Dear Bento4 developers, I used AFL++ to fuzz test Bento4 and found some problems.
To debug a program built with ASan, here is some output:
```
=================================================================
==3304149==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000160 at pc 0x00000055f635 bp 0x7ffce575b390 sp 0x7ffce575b388
READ of size 1 at 0x602000000160 thread T0
#0 0x55f634 in AP4_BitReader::ReadCache() const /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Utils.cpp:447:40
#1 0x55f634 in AP4_BitReader::ReadBits(unsigned int) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Utils.cpp:467:40
#2 0x689547 in AP4_Dac4Atom::AP4_Dac4Atom(unsigned int, unsigned char const*) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Dac4Atom.cpp:238:75
#3 0x68023a in AP4_Dac4Atom::Create(unsigned int, AP4_ByteStream&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Dac4Atom.cpp:58:16
#4 0x5e0d23 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4AtomFactory.cpp:776:24
#5 0x5dbfaf in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4AtomFactory.cpp:234:14
#6 0x66f83f in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
#7 0x5282fe in AP4_AudioSampleEntry::AP4_AudioSampleEntry(unsigned int, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4SampleEntry.cpp:420:5
#8 0x4eea5d in AP4_EncaSampleEntry::AP4_EncaSampleEntry(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Protection.cpp:74:5
#9 0x5df5d5 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4AtomFactory.cpp:298:24
#10 0x5dbfaf in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4AtomFactory.cpp:234:14
#11 0x5424ae in AP4_StsdAtom::AP4_StsdAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4StsdAtom.cpp:101:13
#12 0x53f61b in AP4_StsdAtom::Create(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4StsdAtom.cpp:57:16
#13 0x5df866 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4AtomFactory.cpp:458:20
#14 0x5dbfaf in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4AtomFactory.cpp:234:14
#15 0x5dafb8 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4AtomFactory.cpp:154:12
#16 0x4dac06 in AP4_File::ParseStream(AP4_ByteStream&, AP4_AtomFactory&, bool) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4File.cpp:104:12
#17 0x4db68f in AP4_File::AP4_File(AP4_ByteStream&, bool) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4File.cpp:78:5
#18 0x4c7733 in main /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Apps/Mp42Aac/Mp42Aac.cpp:250:22
#19 0x7f0af5948082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16
#20 0x41c8ed in _start (/home/zt/cnvd/Bento4/Bento4-fuzzer/build/mp42aac+0x41c8ed)
0x602000000160 is located 0 bytes to the right of 16-byte region [0x602000000150,0x602000000160)
allocated by thread T0 here:
#0 0x4c48ad in operator new[](unsigned long) (/home/zt/cnvd/Bento4/Bento4-fuzzer/build/mp42aac+0x4c48ad)
#1 0x4d7ec3 in AP4_DataBuffer::ReallocateBuffer(unsigned int) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4DataBuffer.cpp:210:28
#2 0x4d7ec3 in AP4_DataBuffer::SetBufferSize(unsigned int) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4DataBuffer.cpp:136:16
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Utils.cpp:447:40 in AP4_BitReader::ReadCache() const
Shadow bytes around the buggy address:
0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c047fff8000: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
0x0c047fff8010: fa fa 04 fa fa fa fd fa fa fa 01 fa fa fa 00 fa
=>0x0c047fff8020: fa fa 00 07 fa fa 00 07 fa fa 00 00[fa]fa fa fa
0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3304149==ABORTING
```
```
=================================================================
==72210==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6190000009a0 at pc 0x000000494530 bp 0x7fffba3cc440 sp 0x7fffba3cbc08
WRITE of size 4294967280 at 0x6190000009a0 thread T0
#0 0x49452f in __asan_memcpy (/home/zt/cnvd/Bento4/Bento4-fuzzer/build/mp42aac+0x49452f)
#1 0x4d2f73 in AP4_MemoryByteStream::WritePartial(void const*, unsigned int, unsigned int&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ByteStream.cpp:785:5
#2 0x4ca625 in AP4_ByteStream::Write(void const*, unsigned int) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4ByteStream.cpp:77:29
#3 0x66a336 in AP4_CencSampleEncryption::DoWriteFields(AP4_ByteStream&) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4CommonEncryption.cpp:3569:16
#4 0x5ae219 in AP4_Atom::Clone() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4Atom.cpp:316:9
#5 0x509fd4 in AP4_SampleDescription::AP4_SampleDescription(AP4_SampleDescription::Type, unsigned int, AP4_AtomParent*) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4SampleDescription.cpp:138:41
#6 0x52a4d0 in AP4_GenericAudioSampleDescription::AP4_GenericAudioSampleDescription(unsigned int, unsigned int, unsigned short, unsigned short, AP4_AtomParent*) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4SampleDescription.h:258:9
#7 0x52a4d0 in AP4_AudioSampleEntry::ToSampleDescription() /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4SampleEntry.cpp:625:16
#8 0x547f18 in AP4_StsdAtom::GetSampleDescription(unsigned int) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4StsdAtom.cpp:181:53
#9 0x4c77b8 in main /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Apps/Mp42Aac/Mp42Aac.cpp:268:39
#10 0x7fe70ea9d082 in __libc_start_main /build/glibc-wuryBv/glibc-2.31/csu/../csu/libc-start.c:308:16
#11 0x41c8ed in _start (/home/zt/cnvd/Bento4/Bento4-fuzzer/build/mp42aac+0x41c8ed)
0x6190000009a0 is located 0 bytes to the right of 1056-byte region [0x619000000580,0x6190000009a0)
allocated by thread T0 here:
#0 0x4c48ad in operator new[](unsigned long) (/home/zt/cnvd/Bento4/Bento4-fuzzer/build/mp42aac+0x4c48ad)
#1 0x4d7b67 in AP4_DataBuffer::ReallocateBuffer(unsigned int) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4DataBuffer.cpp:210:28
#2 0x4d7b67 in AP4_DataBuffer::SetBufferSize(unsigned int) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4DataBuffer.cpp:136:16
#3 0x4d7b67 in AP4_DataBuffer::Reserve(unsigned int) /home/zt/cnvd/Bento4/Bento4-fuzzer/Source/C++/Core/Ap4DataBuffer.cpp:107:12
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/zt/cnvd/Bento4/Bento4-fuzzer/build/mp42aac+0x49452f) in __asan_memcpy
Shadow bytes around the buggy address:
0x0c327fff80e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff80f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c327fff8120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff8130: 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c327fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==72210==ABORTING
```
Crash input:
poc.zip
poc1.zip
Validation steps
Environment
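The first report shows a one-byte read in AP4_BitReader::ReadCache landing just past a 16-byte heap region while the AP4_Dac4Atom constructor is pulling bit fields out of the atom payload. As an added illustration (not Bento4 code), the reader below proves that the requested bits are available before it touches the buffer, so an undersized payload produces an error instead of an over-read; the field widths and payload bytes are constructed for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>
// Illustrative bounds-checked bit reader (not Bento4's AP4_BitReader): ReadBits
// checks availability before the one-byte cache is refilled from the buffer.
class CheckedBitReader {
public:
    CheckedBitReader(const uint8_t* data, size_t size)
        : m_data(data), m_size(size), m_pos(0), m_cache(0), m_bits(0) {}
    size_t BitsLeft() const { return (m_size - m_pos) * 8 + m_bits; }
    // Returns false and leaves `out` untouched if fewer than `n` bits remain.
    bool ReadBits(unsigned n, uint32_t& out) {
        if (n == 0 || n > 32 || n > BitsLeft()) return false;
        uint32_t value = 0;
        while (n > 0) {
            if (m_bits == 0) {                 // refill: m_pos < m_size is guaranteed here
                m_cache = m_data[m_pos++];
                m_bits = 8;
            }
            unsigned take = n < m_bits ? n : m_bits;
            unsigned shift = m_bits - take;
            value = (value << take) | ((m_cache >> shift) & ((1u << take) - 1));
            m_bits -= take;
            n -= take;
        }
        out = value;
        return true;
    }
private:
    const uint8_t* m_data;
    size_t m_size, m_pos;
    uint8_t m_cache; unsigned m_bits;
};
// Reads a schedule of bit widths (constructed for this example) and stops
// at the first field that does not fit. Returns the number of fields read.
size_t ReadFields(const uint8_t* data, size_t size,
                  const std::vector<unsigned>& widths, std::vector<uint32_t>& values) {
    CheckedBitReader reader(data, size);
    values.clear();
    for (unsigned w : widths) {
        uint32_t v;
        if (!reader.ReadBits(w, v)) break;
        values.push_back(v);
    }
    return values.size();
}
// Constructed 16-byte payload: the same size as the region in the first report.
static const uint8_t kPayload[16] = {0xA5, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xFF};
```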
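The second report's write size, 4294967280, is 0xFFFFFFF0, which is 2^32 minus 16: exactly what an unsigned 32-bit length minus a 16-byte fixed part yields when the length is smaller than 16. The added example below (not Bento4 code; the 16-byte header size and the record layout are assumptions) shows that wrap beside the two checks that keep such a size from reaching a memcpy into a 1056-byte buffer.

```cpp
#include <cstdint>
#include <cstring>
#include <vector>

// 4294967280 == 0xFFFFFFF0 == 2^32 - 16: the result of an unsigned 32-bit
// "length - 16" when length < 16. Header size and layout below are assumed.
static const uint32_t kFixedHeaderSize = 16;

// Unsafe form: the subtraction silently wraps for a declared length below 16.
uint32_t RemainingLengthUnsafe(uint32_t declared) { return declared - kFixedHeaderSize; }

// Hardened form: reject any declared length that cannot hold the fixed prefix.
bool RemainingLength(uint32_t declared, uint32_t& remaining) {
    if (declared < kFixedHeaderSize) return false;
    remaining = declared - kFixedHeaderSize;
    return true;
}

// Fixed-capacity sink modelled on a memory-backed stream: Write refuses a
// request that would run past the end instead of letting memcpy overflow.
class BoundedSink {
public:
    explicit BoundedSink(size_t capacity) : m_buf(capacity), m_pos(0) {}
    bool Write(const void* src, size_t n) {
        if (n > m_buf.size() - m_pos) return false;   // capacity check before memcpy
        std::memcpy(m_buf.data() + m_pos, src, n);
        m_pos += n;
        return true;
    }
    size_t Position() const { return m_pos; }
private:
    std::vector<uint8_t> m_buf;
    size_t m_pos;
};

// Serialises a constructed record (declared length + payload) into the sink;
// false on a bogus length, a length/payload mismatch, or insufficient room.
bool WriteRecord(BoundedSink& sink, uint32_t declared,
                 const uint8_t* payload, size_t payload_len) {
    uint32_t remaining;
    if (!RemainingLength(declared, remaining)) return false;
    if (remaining != payload_len) return false;
    return sink.Write(payload, remaining);
}
```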