Bento4 v1.6.0-639 was discovered to contain a segmentation violation in the mp4fragment component.

**Summary**

Hi there, I use my fuzzer for fuzzing the binary mp4fragment, the version of Bento4 is the latest (the newest master branch) and the operation system is Ubuntu 18.04.6 LTS (docker) and this binary crashes with the following.

**Details**

    root@4e3b7f9edc0d:/mp4box/mp4fragment# ./mp4fragment ../out/crashes/id\:000000\,sig\:06\,src\:000008\,op\:flip1\,pos\:31325\,4970731 /dev/null
    unable to autodetect fragment duration, using default
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==750986==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f5fc13c0306 bp 0x7ffe16f62f30 sp 0x7ffe16f626c8 T0)
    ==750986==The signal is caused by a READ memory access.
    ==750986==Hint: address points to the zero page.
        #0 0x7f5fc13c0306  (/lib/x86_64-linux-gnu/libc.so.6+0xb1306)
        #1 0x94da2c in __interceptor_strlen.part.36 /llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:370
        #2 0x6ec0c2 in AP4_TrakAtom::AP4_TrakAtom(AP4_SampleTable*, unsigned int, char const*, unsigned int, unsigned long long, unsigned long long, unsigned long long, unsigned int, unsigned long long, unsigned short, char const*, unsigned int, unsigned int, unsigned short, unsigned short, int const*) (/mp4box/mp4fragment/mp4fragment+0x6ec0c2)
        #3 0x432bbc in main (/mp4box/mp4fragment/mp4fragment+0x432bbc)
        #4 0x7f5fc1330c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
        #5 0x407cd9 in _start (/mp4box/mp4fragment/mp4fragment+0x407cd9)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0xb1306) 
    ==750986==ABORTING
    
    

**POC**

POC-Mp4fragment-1.zip

**Environment**

Ubuntu 18.04.6 LTS (docker)  
clang 12.0.1  
clang++ 12.0.1  
Bento4 master branch(5b7cc25) && Bento4 release version(1.6.0-639)

**Credit**

Xudong Cao (NCNIPC of China)  
Jiayuan Zhang (NCNIPC of China)  
Han Zheng (NCNIPC of China, Hexhive)

Thank you for your time!

CVE-2022-41423: From mp4fragment: SEGV on unknown address 0x000000000000 · Issue #767 · axiomatic-systems/Bento4

Bento4 v1.6.0-639 was discovered to contain a memory leak via the AP4_Processor::Process function in the mp4encrypt binary.

**Summary**

Hi, developers of Bento4:  
I tested the binary mp4encrypt with my fuzzer, and a crash incurred, i.e., memory leaks error. The version of Bento4 is the latest (the newest master branch) and the operation system is Ubuntu 18.04.6 LTS (docker). The following is the details.

**Details**

    root@c08635047aea:/fuzz-mp4encrypt/mp4encrypt# ./mp4encrypt --method MARLIN-IPMP-ACBC ../out/crashes/id\:000007\,sig\:06\,src\:000001\,op\:flip1\,pos\:14136\,934837 /dev/null
    WARNING: track ID 1 will not be encrypted
    WARNING: atom serialized to fewer bytes than declared size
    
    =================================================================
    ==3055140==ERROR: LeakSanitizer: detected memory leaks
    
    Direct leak of 104 byte(s) in 1 object(s) allocated from:
        #0 0x9a1c90 in malloc /llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x7fda31f4c297 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x93297)
        #2 0x64923f in AP4_Processor::Process(AP4_ByteStream&, AP4_ByteStream&, AP4_ByteStream*, AP4_Processor::ProgressListener*, AP4_AtomFactory&) (/fuzz-mp4encrypt/mp4encrypt/mp4encrypt+0x64923f)
        #3 0x42128c in main (/fuzz-mp4encrypt/mp4encrypt/mp4encrypt+0x42128c)
        #4 0x7fda31110c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    
    Indirect leak of 3328 byte(s) in 2 object(s) allocated from:
        #0 0x9a1c90 in malloc /llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x7fda31f4c297 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x93297)
        #2 0x5b2921 in AP4_MarlinIpmpEncryptingProcessor::Initialize(AP4_AtomParent&, AP4_ByteStream&, AP4_Processor::ProgressListener*) (/fuzz-mp4encrypt/mp4encrypt/mp4encrypt+0x5b2921)
        #3 0x64923f in AP4_Processor::Process(AP4_ByteStream&, AP4_ByteStream&, AP4_ByteStream*, AP4_Processor::ProgressListener*, AP4_AtomFactory&) (/fuzz-mp4encrypt/mp4encrypt/mp4encrypt+0x64923f)
        #4 0x42128c in main (/fuzz-mp4encrypt/mp4encrypt/mp4encrypt+0x42128c)
        #5 0x7fda31110c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    
    Indirect leak of 1024 byte(s) in 1 object(s) allocated from:
        #0 0x9a1c90 in malloc /llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x7fda31f4c297 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x93297)
        #2 0x8b62f9 in AP4_Expandable::Write(AP4_ByteStream&) (/fuzz-mp4encrypt/mp4encrypt/mp4encrypt+0x8b62f9)
        #3 0x5b2540 in AP4_MarlinIpmpEncryptingProcessor::Initialize(AP4_AtomParent&, AP4_ByteStream&, AP4_Processor::ProgressListener*) (/fuzz-mp4encrypt/mp4encrypt/mp4encrypt+0x5b2540)
        #4 0x64923f in AP4_Processor::Process(AP4_ByteStream&, AP4_ByteStream&, AP4_ByteStream*, AP4_Processor::ProgressListener*, AP4_AtomFactory&) (/fuzz-mp4encrypt/mp4encrypt/mp4encrypt+0x64923f)
        #5 0x42128c in main (/fuzz-mp4encrypt/mp4encrypt/mp4encrypt+0x42128c)
        #6 0x7fda31110c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    
    Indirect leak of 224 byte(s) in 5 object(s) allocated from:
        #0 0x9a1c90 in malloc /llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x7fda31f4c297 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x93297)
        #2 0x64923f in AP4_Processor::Process(AP4_ByteStream&, AP4_ByteStream&, AP4_ByteStream*, AP4_Processor::ProgressListener*, AP4_AtomFactory&) (/fuzz-mp4encrypt/mp4encrypt/mp4encrypt+0x64923f)
        #3 0x42128c in main (/fuzz-mp4encrypt/mp4encrypt/mp4encrypt+0x42128c)
        #4 0x7fda31110c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    
    SUMMARY: AddressSanitizer: 4680 byte(s) leaked in 9 allocation(s).
    
    

**POC**

mp4encrypt\_poc1.zip

**Environment**

Ubuntu 18.04.6 LTS (docker)  
clang 12.0.1  
clang++ 12.0.1  
Bento4 master branch(5b7cc25) && Bento4 release version(1.6.0-639)

**Credit**

Xudong Cao (NCNIPC of China)  
Han Zheng (NCNIPC of China, Hexhive)

Thank you for your time!

CVE-2022-41419: Detected memory leaks in mp4encrypt · Issue #766 · axiomatic-systems/Bento4

An issue was discovered in Bento4 1.6.0-639. There ie excessive memory consumption in the function AP4_DataBuffer::ReallocateBuffer in Core/Ap4DataBuffer.cpp.

A crafted input will lead to Memory allocation failed in Ap4DataBuffer.cpp at Bento4 1.5.1-627

Triggered by  
./mp42hls crash2.mp4

Poc  
crash2.zip

Bento4 Version 1.5.1-627  
The ASAN information is as follows:

    ==92387==ERROR: AddressSanitizer failed to allocate 0x80003000 (2147495936) bytes of LargeMmapAllocator (errno: 12)
    ==92387==Process memory map follows:
    	0x000000400000-0x0000005aa000	/home/jas/Downloads/Bento4-SRC-1-5-1-627/cmakebuild/mp42hls
    	0x0000007a9000-0x0000007aa000	/home/jas/Downloads/Bento4-SRC-1-5-1-627/cmakebuild/mp42hls
    	0x0000007aa000-0x0000007b9000	/home/jas/Downloads/Bento4-SRC-1-5-1-627/cmakebuild/mp42hls
    	0x0000007b9000-0x0000007ba000	
    	0x00007fff7000-0x00008fff7000	
    	0x00008fff7000-0x02008fff7000	
    	0x02008fff7000-0x10007fff8000	
    	0x600000000000-0x602000000000	
    	0x602000000000-0x602000010000	
    	0x602000010000-0x603000000000	
    	0x603000000000-0x603000010000	
    	0x603000010000-0x604000000000	
    	0x604000000000-0x604000010000	
    	0x604000010000-0x606000000000	
    	0x606000000000-0x606000010000	
    	0x606000010000-0x607000000000	
    	0x607000000000-0x607000010000	
    	0x607000010000-0x608000000000	
    	0x608000000000-0x608000010000	
    	0x608000010000-0x60b000000000	
    	0x60b000000000-0x60b000010000	
    	0x60b000010000-0x60c000000000	
    	0x60c000000000-0x60c000010000	
    	0x60c000010000-0x60d000000000	
    	0x60d000000000-0x60d000010000	
    	0x60d000010000-0x60e000000000	
    	0x60e000000000-0x60e000010000	
    	0x60e000010000-0x610000000000	
    	0x610000000000-0x610000010000	
    	0x610000010000-0x611000000000	
    	0x611000000000-0x611000010000	
    	0x611000010000-0x613000000000	
    	0x613000000000-0x613000010000	
    	0x613000010000-0x614000000000	
    	0x614000000000-0x614000020000	
    	0x614000020000-0x615000000000	
    	0x615000000000-0x615000020000	
    	0x615000020000-0x616000000000	
    	0x616000000000-0x616000020000	
    	0x616000020000-0x619000000000	
    	0x619000000000-0x619000020000	
    	0x619000020000-0x61c000000000	
    	0x61c000000000-0x61c000020000	
    	0x61c000020000-0x621000000000	
    	0x621000000000-0x621000020000	
    	0x621000020000-0x624000000000	
    	0x624000000000-0x624000020000	
    	0x624000020000-0x626000000000	
    	0x626000000000-0x626000020000	
    	0x626000020000-0x629000000000	
    	0x629000000000-0x629000010000	
    	0x629000010000-0x62d000000000	
    	0x62d000000000-0x62d000020000	
    	0x62d000020000-0x631000000000	
    	0x631000000000-0x631000030000	
    	0x631000030000-0x640000000000	
    	0x640000000000-0x640000003000	
    	0x7fe341500000-0x7fe341600000	
    	0x7fe341700000-0x7fe341800000	
    	0x7fe3418fe000-0x7fe343c50000	
    	0x7fe343c50000-0x7fe343d58000	/lib/x86_64-linux-gnu/libm-2.23.so
    	0x7fe343d58000-0x7fe343f57000	/lib/x86_64-linux-gnu/libm-2.23.so
    	0x7fe343f57000-0x7fe343f58000	/lib/x86_64-linux-gnu/libm-2.23.so
    	0x7fe343f58000-0x7fe343f59000	/lib/x86_64-linux-gnu/libm-2.23.so
    	0x7fe343f59000-0x7fe343f5c000	/lib/x86_64-linux-gnu/libdl-2.23.so
    	0x7fe343f5c000-0x7fe34415b000	/lib/x86_64-linux-gnu/libdl-2.23.so
    	0x7fe34415b000-0x7fe34415c000	/lib/x86_64-linux-gnu/libdl-2.23.so
    	0x7fe34415c000-0x7fe34415d000	/lib/x86_64-linux-gnu/libdl-2.23.so
    	0x7fe34415d000-0x7fe344175000	/lib/x86_64-linux-gnu/libpthread-2.23.so
    	0x7fe344175000-0x7fe344374000	/lib/x86_64-linux-gnu/libpthread-2.23.so
    	0x7fe344374000-0x7fe344375000	/lib/x86_64-linux-gnu/libpthread-2.23.so
    	0x7fe344375000-0x7fe344376000	/lib/x86_64-linux-gnu/libpthread-2.23.so
    	0x7fe344376000-0x7fe34437a000	
    	0x7fe34437a000-0x7fe34453a000	/lib/x86_64-linux-gnu/libc-2.23.so
    	0x7fe34453a000-0x7fe34473a000	/lib/x86_64-linux-gnu/libc-2.23.so
    	0x7fe34473a000-0x7fe34473e000	/lib/x86_64-linux-gnu/libc-2.23.so
    	0x7fe34473e000-0x7fe344740000	/lib/x86_64-linux-gnu/libc-2.23.so
    	0x7fe344740000-0x7fe344744000	
    	0x7fe344744000-0x7fe34475a000	/lib/x86_64-linux-gnu/libgcc_s.so.1
    	0x7fe34475a000-0x7fe344959000	/lib/x86_64-linux-gnu/libgcc_s.so.1
    	0x7fe344959000-0x7fe34495a000	/lib/x86_64-linux-gnu/libgcc_s.so.1
    	0x7fe34495a000-0x7fe344acc000	/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21
    	0x7fe344acc000-0x7fe344ccc000	/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21
    	0x7fe344ccc000-0x7fe344cd6000	/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21
    	0x7fe344cd6000-0x7fe344cd8000	/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.21
    	0x7fe344cd8000-0x7fe344cdc000	
    	0x7fe344cdc000-0x7fe344dd0000	/usr/lib/x86_64-linux-gnu/libasan.so.2.0.0
    	0x7fe344dd0000-0x7fe344fd0000	/usr/lib/x86_64-linux-gnu/libasan.so.2.0.0
    	0x7fe344fd0000-0x7fe344fd3000	/usr/lib/x86_64-linux-gnu/libasan.so.2.0.0
    	0x7fe344fd3000-0x7fe344fd4000	/usr/lib/x86_64-linux-gnu/libasan.so.2.0.0
    	0x7fe344fd4000-0x7fe345c49000	
    	0x7fe345c49000-0x7fe345c6f000	/lib/x86_64-linux-gnu/ld-2.23.so
    	0x7fe345d54000-0x7fe345e58000	
    	0x7fe345e58000-0x7fe345e6e000	
    	0x7fe345e6e000-0x7fe345e6f000	/lib/x86_64-linux-gnu/ld-2.23.so
    	0x7fe345e6f000-0x7fe345e70000	/lib/x86_64-linux-gnu/ld-2.23.so
    	0x7fe345e70000-0x7fe345e71000	
    	0x7fffeaa6e000-0x7fffeaa8f000	[stack]
    	0x7fffeaae9000-0x7fffeaaeb000	[vvar]
    	0x7fffeaaeb000-0x7fffeaaed000	[vdso]
    	0xffffffffff600000-0xffffffffff601000	[vsyscall]
    ==92387==End of process memory map.
    ==92387==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_posix.cc:121 "(("unable to mmap" && 0)) != (0)" (0x0, 0x0)
        #0 0x7fe344d7c631  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa0631)
        #1 0x7fe344d815e3 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xa55e3)
        #2 0x7fe344d89611  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0xad611)
        #3 0x7fe344cfec0c  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x22c0c)
        #4 0x7fe344d7567e in operator new[](unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9967e)
        #5 0x4abb54 in AP4_DataBuffer::ReallocateBuffer(unsigned int) /home/jas/Downloads/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4DataBuffer.cpp:210
        #6 0x4abb54 in AP4_DataBuffer::SetDataSize(unsigned int) /home/jas/Downloads/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4DataBuffer.cpp:151
        #7 0x48ba72 in AP4_Sample::ReadData(AP4_DataBuffer&, unsigned int, unsigned int) /home/jas/Downloads/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4Sample.cpp:147
        #8 0x48ba72 in AP4_Sample::ReadData(AP4_DataBuffer&) /home/jas/Downloads/Bento4-SRC-1-5-1-627/Source/C++/Core/Ap4Sample.cpp:127
        #9 0x4449dd in ReadSample /home/jas/Downloads/Bento4-SRC-1-5-1-627/Source/C++/Apps/Mp42Hls/Mp42Hls.cpp:976
        #10 0x4485af in WriteSamples /home/jas/Downloads/Bento4-SRC-1-5-1-627/Source/C++/Apps/Mp42Hls/Mp42Hls.cpp:1251
        #11 0x4412a0 in main /home/jas/Downloads/Bento4-SRC-1-5-1-627/Source/C++/Apps/Mp42Hls/Mp42Hls.cpp:2088
        #12 0x7fe34439a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
        #13 0x4445b8 in _start (/home/jas/Downloads/Bento4-SRC-1-5-1-627/cmakebuild/mp42hls+0x4445b8)
    

FoundBy: yjiiit@aliyun.com

CVE-2022-41846: Allocate for large amounts of memory failed in Ap4DataBuffer.cpp:210 at Bento4 1.5.1-627 when running mp42hls · Issue #342 · axiomatic-systems/Bento4

An issue was discovered in Bento4 1.6.0-639. There ie excessive memory consumption in the function AP4_Array<AP4_ElstEntry>::EnsureCapacity in Core/Ap4Array.h.

Hi, i find 3 out-of-memory errors in Bento4. I saved all my test files here

Here are the details.

For **mp4audioclip** with test input:

    test_1:
    =================================================================
    ==6930==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0xffffff1e0 bytes
        #0 0x4c560d in operator new(unsigned long) (/Bento4/install-asan/bin/mp4audioclip+0x4c560d)
        #1 0x5dce28 in AP4_Array<AP4_TrunAtom::Entry>::EnsureCapacity(unsigned int) /Bento4/Source/C++/Core/Ap4Array.h:172:25
        #2 0x5dce28 in AP4_Array<AP4_TrunAtom::Entry>::SetItemCount(unsigned int) /Bento4/Source/C++/Core/Ap4Array.h:210:25
        #3 0x5dce28 in AP4_TrunAtom::AP4_TrunAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&) /Bento4/Source/C++/Core/Ap4TrunAtom.cpp:127:15
        #4 0x5dc1f9 in AP4_TrunAtom::Create(unsigned int, AP4_ByteStream&) /Bento4/Source/C++/Core/Ap4TrunAtom.cpp:51:16
        #5 0x50e852 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /Bento4/Source/C++/Core/Ap4AtomFactory.cpp:438:20
        #6 0x50bab9 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
        #7 0x5240d7 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
        #8 0x5231a3 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139:5
        #9 0x5231a3 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
        #10 0x50dcd2 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816:20
        #11 0x50bab9 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
        #12 0x5240d7 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
        #13 0x5231a3 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139:5
        #14 0x5231a3 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
        #15 0x50dcd2 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816:20
        #16 0x50bab9 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
        #17 0x541dd9 in AP4_DrefAtom::AP4_DrefAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /Bento4/Source/C++/Core/Ap4DrefAtom.cpp:84:16
        #18 0x5416e8 in AP4_DrefAtom::Create(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /Bento4/Source/C++/Core/Ap4DrefAtom.cpp:50:16
        #19 0x50e924 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /Bento4/Source/C++/Core/Ap4AtomFactory.cpp:580:20
        #20 0x50bab9 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
        #21 0x523ea7 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
        #22 0x5231a3 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139:5
        #23 0x5231a3 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
        #24 0x50dcd2 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816:20
        #25 0x50bab9 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
        #26 0x5240d7 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
        #27 0x5231a3 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139:5
        #28 0x5231a3 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
        #29 0x50dcd2 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816:20
        #30 0x50bab9 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
        #31 0x541dd9 in AP4_DrefAtom::AP4_DrefAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /Bento4/Source/C++/Core/Ap4DrefAtom.cpp:84:16
        #32 0x5416e8 in AP4_DrefAtom::Create(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /Bento4/Source/C++/Core/Ap4DrefAtom.cpp:50:16
        #33 0x50e924 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /Bento4/Source/C++/Core/Ap4AtomFactory.cpp:580:20
        #34 0x50bab9 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
        #35 0x523ea7 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
    
    ==6930==HINT: if you don't care about these errors you may set allocator_may_return_null=1
    SUMMARY: AddressSanitizer: out-of-memory (/Bento4/install-asan/bin/mp4audioclip+0x4c560d) in operator new(unsigned long)
    ==6930==ABORTING
    
    test_2:
    =================================================================
    ==56759==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0xc5d400b8 bytes
        #0 0x4c571d in operator new[](unsigned long) (/Bento4/install-asan/bin/mp4audioclip+0x4c571d)
        #1 0x53dd69 in AP4_DataBuffer::ReallocateBuffer(unsigned int) /Bento4/Source/C++/Core/Ap4DataBuffer.cpp:210:28
        #2 0x53dd69 in AP4_DataBuffer::SetDataSize(unsigned int) /Bento4/Source/C++/Core/Ap4DataBuffer.cpp:151:33
    
    ==56759==HINT: if you don't care about these errors you may set allocator_may_return_null=1
    SUMMARY: AddressSanitizer: out-of-memory (/Bento4/install-asan/bin/mp4audioclip+0x4c571d) in operator new[](unsigned long)
    ==56759==ABORTING
    
    

For **mp4dump** with test input:

    =================================================================
    ==108091==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0xf500000a0 bytes
        #0 0x4c562d in operator new(unsigned long) (/Bento4/install-asan/bin/mp4dump+0x4c562d)
        #1 0x5c35f8 in AP4_Array<AP4_TrunAtom::Entry>::EnsureCapacity(unsigned int) /Bento4/Source/C++/Core/Ap4Array.h:172:25
        #2 0x5c35f8 in AP4_Array<AP4_TrunAtom::Entry>::SetItemCount(unsigned int) /Bento4/Source/C++/Core/Ap4Array.h:210:25
        #3 0x5c35f8 in AP4_TrunAtom::AP4_TrunAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&) /Bento4/Source/C++/Core/Ap4TrunAtom.cpp:127:15
        #4 0x5c29c9 in AP4_TrunAtom::Create(unsigned int, AP4_ByteStream&) /Bento4/Source/C++/Core/Ap4TrunAtom.cpp:51:16
        #5 0x4e5252 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /Bento4/Source/C++/Core/Ap4AtomFactory.cpp:438:20
        #6 0x4e24b9 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
        #7 0x4f8667 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
        #8 0x4f7733 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139:5
        #9 0x4f7733 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
        #10 0x4e46d2 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816:20
        #11 0x4e24b9 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
        #12 0x4f8667 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
        #13 0x4f7733 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139:5
        #14 0x4f7733 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
        #15 0x4e46d2 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816:20
        #16 0x4e24b9 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
        #17 0x516429 in AP4_DrefAtom::AP4_DrefAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /Bento4/Source/C++/Core/Ap4DrefAtom.cpp:84:16
        #18 0x515d38 in AP4_DrefAtom::Create(unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /Bento4/Source/C++/Core/Ap4DrefAtom.cpp:50:16
        #19 0x4e5324 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /Bento4/Source/C++/Core/Ap4AtomFactory.cpp:580:20
        #20 0x4e24b9 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
        #21 0x4f8437 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
        #22 0x4f7733 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139:5
        #23 0x4f7733 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
        #24 0x4e46d2 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816:20
        #25 0x4e24b9 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
        #26 0x4f8667 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
        #27 0x4f7733 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139:5
        #28 0x4f7733 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
        #29 0x4e46d2 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816:20
        #30 0x4e24b9 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
        #31 0x4f8667 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
        #32 0x4f7733 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139:5
        #33 0x4f7733 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
        #34 0x4e46d2 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816:20
        #35 0x4e24b9 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
        #36 0x516429 in AP4_DrefAtom::AP4_DrefAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&, AP4_AtomFactory&) /Bento4/Source/C++/Core/Ap4DrefAtom.cpp:84:16
    
    ==108091==HINT: if you don't care about these errors you may set allocator_may_return_null=1
    SUMMARY: AddressSanitizer: out-of-memory (/Bento4/install-asan/bin/mp4dump+0x4c562d) in operator new(unsigned long)
    ==108091==ABORTING
    

You can use the following setp to reproduce all the problems.

    git clone https://github.com/axiomatic-systems/Bento4
    cd Bento4/
    mkdir check && cd check
    cmake ../ -DCMAKE_C_COMPILER=clang  -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_FLAGS="-fsanitize=address" -DCMAKE_CXX_FLAGS="-fsanitize=address" -DCMAKE_BUILD_TYPE=Release
    make -j
    git clone https://github.com/WorldExecute/files.git
    ./mp4audioclip ./files/Bento4/mp4audioclip/out-of-memory/test_1 /dev/null
    ./mp4dump ./files/Bento4/mp4dump/out-of-memory/test_1
    

Thanks for your time!

CVE-2022-41845: out-of-memory · Issue #747 · axiomatic-systems/Bento4

An issue was discovered in Bento4 1.6.0-639. A memory leak exists in AP4_StdcFileByteStream::Create(AP4_FileByteStream*, char const*, AP4_FileByteStream::Mode, AP4_ByteStream*&) in System/StdC/Ap4StdCFileByteStream.cpp.

Hello, I use fuzer to test binary acc2mp4, and found some carshes, which can result binary mp4split crash too. Here are the details.

**Bug1**

    root@d5f4647d38bd:/aac2mp4/aac2mp4# /Bento4/build/aac2mp4 crash1 /dev/null
    AAC frame [000000]: size = -7, 96000 kHz, 0 ch
    =================================================================
    ==813117==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d000008400 at pc 0x0000004ad912 bp 0x7ffe2c57b390 sp 0x7ffe2c57ab40
    READ of size 4294967287 at 0x62d000008400 thread T0
        #0 0x4ad911 in __asan_memcpy /llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22
        #1 0x4facae in AP4_BitStream::ReadBytes(unsigned char*, unsigned int) /Bento4/Source/C++/Codecs/Ap4BitStream.cpp:192:10
        #2 0x4f8485 in main /Bento4/Source/C++/Apps/Aac2Mp4/Aac2Mp4.cpp:142:29
        #3 0x7fec98881c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
        #4 0x41c349 in _start (/Bento4/build/aac2mp4+0x41c349)
    
    0x62d000008400 is located 0 bytes to the right of 32768-byte region [0x62d000000400,0x62d000008400)
    allocated by thread T0 here:
        #0 0x4f4638 in operator new[](unsigned long) /llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:102
        #1 0x4fa30d in AP4_BitStream::AP4_BitStream() /Bento4/Source/C++/Codecs/Ap4BitStream.cpp:45:16
        #2 0x7fec98881c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow /llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22 in __asan_memcpy
    Shadow bytes around the buggy address:
      0x0c5a7fff9030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c5a7fff9040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c5a7fff9050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c5a7fff9060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c5a7fff9070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c5a7fff9080:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c5a7fff9090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c5a7fff90a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c5a7fff90b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c5a7fff90c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c5a7fff90d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==813117==ABORTING
    
    

**Bug2**

    root@d5f4647d38bd:/aac2mp4/aac2mp4# ./mp4split crash2
    no movie found in file
    
    =================================================================
    ==888268==ERROR: LeakSanitizer: detected memory leaks
    
    Direct leak of 48 byte(s) in 1 object(s) allocated from:
        #0 0x4f45d8 in operator new(unsigned long) /llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:99
        #1 0x5de94f in AP4_StdcFileByteStream::Create(AP4_FileByteStream*, char const*, AP4_FileByteStream::Mode, AP4_ByteStream*&) /Bento4/Source/C++/System/StdC/Ap4StdCFileByteStream.cpp:279:14
    
    Indirect leak of 256 byte(s) in 1 object(s) allocated from:
        #0 0x4f45d8 in operator new(unsigned long) /llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:99
        #1 0x536495 in AP4_Array<unsigned int>::EnsureCapacity(unsigned int) /Bento4/Source/C++/Core/Ap4Array.h:172:25
        #2 0x536495 in AP4_Array<unsigned int>::Append(unsigned int const&) /Bento4/Source/C++/Core/Ap4Array.h:252:29
        #3 0x536495 in AP4_FtypAtom::AP4_FtypAtom(unsigned int, AP4_ByteStream&) /Bento4/Source/C++/Core/Ap4FtypAtom.cpp:57:28
        #4 0x50966b in AP4_FtypAtom::Create(unsigned int, AP4_ByteStream&) /Bento4/Source/C++/Core/Ap4FtypAtom.h:66:20
        #5 0x50966b in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /Bento4/Source/C++/Core/Ap4AtomFactory.cpp:630:20
        #6 0x507ec4 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
        #7 0x5076ee in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) /Bento4/Source/C++/Core/Ap4AtomFactory.cpp:154:12
        #8 0x5350be in AP4_File::ParseStream(AP4_ByteStream&, AP4_AtomFactory&, bool) /Bento4/Source/C++/Core/Ap4File.cpp:104:12
        #9 0x5357ed in AP4_File::AP4_File(AP4_ByteStream&, bool) /Bento4/Source/C++/Core/Ap4File.cpp:78:5
        #10 0x4f841f in main /Bento4/Source/C++/Apps/Mp4Split/Mp4Split.cpp:258:26
        #11 0x7f11ba50dc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    
    Indirect leak of 88 byte(s) in 1 object(s) allocated from:
        #0 0x4f45d8 in operator new(unsigned long) /llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:99
        #1 0x507f57 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /Bento4/Source/C++/Core/Ap4AtomFactory.cpp:242:16
        #2 0x5076ee in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) /Bento4/Source/C++/Core/Ap4AtomFactory.cpp:154:12
        #3 0x5350be in AP4_File::ParseStream(AP4_ByteStream&, AP4_AtomFactory&, bool) /Bento4/Source/C++/Core/Ap4File.cpp:104:12
        #4 0x5357ed in AP4_File::AP4_File(AP4_ByteStream&, bool) /Bento4/Source/C++/Core/Ap4File.cpp:78:5
        #5 0x4f841f in main /Bento4/Source/C++/Apps/Mp4Split/Mp4Split.cpp:258:26
        #6 0x7f11ba50dc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    
    Indirect leak of 72 byte(s) in 1 object(s) allocated from:
        #0 0x4f45d8 in operator new(unsigned long) /llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:99
        #1 0x4f83f7 in main /Bento4/Source/C++/Apps/Mp4Split/Mp4Split.cpp:258:22
        #2 0x7f11ba50dc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    
    Indirect leak of 72 byte(s) in 1 object(s) allocated from:
        #0 0x4f45d8 in operator new(unsigned long) /llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:99
        #1 0x509659 in AP4_FtypAtom::Create(unsigned int, AP4_ByteStream&) /Bento4/Source/C++/Core/Ap4FtypAtom.h:66:16
        #2 0x509659 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /Bento4/Source/C++/Core/Ap4AtomFactory.cpp:630:20
        #3 0x507ec4 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
        #4 0x5076ee in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) /Bento4/Source/C++/Core/Ap4AtomFactory.cpp:154:12
        #5 0x5350be in AP4_File::ParseStream(AP4_ByteStream&, AP4_AtomFactory&, bool) /Bento4/Source/C++/Core/Ap4File.cpp:104:12
        #6 0x5357ed in AP4_File::AP4_File(AP4_ByteStream&, bool) /Bento4/Source/C++/Core/Ap4File.cpp:78:5
        #7 0x4f841f in main /Bento4/Source/C++/Apps/Mp4Split/Mp4Split.cpp:258:26
        #8 0x7f11ba50dc86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    
    Indirect leak of 48 byte(s) in 2 object(s) allocated from:
        #0 0x4f45d8 in operator new(unsigned long) /llvm-project/compiler-rt/lib/asan/asan_new_delete.cpp:99
        #1 0x4fd2d3 in AP4_List<AP4_Atom>::Add(AP4_Atom*) /Bento4/Source/C++/Core/Ap4List.h:160:16
        #2 0x4fd2d3 in AP4_AtomParent::AddChild(AP4_Atom*, int) /Bento4/Source/C++/Core/Ap4Atom.cpp:532:29
    
    SUMMARY: AddressSanitizer: 584 byte(s) leaked in 7 allocation(s).
    

**Environment**

Ubuntu 18.04(docker)  
clang 12.0.1  
clang++ 12.0.1  
Bento4 master branch(5b7cc25)

**How to reproduce**

    export CC=clang
    export CXX=clang++
    export CFLAGS="-fsanitize=address -g"
    export CXXFLAGS="-fsanitize=address -g"
    mkdir build
    cd build
    cmake -DCMAKE_BUILD_TYPE=Release ..
    make
    
    

**POC**

crash.zip

**Credit**

Yuhang Huang (NCNIPC of China)  
Han Zheng (NCNIPC of China, Hexhive)  
Yin li,Jiayu Zhao(NCNIPC of China)

**Notice**

I find the two bugs not only exist in latest branch but also exist in latest release version Bento4-1.6.0-639.  
The bug1 is similar to the issuse#363(CVE-2019-8378),which means this bug hasn't been fixed now.

Thanks for your time!

CVE-2022-41847: there are some bugs in Bento4 · Issue #775 · axiomatic-systems/Bento4

An issue was discovered in Bento4 through 1.6.0-639. A NULL pointer dereference occurs in AP4_File::ParseStream in Core/Ap4File.cpp, which is called from AP4_File::AP4_File.

Hello, I use my fuzzer to fuzz binary mp4tag and binary mp42hevc , and found some crashes. The bug1 is different from issue #295, because i run the test-001.mp4 finding it useless. Here are the details.

**Bug1**

    ┌──(kali㉿kali)-[~/Desktop/Bento4/cmakebuild]
    └─$ ./mp4tag mp4tag_poc                                                                
    ERROR: cannot open input file
    
    =================================================================
    ==2376684==ERROR: LeakSanitizer: detected memory leaks
                                                                                                                                                           
    Direct leak of 40 byte(s) in 1 object(s) allocated from:
        #0 0x4c93dd in operator new(unsigned long) (/home/kali/Desktop/Bento4/cmakebuild/mp4tag+0x4c93dd)                                                  
        #1 0x4ccf5e in ParseCommandLine(int, char**) /home/kali/Desktop/Bento4/Source/C++/Apps/Mp4Tag/Mp4Tag.cpp:207:34
        #2 0x4ccf5e in main /home/kali/Desktop/Bento4/Source/C++/Apps/Mp4Tag/Mp4Tag.cpp:783:5
        #3 0x7f1b3ea14209 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    
    SUMMARY: AddressSanitizer: 40 byte(s) leaked in 1 allocation(s).
    
    

**Bug2**

    ┌──(kali㉿kali)-[~/Desktop/Bento4/cmakebuild]
    └─$ ./mp42hevc mp42hevc_poc /dev/null                                                                                                              1 ⨯
    ERROR: cannot open input (-5)
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==2392528==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000004d52c3 bp 0x7fff8ac3ad90 sp 0x7fff8ac3ac40 T0)
    ==2392528==The signal is caused by a READ memory access.                                                                                               
    ==2392528==Hint: address points to the zero page.
        #0 0x4d52c3 in AP4_File::ParseStream(AP4_ByteStream&, AP4_AtomFactory&, bool) /home/kali/Desktop/Bento4/Source/C++/Core/Ap4File.cpp:103:12
        #1 0x4d5aea in AP4_File::AP4_File(AP4_ByteStream&, bool) /home/kali/Desktop/Bento4/Source/C++/Core/Ap4File.cpp:78:5
        #2 0x4cbea4 in main /home/kali/Desktop/Bento4/Source/C++/Apps/Mp42Hevc/Mp42Hevc.cpp:374:32
        #3 0x7fd8587a8209 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #4 0x7fd8587a82bb in __libc_start_main csu/../csu/libc-start.c:389:3
        #5 0x41f600 in _start (/home/kali/Desktop/Bento4/cmakebuild/mp42hevc+0x41f600)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /home/kali/Desktop/Bento4/Source/C++/Core/Ap4File.cpp:103:12 in AP4_File::ParseStream(AP4_ByteStream&, AP4_AtomFactory&, bool)
    ==2392528==ABORTING
    
    

**Environment**

    clang 11.0.1
    clang++ 11.0.1
    version:master branch(commit[5b7cc25](https://github.com/axiomatic-systems/Bento4/commit/5b7cc2500d514717a64675fcf631939494c074ce))+Bento4-1.6.0-639
    

**Platform**

    └─$ uname -a                                                                                                                                       1 ⨯
    Linux kali 5.10.0-kali9-amd64 #1 SMP Debian 5.10.46-4kali1 (2021-08-09) x86_64 GNU/Linux
    
    

**How to reproduce**

    export CC=clang
    export CXX=clang++
    export CFLAGS="-fsanitize=address -g"
    export CXXFLAGS="-fsanitize=address -g"
    mkdir cmakebuild
    cd cmakebuild
    cmake -DCMAKE_BUILD_TYPE=Release ..
    make
    

**Note**

    I find the two bugs not only exist in latest branch but also exist in latest release version Bento4-1.6.0-639.
    

**POC**

poc\_Bento4.zip

**Credit**

    Yuhang Huang ([NCNIPC of China](http://www.nipc.org.cn/))
    Han Zheng ([NCNIPC of China](http://www.nipc.org.cn/), [Hexhive](http://hexhive.epfl.ch/))
    Wanying Cao, Mengyue Feng([NCNIPC of China](http://www.nipc.org.cn/))
    
    Thansk for your time!

CVE-2022-41841: There are some vulnerabilities in Bento4 · Issue #779 · axiomatic-systems/Bento4

A memory corruption vulnerability exists in the libpthread linuxthreads functionality of uClibC 0.9.33.2 and uClibC-ng 1.0.40. Thread allocation can lead to memory corruption. An attacker can create threads to trigger this vulnerability.

**SUMMARY**

A memory corruption vulnerability exists in the libpthread linuxthreads functionality of uClibC 0.9.33.2 and uClibC-ng 1.0.40. Thread allocation can lead to memory corruption. An attacker can create threads to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

uClibC 0.9.33.2  
uClibC-ng 1.0.40  
Anker Eufy Homebase 2 2.1.8.8h

**PRODUCT URLS**

uClibC-ng - https://uclibc-ng.org Eufy Homebase 2 - https://us.eufylife.com/products/t88411d1 uClibC - https://www.uclibc.org/

**CVSSv3 SCORE**

8.1 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

**DETAILS**

uClibC and uClibC-ng are both standalone replacements for glibc. uClibC and uClibC-ng are significantly smaller and easily portable to various architectures and embedded environments.

Libpthread is an extremely common library in a very large subset of unix-based devices, providing lightweight threading for processes. Libpthread built with uClibC using the linuxthreads.old implementation, or with uClibC-ng using the linuxthreads implementation, are both vulnerable to a memory corruption that occurs when a large number of threads are created. Both of these libraries have been used extensively in the Buildroot project with the uClibC option of linuxthreads(stable/old) and the uClibC-ng option of linuxthreads for threading implementation within the Buildroot menuconfig.

When a call to pthread_create occurs, pthread_handle_create is called during the initialization of the thread.

    static int pthread_handle_create(pthread_t *thread, const pthread_attr_t *attr,
                     void * (*start_routine)(void *), void *arg,
                     sigset_t * mask, int father_pid,
                     int report_events,
                     td_thr_events_t *event_maskp)
    {
      size_t sseg;
      int pid;
      pthread_descr new_thread;
      char * new_thread_bottom;
      char * new_thread_top;
      pthread_t new_thread_id;
      char *guardaddr = NULL;
      size_t guardsize = 0;
      int pagesize = getpagesize();
      int saved_errno = 0;
    
      /* First check whether we have to change the policy and if yes, whether
         we can  do this.  Normally this should be done by examining the
         return value of the sched_setscheduler call in pthread_start_thread
         but this is hard to implement.  FIXME  */
      if (attr != NULL && attr->__schedpolicy != SCHED_OTHER && geteuid () != 0)
        return EPERM;
      /* Find a free segment for the thread, and allocate a stack if needed */
      for (sseg = 2; ; sseg++)                                                         [1]
        {
          if (sseg >= PTHREAD_THREADS_MAX)
        return EAGAIN;
          if (__pthread_handles[sseg].h_descr != NULL)
        continue;
          if (pthread_allocate_stack(attr, thread_segment(sseg), pagesize,               [2]
                                     &new_thread, &new_thread_bottom,
                                     &guardaddr, &guardsize) == 0)     
          break;
          ...
    

At [1] the segments incremented as threads are created. Threads can be created up to the PTHREAD_THREADS_MAX limit, and for each thread being created the stack will be allocated using pthread_allocate_stack at [2]. thread_segment is an inlined function that is responsible for decrementing the starting address of the stack

    static __inline__ pthread_descr thread_segment(int seg)
    {
      return (pthread_descr)(THREAD_STACK_START_ADDRESS - (seg - 1) * STACK_SIZE)
             - 1;
    }
    

In both of these code bases THREAD_STACK_START_ADDRESS is 0x40000000000m, but is a machine specific variable, and STACK_SIZE is 2 MB by default for all machines. This means that this condition is far more likely to be seen in 32-bit memory spaces. Once the pointer has been calculated it is passed on to pthread_allocate_stack.

      static int pthread_allocate_stack(const pthread_attr_t *attr,
                                      pthread_descr default_new_thread,
                                      int pagesize,
                                      pthread_descr * out_new_thread,
                                      char ** out_new_thread_bottom,
                                      char ** out_guardaddr,
                                      size_t * out_guardsize)
    {
      pthread_descr new_thread;
      char * new_thread_bottom;
      char * guardaddr;
      size_t stacksize, guardsize;
    
        ...
        else {
          stacksize = STACK_SIZE - pagesize;
          if (attr != NULL)
            stacksize = MIN(stacksize, roundup(attr->__stacksize, pagesize));
          /* Allocate space for stack and thread descriptor at default address */
          new_thread = default_new_thread;
          new_thread_bottom = (char *) (new_thread + 1) - stacksize;
          if (mmap((caddr_t)((char *)(new_thread + 1) - INITIAL_STACK_SIZE),               [3]
                   INITIAL_STACK_SIZE, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED | MAP_GROWSDOWN,
                   -1, 0) == MAP_FAILED)     
            return -1;
    

Within pthread_allocate_stack as long as a stack hasn’t been provided (already allocated), new allocations occur using the mmap call at [3]. This call includes the flag MAP_FIXED which forces mmap to take the address provided as the required address of the allocation, instead of as a hint. As sseg is incremented, the allocation moves to lower memory addresses for each allocation, eventually overwriting loaded libraries or even the code of the application itself.

Both vulnerabilities center around an issue while creating thread stacks using mmap with the MAP_FIXED flag. The manual page of mmap has the following information on MAP_FIXED

    MAP_FIXED
                  Don't interpret addr as a hint: place the mapping at
                  exactly that address.  addr must be suitably aligned: for
                  most architectures a multiple of the page size is
                  sufficient; however, some architectures may impose
                  additional restrictions.  If the memory region specified
                  by addr and length overlaps pages of any existing
                  mapping(s), then the overlapped part of the existing
                  mapping(s) will be discarded.  If the specified address
                  cannot be used, mmap() will fail.
    

By using MAP_FIXED, creating a large number of threads will remap any memory for use by the thread. This generally will first remap libraries loaded into the memory space of an application.

The vulnerable code within the latest version of uClibC is based on the linuxthreads.old implementation. A newer implementation based on linuxthreads is also present, and aptly named linuxthreads. The linuxthreads.old implementation is present in older versions of Buildroot and presented as linuxthreads (stable/old), compared to just linuxthreads. All images built based on the stable/old implementation are vulnerable. Since uClibC-ng is a fork of the original uClibC code, it stands that the vulnerability was present at the time of the code fork,. Since that time, the code has diverged into unique codebases.uClibC-ng only has a single linuxthreads implementation within the codebase, and as such, any linuxthreads\-based implementation of libpthread is vulnerable. All new versions of Buildroot that rely upon uClibC-ng will present this vulnerable implementation as a possible option for the threading implementation in the image.

**TIMELINE**

2022-05-04 - Vendor Disclosure  
2022-05-17 - Vendor Disclosure  
2022-05-17 - Initial Vendor Contact  
2022-09-22 - Public Release

Discovered by Lilith &gt;\_&gt; of Cisco Talos.

CVE-2022-29503: TALOS-2022-1517 || Cisco Talos Intelligence Group

There is a use-after-free issue in JBIG2Stream::close() located in JBIG2Stream.cc in Xpdf 4.04. It can be triggered by sending a crafted PDF file to (for example) the pdfimages binary. It allows an attacker to cause Denial of Service or possibly have unspecified other impact.

Hello, I was testing my fuzzer and found a use-after-free in xpdf-4.04, can be triggered via a crafted pdf file.

\## Environment  
Ubuntu 22.04 (docker)  
gcc-11.2.0  
xpdf-4.04

\## step to reporduce  
\`\`\`  
cd $PATH\_TO\_XPDF && mkdir build && pushd build  
cmake -DCMAKE\_BUILD\_TYPE=Release -DCMAKE\_C\_FLAGS="-fsanitize=address -g" -DCMAKE\_CXX\_FLAGS="-fsanitize=address -g" ../  
./xpdf/pdfimages $POC /dev/null  
\`\`\`  
\## ASan Log  
\`\`\`  
\=================================================================  
\==1164636==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000012970 at pc 0x55c1c290fa1a bp 0x7ffc26bd4430 sp 0x7ffc26bd4420  
READ of size 8 at 0x603000012970 thread T0  
#0 0x55c1c290fa19 in JBIG2Stream::close() /validate/xpdf/xpdf-4.04/xpdf/JBIG2Stream.cc:1216  
#1 0x55c1c290fa84 in JBIG2Stream::~JBIG2Stream() /validate/xpdf/xpdf-4.04/xpdf/JBIG2Stream.cc:1180  
#2 0x55c1c290ffdc in JBIG2Stream::~JBIG2Stream() /validate/xpdf/xpdf-4.04/xpdf/JBIG2Stream.cc:1202  
#3 0x55c1c293642a in Object::free() /validate/xpdf/xpdf-4.04/xpdf/Object.cc:138  
#4 0x55c1c280217d in Gfx::opXObject(Object\*, int) /validate/xpdf/xpdf-4.04/xpdf/Gfx.cc:4136  
#5 0x55c1c2868ab3 in Gfx::execOp(Object\*, Object\*, int) /validate/xpdf/xpdf-4.04/xpdf/Gfx.cc:862  
#6 0x55c1c2868f88 in Gfx::go(int) /validate/xpdf/xpdf-4.04/xpdf/Gfx.cc:747  
#7 0x55c1c28695a6 in Gfx::display(Object\*, int) /validate/xpdf/xpdf-4.04/xpdf/Gfx.cc:669  
#8 0x55c1c2943025 in Page::displaySlice(OutputDev\*, double, double, int, int, int, int, int, int, int, int, int (\*)(void\*), void\*) /validate/xpdf/xpdf-4.04/xpdf/Page.cc:422  
#9 0x55c1c2943882 in Page::display(OutputDev\*, double, double, int, int, int, int, int (\*)(void\*), void\*) /validate/xpdf/xpdf-4.04/xpdf/Page.cc:368  
#10 0x55c1c294d4a3 in PDFDoc::displayPages(OutputDev\*, int, int, double, double, int, int, int, int, int (\*)(void\*), void\*) /validate/xpdf/xpdf-4.04/xpdf/PDFDoc.cc:460  
#11 0x55c1c280656d in main /validate/xpdf/xpdf-4.04/xpdf/pdfimages.cc:156  
#12 0x7efd8b7e7d8f in \_\_libc\_start\_call\_main ../sysdeps/nptl/libc\_start\_call\_main.h:58  
#13 0x7efd8b7e7e3f in \_\_libc\_start\_main\_impl ../csu/libc-start.c:392  
#14 0x55c1c28070b4 in \_start (/validate/xpdf/xpdf-4.04/build/xpdf/pdfimages+0x1280b4)

0x603000012970 is located 0 bytes inside of 32-byte region \[0x603000012970,0x603000012990)  
freed by thread T0 here:  
#0 0x7efd8bdd022f in operator delete(void\*, unsigned long) ../../../../src/libsanitizer/asan/asan\_new\_delete.cpp:172  
#1 0x55c1c290b19f in JBIG2Bitmap::~JBIG2Bitmap() /validate/xpdf/xpdf-4.04/xpdf/JBIG2Stream.cc:740  
#2 0x55c1c290b19f in JBIG2Stream::readPageInfoSeg(unsigned int) /validate/xpdf/xpdf-4.04/xpdf/JBIG2Stream.cc:3960

previously allocated by thread T0 here:  
#0 0x7efd8bdcf1c7 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan\_new\_delete.cpp:99  
#1 0x55c1c290b1fd in JBIG2Stream::readPageInfoSeg(unsigned int) /validate/xpdf/xpdf-4.04/xpdf/JBIG2Stream.cc:3969

SUMMARY: AddressSanitizer: heap-use-after-free /validate/xpdf/xpdf-4.04/xpdf/JBIG2Stream.cc:1216 in JBIG2Stream::close()  
Shadow bytes around the buggy address:  
0x0c067fffa4d0: fd fd fa fa fd fd fd fa fa fa 00 00 01 fa fa fa  
0x0c067fffa4e0: 00 00 00 00 fa fa 00 00 00 00 fa fa fd fd fd fd  
0x0c067fffa4f0: fa fa fd fd fd fd fa fa fd fd fd fa fa fa 00 00  
0x0c067fffa500: 01 fa fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa  
0x0c067fffa510: 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00 00 00  
\=>0x0c067fffa520: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa\[fd\]fd  
0x0c067fffa530: fd fd fa fa fd fd fd fd fa fa fa fa fa fa fa fa  
0x0c067fffa540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c067fffa550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c067fffa560: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c067fffa570: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
Left alloca redzone: ca  
Right alloca redzone: cb  
Shadow gap: cc  
\==1164636==ABORTING  
\`\`\`  
\## Credit  
Han Zheng, NCNIPC of China, Hexhive

\## POC

CVE-2022-38222: [BUG] use-after-free in pdfimages,xpdf-4.04 - forum.xpdfreader.com

Zyxel CloudCNM SecuManager 3.1.0 and 3.1.1 has a hardcoded APP_KEY in /opt/axess/etc/default/axess.

CVE-2020-15330: Multiple vulnerabilities found in Zyxel CNM SecuManager

Red Hat Security Advisory 2022-6703-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 102.3.0 ESR. Issues addressed include a bypass vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: firefox security update  
Advisory ID:       RHSA-2022:6703-01  
Product:           Red Hat Enterprise Linux  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6703  
Issue date:        2022-09-26  
CVE Names:         CVE-2022-40956 CVE-2022-40957 CVE-2022-40958   
                   CVE-2022-40959 CVE-2022-40960 CVE-2022-40962   
=====================================================================

1. Summary:

An update for firefox is now available for Red Hat Enterprise Linux 8.1  
Update Services for SAP Solutions.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream E4S (v. 8.1) - ppc64le, x86_64

3. Description:

Mozilla Firefox is an open-source web browser, designed for standards  
compliance, performance, and portability.

This update upgrades Firefox to version 102.3.0 ESR.

Security Fix(es):

* Mozilla: Bypassing FeaturePolicy restrictions on transient pages  
(CVE-2022-40959)

* Mozilla: Data-race when parsing non-UTF-8 URLs in threads  
(CVE-2022-40960)

* Mozilla: Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3  
(CVE-2022-40962)

* Mozilla: Bypassing Secure Context restriction for cookies with __Host and  
__Secure prefix (CVE-2022-40958)

* Mozilla: Content-Security-Policy base-uri bypass (CVE-2022-40956)

* Mozilla: Incoherent instruction cache when building WASM on ARM64  
(CVE-2022-40957)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes  
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Firefox must be restarted for the changes to  
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

2128792 - CVE-2022-40959 Mozilla: Bypassing FeaturePolicy restrictions on transient pages  
2128793 - CVE-2022-40960 Mozilla: Data-race when parsing non-UTF-8 URLs in threads  
2128794 - CVE-2022-40958 Mozilla: Bypassing Secure Context restriction for cookies with __Host and __Secure prefix  
2128795 - CVE-2022-40956 Mozilla: Content-Security-Policy base-uri bypass  
2128796 - CVE-2022-40957 Mozilla: Incoherent instruction cache when building WASM on ARM64  
2128797 - CVE-2022-40962 Mozilla: Memory safety bugs fixed in Firefox 105 and Firefox ESR 102.3

6. Package List:

Red Hat Enterprise Linux AppStream E4S (v. 8.1):

Source:  
firefox-102.3.0-6.el8_1.src.rpm

ppc64le:  
firefox-102.3.0-6.el8_1.ppc64le.rpm  
firefox-debuginfo-102.3.0-6.el8_1.ppc64le.rpm  
firefox-debugsource-102.3.0-6.el8_1.ppc64le.rpm

x86_64:  
firefox-102.3.0-6.el8_1.x86_64.rpm  
firefox-debuginfo-102.3.0-6.el8_1.x86_64.rpm  
firefox-debugsource-102.3.0-6.el8_1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and  
details on how to verify the signature are available from  
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-40956  
https://access.redhat.com/security/cve/CVE-2022-40957  
https://access.redhat.com/security/cve/CVE-2022-40958  
https://access.redhat.com/security/cve/CVE-2022-40959  
https://access.redhat.com/security/cve/CVE-2022-40960  
https://access.redhat.com/security/cve/CVE-2022-40962  
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYzH0YtzjgjWX9erEAQiFCg/6A22FZMDDiBFcw5xxNzawSZ7L4bdBC/QX  
CnYtzed0BFF4irQctN2nkvYJV3E6mWYKUnO1brqyixlnZtk8mjo97CgNoijEM6JP  
mA2qNRleC6KNU4mmz0GWwkJqz/iIWQ78X6CV7AnZSOQQrMh0cT743jO/+/bf/QW8  
NGSlLtYDdAkv6u/Nwdzp3VnzCO8IJFz2kQ7txIATnyw2eEUAlEXfkkPPGCCtIVuL  
23eVFQndO1rB1qblx3jsO/43xtyBoiMsf5UKJGitRLhWOV6/Z4w2Hk+L7i55N7sy  
FRFyvmJ76TefD5ymIoKDi3EN7tIEdOs1ousR6rbNljH1DF/czQliMRm/u2WdKUkL  
UfBEDT924UABK5wPOg6uaponT9GlOTW1jXaQsyDi+nLmxHV6I1l8kuY+d63VHeOs  
N0kcV00oq4FRPURc99wJAjo0uosY0Wm6elQJBTT0F20UMoaPtXDWFka+bp35lT02  
ufWuxsN8550DL/6lx6TePGQ0Z84NKY4FUnmy59Xbct7lCUyBewnZwme0VMK57a4+  
8WfDgLdk/rc0eLPjvwuEIoh6wqfocEh63Wy62imzo1QeDm25NAnH7VXzpXH2PMwF  
BSyUNzdVl2icVGFbXi9u7eU1b30sm7MsA7PvqzJiwpmA9eu8bky23zDGO3TKIEup  
CDxPUlXH9ys=  
=G7Tz  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Tag

#c++