Headline
CVE-2022-40774: SEGV at AP4_StszAtom::GetSampleSize(unsigned int, unsigned int&) in binary mp42ts · Issue #757 · axiomatic-systems/Bento4
An issue was discovered in Bento4 through 1.6.0-639. There is a NULL pointer dereference in AP4_StszAtom::GetSampleSize.
Hi There,
I tested the binary mp42ts with my fuzzer, and a crash incurred, i.e., SEGV on an unknown address error. Here are the details:
AddressSanitizer:DEADLYSIGNAL
=================================================================
==6287==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000007021ab bp 0x7fff9e86cb50 sp 0x7fff9e86c5f0 T0)
==6287==The signal is caused by a READ memory access.
==6287==Hint: address points to the zero page.
#0 0x7021ab in AP4_StszAtom::GetSampleSize(unsigned int, unsigned int&) (/fuzztest/mp42ts/mp42ts+0x7021ab)
#1 0x5754fc in AP4_AtomSampleTable::GetSample(unsigned int, AP4_Sample&) (/fuzztest/mp42ts/mp42ts+0x5754fc)
#2 0x40d0cb in TrackSampleReader::ReadSample(AP4_Sample&, AP4_DataBuffer&) (/fuzztest/mp42ts/mp42ts+0x40d0cb)
#3 0x418342 in main (/fuzztest/mp42ts/mp42ts+0x418342)
#4 0x7f9ae1a41c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
#5 0x407c99 in _start (/fuzztest/mp42ts/mp42ts+0x407c99)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/fuzztest/mp42ts/mp42ts+0x7021ab) in AP4_StszAtom::GetSampleSize(unsigned int, unsigned int&)
==6287==ABORTING
System Details
Test Machine: Ubuntu 18.04 (docker)
Project Name: mp42ts (Bento4-1.6.0-639)
Command
./mp42ts mp42ts.demo /dev/null
Poc
mp42ts_Poc.zip
Credit
plcici (NCNIPC)
Han Zheng (NCNIPC, Hexhive)