Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-43037: Memory leaks with ASAN in mp42aac · Issue #788 · axiomatic-systems/Bento4

An issue was discovered in Bento4 1.6.0-639. There is a memory leak in the function AP4_File::ParseStream in /Core/Ap4File.cpp.

CVE
#ubuntu#linux#git#c++

Hi, developers of Bento4:
In the test of the binary mp42aac instrumented with ASAN. There are some inputs causing memory leaks. Here is the ASAN mode output. The output is different from #763.

=================================================================
==6659==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 64 byte(s) in 1 object(s) allocated from:
#0 0x7f8d891f0592 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99592)
#1 0x418dff in AP4_File::ParseStream(AP4_ByteStream&, AP4_AtomFactory&, bool) /root/Bento4/Source/C++/Core/Ap4File.cpp:108
#2 0x418dff in AP4_File::AP4_File(AP4_ByteStream&, bool) /root/Bento4/Source/C++/Core/Ap4File.cpp:78

SUMMARY: AddressSanitizer: 64 byte(s) leaked in 1 allocation(s).

Crash Input

https://github.com/17ssDP/fuzzer_crashes/blob/main/Bento4/mp42aac-ml-01

Verification steps:

git clone https://github.com/axiomatic-systems/Bento4
cd Bento4/
mkdir check_build && cd check_build
cmake …/ -DCMAKE_C_COMPILER=clang -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_FLAGS="-fsanitize=address" -DCMAKE_CXX_FLAGS="-fsanitize=address" -DCMAKE_BUILD_TYPE=Release
make -j
./mp42aac mp42aac-ml-01 /dev/null

Environment

Ubuntu 16.04
Clang 10.0.1
gcc 5.5

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907