CVE-2021-40943: Null pointer reference in Ap4Descriptor.h:124 · Issue #643 · axiomatic-systems/Bento4
In Bento4 1.6.0-638, there is a null pointer reference in the function AP4_DescriptorListInspector::Action in Ap4Descriptor.h:124, as demonstrated by GPAC. This can cause a denial of service (DOS).
AntsKnows opened this issue on Aug 25, 2021
How to reproduce:

1. Check out the latest code, 5922ba762a
2. Compile with ASan:
   ```
   set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=address -g")
   set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=address -g")
   ```
3. Run `./mp4dump --verbosity 3 --format text poc`

You can see the ASan information below:
```
=================================================================
==633802==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000003c3e48 bp 0x7ffcbc9d4550 sp 0x7ffcbc9d4470 T0)
==633802==The signal is caused by a READ memory access.
==633802==Hint: address points to the zero page.
    #0 0x3c3e48 in AP4_DescriptorListInspector::Action(AP4_Descriptor*) const /home/lly/pro/Bento4/Source/C++/Core/Ap4Descriptor.h:124:21
    #1 0x40bdc2 in AP4_List<AP4_Descriptor>::Apply(AP4_List<AP4_Descriptor>::Item::Operator const&) const /home/lly/pro/Bento4/Source/C++/Core/Ap4List.h:353:12
    #2 0x40bdc2 in AP4_InitialObjectDescriptor::Inspect(AP4_AtomInspector&) /home/lly/pro/Bento4/Source/C++/Core/Ap4ObjectDescriptor.cpp:327:22
    #3 0x3e0485 in AP4_IodsAtom::InspectFields(AP4_AtomInspector&) /home/lly/pro/Bento4/Source/C++/Core/Ap4IodsAtom.cpp:112:29
    #4 0x37117e in AP4_Atom::Inspect(AP4_AtomInspector&) /home/lly/pro/Bento4/Source/C++/Core/Ap4Atom.cpp:263:5
    #5 0x39f0a2 in AP4_AtomListInspector::Action(AP4_Atom*) const /home/lly/pro/Bento4/Source/C++/Core/Ap4Atom.h:601:15
    #6 0x39d3b1 in AP4_List<AP4_Atom>::Apply(AP4_List<AP4_Atom>::Item::Operator const&) const /home/lly/pro/Bento4/Source/C++/Core/Ap4List.h:353:12
    #7 0x39d3b1 in AP4_ContainerAtom::InspectChildren(AP4_AtomInspector&) /home/lly/pro/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:220:16
    #8 0x37117e in AP4_Atom::Inspect(AP4_AtomInspector&) /home/lly/pro/Bento4/Source/C++/Core/Ap4Atom.cpp:263:5
    #9 0x359b43 in main /home/lly/pro/Bento4/Source/C++/Apps/Mp4Dump/Mp4Dump.cpp:350:15
    #10 0x7f899655d0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #11 0x2a2b1d in _start (/home/lly/pro/Bento4/cmakebuild/mp4dump+0x2a2b1d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/lly/pro/Bento4/Source/C++/Core/Ap4Descriptor.h:124:21 in AP4_DescriptorListInspector::Action(AP4_Descriptor*) const
==633802==ABORTING
```
poc.zip
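To make the crash class in the trace concrete (a list `Apply` handing a null item to an inspector's `Action`, which dereferences it and reads the zero page), here is an added C++ miniature of that pattern with the unchecked and hardened forms side by side; it is not Bento4's code, and `Descriptor`, `ParseDescriptor`, `Inspector`, `Apply` and the tag values are assumptions constructed for the example.

```cpp
// Hypothetical miniature of the pattern in the stack trace
// (AP4_List::Apply -> Inspector::Action(item)); not Bento4's code.
#include <cstddef>
#include <memory>
#include <string>
#include <utility>
#include <vector>

struct Descriptor { unsigned char tag; std::string name; };
// Stand-in parser (assumption): returns nullptr for a tag it cannot build.
std::unique_ptr<Descriptor> ParseDescriptor(unsigned char tag) {
    if (tag == 0x02) return std::unique_ptr<Descriptor>(new Descriptor{tag, "IOD"});
    if (tag == 0x03) return std::unique_ptr<Descriptor>(new Descriptor{tag, "ES"});
    return nullptr;  // unknown or malformed tag: nothing produced
}

struct Inspector {
    std::vector<std::string> seen;
    std::size_t skipped = 0;
    // Unchecked form: a null list entry is dereferenced, reading the zero
    // page, which is the SEGV the ASan report above shows.
    void ActionUnchecked(const Descriptor* d) { seen.push_back(d->name); }
    // Hardened form: a null entry is counted and skipped, never dereferenced.
    void ActionChecked(const Descriptor* d) {
        if (d == nullptr) { ++skipped; return; }
        seen.push_back(d->name);
    }
};

// Analogue of AP4_List<T>::Apply: invokes the operator on every item.
template <typename Fn>
void Apply(const std::vector<const Descriptor*>& list, Fn fn) {
    for (const Descriptor* item : list) fn(item);
}

// Builds a list from constructed tags (0xFF is deliberately unparseable),
// inspects it with the checked Action, and returns {inspected, skipped}.
std::pair<std::size_t, std::size_t> SampleInspection() {
    const unsigned char tags[] = {0x02, 0xFF, 0x03};
    std::vector<std::unique_ptr<Descriptor>> owned;
    std::vector<const Descriptor*> list;
    for (unsigned char t : tags) {
        owned.push_back(ParseDescriptor(t));
        list.push_back(owned.back().get());  // stores nullptr unconditionally
    }
    Inspector insp;
    Apply(list, [&](const Descriptor* d) { insp.ActionChecked(d); });
    return {insp.seen.size(), insp.skipped};
}
```

Swapping `ActionChecked` for `ActionUnchecked` in `SampleInspection` reproduces the null read on the middle entry; the durable fix is either the null check at the use site or refusing to store a failed parse result in the list at all.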