An issue was discovered in Bento4 through 1.6.0-639. A NULL pointer dereference occurs in AP4_DescriptorListWriter::Action in Core/Ap4Descriptor.h, called from AP4_EsDescriptor::WriteFields and AP4_Expandable::Write.

Hello, I use fuzzer to test bianry mp4split, and found some vulnerabilities,the following is the details.

**Bug1**

    root@c511e4bf49bc:/mp4split/mp4split# ./mp4split FishFuzz/crashes/id:000000,sig:06,src:000011,op:flip1,pos:31240,1216870
    =================================================================
    ==2589461==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000cfdb21 at pc 0x0000009a6c6c bp 0x7ffec6ff0d60 sp 0x7ffec6ff0510
    READ of size 237 at 0x000000cfdb21 thread T0
        #0 0x9a6c6b in __interceptor_fwrite.part.57 /llvm/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1143
        #1 0x7ab8fa in AP4_StdcFileByteStream::WritePartial(void const*, unsigned int, unsigned int&) (/mp4split/mp4split/mp4split+0x7ab8fa)
        #2 0x471cf7 in AP4_ByteStream::Write(void const*, unsigned int) (/mp4split/mp4split/mp4split+0x471cf7)
        #3 0x4d1be1 in AP4_HdlrAtom::WriteFields(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x4d1be1)
        #4 0x41378f in AP4_AtomListWriter::Action(AP4_Atom*) const (/mp4split/mp4split/mp4split+0x41378f)
        #5 0x483213 in AP4_ContainerAtom::WriteFields(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x483213)
        #6 0x41378f in AP4_AtomListWriter::Action(AP4_Atom*) const (/mp4split/mp4split/mp4split+0x41378f)
        #7 0x483213 in AP4_ContainerAtom::WriteFields(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x483213)
        #8 0x41378f in AP4_AtomListWriter::Action(AP4_Atom*) const (/mp4split/mp4split/mp4split+0x41378f)
        #9 0x483213 in AP4_ContainerAtom::WriteFields(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x483213)
        #10 0x40d872 in main (/mp4split/mp4split/mp4split+0x40d872)
        #11 0x7f7ce8910c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #12 0x407689 in _start (/mp4split/mp4split/mp4split+0x407689)
    
    0x000000cfdb21 is located 63 bytes to the left of global variable 'AP4_GlobalOptions::g_Entries' defined in '/Bento4-1.5.1-629/Source/C++/Core/Ap4Utils.cpp:37:56' (0xcfdb60) of size 8
    0x000000cfdb21 is located 0 bytes to the right of global variable 'AP4_String::EmptyString' defined in '/Bento4-1.5.1-629/Source/C++/Core/Ap4String.cpp:39:18' (0xcfdb20) of size 1
      'AP4_String::EmptyString' is ascii string ''
    SUMMARY: AddressSanitizer: global-buffer-overflow /llvm/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1143 in __interceptor_fwrite.part.57
    Shadow bytes around the buggy address:
      0x000080197b10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x000080197b20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f9
      0x000080197b30: f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9 00 00 00 f9
      0x000080197b40: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 f9 f9 f9
      0x000080197b50: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 f9 f9 f9
    =>0x000080197b60: f9 f9 f9 f9[01]f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
      0x000080197b70: f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9 00 00 00 00
      0x000080197b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x000080197b90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x000080197ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x000080197bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==2589461==ABORTING
    

**Bug2**

    root@c511e4bf49bc:/mp4split/mp4split# ./mp4split FishFuzz/crashes/id:000001,sig:06,src:000011,op:flip1,pos:31415,1226899
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==2659777==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000096b50a bp 0x7ffda4354030 sp 0x7ffda4353e70 T0)
    ==2659777==The signal is caused by a READ memory access.
    ==2659777==Hint: address points to the zero page.
        #0 0x96b50a in AP4_DescriptorListWriter::Action(AP4_Descriptor*) const (/mp4split/mp4split/mp4split+0x96b50a)
        #1 0x88e625 in AP4_EsDescriptor::WriteFields(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x88e625)
        #2 0x896a7f in AP4_Expandable::Write(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x896a7f)
        #3 0x4bdbcd in AP4_EsdsAtom::WriteFields(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x4bdbcd)
        #4 0x41378f in AP4_AtomListWriter::Action(AP4_Atom*) const (/mp4split/mp4split/mp4split+0x41378f)
        #5 0x61dbf8 in AP4_SampleEntry::Write(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x61dbf8)
        #6 0x41378f in AP4_AtomListWriter::Action(AP4_Atom*) const (/mp4split/mp4split/mp4split+0x41378f)
        #7 0x676f0b in AP4_StsdAtom::WriteFields(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x676f0b)
        #8 0x41378f in AP4_AtomListWriter::Action(AP4_Atom*) const (/mp4split/mp4split/mp4split+0x41378f)
        #9 0x483213 in AP4_ContainerAtom::WriteFields(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x483213)
        #10 0x41378f in AP4_AtomListWriter::Action(AP4_Atom*) const (/mp4split/mp4split/mp4split+0x41378f)
        #11 0x483213 in AP4_ContainerAtom::WriteFields(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x483213)
        #12 0x41378f in AP4_AtomListWriter::Action(AP4_Atom*) const (/mp4split/mp4split/mp4split+0x41378f)
        #13 0x483213 in AP4_ContainerAtom::WriteFields(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x483213)
        #14 0x41378f in AP4_AtomListWriter::Action(AP4_Atom*) const (/mp4split/mp4split/mp4split+0x41378f)
        #15 0x483213 in AP4_ContainerAtom::WriteFields(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x483213)
        #16 0x41378f in AP4_AtomListWriter::Action(AP4_Atom*) const (/mp4split/mp4split/mp4split+0x41378f)
        #17 0x483213 in AP4_ContainerAtom::WriteFields(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x483213)
        #18 0x40d872 in main (/mp4split/mp4split/mp4split+0x40d872)
        #19 0x7f1636a2cc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #20 0x407689 in _start (/mp4split/mp4split/mp4split+0x407689)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV (/mp4split/mp4split/mp4split+0x96b50a) in AP4_DescriptorListWriter::Action(AP4_Descriptor*) const
    ==2659777==ABORTING
    

**poc**

crash.zip

**environment**

Ubuntu 18.04(docker)

**credit**

Yuhang Huang (NCNIPC of China)  
Han Zheng (NCNIPC of China, Hexhive)

Thansk for your time!

CVE-2022-40738: there are some vulnerabilities in binary mp4split · Issue #756 · axiomatic-systems/Bento4

An issue was discovered in Bento4 1.6.0-639. There ie excessive memory consumption in AP4_CttsAtom::Create in Core/Ap4CttsAtom.cpp.

**summary**

Hello, I use my fuzzer to fuzz binary mp4tag mp4split and mp42hevc, the three binary all crashede, and shows that allocator is out of memory trying to allocate 0xxxxxxx bytes. The version of Bento4 is the latest and the operation system is Ubuntu 18.04(docker). The following is the details.

**Bug1**

    root@c511e4bf49bc:/mp42hevc/mp42hevc# ./mp42hevc seed.demo out.hevc 
    =================================================================
    ==92089==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0x54ba37b78 bytes
        #0 0xa1b020 in malloc /llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x7fe65b2d6297 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x93297)
        #2 0x6c1b9b in AP4_CttsAtom::Create(unsigned int, AP4_ByteStream&) (/mp42hevc/mp42hevc/mp42hevc+0x6c1b9b)
        #3 0x5cf24c in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/mp42hevc/mp42hevc/mp42hevc+0x5cf24c)
        #4 0x5dcbb6 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/mp42hevc/mp42hevc/mp42hevc+0x5dcbb6)
        #5 0x6bd7a5 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/mp42hevc/mp42hevc/mp42hevc+0x6bd7a5)
        #6 0x6bc7f9 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) (/mp42hevc/mp42hevc/mp42hevc+0x6bc7f9)
        #7 0x5d5f65 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/mp42hevc/mp42hevc/mp42hevc+0x5d5f65)
        #8 0x5dcbb6 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/mp42hevc/mp42hevc/mp42hevc+0x5dcbb6)
        #9 0x6bd7a5 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/mp42hevc/mp42hevc/mp42hevc+0x6bd7a5)
        #10 0x6bcf4a in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) (/mp42hevc/mp42hevc/mp42hevc+0x6bcf4a)
        #11 0x5d5abc in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/mp42hevc/mp42hevc/mp42hevc+0x5d5abc)
        #12 0x5dcbb6 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/mp42hevc/mp42hevc/mp42hevc+0x5dcbb6)
        #13 0x6bd7a5 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/mp42hevc/mp42hevc/mp42hevc+0x6bd7a5)
        #14 0x6bfa61 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) (/mp42hevc/mp42hevc/mp42hevc+0x6bfa61)
    
    ==92089==HINT: if you don't care about these errors you may set allocator_may_return_null=1
    SUMMARY: AddressSanitizer: out-of-memory /llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145 in malloc
    ==92089==ABORTING
    my test case:
    
    

**Bug2**

    root@c511e4bf49bc:/mp42hevc/mp42hevc# /mp4box/mp4tag/mp4tag /mp4box/mp4tag/seed.demo 
    =================================================================
    ==843687==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0x3a35b4320 bytes
        #0 0xa38ee0 in malloc /llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x7f9f81086297 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x93297)
        #2 0x4ae28b in AP4_CttsAtom::Create(unsigned int, AP4_ByteStream&) (/mp4box/mp4tag/mp4tag+0x4ae28b)
        #3 0x45f0fc in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/mp4box/mp4tag/mp4tag+0x45f0fc)
        #4 0x46ca96 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/mp4box/mp4tag/mp4tag+0x46ca96)
        #5 0x4a9e92 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/mp4box/mp4tag/mp4tag+0x4a9e92)
        #6 0x4ac151 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) (/mp4box/mp4tag/mp4tag+0x4ac151)
    
    ==843687==HINT: if you don't care about these errors you may set allocator_may_return_null=1
    SUMMARY: AddressSanitizer: out-of-memory /llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145 in malloc
    ==843687==ABORTING
    

**Bug3**

    root@c511e4bf49bc:/mp4split/mp4split# ./mp4split FishFuzz/crashes/id:000025,sig:06,src:000215,op:flip1,pos:31468,26038495
    =================================================================
    ==3151765==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0x400000068 bytes
        #0 0xa19d40 in malloc /llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x7f8d59cb9297 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x93297)
        #2 0x48fc9b in AP4_CttsAtom::Create(unsigned int, AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x48fc9b)
        #3 0x440aec in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/mp4split/mp4split/mp4split+0x440aec)
        #4 0x44e46b in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/mp4split/mp4split/mp4split+0x44e46b)
        #5 0x48b8a5 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/mp4split/mp4split/mp4split+0x48b8a5)
        #6 0x48b04a in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) (/mp4split/mp4split/mp4split+0x48b04a)
        #7 0x44735c in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/mp4split/mp4split/mp4split+0x44735c)
        #8 0x44e46b in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/mp4split/mp4split/mp4split+0x44e46b)
        #9 0x48b8a5 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/mp4split/mp4split/mp4split+0x48b8a5)
        #10 0x48b04a in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) (/mp4split/mp4split/mp4split+0x48b04a)
        #11 0x44735c in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/mp4split/mp4split/mp4split+0x44735c)
        #12 0x44e46b in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/mp4split/mp4split/mp4split+0x44e46b)
        #13 0x48b8a5 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/mp4split/mp4split/mp4split+0x48b8a5)
        #14 0x48b04a in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) (/mp4split/mp4split/mp4split+0x48b04a)
        #15 0x44735c in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/mp4split/mp4split/mp4split+0x44735c)
        #16 0x44e46b in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/mp4split/mp4split/mp4split+0x44e46b)
        #17 0x48b8a5 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/mp4split/mp4split/mp4split+0x48b8a5)
        #18 0x48db61 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) (/mp4split/mp4split/mp4split+0x48db61)
    
    ==3151765==HINT: if you don't care about these errors you may set allocator_may_return_null=1
    SUMMARY: AddressSanitizer: out-of-memory /llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145 in malloc
    ==3151765==ABORTING
    
    
    

**POC**

MP42hevc\_crash.zip  
MP4tag\_crash.zip  
mp4split\_crash.zip

**Credit**

Yuhang Huang (NCNIPC of China)  
Han Zheng (NCNIPC of China, Hexhive)

Thank you for your time!

CVE-2022-40736: Out of memory in AP4_CttsAtom::Create(unsigned int, AP4_ByteStream&) · Issue #755 · axiomatic-systems/Bento4

Buffer overflow vulnerability in function AP4_MemoryByteStream::WritePartial in mp42aac in Bento4 v1.6.0-639, allows attackers to cause a denial of service via a crafted file.

Hi, developers of Bento4:  
In the test of the binary mp42aac instrumented with ASAN. There are some inputs causing heap-buffer-overflow. Here is the ASAN mode output:

\=================================================================  
\==4695==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6190000027a0 at pc 0x7ffff6ef6964 bp 0x7fffffffdea0 sp 0x7fffffffd648  
WRITE of size 4294967288 at 0x6190000027a0 thread T0  
#0 0x7ffff6ef6963 in \_\_asan\_memcpy (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x8c963)  
#1 0x409ed4 in AP4\_MemoryByteStream::WritePartial(void const\*, unsigned int, unsigned int&) /home/ferry/dp/Bento4/Source/C++/Core/Ap4ByteStream.cpp:785  
#2 0x40d9e3 in AP4\_ByteStream::Write(void const\*, unsigned int) /home/ferry/dp/Bento4/Source/C++/Core/Ap4ByteStream.cpp:77  
#3 0x4eb601 in AP4\_Atom::Write(AP4\_ByteStream&) /home/ferry/dp/Bento4/Source/C++/Core/Ap4Atom.cpp:229  
#4 0x4eb601 in AP4\_Atom::Clone() /home/ferry/dp/Bento4/Source/C++/Core/Ap4Atom.cpp:316  
#5 0x446d7a in AP4\_SampleDescription::AP4\_SampleDescription(AP4\_SampleDescription::Type, unsigned int, AP4\_AtomParent\*) /home/ferry/dp/Bento4/Source/C++/Core/Ap4SampleDescription.cpp:138  
#6 0x461a8f in AP4\_GenericAudioSampleDescription::AP4\_GenericAudioSampleDescription(unsigned int, unsigned int, unsigned short, unsigned short, AP4\_AtomParent\*) /home/ferry/dp/Bento4/Source/C++/Core/Ap4SampleDescription.h:259  
#7 0x461a8f in AP4\_AudioSampleEntry::ToSampleDescription() /home/ferry/dp/Bento4/Source/C++/Core/Ap4SampleEntry.cpp:630  
#8 0x48ca03 in AP4\_StsdAtom::GetSampleDescription(unsigned int) /home/ferry/dp/Bento4/Source/C++/Core/Ap4StsdAtom.cpp:181  
#9 0x4040b6 in main /home/ferry/dp/Bento4/Source/C++/Apps/Mp42Aac/Mp42Aac.cpp:268  
#10 0x7ffff61bb83f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2083f)  
#11 0x408338 in \_start (/home/ferry/dp/Bento4/mp42aac+0x408338)

0x6190000027a0 is located 0 bytes to the right of 1056-byte region \[0x619000002380,0x6190000027a0)  
allocated by thread T0 here:  
#0 0x7ffff6f03712 in operator new\[\](unsigned long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x99712)  
#1 0x414c8e in AP4\_DataBuffer::ReallocateBuffer(unsigned int) /home/ferry/dp/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:210  
#2 0x414c8e in AP4\_DataBuffer::SetBufferSize(unsigned int) /home/ferry/dp/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:136  
#3 0x414c8e in AP4\_DataBuffer::Reserve(unsigned int) /home/ferry/dp/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:107

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 \_\_asan\_memcpy  
Shadow bytes around the buggy address:  
0x0c327fff84a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c327fff84b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c327fff84c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c327fff84d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c327fff84e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
\=>0x0c327fff84f0: 00 00 00 00\[fa\]fa fa fa fa fa fa fa fa fa fa fa  
0x0c327fff8500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c327fff8510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c327fff8520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c327fff8530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c327fff8540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Heap right redzone: fb  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack partial redzone: f4  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
\==4695==ABORTING

**Crash input**

https://github.com/17ssDP/fuzzer\_crashes/blob/main/Bento4/input2

**Validation steps**

    git clone https://github.com/axiomatic-systems/Bento4
    cd Bento4/
    mkdir check_build && cd check_build
    cmake ../ -DCMAKE_C_COMPILER=clang  -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_FLAGS="-fsanitize=address" -DCMAKE_CXX_FLAGS="-fsanitize=address" -DCMAKE_BUILD_TYPE=Release
    make -j 
    ./mp42aac input2 /dev/null
    

**Environment**

Ubuntu 16.04  
Clang 10.0.1  
gcc 5.5

CVE-2022-40438: Heap-buffer-overflow with ASAN in mp42aac · Issue #751 · axiomatic-systems/Bento4

An memory leak issue was discovered in AP4_StdcFileByteStream::Create in mp42ts in Bento4 v1.6.0-639, allows attackers to cause a denial of service via a crafted file.

Hi, developers of Bento4:  
In the test of the binary mp42ts instrumented with ASAN. There are some inputs causing memory leaks. Here is the ASAN mode output:

\=================================================================  
\==18321==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 48 byte(s) in 1 object(s) allocated from:  
#0 0x7ffff6f03592 in operator new(unsigned long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x99592)  
#1 0x4c871d in AP4\_StdcFileByteStream::Create(AP4\_FileByteStream\*, char const\*, AP4\_FileByteStream::Mode, AP4\_ByteStream\*&) /home/ferry/dp/chunkfuzzer-evaluation/unibench-latest/Bento4/Source/C++/System/StdC/Ap4StdCFileByteStream.cpp:279  
#2 0x4c871d in AP4\_FileByteStream::Create(char const\*, AP4\_FileByteStream::Mode, AP4\_ByteStream\*&) /home/ferry/dp/chunkfuzzer-evaluation/unibench-latest/Bento4/Source/C++/System/StdC/Ap4StdCFileByteStream.cpp:439

Indirect leak of 72 byte(s) in 1 object(s) allocated from:  
#0 0x7ffff6f03592 in operator new(unsigned long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x99592)  
#1 0x404286 in main /home/ferry/dp/chunkfuzzer-evaluation/unibench-latest/Bento4/Source/C++/Apps/Mp42Ts/Mp42Ts.cpp:511  
#2 0x7ffff61bb83f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2083f)

Indirect leak of 64 byte(s) in 1 object(s) allocated from:  
#0 0x7ffff6f03592 in operator new(unsigned long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x99592)  
#1 0x4f57d1 in AP4\_RtpAtom::Create(unsigned int, AP4\_ByteStream&) /home/ferry/dp/chunkfuzzer-evaluation/unibench-latest/Bento4/Source/C++/Core/Ap4RtpAtom.h:53  
#2 0x4f57d1 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /home/ferry/dp/chunkfuzzer-evaluation/unibench-latest/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:689

Indirect leak of 24 byte(s) in 1 object(s) allocated from:  
#0 0x7ffff6f03592 in operator new(unsigned long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x99592)  
#1 0x4d2591 in AP4\_List<AP4\_Atom>::Add(AP4\_Atom\*) /home/ferry/dp/chunkfuzzer-evaluation/unibench-latest/Bento4/Source/C++/Core/Ap4List.h:160  
#2 0x4d2591 in AP4\_AtomParent::AddChild(AP4\_Atom\*, int) /home/ferry/dp/chunkfuzzer-evaluation/unibench-latest/Bento4/Source/C++/Core/Ap4Atom.cpp:532

SUMMARY: AddressSanitizer: 208 byte(s) leaked in 4 allocation(s).

****Crash Input****

https://github.com/17ssDP/fuzzer\_crashes/blob/main/Bento4/input1

**Verification steps：**

    git clone https://github.com/axiomatic-systems/Bento4
    cd Bento4/
    mkdir check_build && cd check_build
    cmake ../ -DCMAKE_C_COMPILER=clang  -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_FLAGS="-fsanitize=address" -DCMAKE_CXX_FLAGS="-fsanitize=address" -DCMAKE_BUILD_TYPE=Release
    make -j 
    ./mp42ts input1 /dev/null
    

**Environment**

Ubuntu 16.04  
Clang 10.0.1  
gcc 5.5

CVE-2022-40439: Memory leaks with ASAN in mp42ts · Issue #750 · axiomatic-systems/Bento4

Ubuntu Security Notice 5611-1 - Several security issues were discovered in the WebKitGTK Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.

    ==========================================================================Ubuntu Security Notice USN-5611-1September 14, 2022webkit2gtk vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 20.04 LTSSummary:Several security issues were fixed in WebKitGTK.Software Description:- webkit2gtk: Web content engine library for GTK+Details:Several security issues were discovered in the WebKitGTK Web and JavaScriptengines. If a user were tricked into viewing a malicious website, a remoteattacker could exploit a variety of issues related to web browser security,including cross-site scripting attacks, denial of service attacks, andarbitrary code execution.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:  libjavascriptcoregtk-4.0-18     2.36.7-0ubuntu0.22.04.1  libjavascriptcoregtk-4.1-0      2.36.7-0ubuntu0.22.04.1  libwebkit2gtk-4.0-37            2.36.7-0ubuntu0.22.04.1  libwebkit2gtk-4.1-0             2.36.7-0ubuntu0.22.04.1Ubuntu 20.04 LTS:  libjavascriptcoregtk-4.0-18     2.36.7-0ubuntu0.20.04.1  libwebkit2gtk-4.0-37            2.36.7-0ubuntu0.20.04.1This update uses a new upstream release, which includes additional bugfixes. After a standard system update you need to restart any applicationsthat use WebKitGTK, such as Epiphany, to make all the necessary changes.References:  https://ubuntu.com/security/notices/USN-5611-1  CVE-2022-32893Package Information:  https://launchpad.net/ubuntu/+source/webkit2gtk/2.36.7-0ubuntu0.22.04.1  https://launchpad.net/ubuntu/+source/webkit2gtk/2.36.7-0ubuntu0.20.04.1

Ubuntu Security Notice USN-5611-1

Ubuntu Security Notice 5610-1 - Addison Crump discovered that rust-regex did not properly limit the complexity of the regular expressions it parses. An attacker could possibly use this issue to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-5610-1  
September 14, 2022

rust-regex vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

rust-regex could be made to crash if it received specially crafted  
input.

Software Description:  
- rust-regex: Regular expressions for Rust

Details:

Addison Crump discovered that rust-regex did not properly limit  
the complexity of the regular expressions (regex) it parses.  
An attacker could possibly use this issue to cause a denial of  
service.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
   librust-regex-dev               1.5.4-1ubuntu0.1

Ubuntu 20.04 LTS:  
   librust-regex-dev               1.2.1-3ubuntu0.1

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-5610-1  
   CVE-2022-24713

Package Information:  
   https://launchpad.net/ubuntu/+source/rust-regex/1.5.4-1ubuntu0.1  
   https://launchpad.net/ubuntu/+source/rust-regex/1.2.1-3ubuntu0.1

Ubuntu Security Notice USN-5610-1

Ubuntu Security Notice 5583-2 - USN-5583-1 fixed vulnerabilities in systemd. Unfortunately this caused a regression by introducing networking problems for some users. This update fixes the problem. It was discovered that systemd incorrectly handled certain DNS requests, which leads to user-after-free vulnerability. An attacker could possibly use this issue to cause a crash or execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-5583-2  
September 14, 2022

systemd regression  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS

Summary:

USN-5583-1 caused a regression in systemd

Software Description:  
- systemd: system and service manager

Details:

USN-5583-1 fixed vulnerabilities in systemd. Unfortunately this caused a   
regression by introducing netowrking problems for some users. This update fixes  
the problem.

We apologize for the inconvenience.

Original advisory details:

 It was discovered that systemd incorrectly handled certain DNS requests,   
 which leads to user-after-free vulnerability. An attacker could possibly use   
 this issue to cause a crash or execute arbitrary code. (CVE-2022-2526)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 18.04 LTS:  
  systemd                         237-3ubuntu10.56

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5583-2  
  https://ubuntu.com/security/notices/USN-5583-1  
  https://launchpad.net/bugs/1988119

Package Information:  
  https://launchpad.net/ubuntu/+source/systemd/237-3ubuntu10.56

Ubuntu Security Notice USN-5583-2

Ubuntu Security Notice 5609-1 - Graham Esau discovered that .NET 6 incorrectly parsed certain payloads during model binding. An attacker could possibly use this issue to cause a denial of service.

    ==========================================================================Ubuntu Security Notice USN-5609-1September 13, 2022dotnet6 vulnerability==========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTSSummary:.NET 6 could be made to crash if it parsed a specially crafted file.Software Description:- dotnet6: dotNET CLI tools and runtimeDetails:Graham Esau discovered that .NET 6 incorrectly parsed certain payloadsduring model binding. An attacker could possibly use this issue tocause a denial of service.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:   aspnetcore-runtime-6.0          6.0.109-0ubuntu1~22.04.1   dotnet-host                             6.0.109-0ubuntu1~22.04.1   dotnet-hostfxr-6.0                   6.0.109-0ubuntu1~22.04.1   dotnet-runtime-6.0                  6.0.109-0ubuntu1~22.04.1   dotnet-sdk-6.0                        6.0.109-0ubuntu1~22.04.1   dotnet6                                   6.0.109-0ubuntu1~22.04.1In general, a standard system update will make all the necessary changes. A restart may be required after the update if any affected files are being used.References:   https://ubuntu.com/security/notices/USN-5609-1   CVE-2022-38013Package Information:   https://launchpad.net/ubuntu/+source/dotnet6/6.0.109-0ubuntu1~22.04.1

Ubuntu Security Notice USN-5609-1

Ubuntu Security Notice 5608-1 - It was discovered that DPDK incorrectly handled certain Vhost headers. A remote attacker could possibly use this issue to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-5608-1  
September 13, 2022

dpdk vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

DPDK could be made to stop responding if it received specially crafted  
network traffic.

Software Description:  
- dpdk: set of libraries for fast packet processing

Details:

It was discovered that DPDK incorrectly handled certain Vhost headers. A  
remote attacker could possibly use this issue to cause a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
  dpdk                            21.11.2-0ubuntu0.22.04.1

Ubuntu 20.04 LTS:  
  dpdk                            19.11.13-0ubuntu0.20.04.1

Ubuntu 18.04 LTS:  
  dpdk                            17.11.10-0ubuntu0.2

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5608-1  
  CVE-2022-2132

Package Information:  
  https://launchpad.net/ubuntu/+source/dpdk/21.11.2-0ubuntu0.22.04.1  
  https://launchpad.net/ubuntu/+source/dpdk/19.11.13-0ubuntu0.20.04.1  
  https://launchpad.net/ubuntu/+source/dpdk/17.11.10-0ubuntu0.2

Ubuntu Security Notice USN-5608-1

Ubuntu Security Notice 5607-1 - It was discovered that GDK-PixBuf incorrectly handled certain images. An attacker could possibly use this issue to execute arbitrary code or cause a crash.

=========================================================================  
Ubuntu Security Notice USN-5607-1  
September 13, 2022

gdk-pixbuf vulnerability  
=========================================================================  
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS

Summary:

GDK-PixBuf could be made do execute arbitrary code or  
crash if it received a specially crafted image.

Software Description:  
- gdk-pixbuf: GDK Pixbuf library

Details:

It was discovered that GDK-PixBuf incorrectly handled certain images.  
An attacker could possibly use this issue to execute arbitrary code  
or cause a crash.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
  libgdk-pixbuf-2.0-0             2.42.8+dfsg-1ubuntu0.1

Ubuntu 20.04 LTS:  
  libgdk-pixbuf2.0-0              2.40.0+dfsg-3ubuntu0.4

After a standard system update you need to restart your session to make all  
the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5607-1  
  CVE-2021-44648

Package Information:  
  https://launchpad.net/ubuntu/+source/gdk-pixbuf/2.42.8+dfsg-1ubuntu0.1  
  https://launchpad.net/ubuntu/+source/gdk-pixbuf/2.40.0+dfsg-3ubuntu0.4

Tag

#ubuntu