit+0x5d7069)
#7 0x4618ff in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/fuzz-mp4edit/mp4edit/mp4edit+0x4618ff)
#8 0x62020e in AP4_StsdAtom::AP4_StsdAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) (/fuzz-mp4edit/mp4edit/mp4edit+0x62020e)
#9 0x61f694 in AP4_StsdAtom::Create(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) (/fuzz-mp4edit/mp4edit/mp4edit+0x61f694)
#10 0x4546d3 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/fuzz-mp4edit/mp4edit/mp4edit+0x4546d3)
#11 0x4618ff in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/fuzz-mp4edit/mp4edit/mp4edit+0x4618ff)
#12 0x48de17 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/fuzz-mp4edit/mp4edit/mp4edit+0x48de17)
#13 0x48d616 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) (/fuzz-mp4edit/mp4edit/mp4edit+0x48d616)
#14 0x45cb77 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/fuzz-mp4edit/mp4edit/mp4edit+0x45cb77)
#15 0x4618ff in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/fuzz-mp4edit/mp4edit/mp4edit+0x4618ff)
#16 0x4b6440 in AP4_DrefAtom::AP4_DrefAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) (/fuzz-mp4edit/mp4edit/mp4edit+0x4b6440)
#17 0x4b5af8 in AP4_DrefAtom::Create(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) (/fuzz-mp4edit/mp4edit/mp4edit+0x4b5af8)
#18 0x456f8a in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/fuzz-mp4edit/mp4edit/mp4edit+0x456f8a)
#19 0x4618ff in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/fuzz-mp4edit/mp4edit/mp4edit+0x4618ff)
#20 0x48de17 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/fuzz-mp4edit/mp4edit/mp4edit+0x48de17)
#21 0x48d616 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) (/fuzz-mp4edit/mp4edit/mp4edit+0x48d616)
#22 0x45cb77 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/fuzz-mp4edit/mp4edit/mp4edit+0x45cb77)
#23 0x4618ff in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/fuzz-mp4edit/mp4edit/mp4edit+0x4618ff)
#24 0x48de17 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/fuzz-mp4edit/mp4edit/mp4edit+0x48de17)
#25 0x48d616 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) (/fuzz-mp4edit/mp4edit/mp4edit+0x48d616)
#26 0x45cb77 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/fuzz-mp4edit/mp4edit/mp4edit+0x45cb77)
#27 0x4618ff in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/fuzz-mp4edit/mp4edit/mp4edit+0x4618ff)
#28 0x48de17 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/fuzz-mp4edit/mp4edit/mp4edit+0x48de17)
#29 0x48d616 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) (/fuzz-mp4edit/mp4edit/mp4edit+0x48d616)
SUMMARY: AddressSanitizer: 144 byte(s) leaked in 2 allocation(s).
****Bug3****
Detected memory leaks in mp4decrypt.
root@34f1181t281a:/fuzz-mp4decrypt/mp4decrypt# ./mp4decrypt POC_mp4decrypt_477546304 /dev/null
WARNING: atom serialized to fewer bytes than declared size
=================================================================
==203693==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 88 byte(s) in 1 object(s) allocated from:
#0 0x8f7da0 in malloc /llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
#1 0x7fd288f7b297 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x93297)
#2 0x42ffef in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x42ffef)
#3 0x5e6b75 in AP4_Processor::Process(AP4_ByteStream&, AP4_ByteStream&, AP4_ByteStream*, AP4_Processor::ProgressListener*, AP4_AtomFactory&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x5e6b75)
#4 0x414e8b in main (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x414e8b)
#5 0x7fd288900c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
Direct leak of 48 byte(s) in 1 object(s) allocated from:
#0 0x8f7da0 in malloc /llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
#1 0x7fd288f7b297 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x93297)
#2 0x423f9d in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x423f9d)
#3 0x4320af in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x4320af)
#4 0x42ffef in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x42ffef)
#5 0x5e6b75 in AP4_Processor::Process(AP4_ByteStream&, AP4_ByteStream&, AP4_ByteStream*, AP4_Processor::ProgressListener*, AP4_AtomFactory&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x5e6b75)
#6 0x414e8b in main (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x414e8b)
#7 0x7fd288900c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
Indirect leak of 192 byte(s) in 1 object(s) allocated from:
#0 0x8f7da0 in malloc /llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
#1 0x7fd288f7b297 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x93297)
#2 0x4324cf in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x4324cf)
#3 0x42ffef in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x42ffef)
#4 0x5e6b75 in AP4_Processor::Process(AP4_ByteStream&, AP4_ByteStream&, AP4_ByteStream*, AP4_Processor::ProgressListener*, AP4_AtomFactory&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x5e6b75)
#5 0x414e8b in main (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x414e8b)
#6 0x7fd288900c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
SUMMARY: AddressSanitizer: 328 byte(s) leaked in 3 allocation(s).
****Bug4****
Detected memory leaks in mp4decrypt.
root@34f1181t281a:/fuzz-mp4decrypt/mp4decrypt# ./mp4decrypt POC_mp4decrypt_34393864 /dev/null
WARNING: atom serialized to fewer bytes than declared size
=================================================================
==52857==ERROR: LeakSanitizer: detected memory leaks
Indirect leak of 1376 byte(s) in 1 object(s) allocated from:
#0 0x8f7da0 in malloc /llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
#1 0x7fd58b6db297 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x93297)
#2 0x6f392d in AP4_TrunAtom::Create(unsigned int, AP4_ByteStream&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x6f392d)
#3 0x423d35 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x423d35)
#4 0x4320af in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x4320af)
#5 0x4eb387 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x4eb387)
#6 0x4eab86 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x4eab86)
#7 0x42d270 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x42d270)
#8 0x4320af in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x4320af)
#9 0x42ffef in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x42ffef)
#10 0x5e6b75 in AP4_Processor::Process(AP4_ByteStream&, AP4_ByteStream&, AP4_ByteStream*, AP4_Processor::ProgressListener*, AP4_AtomFactory&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x5e6b75)
#11 0x414e8b in main (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x414e8b)
#12 0x7fd58b060c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
…… ……
Indirect leak of 48 byte(s) in 1 object(s) allocated from:
#0 0x8f7da0 in malloc /llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
#1 0x7fd58b6db297 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x93297)
#2 0x42aca3 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x42aca3)
#3 0x4320af in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x4320af)
#4 0x4eb387 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x4eb387)
#5 0x4eab86 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x4eab86)
#6 0x42d270 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x42d270)
#7 0x4320af in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x4320af)
#8 0x42ffef in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x42ffef)
#9 0x5e6b75 in AP4_Processor::Process(AP4_ByteStream&, AP4_ByteStream&, AP4_ByteStream*, AP4_Processor::ProgressListener*, AP4_AtomFactory&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x5e6b75)
#10 0x414e8b in main (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x414e8b)
#11 0x7fd58b060c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
SUMMARY: AddressSanitizer: 1720 byte(s) leaked in 8 allocation(s).
****Bug5****
Detected memory leaks in mp4decrypt.
root@34f1181t281a:/fuzz-mp4decrypt/mp4decrypt# ./mp4decrypt POC_mp4decrypt_654515280 /dev/null
WARNING: atom serialized to fewer bytes than declared size
WARNING: atom serialized to fewer bytes than declared size
LLVMSymbolizer: error reading file: No such file or directory
=================================================================
==197884==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 264 byte(s) in 3 object(s) allocated from:
#0 0x8f7da0 in malloc /llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
#1 0x7f0c66e06297 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x93297)
#2 0x51e986 in AP4_EsdsAtom::Create(unsigned int, AP4_ByteStream&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x51e986)
#3 0x424e14 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x424e14)
#4 0x4320af in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x4320af)
#5 0x4eb387 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x4eb387)
#6 0x661689 in AP4_SampleEntry::Read(AP4_ByteStream&, AP4_AtomFactory&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x661689)
#7 0x4320af in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x4320af)
#8 0x6aa85e in AP4_StsdAtom::AP4_StsdAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x6aa85e)
#9 0x6a9ce4 in AP4_StsdAtom::Create(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x6a9ce4)
#10 0x42420c in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x42420c)
#11 0x4320af in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x4320af)
#12 0x4eb387 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x4eb387)
#13 0x4eab86 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x4eab86)
#14 0x42d270 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x42d270)
#15 0x4320af in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x4320af)
#16 0x4eb387 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x4eb387)
#17 0x4eab86 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x4eab86)
#18 0x42d270 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x42d270)
#19 0x4320af in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x4320af)
#20 0x4eb387 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x4eb387)
#21 0x4eab86 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x4eab86)
#22 0x42d270 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x42d270)
#23 0x4320af in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x4320af)
#24 0x4eb387 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x4eb387)
#25 0x4ed071 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x4ed071)
…… ……
Direct leak of 88 byte(s) in 1 object(s) allocated from:
#0 0x8f7da0 in malloc /llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
#1 0x7f0c66e06297 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x93297)
#2 0x51e986 in AP4_EsdsAtom::Create(unsigned int, AP4_ByteStream&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x51e986)
#3 0x424e14 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x424e14)
#4 0x4320af in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x4320af)
#5 0x4eb387 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x4eb387)
#6 0x661689 in AP4_SampleEntry::Read(AP4_ByteStream&, AP4_AtomFactory&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x661689)
#7 0x4320af in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x4320af)
#8 0x6aa85e in AP4_StsdAtom::AP4_StsdAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x6aa85e)
#9 0x6a9ce4 in AP4_StsdAtom::Create(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x6a9ce4)
#10 0x42420c in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x42420c)
#11 0x4320af in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x4320af)
#12 0x4eb387 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x4eb387)
#13 0x4eab86 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x4eab86)
#14 0x42d270 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x42d270)
#15 0x4320af in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x4320af)
#16 0x4eb387 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x4eb387)
#17 0x4eab86 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x4eab86)
#18 0x42d270 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x42d270)
#19 0x4320af in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x4320af)
#20 0x4eb387 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x4eb387)
#21 0x4eab86 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x4eab86)
#22 0x42d270 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x42d270)
#23 0x4320af in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x4320af)
#24 0x4eb387 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x4eb387)
#25 0x4ed071 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) (/fuzz-mp4decrypt/mp4decrypt/mp4decrypt+0x4ed071)
#26 0x7fff0fa80e9f ([stack]+0x18e9f)
SUMMARY: AddressSanitizer: 352 byte(s) leaked in 4 allocation(s).
****Bug6****
root@34f1181t281a:/fuzz-mp4mux# ./../Bento4-1.6.0-639/cmakebuild/mp4mux --track h264:POC_mp4mux_1729452038 /dev/null
ERROR: no sequence parameter set found in video
=================================================================
==4079790==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 104 byte(s) in 1 object(s) allocated from:
#0 0x4f5ce8 in operator new(unsigned long) /llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:99
#1 0x4fdd99 in main (/Bento4-1.6.0-639/cmakebuild/mp4mux+0x4fdd99)
#2 0x7f3d73ac9c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
SUMMARY: AddressSanitizer: 104 byte(s) leaked in 1 allocation(s).
root@26c10857b81a:/fuzz-mp4mux# ./../Bento4-1.6.0-639/cmakebuild/mp4mux --track h265:in/3.mp4 /dev/null
ERROR: no sequence parameter set found in video
****POC****
POC_mp4encrypt_631000973.zip
POC_mp4edit_728838793.zip
POC_mp4decrypt_477546304.zip
POC_mp4decrypt_34393864.zip
POC_mp4decrypt_654515280.zip
POC_mp4mux_1729452038.zip
****Environment****
Ubuntu 18.04.6 LTS (docker)
clang 12.0.1
clang++ 12.0.1
Bento4 master branch(5b7cc25) && Bento4 release version(1.6.0-639)
****Credit****
Xudong Cao (NCNIPC of China)
Han Zheng (NCNIPC of China, Hexhive)
Jiayuan Zhang (NCNIPC of China)
Zezhong Ren (NCNIPC of China)
Thank you for your time!