Certain The MPlayer Project products are vulnerable to Buffer Overflow via read_avi_header() of libmpdemux/aviheader.c . This affects mplayer SVN-r38374-13.0.1 and mencoder SVN-r38374-13.0.1.

**#2403 closed defect (fixed)**

Reported by:

Owned by:

beastd

Priority:

normal

Component:

undetermined

Version:

HEAD

Severity:

major

Keywords:

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Version: SVN-r38374-13.0.1  

Build command: ../configure --disable-ffmpeg\_a && make (compiling with asan)  

Summary of the bug: An heap-buffer-overflow is found in fucnction read\_avi\_header () which affects mencoder and mplayer The attached file can reproduce this issue (ASAN-recompilation is needed).  

How to reproduce:  

1.Command: ./mencoder -ovc lavc -oac lavc -o /dev/null ./testcase  

> ./mplayer ./testcase  

2.Result:  

MPlayer SVN-r38374-9 (C) 2000-2022 MPlayer Team

Playing /home/jlx/crashes/id^%000059,sig^%06,src^%001757,time^%15822098,execs^%776566,op^%havoc,rep^%2.
libavformat version 58.29.100 (external)
AVI file format detected.
\[aviheader\] Video stream found, -vid 0
\[aviheader\] Audio stream found, -aid 1


MPlayer interrupted by signal 11 in module: demux\_open
- MPlayer crashed by bad usage of CPU/FPU/RAM.
  Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and
  disassembly. Details in DOCS/HTML/en/bugreports\_what.html#bugreports\_crash.
- MPlayer crashed. This shouldn't happen.
  It can be a bug in the MPlayer code \_or\_ in your drivers \_or\_ in your
  gcc version. If you think it's MPlayer's fault, please read
  DOCS/HTML/en/bugreports.html and follow the instructions there. We can't and
  won't help unless you provide this information when reporting a possible bug.

MPlayer SVN-r38374-13.0.1 (C) 2000-2022 MPlayer Team

Playing /home/jlx/crashes/id^%000059,sig^%06,src^%001757,time^%15822098,execs^%776566,op^%havoc,rep^%2.
libavformat version 58.29.100 (external)
AVI file format detected.
\[aviheader\] Video stream found, -vid 0
=================================================================
==7938==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000002db0 at pc 0x55c64191557c bp 0x7ffcdbc68090 sp 0x7ffcdbc68088
READ of size 4 at 0x602000002db0 thread T0
    #0 0x55c64191557b in read\_avi\_header /home/jlx/good\_mplayer/mplayer/libmpdemux/aviheader.c:364:12
    #1 0x55c641948cbe in demux\_open\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:464:3
    #2 0x55c641948cbe in demux\_open\_hack\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:885:14
    #3 0x55c641921f37 in demux\_open /home/jlx/good\_mplayer/mplayer/libmpdemux/demuxer.c:1294:10
    #4 0x55c6416232ed in main /home/jlx/good\_mplayer/mplayer/mplayer.c:3383:22
    #5 0x7fa5a6c780b2 in \_\_libc\_start\_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

0x602000002db0 is located 31 bytes to the right of 1-byte region \[0x602000002d90,0x602000002d91)
allocated by thread T0 here:
    #0 0x55c6415c81cd in malloc (/home/jlx/good\_mplayer/asan\_mplayer/mplayer+0x3431cd)
    #1 0x55c64190a934 in read\_avi\_header /home/jlx/good\_mplayer/mplayer/libmpdemux/aviheader.c:358:26
    #2 0x55c641948cbe in demux\_open\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:464:3
    #3 0x55c641948cbe in demux\_open\_hack\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:885:14
    #4 0x55c641921f37 in demux\_open /home/jlx/good\_mplayer/mplayer/libmpdemux/demuxer.c:1294:10
    #5 0x55c6416232ed in main /home/jlx/good\_mplayer/mplayer/mplayer.c:3383:22
    #6 0x7fa5a6c780b2 in \_\_libc\_start\_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jlx/good\_mplayer/mplayer/libmpdemux/aviheader.c:364:12 in read\_avi\_header
Shadow bytes around the buggy address:
  0x0c047fff8560: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8570: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8580: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8590: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff85a0: fa fa 00 00 fa fa 00 00 fa fa 06 fa fa fa fd fd
=>0x0c047fff85b0: fa fa 01 fa fa fa\[fa\]fa fa fa fa fa fa fa fa fa
  0x0c047fff85c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff85d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff85e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff85f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==7938==ABORTING

MEncoder SVN-r38374-13.0.1 (C) 2000-2022 MPlayer Team
success: format: 0  data: 0x0 - 0x2aa3
libavformat version 58.29.100 (external)
AVI file format detected.
\[aviheader\] Video stream found, -vid 0
=================================================================
==6848==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000004370 at pc 0x55e9886b95dc bp 0x7fffc79a7df0 sp 0x7fffc79a7de8
READ of size 4 at 0x602000004370 thread T0
    #0 0x55e9886b95db in read\_avi\_header /home/jlx/good\_mplayer/mplayer/libmpdemux/aviheader.c:364:12
    #1 0x55e9886ecd1e in demux\_open\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:464:3
    #2 0x55e9886ecd1e in demux\_open\_hack\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:885:14
    #3 0x55e9886c5f97 in demux\_open /home/jlx/good\_mplayer/mplayer/libmpdemux/demuxer.c:1294:10
    #4 0x55e9884711f3 in main /home/jlx/good\_mplayer/mplayer/mencoder.c:707:11
    #5 0x7f4b98de10b2 in \_\_libc\_start\_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

0x602000004370 is located 31 bytes to the right of 1-byte region \[0x602000004350,0x602000004351)
allocated by thread T0 here:
    #0 0x55e98843e43d in malloc (/home/jlx/good\_mplayer/asan\_mplayer/mencoder+0x1a643d)
    #1 0x55e9886ae994 in read\_avi\_header /home/jlx/good\_mplayer/mplayer/libmpdemux/aviheader.c:358:26
    #2 0x55e9886ecd1e in demux\_open\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:464:3
    #3 0x55e9886ecd1e in demux\_open\_hack\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:885:14
    #4 0x55e9886c5f97 in demux\_open /home/jlx/good\_mplayer/mplayer/libmpdemux/demuxer.c:1294:10
    #5 0x55e9884711f3 in main /home/jlx/good\_mplayer/mplayer/mencoder.c:707:11
    #6 0x7f4b98de10b2 in \_\_libc\_start\_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jlx/good\_mplayer/mplayer/libmpdemux/aviheader.c:364:12 in read\_avi\_header
Shadow bytes around the buggy address:
  0x0c047fff8810: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8820: fa fa 06 fa fa fa 06 fa fa fa 04 fa fa fa 04 fa
  0x0c047fff8830: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8840: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff8850: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
=>0x0c047fff8860: fa fa 00 00 fa fa fd fd fa fa 01 fa fa fa\[fa\]fa
  0x0c047fff8870: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8880: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8890: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff88a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff88b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==6848==ABORTING

CVE-2022-38866: #2403 (A heap-buffer-overflow occurred in function read_avi_header() of libmpdemux/aviheader.c) – MPlayer

Certain The MPlayer Project products are vulnerable to Divide By Zero via the function demux_avi_read_packet of libmpdemux/demux_avi.c. This affects mplyer SVN-r38374-13.0.1 and mencoder SVN-r38374-13.0.1.

**#2401 closed defect (fixed)**

Reported by:

Owned by:

beastd

Priority:

normal

Component:

undetermined

Version:

HEAD

Severity:

major

Keywords:

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Version: SVN-r38374-13.0.1  

Build command: ../configure --disable-ffmpeg\_a && make (compiling with asan)  

Summary of the bug: An division by zero is found in fucnction play() which affects mencoder and mplayer The attached file can reproduce this issue (ASAN-recompilation is needed).  

How to reproduce:  

1.Command: ./mencoder -ovc lavc -oac lavc -o /dev/null ./testcase  

> ./mplayer ./testcase  

2.Result:  

MEncoder SVN-r38374-13.0.1 (C) 2000-2022 MPlayer Team
success: format: 0  data: 0x0 - 0x2aa8
libavformat version 58.29.100 (external)
AVI file format detected.
\[aviheader\] Video stream found, -vid 0
\[aviheader\] Audio stream found, -aid 1
AddressSanitizer:DEADLYSIGNAL
=================================================================
==32677==ERROR: AddressSanitizer: FPE on unknown address 0x563dfce77dc4 (pc 0x563dfce77dc4 bp 0x60c000000040 sp 0x7ffda83c4650 T0)
    #0 0x563dfce77dc4 in demux\_avi\_read\_packet /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:161:32

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:161:32 in demux\_avi\_read\_packet
==32677==ABORTING

MPlayer SVN-r38374-9 (C) 2000-2022 MPlayer Team

Playing /home/jlx/crashes/id^%000048,sig^%08,src^%000002,time^%8657653,execs^%414593,op^%havoc,rep^%2.
libavformat version 58.29.100 (external)
AVI file format detected.
\[aviheader\] Video stream found, -vid 0
\[aviheader\] Audio stream found, -aid 1


MPlayer interrupted by signal 8 in module: demux\_open
- MPlayer crashed by bad usage of CPU/FPU/RAM.
  Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and
  disassembly. Details in DOCS/HTML/en/bugreports\_what.html#bugreports\_crash.
- MPlayer crashed. This shouldn't happen.
  It can be a bug in the MPlayer code \_or\_ in your drivers \_or\_ in your
  gcc version. If you think it's MPlayer's fault, please read
  DOCS/HTML/en/bugreports.html and follow the instructions there. We can't and
  won't help unless you provide this information when reporting a possible bug.

Program received signal SIGFPE, Arithmetic exception.
0x00005637aa590311 in demux\_avi\_read\_packet (demux=0x5637ac1247a0, ds=0x5637ac126050, id=1651978544, len=21, idxpos=<optimized out>, flags=<optimized out>) at libmpdemux/demux\_avi.c:158
158           priv->avi\_audio\_pts=0;
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
────────────────────────────────────────────────────────────\[ REGISTERS \]────────────────────────────────────────────────────────────
 RAX  0x14
 RBX  0x16
 RCX  0x0
 RDX  0x0
 RDI  0x5637ac1247a0 —▸ 0x5637aa7a3c20 (demuxer\_desc\_avi) —▸ 0x5637aa754dbc ◂— 'AVI demuxer'
 RSI  0x0
 R8   0x1
 R9   0x1
 R10  0x0
 R11  0x5637aa592800 (demux\_open\_hack\_avi+240) ◂— mov    eax, dword ptr \[rbx + 8\]
 R12  0x5637ac1260f0 —▸ 0x5637ac122480 ◂— 0x1062773130
 R13  0x5637ac1247a0 —▸ 0x5637aa7a3c20 (demuxer\_desc\_avi) —▸ 0x5637aa754dbc ◂— 'AVI demuxer'
 R14  0x62773130
 R15  0x15
 RBP  0x5637ac126050 ◂— 0x0
 RSP  0x7ffc013e54a0 —▸ 0x5637ac126050 ◂— 0x0
 RIP  0x5637aa590311 (demux\_avi\_read\_packet+657) ◂— div    ecx
─────────────────────────────────────────────────────────────\[ DISASM \]──────────────────────────────────────────────────────────────
 ► 0x5637aa590311 <demux\_avi\_read\_packet+657>    div    ecx
    ↓
   0x5637aa590311 <demux\_avi\_read\_packet+657>    div    ecx








──────────────────────────────────────────────────────────\[ SOURCE (CODE) \]──────────────────────────────────────────────────────────
In file: /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c
   153    pts = priv->audio\_block\_no \*
   154      (float)((sh\_audio\_t\*)demux->audio->sh)->audio.dwScale /
   155      (float)((sh\_audio\_t\*)demux->audio->sh)->audio.dwRate;
   156       } else
   157           pts=priv->avi\_audio\_pts; //+priv->pts\_correction;
 ► 158       priv->avi\_audio\_pts=0;
   159       // update blockcount:
   160       priv->audio\_block\_no+=
   161  (len+priv->audio\_block\_size-1)/priv->audio\_block\_size;
   162   } else
   163   if(ds==demux->video){
──────────────────────────────────────────────────────────────\[ STACK \]──────────────────────────────────────────────────────────────
00:0000│ rsp  0x7ffc013e54a0 —▸ 0x5637ac126050 ◂— 0x0
01:0008│      0x7ffc013e54a8 ◂— 0xffffffffffffffff
02:0010│      0x7ffc013e54b0 ◂— 0x1
03:0018│      0x7ffc013e54b8 —▸ 0x5637ac122480 ◂— 0x1062773130
04:0020│      0x7ffc013e54c0 —▸ 0x5637ac1247a0 —▸ 0x5637aa7a3c20 (demuxer\_desc\_avi) —▸ 0x5637aa754dbc ◂— 'AVI demuxer'
05:0028│      0x7ffc013e54c8 ◂— 0x15
06:0030│      0x7ffc013e54d0 —▸ 0x5637ac1260f0 —▸ 0x5637ac122480 ◂— 0x1062773130
07:0038│      0x7ffc013e54d8 ◂— 0xffff00000000
────────────────────────────────────────────────────────────\[ BACKTRACE \]────────────────────────────────────────────────────────────
 ► f 0     5637aa590311 demux\_avi\_read\_packet+657
   f 1     5637aa591962 demux\_avi\_fill\_buffer+1250
   f 2     5637aa584955 ds\_fill\_buffer+341
   f 3     5637aa584955 ds\_fill\_buffer+341
   f 4     5637aa592b1e demux\_open\_hack\_avi+1038
   f 5     5637aa592b1e demux\_open\_hack\_avi+1038
   f 6     5637aa592b1e demux\_open\_hack\_avi+1038
   f 7     5637aa5858f3 demux\_open\_stream+931
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

CVE-2022-38865: #2401 (A Division by zero occurred in function demux_avi_read_packet of libmpdemux/demux_avi.c) – MPlayer

Certain The MPlayer Project products are vulnerable to Divide By Zero via function demux_open_avi() of libmpdemux/demux_avi.c which affects mencoder. This affects mplayer SVN-r38374-13.0.1 and mencoder SVN-r38374-13.0.1.

**#2402 closed defect (duplicate)**

Reported by:

Owned by:

beastd

Priority:

normal

Component:

undetermined

Version:

HEAD

Severity:

major

Keywords:

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Version: SVN-r38374-13.0.1  

Build command: ../configure --disable-ffmpeg\_a && make (compiling with asan)  

Summary of the bug: An division by zero is found in fucnction demux\_open\_avi () which affects mencoder and mplayer. The attached file can reproduce this issue (ASAN-recompilation is needed).  

How to reproduce:  

1.Command: ./mencoder -ovc lavc -oac lavc -o /dev/null ./testcase  

> ./mplayer ./testcase  

2.Result:  

MPlayer SVN-r38374-9 (C) 2000-2022 MPlayer Team

Playing /home/jlx/crashes/id^%000056,sig^%08,src^%001688,time^%14273883,execs^%697532,op^%havoc,rep^%2.
libavformat version 58.29.100 (external)
AVI file format detected.
\[aviheader\] Video stream found, -vid 0
\[aviheader\] Audio stream found, -aid 1
AVI: No audio stream found -> no sound.


MPlayer interrupted by signal 8 in module: demux\_open
- MPlayer crashed by bad usage of CPU/FPU/RAM.
  Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and
  disassembly. Details in DOCS/HTML/en/bugreports\_what.html#bugreports\_crash.
- MPlayer crashed. This shouldn't happen.
  It can be a bug in the MPlayer code \_or\_ in your drivers \_or\_ in your
  gcc version. If you think it's MPlayer's fault, please read
  DOCS/HTML/en/bugreports.html and follow the instructions there. We can't and
  won't help unless you provide this information when reporting a possible bug.

MEncoder SVN-r38374-13.0.1 (C) 2000-2022 MPlayer Team
success: format: 0  data: 0x0 - 0x2ab4
libavformat version 58.29.100 (external)
AVI file format detected.
\[aviheader\] Video stream found, -vid 0
\[aviheader\] Audio stream found, -aid 1
AVI: No audio stream found -> no sound.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==19160==ERROR: AddressSanitizer: FPE on unknown address 0x55eacc77d2e7 (pc 0x55eacc77d2e7 bp 0x000000000004 sp 0x7ffce604b120 T0)
    #0 0x55eacc77d2e7 in demux\_open\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:571:42
    #1 0x55eacc77d2e7 in demux\_open\_hack\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:885:14

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:571:42 in demux\_open\_avi
==19160==ABORTING

Breakpoint 3, demux\_open\_avi (demuxer=<optimized out>) at libmpdemux/demux\_avi.c:571
571             asamples+=(len+priv->audio\_block\_size-1)/priv->audio\_block\_size;
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────────────────────────────────────────────\[ REGISTERS \]────────────────────────────────────────────────────────────────────────
 RAX  0x4
 RBX  0x55904d5f8d00 —▸ 0x55904d5f9410 ◂— 0xe1e1e1e1e1e1
 RCX  0x2fb
 RDX  0x4
 RDI  0x0
 RSI  0x55904d5f9440 ◂— 0x1062773130
 R8   0x1
 R9   0x0
 R10  0x55904d5f9470 ◂— 0x0
 R11  0x0
 R12  0x55904d5f73b0 —▸ 0x55904bcf5ec0 (demuxer\_desc\_avi) —▸ 0x55904bccffcc ◂— 'AVI demuxer'
 R13  0x55904d5f8c60 ◂— 0x0
 R14  0x55904d5f8d80 —▸ 0x55904d593400 ◂— 0x2fb00000000
 R15  0x0
 RBP  0x4
 RSP  0x7fff5a391720 —▸ 0x55904d593400 ◂— 0x2fb00000000
 RIP  0x55904bb55aa7 (demux\_open\_hack\_avi+1351) ◂— lea    eax, \[rax + r9 - 1\]
─────────────────────────────────────────────────────────────────────────\[ DISASM \]─────────────────────────────────────────────────────────────────────────
 ► 0x55904bb55aa7 <demux\_open\_hack\_avi+1351>    lea    eax, \[rax + r9 - 1\]
   0x55904bb55aac <demux\_open\_hack\_avi+1356>    xor    edx, edx
   0x55904bb55aae <demux\_open\_hack\_avi+1358>    div    r9d
    ↓
   0x55904bb55aae <demux\_open\_hack\_avi+1358>    div    r9d






─────────────────────────────────────────────────────────────────────\[ SOURCE (CODE) \]──────────────────────────────────────────────────────────────────────
In file: /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c
   566         vsize+=len;
   567         ++vsamples;
   568       }
   569       else if(d\_audio->id == id) {
   570         asize+=len;
 ► 571  asamples+=(len+priv->audio\_block\_size-1)/priv->audio\_block\_size;
   572       }
   573     }
   574     mp\_msg(MSGT\_DEMUX, MSGL\_V,
   575            "AVI video size=%"PRId64" (%zu) audio size=%"PRId64" (%zu)\\n",
   576            vsize, vsamples, asize, asamples);
─────────────────────────────────────────────────────────────────────────\[ STACK \]──────────────────────────────────────────────────────────────────────────
00:0000│ rsp  0x7fff5a391720 —▸ 0x55904d593400 ◂— 0x2fb00000000
01:0008│      0x7fff5a391728 —▸ 0x55904d5f9430 ◂— 0x1062773130
02:0010│      0x7fff5a391730 —▸ 0x55904d5f8c60 ◂— 0x0
03:0018│      0x7fff5a391738 ◂— 0xffffffff
04:0020│      0x7fff5a391740 ◂— 0x62773130ffffffff
05:0028│      0x7fff5a391748 ◂— 0x588a634aec56d900
06:0030│      0x7fff5a391750 ◂— 0xffffffff
07:0038│      0x7fff5a391758 —▸ 0x55904bcf5ec0 (demuxer\_desc\_avi) —▸ 0x55904bccffcc ◂— 'AVI demuxer'
───────────────────────────────────────────────────────────────────────\[ BACKTRACE \]────────────────────────────────────────────────────────────────────────
 ► f 0     55904bb55aa7 demux\_open\_hack\_avi+1351
   f 1     55904bb55aa7 demux\_open\_hack\_avi+1351
   f 2     55904bb48743 demux\_open\_stream+931
   f 3     55904bb49231 demux\_open+753
   f 4     55904bac0642 main+1042
   f 5     7f7b8118c0b3 \_\_libc\_start\_main+243
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

CVE-2022-38860: #2402 (A Division by zero occurred in function demux_open_avi() of libmpdemux/demux_avi.c) – MPlayer

Certain The MPlayer Project products are vulnerable to Buffer Overflow via function gen_sh_video () of mplayer/libmpdemux/demux_mov.c. This affects mplayer SVN-r38374-13.0.1 and mencoder SVN-r38374-13.0.1.

Version: SVN-r38374-13.0.1  

Build command: ../configure --disable-ffmpeg\_a && make (compiling with asan)  

Summary of the bug: A heap-buffer-overflow read is found in fucnction gen\_sh\_video() which affects mplayer and mencoder. The attached file can reproduce this issue (ASAN-recompilation is needed) And this vulnerability can cause the crash of mplayer.  

How to reproduce:  

Command: ./mplayer testcase  

Result:  

MPlayer SVN-r38374-13.0.1 (C) 2000-2022 MPlayer Team

Playing /home/jlx/crashes/testcase\_2.
libavformat version 58.29.100 (external)
libavformat file format detected.
\[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7fa0616d6600\]STSC entry 2 is invalid (first=4 count=14 id=1)
\[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7fa0616d6600\]STSC entry 1 is invalid (first=918905090 count=15 id=1)
\[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7fa0616d6600\]STSC entry 0 is invalid (first=1 count=109 id=-894264234)
\[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7fa0616d6600\]Invalid sample size -16777051
\[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7fa0616d6600\]error reading header
LAVF\_header: av\_open\_input\_stream() failed
Quicktime/MOV file format detected.
MOV: durmap and chunkmap sample count differ (90 vs 654)
MOV: durmap or chunkmap bigger than sample count (654 vs 90)
\[mov\] Video stream found, -vid 0
=================================================================
==12558==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d00000fbf3 at pc 0x557c16d634c3 bp 0x7fffa25ba210 sp 0x7fffa25ba208
READ of size 1 at 0x60d00000fbf3 thread T0
    #0 0x557c16d634c2 in gen\_sh\_video /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1103:86
    #1 0x557c16d634c2 in lschunks /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1344:3
    #2 0x557c16d4e88c in mov\_read\_header /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1961:5

Address 0x60d00000fbf3 is a wild pointer inside of access range of size 0x000000000001.
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_mov.c:1103:86 in gen\_sh\_video
Shadow bytes around the buggy address:
  0x0c1a7fff9f20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff9f30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff9f40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff9f50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff9f60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c1a7fff9f70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa\[fa\]fa
  0x0c1a7fff9f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff9f90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff9fa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff9fb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a7fff9fc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12558==ABORTING

Crash result:  

MPlayer SVN-r38374-9 (C) 2000-2022 MPlayer Team

Playing /home/jlx/crashes/id^%000002,sig^%06,src^%000761,time^%3561338,execs^%127552,op^%havoc,rep^%4.
libavformat version 58.29.100 (external)
libavformat file format detected.
\[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7fe319f34600\]STSC entry 2 is invalid (first=4 count=14 id=1)
\[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7fe319f34600\]STSC entry 1 is invalid (first=918905090 count=15 id=1)
\[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7fe319f34600\]STSC entry 0 is invalid (first=1 count=109 id=-894264234)
\[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7fe319f34600\]Invalid sample size -16777051
\[mov,mp4,m4a,3gp,3g2,mj2 @ 0x7fe319f34600\]error reading header
LAVF\_header: av\_open\_input\_stream() failed
Quicktime/MOV file format detected.
MOV: durmap and chunkmap sample count differ (90 vs 654)
MOV: durmap or chunkmap bigger than sample count (654 vs 90)
\[mov\] Video stream found, -vid 0


MPlayer interrupted by signal 11 in module: demux\_open
- MPlayer crashed by bad usage of CPU/FPU/RAM.
  Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and
  disassembly. Details in DOCS/HTML/en/bugreports\_what.html#bugreports\_crash.
- MPlayer crashed. This shouldn't happen.
  It can be a bug in the MPlayer code \_or\_ in your drivers \_or\_ in your
  gcc version. If you think it's MPlayer's fault, please read
  DOCS/HTML/en/bugreports.html and follow the instructions there. We can't and
  won't help unless you provide this information when reporting a possible bug.

CVE-2022-38855: #2392 (A heap-buffer-overflow occurred in function gen_sh_video () of mplayer/libmpdemux/demux_mov.c) – MPlayer

Red Hat Security Advisory 2022-6517-01 - Red Hat OpenStack Platform 16.2 (Train) director operator containers, with several Important security fixes, are available for technology preview.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: Release of containers for OSP 16.2.z director operator tech preview  
Advisory ID:       RHSA-2022:6517-01  
Product:           Red Hat OpenStack Platform  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6517  
Issue date:        2022-09-14  
CVE Names:         CVE-2021-41103 CVE-2022-1292 CVE-2022-1586  
                   CVE-2022-2068 CVE-2022-2097 CVE-2022-30631  
====================================================================  
1. Summary:

Red Hat OpenStack Platform 16.2 (Train) director operator containers, with  
several Important security fixes, are available for technology preview.

2. Description:

Release osp-director-operator images

Security Fix(es):

* CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read  
[important]  
* CVE-2021-41103 golang: containerd: insufficiently restricted permissions  
on container root and plugin directories [medium]

3. Solution:

OSP 16.2.z Release - OSP Director Operator Containers

4. Bugs fixed (https://bugzilla.redhat.com/):

2011007 - CVE-2021-41103 containerd: insufficiently restricted permissions on container root and plugin directories  
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read

5. References:

https://access.redhat.com/security/cve/CVE-2021-41103  
https://access.redhat.com/security/cve/CVE-2022-1292  
https://access.redhat.com/security/cve/CVE-2022-1586  
https://access.redhat.com/security/cve/CVE-2022-2068  
https://access.redhat.com/security/cve/CVE-2022-2097  
https://access.redhat.com/security/cve/CVE-2022-30631  
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYyInxNzjgjWX9erEAQj8iA//ayZQRYHLjJL7czXpd1rCmi7GsmJgEIb3  
UyOJlfr9B/saUH+y1o87j/b5xMtRLHWFV3yEKCy5HNaCNd/qCtr0YlBvxzV+Zk7i  
3q4qA7CDc8JYmc6JIjDqX175u0z4o3KuBNJO+nmQG13h2cGSjRKm7O1ddZGdyCrO  
+fJtz1pGZ+Hwko+4Mkxlaail8AowqK5wTsFfkdaXkuAIjc7ImOox9PR2A+MylnxL  
+fg++DQgDTgMjotQW0TmbsOKEyXmFfQK6c6yjLe/WeJPTdejMrq4m7soFA2d3b1x  
BPN2B7IhT6BYJzTjJ5TZwcbzNJpItS53Et2ZIZT+WVhld39lKqp6fDwGG3crpGrk  
9tdvbbNgn9LZHJvJzAgt8APjjBmzvbo/LUx2mI5/b3VRqDOruRGXp2unseEgCCHK  
fhNrgQHz8Ttlm2ZNOEtkFFEA2wJ7nL0sNnSkorIfDOJOPL9HO0WOn6eAfnle9jDa  
MGs3rG9MIZ1mw+9DfLf+EJW92KS3DM281BWsXofQic/dlZgbI2bpm43Z06aJaSGF  
sdVUS3/hknx/Itpd8tqsZq74qKkF/2t+aRYVzuDf7XqXuO6LDP2NO/AyhoNCe+fZ  
HdE33A1LEQAM7Z4DY/Pl1bzfjTiYn53ZW5i4cEjTS9EbPwnJMpcEkh1p/Gp51Uyt  
2nnxgBoed8A=8PTk  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6517-01

Uncontrolled Recursion in GitHub repository gpac/gpac prior to 2.1.0-DEV.

It can cause Denial-of-service attack.

**Version**

    root@ubuntu:~/gpac/.git# cat refs/heads/master
    0102c5d4db7fdbf08b5b591b2a6264de33867a07
    

**system stack size (default)**

    root@ubuntu:~/gpac/bin/gcc# ulimit -s
    8192
    

**POC**

Download POC

**Execute**

    root@ubuntu:~/gpac/bin/gcc# ./MP4Box -info -disox -dump-chap-ogg -dump-cover -drtp -x3dv -out /dev/null ./recursion
    [iso file] Unknown box type FF0000 in parent moov
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80000 in parent moov
    [iso file] Incomplete box mdat - start 11495 size 808395597
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] Unknown box type FF0000 in parent moov
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80000 in parent moov
    [iso file] Incomplete box mdat - start 11495 size 808395597
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 BIFS Scene Parsing
    Segmentation fault
    

**GDB**

    #1 ...
    #7880 0x00007ffff6cdbf19 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:466
    #7881 0x00007ffff6cdc6c7 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:658
    #7882 0x00007ffff6cdc89f in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:568
    #7883 0x00007ffff6cdcc25 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:544
    #7884 0x00007ffff6cdbf19 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:466
    #7885 0x00007ffff6cdc6c7 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:658
    #7886 0x00007ffff6cdc89f in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:568
    #7887 0x00007ffff6cdcc25 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:544
    #7888 0x00007ffff6cdbf19 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:466
    #7889 0x00007ffff6cdc6c7 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:658
    #7890 0x00007ffff6cdc89f in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:568
    #7891 0x00007ffff6cdcc25 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:544
    #7892 0x00007ffff6cdbf19 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:466
    #7893 0x00007ffff6cdc6c7 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:658
    #7894 0x00007ffff6cdc89f in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:568
    #7895 0x00007ffff6cdcc25 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:544
    #7896 0x00007ffff6cdbf19 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:466
    #7897 0x00007ffff6cdc6c7 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:658
    #7898 0x00007ffff6cdc89f in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:568
    #7899 0x00007ffff6cdcc25 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:544
    #7900 0x00007ffff6cdbf19 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:466
    #7901 0x00007ffff6cdc6c7 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:658
    #7902 0x00007ffff6cdc89f in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:568
    #7903 0x00007ffff6cdcc25 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:544
    #7904 0x00007ffff6cdbf19 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:466
    #7905 0x00007ffff6cdc6c7 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:658
    #7906 0x00007ffff6cdc89f in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:568
    #7907 0x00007ffff6cdcc25 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:544
    #7908 0x00007ffff6cdbf19 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:466
    #7909 0x00007ffff6cdc6c7 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:658
    #7910 0x00007ffff6cdc89f in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:568
    #7911 0x00007ffff6cdcc25 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:544
    #7912 0x00007ffff6cdbf19 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:466
    #7913 0x00007ffff6cdc6c7 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:658
    #7914 0x00007ffff6cdc89f in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:568
    #7915 0x00007ffff6cdcc25 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:544
    #7916 0x00007ffff6cdbf19 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:466
    #7917 0x00007ffff6cdc6c7 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:658
    #7918 0x00007ffff6cdb61c in SFS_CompoundExpression (parser=0x7fffffff6f30) at bifs/script_dec.c:419
    #7919 0x00007ffff6cdaed3 in SFS_IfStatement (parser=0x7fffffff6f30) at bifs/script_dec.c:334
    #7920 0x00007ffff6cdac78 in SFS_Statement (parser=0x7fffffff6f30) at bifs/script_dec.c:303
    #7921 0x00007ffff6cdab2c in SFS_StatementBlock (parser=0x7fffffff6f30, funcBody=GF_TRUE) at bifs/script_dec.c:287
    #7922 0x00007ffff6cd9f01 in SFScript_Parse (codec=<optimized out>, script_field=0x8e1740, bs=0x8cded0, n=<optimized out>) at bifs/script_dec.c:210
    #7923 0x00007ffff6cc5563 in gf_bifs_dec_sf_field (codec=0x8de970, bs=0x8cded0, node=0x8e1850, field=0x7fffffff7060, is_mem_com=GF_FALSE) at bifs/field_decode.c:277
    #7924 0x00007ffff6cc9156 in BD_DecMFFieldVec (codec=0x8de970, bs=0x8cded0, node=0x8e1850, field=0x7fffffff7130, is_mem_com=<optimized out>) at bifs/field_decode.c:427
    #7925 0x00007ffff6cc9a74 in gf_bifs_dec_field (codec=0x8de970, bs=0x8cded0, node=0x8e1850, field=0x7fffffff7130, is_mem_com=GF_FALSE) at bifs/field_decode.c:566
    #7926 0x00007ffff6cca419 in gf_bifs_dec_node_list (codec=0x8de970, bs=0x8cded0, node=0x8e1850, is_proto=<optimized out>) at bifs/field_decode.c:626
    #7927 0x00007ffff6cc8130 in gf_bifs_dec_node (codec=0x51, bs=<optimized out>, NDT_Tag=<optimized out>) at bifs/field_decode.c:928
    #7928 0x00007ffff6cc8daa in BD_DecMFFieldVec (codec=0x8de970, bs=0x8cded0, node=0x8e17c0, field=0x7fffffff7720, is_mem_com=GF_FALSE) at bifs/field_decode.c:436
    #7929 0x00007ffff6cc9a74 in gf_bifs_dec_field (codec=0x8de970, bs=0x8cded0, node=0x8e17c0, field=0x7fffffff7720, is_mem_com=GF_FALSE) at bifs/field_decode.c:566
    #7930 0x00007ffff6cca419 in gf_bifs_dec_node_list (codec=0x8de970, bs=0x8cded0, node=0x8e17c0, is_proto=<optimized out>) at bifs/field_decode.c:626
    #7931 0x00007ffff6cc8130 in gf_bifs_dec_node (codec=0x37, bs=<optimized out>, NDT_Tag=<optimized out>) at bifs/field_decode.c:928
    #7932 0x00007ffff6cb5067 in BD_DecSceneReplace (codec=0x8de970, bs=0x8cded0, proto_list=<optimized out>) at bifs/com_dec.c:1357
    #7933 0x00007ffff6cd6043 in BM_SceneReplace (codec=0x8de970, bs=0x6, com_list=0x8ded30) at bifs/memory_decoder.c:867
    #7934 0x00007ffff6cd6556 in BM_ParseCommand (codec=0x8de970, bs=0x8cded0, com_list=0x8ded30) at bifs/memory_decoder.c:917
    #7935 0x00007ffff6cd7075 in gf_bifs_decode_command_list (codec=0x8de970, ESID=<optimized out>,
        data=0x8dedb0 "\314\314", '\060' <repeats 169 times>, "\020", '\060' <repeats 28 times>..., data_length=0x2010, com_list=0x8ded30) at bifs/memory_decoder.c:1038
    #7936 0x00007ffff70b378e in gf_sm_load_run_isom (load=0x7fffffff8660) at scene_manager/loader_isom.c:303
    #7937 0x00007ffff70765ab in gf_sm_load_run (load=0x7fffffff8660) at scene_manager/scene_manager.c:719
    #7938 0x0000000000443136 in dump_isom_scene (file=<optimized out>, inName=0x7fffffffe754 "/dev/null", is_final_name=GF_TRUE, dump_mode=GF_SM_DUMP_X3D_VRML,
        do_log=<optimized out>, no_odf_conv=<optimized out>) at filedump.c:203
    #7939 0x0000000000434038 in mp4box_main (argc=<optimized out>, argv=<optimized out>) at mp4box.c:6344
    #7940 0x00007ffff657ec87 in __libc_start_main (main=0x4410a0 <main>, argc=0xa, argv=0x7fffffffe488, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>,
        stack_end=0x7fffffffe478) at ../csu/libc-start.c:310
    #7941 0x00000000004103fa in _start
    

**Impact**

DoS

CVE-2022-3222: Segmentation Fault in SFS_Expression in gpac

An issue was discovered in Bento4 through 1.6.0-639. A NULL pointer dereference occurs in AP4_DescriptorListWriter::Action in Core/Ap4Descriptor.h, called from AP4_EsDescriptor::WriteFields and AP4_Expandable::Write.

Hello, I use fuzzer to test bianry mp4split, and found some vulnerabilities,the following is the details.

**Bug1**

    root@c511e4bf49bc:/mp4split/mp4split# ./mp4split FishFuzz/crashes/id:000000,sig:06,src:000011,op:flip1,pos:31240,1216870
    =================================================================
    ==2589461==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000cfdb21 at pc 0x0000009a6c6c bp 0x7ffec6ff0d60 sp 0x7ffec6ff0510
    READ of size 237 at 0x000000cfdb21 thread T0
        #0 0x9a6c6b in __interceptor_fwrite.part.57 /llvm/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1143
        #1 0x7ab8fa in AP4_StdcFileByteStream::WritePartial(void const*, unsigned int, unsigned int&) (/mp4split/mp4split/mp4split+0x7ab8fa)
        #2 0x471cf7 in AP4_ByteStream::Write(void const*, unsigned int) (/mp4split/mp4split/mp4split+0x471cf7)
        #3 0x4d1be1 in AP4_HdlrAtom::WriteFields(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x4d1be1)
        #4 0x41378f in AP4_AtomListWriter::Action(AP4_Atom*) const (/mp4split/mp4split/mp4split+0x41378f)
        #5 0x483213 in AP4_ContainerAtom::WriteFields(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x483213)
        #6 0x41378f in AP4_AtomListWriter::Action(AP4_Atom*) const (/mp4split/mp4split/mp4split+0x41378f)
        #7 0x483213 in AP4_ContainerAtom::WriteFields(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x483213)
        #8 0x41378f in AP4_AtomListWriter::Action(AP4_Atom*) const (/mp4split/mp4split/mp4split+0x41378f)
        #9 0x483213 in AP4_ContainerAtom::WriteFields(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x483213)
        #10 0x40d872 in main (/mp4split/mp4split/mp4split+0x40d872)
        #11 0x7f7ce8910c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #12 0x407689 in _start (/mp4split/mp4split/mp4split+0x407689)
    
    0x000000cfdb21 is located 63 bytes to the left of global variable 'AP4_GlobalOptions::g_Entries' defined in '/Bento4-1.5.1-629/Source/C++/Core/Ap4Utils.cpp:37:56' (0xcfdb60) of size 8
    0x000000cfdb21 is located 0 bytes to the right of global variable 'AP4_String::EmptyString' defined in '/Bento4-1.5.1-629/Source/C++/Core/Ap4String.cpp:39:18' (0xcfdb20) of size 1
      'AP4_String::EmptyString' is ascii string ''
    SUMMARY: AddressSanitizer: global-buffer-overflow /llvm/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1143 in __interceptor_fwrite.part.57
    Shadow bytes around the buggy address:
      0x000080197b10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x000080197b20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f9
      0x000080197b30: f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9 00 00 00 f9
      0x000080197b40: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 f9 f9 f9
      0x000080197b50: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 f9 f9 f9
    =>0x000080197b60: f9 f9 f9 f9[01]f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
      0x000080197b70: f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9 00 00 00 00
      0x000080197b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x000080197b90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x000080197ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x000080197bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==2589461==ABORTING
    

**Bug2**

    root@c511e4bf49bc:/mp4split/mp4split# ./mp4split FishFuzz/crashes/id:000001,sig:06,src:000011,op:flip1,pos:31415,1226899
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==2659777==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000096b50a bp 0x7ffda4354030 sp 0x7ffda4353e70 T0)
    ==2659777==The signal is caused by a READ memory access.
    ==2659777==Hint: address points to the zero page.
        #0 0x96b50a in AP4_DescriptorListWriter::Action(AP4_Descriptor*) const (/mp4split/mp4split/mp4split+0x96b50a)
        #1 0x88e625 in AP4_EsDescriptor::WriteFields(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x88e625)
        #2 0x896a7f in AP4_Expandable::Write(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x896a7f)
        #3 0x4bdbcd in AP4_EsdsAtom::WriteFields(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x4bdbcd)
        #4 0x41378f in AP4_AtomListWriter::Action(AP4_Atom*) const (/mp4split/mp4split/mp4split+0x41378f)
        #5 0x61dbf8 in AP4_SampleEntry::Write(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x61dbf8)
        #6 0x41378f in AP4_AtomListWriter::Action(AP4_Atom*) const (/mp4split/mp4split/mp4split+0x41378f)
        #7 0x676f0b in AP4_StsdAtom::WriteFields(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x676f0b)
        #8 0x41378f in AP4_AtomListWriter::Action(AP4_Atom*) const (/mp4split/mp4split/mp4split+0x41378f)
        #9 0x483213 in AP4_ContainerAtom::WriteFields(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x483213)
        #10 0x41378f in AP4_AtomListWriter::Action(AP4_Atom*) const (/mp4split/mp4split/mp4split+0x41378f)
        #11 0x483213 in AP4_ContainerAtom::WriteFields(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x483213)
        #12 0x41378f in AP4_AtomListWriter::Action(AP4_Atom*) const (/mp4split/mp4split/mp4split+0x41378f)
        #13 0x483213 in AP4_ContainerAtom::WriteFields(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x483213)
        #14 0x41378f in AP4_AtomListWriter::Action(AP4_Atom*) const (/mp4split/mp4split/mp4split+0x41378f)
        #15 0x483213 in AP4_ContainerAtom::WriteFields(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x483213)
        #16 0x41378f in AP4_AtomListWriter::Action(AP4_Atom*) const (/mp4split/mp4split/mp4split+0x41378f)
        #17 0x483213 in AP4_ContainerAtom::WriteFields(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x483213)
        #18 0x40d872 in main (/mp4split/mp4split/mp4split+0x40d872)
        #19 0x7f1636a2cc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #20 0x407689 in _start (/mp4split/mp4split/mp4split+0x407689)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV (/mp4split/mp4split/mp4split+0x96b50a) in AP4_DescriptorListWriter::Action(AP4_Descriptor*) const
    ==2659777==ABORTING
    

**poc**

crash.zip

**environment**

Ubuntu 18.04(docker)

**credit**

Yuhang Huang (NCNIPC of China)  
Han Zheng (NCNIPC of China, Hexhive)

Thansk for your time!

CVE-2022-40738: there are some vulnerabilities in binary mp4split · Issue #756 · axiomatic-systems/Bento4

An issue was discovered in Bento4 1.6.0-639. There ie excessive memory consumption in AP4_CttsAtom::Create in Core/Ap4CttsAtom.cpp.

**summary**

Hello, I use my fuzzer to fuzz binary mp4tag mp4split and mp42hevc, the three binary all crashede, and shows that allocator is out of memory trying to allocate 0xxxxxxx bytes. The version of Bento4 is the latest and the operation system is Ubuntu 18.04(docker). The following is the details.

**Bug1**

    root@c511e4bf49bc:/mp42hevc/mp42hevc# ./mp42hevc seed.demo out.hevc 
    =================================================================
    ==92089==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0x54ba37b78 bytes
        #0 0xa1b020 in malloc /llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x7fe65b2d6297 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x93297)
        #2 0x6c1b9b in AP4_CttsAtom::Create(unsigned int, AP4_ByteStream&) (/mp42hevc/mp42hevc/mp42hevc+0x6c1b9b)
        #3 0x5cf24c in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/mp42hevc/mp42hevc/mp42hevc+0x5cf24c)
        #4 0x5dcbb6 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/mp42hevc/mp42hevc/mp42hevc+0x5dcbb6)
        #5 0x6bd7a5 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/mp42hevc/mp42hevc/mp42hevc+0x6bd7a5)
        #6 0x6bc7f9 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) (/mp42hevc/mp42hevc/mp42hevc+0x6bc7f9)
        #7 0x5d5f65 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/mp42hevc/mp42hevc/mp42hevc+0x5d5f65)
        #8 0x5dcbb6 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/mp42hevc/mp42hevc/mp42hevc+0x5dcbb6)
        #9 0x6bd7a5 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/mp42hevc/mp42hevc/mp42hevc+0x6bd7a5)
        #10 0x6bcf4a in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) (/mp42hevc/mp42hevc/mp42hevc+0x6bcf4a)
        #11 0x5d5abc in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/mp42hevc/mp42hevc/mp42hevc+0x5d5abc)
        #12 0x5dcbb6 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/mp42hevc/mp42hevc/mp42hevc+0x5dcbb6)
        #13 0x6bd7a5 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/mp42hevc/mp42hevc/mp42hevc+0x6bd7a5)
        #14 0x6bfa61 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) (/mp42hevc/mp42hevc/mp42hevc+0x6bfa61)
    
    ==92089==HINT: if you don't care about these errors you may set allocator_may_return_null=1
    SUMMARY: AddressSanitizer: out-of-memory /llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145 in malloc
    ==92089==ABORTING
    my test case:
    
    

**Bug2**

    root@c511e4bf49bc:/mp42hevc/mp42hevc# /mp4box/mp4tag/mp4tag /mp4box/mp4tag/seed.demo 
    =================================================================
    ==843687==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0x3a35b4320 bytes
        #0 0xa38ee0 in malloc /llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x7f9f81086297 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x93297)
        #2 0x4ae28b in AP4_CttsAtom::Create(unsigned int, AP4_ByteStream&) (/mp4box/mp4tag/mp4tag+0x4ae28b)
        #3 0x45f0fc in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/mp4box/mp4tag/mp4tag+0x45f0fc)
        #4 0x46ca96 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/mp4box/mp4tag/mp4tag+0x46ca96)
        #5 0x4a9e92 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/mp4box/mp4tag/mp4tag+0x4a9e92)
        #6 0x4ac151 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) (/mp4box/mp4tag/mp4tag+0x4ac151)
    
    ==843687==HINT: if you don't care about these errors you may set allocator_may_return_null=1
    SUMMARY: AddressSanitizer: out-of-memory /llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145 in malloc
    ==843687==ABORTING
    

**Bug3**

    root@c511e4bf49bc:/mp4split/mp4split# ./mp4split FishFuzz/crashes/id:000025,sig:06,src:000215,op:flip1,pos:31468,26038495
    =================================================================
    ==3151765==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0x400000068 bytes
        #0 0xa19d40 in malloc /llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x7f8d59cb9297 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x93297)
        #2 0x48fc9b in AP4_CttsAtom::Create(unsigned int, AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x48fc9b)
        #3 0x440aec in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/mp4split/mp4split/mp4split+0x440aec)
        #4 0x44e46b in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/mp4split/mp4split/mp4split+0x44e46b)
        #5 0x48b8a5 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/mp4split/mp4split/mp4split+0x48b8a5)
        #6 0x48b04a in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) (/mp4split/mp4split/mp4split+0x48b04a)
        #7 0x44735c in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/mp4split/mp4split/mp4split+0x44735c)
        #8 0x44e46b in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/mp4split/mp4split/mp4split+0x44e46b)
        #9 0x48b8a5 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/mp4split/mp4split/mp4split+0x48b8a5)
        #10 0x48b04a in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) (/mp4split/mp4split/mp4split+0x48b04a)
        #11 0x44735c in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/mp4split/mp4split/mp4split+0x44735c)
        #12 0x44e46b in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/mp4split/mp4split/mp4split+0x44e46b)
        #13 0x48b8a5 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/mp4split/mp4split/mp4split+0x48b8a5)
        #14 0x48b04a in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) (/mp4split/mp4split/mp4split+0x48b04a)
        #15 0x44735c in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/mp4split/mp4split/mp4split+0x44735c)
        #16 0x44e46b in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/mp4split/mp4split/mp4split+0x44e46b)
        #17 0x48b8a5 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/mp4split/mp4split/mp4split+0x48b8a5)
        #18 0x48db61 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) (/mp4split/mp4split/mp4split+0x48db61)
    
    ==3151765==HINT: if you don't care about these errors you may set allocator_may_return_null=1
    SUMMARY: AddressSanitizer: out-of-memory /llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145 in malloc
    ==3151765==ABORTING
    
    
    

**POC**

MP42hevc\_crash.zip  
MP4tag\_crash.zip  
mp4split\_crash.zip

**Credit**

Yuhang Huang (NCNIPC of China)  
Han Zheng (NCNIPC of China, Hexhive)

Thank you for your time!

CVE-2022-40736: Out of memory in AP4_CttsAtom::Create(unsigned int, AP4_ByteStream&) · Issue #755 · axiomatic-systems/Bento4

Buffer overflow vulnerability in function AP4_MemoryByteStream::WritePartial in mp42aac in Bento4 v1.6.0-639, allows attackers to cause a denial of service via a crafted file.

Hi, developers of Bento4:  
In the test of the binary mp42aac instrumented with ASAN. There are some inputs causing heap-buffer-overflow. Here is the ASAN mode output:

\=================================================================  
\==4695==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6190000027a0 at pc 0x7ffff6ef6964 bp 0x7fffffffdea0 sp 0x7fffffffd648  
WRITE of size 4294967288 at 0x6190000027a0 thread T0  
#0 0x7ffff6ef6963 in \_\_asan\_memcpy (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x8c963)  
#1 0x409ed4 in AP4\_MemoryByteStream::WritePartial(void const\*, unsigned int, unsigned int&) /home/ferry/dp/Bento4/Source/C++/Core/Ap4ByteStream.cpp:785  
#2 0x40d9e3 in AP4\_ByteStream::Write(void const\*, unsigned int) /home/ferry/dp/Bento4/Source/C++/Core/Ap4ByteStream.cpp:77  
#3 0x4eb601 in AP4\_Atom::Write(AP4\_ByteStream&) /home/ferry/dp/Bento4/Source/C++/Core/Ap4Atom.cpp:229  
#4 0x4eb601 in AP4\_Atom::Clone() /home/ferry/dp/Bento4/Source/C++/Core/Ap4Atom.cpp:316  
#5 0x446d7a in AP4\_SampleDescription::AP4\_SampleDescription(AP4\_SampleDescription::Type, unsigned int, AP4\_AtomParent\*) /home/ferry/dp/Bento4/Source/C++/Core/Ap4SampleDescription.cpp:138  
#6 0x461a8f in AP4\_GenericAudioSampleDescription::AP4\_GenericAudioSampleDescription(unsigned int, unsigned int, unsigned short, unsigned short, AP4\_AtomParent\*) /home/ferry/dp/Bento4/Source/C++/Core/Ap4SampleDescription.h:259  
#7 0x461a8f in AP4\_AudioSampleEntry::ToSampleDescription() /home/ferry/dp/Bento4/Source/C++/Core/Ap4SampleEntry.cpp:630  
#8 0x48ca03 in AP4\_StsdAtom::GetSampleDescription(unsigned int) /home/ferry/dp/Bento4/Source/C++/Core/Ap4StsdAtom.cpp:181  
#9 0x4040b6 in main /home/ferry/dp/Bento4/Source/C++/Apps/Mp42Aac/Mp42Aac.cpp:268  
#10 0x7ffff61bb83f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2083f)  
#11 0x408338 in \_start (/home/ferry/dp/Bento4/mp42aac+0x408338)

0x6190000027a0 is located 0 bytes to the right of 1056-byte region \[0x619000002380,0x6190000027a0)  
allocated by thread T0 here:  
#0 0x7ffff6f03712 in operator new\[\](unsigned long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x99712)  
#1 0x414c8e in AP4\_DataBuffer::ReallocateBuffer(unsigned int) /home/ferry/dp/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:210  
#2 0x414c8e in AP4\_DataBuffer::SetBufferSize(unsigned int) /home/ferry/dp/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:136  
#3 0x414c8e in AP4\_DataBuffer::Reserve(unsigned int) /home/ferry/dp/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:107

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 \_\_asan\_memcpy  
Shadow bytes around the buggy address:  
0x0c327fff84a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c327fff84b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c327fff84c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c327fff84d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c327fff84e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
\=>0x0c327fff84f0: 00 00 00 00\[fa\]fa fa fa fa fa fa fa fa fa fa fa  
0x0c327fff8500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c327fff8510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c327fff8520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c327fff8530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c327fff8540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Heap right redzone: fb  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack partial redzone: f4  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
\==4695==ABORTING

**Crash input**

https://github.com/17ssDP/fuzzer\_crashes/blob/main/Bento4/input2

**Validation steps**

    git clone https://github.com/axiomatic-systems/Bento4
    cd Bento4/
    mkdir check_build && cd check_build
    cmake ../ -DCMAKE_C_COMPILER=clang  -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_FLAGS="-fsanitize=address" -DCMAKE_CXX_FLAGS="-fsanitize=address" -DCMAKE_BUILD_TYPE=Release
    make -j 
    ./mp42aac input2 /dev/null
    

**Environment**

Ubuntu 16.04  
Clang 10.0.1  
gcc 5.5

CVE-2022-40438: Heap-buffer-overflow with ASAN in mp42aac · Issue #751 · axiomatic-systems/Bento4

An memory leak issue was discovered in AP4_StdcFileByteStream::Create in mp42ts in Bento4 v1.6.0-639, allows attackers to cause a denial of service via a crafted file.

Hi, developers of Bento4:  
In the test of the binary mp42ts instrumented with ASAN. There are some inputs causing memory leaks. Here is the ASAN mode output:

\=================================================================  
\==18321==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 48 byte(s) in 1 object(s) allocated from:  
#0 0x7ffff6f03592 in operator new(unsigned long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x99592)  
#1 0x4c871d in AP4\_StdcFileByteStream::Create(AP4\_FileByteStream\*, char const\*, AP4\_FileByteStream::Mode, AP4\_ByteStream\*&) /home/ferry/dp/chunkfuzzer-evaluation/unibench-latest/Bento4/Source/C++/System/StdC/Ap4StdCFileByteStream.cpp:279  
#2 0x4c871d in AP4\_FileByteStream::Create(char const\*, AP4\_FileByteStream::Mode, AP4\_ByteStream\*&) /home/ferry/dp/chunkfuzzer-evaluation/unibench-latest/Bento4/Source/C++/System/StdC/Ap4StdCFileByteStream.cpp:439

Indirect leak of 72 byte(s) in 1 object(s) allocated from:  
#0 0x7ffff6f03592 in operator new(unsigned long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x99592)  
#1 0x404286 in main /home/ferry/dp/chunkfuzzer-evaluation/unibench-latest/Bento4/Source/C++/Apps/Mp42Ts/Mp42Ts.cpp:511  
#2 0x7ffff61bb83f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2083f)

Indirect leak of 64 byte(s) in 1 object(s) allocated from:  
#0 0x7ffff6f03592 in operator new(unsigned long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x99592)  
#1 0x4f57d1 in AP4\_RtpAtom::Create(unsigned int, AP4\_ByteStream&) /home/ferry/dp/chunkfuzzer-evaluation/unibench-latest/Bento4/Source/C++/Core/Ap4RtpAtom.h:53  
#2 0x4f57d1 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /home/ferry/dp/chunkfuzzer-evaluation/unibench-latest/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:689

Indirect leak of 24 byte(s) in 1 object(s) allocated from:  
#0 0x7ffff6f03592 in operator new(unsigned long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x99592)  
#1 0x4d2591 in AP4\_List<AP4\_Atom>::Add(AP4\_Atom\*) /home/ferry/dp/chunkfuzzer-evaluation/unibench-latest/Bento4/Source/C++/Core/Ap4List.h:160  
#2 0x4d2591 in AP4\_AtomParent::AddChild(AP4\_Atom\*, int) /home/ferry/dp/chunkfuzzer-evaluation/unibench-latest/Bento4/Source/C++/Core/Ap4Atom.cpp:532

SUMMARY: AddressSanitizer: 208 byte(s) leaked in 4 allocation(s).

****Crash Input****

https://github.com/17ssDP/fuzzer\_crashes/blob/main/Bento4/input1

**Verification steps：**

    git clone https://github.com/axiomatic-systems/Bento4
    cd Bento4/
    mkdir check_build && cd check_build
    cmake ../ -DCMAKE_C_COMPILER=clang  -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_FLAGS="-fsanitize=address" -DCMAKE_CXX_FLAGS="-fsanitize=address" -DCMAKE_BUILD_TYPE=Release
    make -j 
    ./mp42ts input1 /dev/null
    

**Environment**

Ubuntu 16.04  
Clang 10.0.1  
gcc 5.5

Tag

#c++