CVE-2022-41846: Allocate for large amounts of memory failed in Ap4DataBuffer.cpp:210 at Bento4 1.5.1-627 when running mp42hls · Issue #342 · axiomatic-systems/Bento4
An issue was discovered in Bento4 1.6.0-639. There is excessive memory consumption in the function AP4_DataBuffer::ReallocateBuffer in Core/Ap4DataBuffer.cpp.
A crafted input leads to a failed memory allocation in Ap4DataBuffer.cpp in Bento4 1.5.1-627.
Triggered by
./mp42hls crash2.mp4
PoC
crash2.zip
Bento4 Version 1.5.1-627
The ASAN information is as follows:
==92387==ERROR: AddressSanitizer failed to allocate 0x80003000 (2147495936) bytes of LargeMmapAllocator (errno: 12)
==92387==Process memory map follows:
==92387==End of process memory map.
==92387==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_posix.cc:121 "(("unable to mmap" && 0)) != (0)" (0x0, 0x0)
#0 0x7fe344d7c631 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa0631)
#1 0x7fe344d815e3 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa55e3)
#2 0x7fe344d89611 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xad611)
#3 0x7fe344cfec0c (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x22c0c)
#4 0x7fe344d7567e in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9967e)
#5 0x4abb54 in AP4_DataBuffer::ReallocateBuffer(unsigned int) /home/jas/Downloads/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4DataBuffer.cpp:210
#6 0x4abb54 in AP4_DataBuffer::SetDataSize(unsigned int) /home/jas/Downloads/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4DataBuffer.cpp:151
#7 0x48ba72 in AP4_Sample::ReadData(AP4_DataBuffer&, unsigned int, unsigned int) /home/jas/Downloads/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4Sample.cpp:147
#8 0x48ba72 in AP4_Sample::ReadData(AP4_DataBuffer&) /home/jas/Downloads/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4Sample.cpp:127
#9 0x4449dd in ReadSample /home/jas/Downloads/Bento4-SRC-1-5-1-627/Source/C++/Apps/Mp42Hls/Mp42Hls.cpp:976
#10 0x4485af in WriteSamples /home/jas/Downloads/Bento4-SRC-1-5-1-627/Source/C++/Apps/Mp42Hls/Mp42Hls.cpp:1251
#11 0x4412a0 in main /home/jas/Downloads/Bento4-SRC-1-5-1-627/Source/C++/Apps/Mp42Hls/Mp42Hls.cpp:2088
#12 0x7fe34439a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#13 0x4445b8 in _start (/home/jas/Downloads/Bento4-SRC-1-5-1-627/cmakebuild/mp42hls+0x4445b8)
FoundBy: [email protected]
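The trace shows the sample size taken from the file's metadata flowing unchecked through AP4_Sample::ReadData into SetDataSize and then operator new[]. Below is an added example of the kind of bounds check that breaks that chain; it is not Bento4's code or its actual fix. GuardedBuffer and kMaxSampleSize are hypothetical names, the 256 MiB cap is an assumption, and the 4096-byte file size is constructed.

```cpp
// Added example (not Bento4 code): a buffer resize that validates an
// untrusted sample size before calling operator new[].
#include <cstdint>
#include <cstddef>
#include <cstdio>
#include <memory>

// Hypothetical hardened counterpart to AP4_DataBuffer::SetDataSize().
// A sample size read from container metadata can never legitimately
// exceed the bytes that remain in the input file, and should also be
// checked against a fixed ceiling so a single sample cannot exhaust RAM.
class GuardedBuffer {
public:
    // Assumed upper bound for one sample (256 MiB); an assumption, not a
    // value from the report or from Bento4.
    static constexpr uint64_t kMaxSampleSize = 256ull * 1024 * 1024;

    // Returns true and resizes on success. Returns false without allocating
    // when the requested size is implausible, so the caller can fail the
    // parse instead of the process.
    bool SetDataSize(uint64_t requested, uint64_t bytes_remaining_in_file) {
        if (requested > bytes_remaining_in_file) return false; // metadata lies about size
        if (requested > kMaxSampleSize) return false;          // absurd for one sample
        if (requested > m_Capacity) {
            // Only reached for sizes that passed both checks above.
            m_Data.reset(new uint8_t[static_cast<size_t>(requested)]);
            m_Capacity = requested;
        }
        m_Size = requested;
        return true;
    }
    uint64_t Size() const { return m_Size; }
    uint64_t Capacity() const { return m_Capacity; }

private:
    std::unique_ptr<uint8_t[]> m_Data;
    uint64_t m_Capacity = 0;
    uint64_t m_Size = 0;
};

int main() {
    GuardedBuffer buf;
    // The size ASAN reported (0x80003000 bytes) against a constructed 4 KiB input.
    bool ok = buf.SetDataSize(0x80003000ull, 4096);
    std::printf("0x80003000-byte sample accepted: %s\n", ok ? "yes" : "no");
    ok = buf.SetDataSize(1500, 4096);
    std::printf("1500-byte sample accepted: %s\n", ok ? "yes" : "no");
    return 0;
}
```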