CVE-2021-40941: allocator is out of memory in Ap4Array.h:172 · Issue #644 · axiomatic-systems/Bento4
In Bento4 1.6.0-638, the allocator runs out of memory in the function AP4_Array<AP4_TrunAtom::Entry>::EnsureCapacity in Ap4Array.h:172, as demonstrated by GPAC. This can cause a denial of service (DoS).
How to reproduce:

1. Check out the latest code, 5922ba762a.
2. Compile with ASan:

   ```cmake
   set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fsanitize=address -g")
   set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=address -g")
   ```

3. Run `./mp4dump --verbosity 3 --format text poc1`
poc1.zip
The ASan output is shown below:

```
==634578==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0x8000000f0 bytes
#0 0x34eabd in operator new(unsigned long) (/home/lly/pro/Bento4/cmakebuild/mp4dump+0x34eabd)
#1 0x54535c in AP4_Array<AP4_TrunAtom::Entry>::EnsureCapacity(unsigned int) /home/lly/pro/Bento4/Source/C++/Core/Ap4Array.h:172:25
#2 0x54535c in AP4_Array<AP4_TrunAtom::Entry>::SetItemCount(unsigned int) /home/lly/pro/Bento4/Source/C++/Core/Ap4Array.h:210:25
#3 0x54535c in AP4_TrunAtom::AP4_TrunAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&) /home/lly/pro/Bento4/Source/C++/Core/Ap4TrunAtom.cpp:127:15
#4 0x5445a4 in AP4_TrunAtom::Create(unsigned int, AP4_ByteStream&) /home/lly/pro/Bento4/Source/C++/Core/Ap4TrunAtom.cpp:51:16
#5 0x37cc25 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/lly/pro/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:438:20
#6 0x383d06 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/lly/pro/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
#7 0x3a062f in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/lly/pro/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
#8 0x39f40a in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/lly/pro/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139:5
#9 0x39f40a in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/lly/pro/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
#10 0x37c5ac in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/lly/pro/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816:20
#11 0x383d06 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/lly/pro/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
#12 0x3a062f in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/lly/pro/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
#13 0x39f40a in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/lly/pro/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139:5
#14 0x39f40a in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/lly/pro/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
#15 0x37c5ac in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/lly/pro/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816:20
#16 0x383d06 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/lly/pro/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
#17 0x38333b in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) /home/lly/pro/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:154:12
#18 0x359a7e in main /home/lly/pro/Bento4/Source/C++/Apps/Mp4Dump/Mp4Dump.cpp:342:25
#19 0x7f6cf702a0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
```
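The trace shows the `AP4_TrunAtom` constructor calling `SetItemCount` with a sample count taken straight from the file, and `EnsureCapacity` then asking the allocator for 0x8000000f0 bytes. The defensive pattern for this class of bug is to validate a file-supplied count against the bytes actually present in the box, and against a hard ceiling, before sizing any container from it. The following is an added example written for this report; it is not Bento4's code or its fix. The `trun` flag bit values are the standard ones from ISO/IEC 14496-12, while the constant names, the `kMaxSamplesPerTrun` ceiling, the parser, and the constructed payloads are this example's own assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <initializer_list>
#include <vector>

// 'trun' flag bits as defined by ISO/IEC 14496-12 (the values are standard;
// the constant names are this example's own).
constexpr uint32_t kDataOffsetPresent        = 0x000001;
constexpr uint32_t kFirstSampleFlagsPresent  = 0x000004;
constexpr uint32_t kSampleDurationPresent    = 0x000100;
constexpr uint32_t kSampleSizePresent        = 0x000200;
constexpr uint32_t kSampleFlagsPresent       = 0x000400;
constexpr uint32_t kSampleCtsOffsetPresent   = 0x000800;

// Hard ceiling on entries reserved up front, regardless of what the file
// claims (an assumed value for this example; tune per deployment).
constexpr uint32_t kMaxSamplesPerTrun = 1u << 20;

enum class TrunStatus { Ok, Truncated, CountExceedsPayload, CountExceedsLimit };

struct TrunEntry { uint32_t duration = 0, size = 0, flags = 0, cts_offset = 0; };

struct TrunParse {
  TrunStatus status = TrunStatus::Ok;
  uint32_t declared_count = 0;      // sample_count as written in the file
  uint64_t bytes_needed = 0;        // entry-table bytes that count implies
  std::vector<TrunEntry> entries;   // populated only when status == Ok
};

static uint32_t ReadU32BE(const uint8_t* p) {
  return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) |
         (uint32_t(p[2]) << 8)  |  uint32_t(p[3]);
}

static void PutU32BE(std::vector<uint8_t>& v, uint32_t x) {
  v.push_back(uint8_t(x >> 24)); v.push_back(uint8_t(x >> 16));
  v.push_back(uint8_t(x >> 8));  v.push_back(uint8_t(x));
}

// Bytes occupied by one sample entry for the given flags word.
static size_t EntrySize(uint32_t flags) {
  size_t n = 0;
  if (flags & kSampleDurationPresent)  n += 4;
  if (flags & kSampleSizePresent)      n += 4;
  if (flags & kSampleFlagsPresent)     n += 4;
  if (flags & kSampleCtsOffsetPresent) n += 4;
  return n;
}

// Parse a 'trun' payload (the bytes following the 8-byte box header),
// validating sample_count before anything is sized from it.
TrunParse ParseTrunPayload(const uint8_t* data, size_t len) {
  TrunParse r;
  if (len < 8) { r.status = TrunStatus::Truncated; return r; }
  const uint32_t flags = ReadU32BE(data) & 0x00FFFFFF;  // low 24 bits of version+flags
  r.declared_count = ReadU32BE(data + 4);
  size_t pos = 8;
  if (flags & kDataOffsetPresent)       pos += 4;
  if (flags & kFirstSampleFlagsPresent) pos += 4;
  if (pos > len) { r.status = TrunStatus::Truncated; return r; }

  const size_t entry_size = EntrySize(flags);
  r.bytes_needed = uint64_t(r.declared_count) * entry_size;  // 64-bit, cannot wrap

  // Check 1: the payload must physically contain every entry it claims.
  if (r.bytes_needed > len - pos) { r.status = TrunStatus::CountExceedsPayload; return r; }
  // Check 2: with flags == 0 each entry is zero bytes, so payload size alone
  // does not bound the count; an explicit cap is still required.
  if (r.declared_count > kMaxSamplesPerTrun) { r.status = TrunStatus::CountExceedsLimit; return r; }

  r.entries.resize(r.declared_count);  // safe: bounded by both checks above
  for (TrunEntry& e : r.entries) {
    if (flags & kSampleDurationPresent)  { e.duration   = ReadU32BE(data + pos); pos += 4; }
    if (flags & kSampleSizePresent)      { e.size       = ReadU32BE(data + pos); pos += 4; }
    if (flags & kSampleFlagsPresent)     { e.flags      = ReadU32BE(data + pos); pos += 4; }
    if (flags & kSampleCtsOffsetPresent) { e.cts_offset = ReadU32BE(data + pos); pos += 4; }
  }
  return r;
}

// Build a constructed trun payload: version/flags, sample_count, optional
// data_offset, then `entry_words` as big-endian 32-bit entry-table values.
std::vector<uint8_t> MakeTrunPayload(uint32_t flags, uint32_t sample_count,
                                     const std::vector<uint32_t>& entry_words) {
  std::vector<uint8_t> v;
  PutU32BE(v, flags & 0x00FFFFFF);   // version 0 + 24-bit flags
  PutU32BE(v, sample_count);
  if (flags & kDataOffsetPresent) PutU32BE(v, 0);
  for (uint32_t w : entry_words) PutU32BE(v, w);
  return v;
}

int main() {
  // Constructed inputs: one benign box and two that over-declare sample_count.
  auto ok   = MakeTrunPayload(0x000301, 2, {1000, 512, 1000, 768});   // 2 entries of duration+size
  auto huge = MakeTrunPayload(0x000301, 0xFFFFFFFFu, {1000, 512});    // claims 4G entries, has 8 bytes
  auto zero = MakeTrunPayload(0x000000, 0xFFFFFFFFu, {});             // flags 0: zero-byte entries
  for (auto* p : {&ok, &huge, &zero}) {
    TrunParse r = ParseTrunPayload(p->data(), p->size());
    std::printf("declared=%u bytes_needed=%llu status=%d\n", r.declared_count,
                (unsigned long long)r.bytes_needed, (int)r.status);
  }
  return 0;
}
```

The second check matters because a `trun` with all per-sample flags cleared carries no entry bytes at all, so a size-against-payload comparison passes for any count; a parser that only does the first check would still resize to the declared count. Both checks run before `resize`, so the allocator is never asked for memory the file cannot justify.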