Certain The MPlayer Project products are vulnerable to Divide By Zero via function demux_open_avi() of libmpdemux/demux_avi.c which affects mencoder. This affects mplayer SVN-r38374-13.0.1 and mencoder SVN-r38374-13.0.1.

**#2402 closed defect (duplicate)**

Reported by:

Owned by:

beastd

Priority:

normal

Component:

undetermined

Version:

HEAD

Severity:

major

Keywords:

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Version: SVN-r38374-13.0.1  

Build command: ../configure --disable-ffmpeg\_a && make (compiling with asan)  

Summary of the bug: An division by zero is found in fucnction demux\_open\_avi () which affects mencoder and mplayer. The attached file can reproduce this issue (ASAN-recompilation is needed).  

How to reproduce:  

1.Command: ./mencoder -ovc lavc -oac lavc -o /dev/null ./testcase  

> ./mplayer ./testcase  

2.Result:  

MPlayer SVN-r38374-9 (C) 2000-2022 MPlayer Team

Playing /home/jlx/crashes/id^%000056,sig^%08,src^%001688,time^%14273883,execs^%697532,op^%havoc,rep^%2.
libavformat version 58.29.100 (external)
AVI file format detected.
\[aviheader\] Video stream found, -vid 0
\[aviheader\] Audio stream found, -aid 1
AVI: No audio stream found -> no sound.


MPlayer interrupted by signal 8 in module: demux\_open
- MPlayer crashed by bad usage of CPU/FPU/RAM.
  Recompile MPlayer with --enable-debug and make a 'gdb' backtrace and
  disassembly. Details in DOCS/HTML/en/bugreports\_what.html#bugreports\_crash.
- MPlayer crashed. This shouldn't happen.
  It can be a bug in the MPlayer code \_or\_ in your drivers \_or\_ in your
  gcc version. If you think it's MPlayer's fault, please read
  DOCS/HTML/en/bugreports.html and follow the instructions there. We can't and
  won't help unless you provide this information when reporting a possible bug.

MEncoder SVN-r38374-13.0.1 (C) 2000-2022 MPlayer Team
success: format: 0  data: 0x0 - 0x2ab4
libavformat version 58.29.100 (external)
AVI file format detected.
\[aviheader\] Video stream found, -vid 0
\[aviheader\] Audio stream found, -aid 1
AVI: No audio stream found -> no sound.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==19160==ERROR: AddressSanitizer: FPE on unknown address 0x55eacc77d2e7 (pc 0x55eacc77d2e7 bp 0x000000000004 sp 0x7ffce604b120 T0)
    #0 0x55eacc77d2e7 in demux\_open\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:571:42
    #1 0x55eacc77d2e7 in demux\_open\_hack\_avi /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:885:14

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c:571:42 in demux\_open\_avi
==19160==ABORTING

Breakpoint 3, demux\_open\_avi (demuxer=<optimized out>) at libmpdemux/demux\_avi.c:571
571             asamples+=(len+priv->audio\_block\_size-1)/priv->audio\_block\_size;
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA
───────────────────────────────────────────────────────────────────────\[ REGISTERS \]────────────────────────────────────────────────────────────────────────
 RAX  0x4
 RBX  0x55904d5f8d00 —▸ 0x55904d5f9410 ◂— 0xe1e1e1e1e1e1
 RCX  0x2fb
 RDX  0x4
 RDI  0x0
 RSI  0x55904d5f9440 ◂— 0x1062773130
 R8   0x1
 R9   0x0
 R10  0x55904d5f9470 ◂— 0x0
 R11  0x0
 R12  0x55904d5f73b0 —▸ 0x55904bcf5ec0 (demuxer\_desc\_avi) —▸ 0x55904bccffcc ◂— 'AVI demuxer'
 R13  0x55904d5f8c60 ◂— 0x0
 R14  0x55904d5f8d80 —▸ 0x55904d593400 ◂— 0x2fb00000000
 R15  0x0
 RBP  0x4
 RSP  0x7fff5a391720 —▸ 0x55904d593400 ◂— 0x2fb00000000
 RIP  0x55904bb55aa7 (demux\_open\_hack\_avi+1351) ◂— lea    eax, \[rax + r9 - 1\]
─────────────────────────────────────────────────────────────────────────\[ DISASM \]─────────────────────────────────────────────────────────────────────────
 ► 0x55904bb55aa7 <demux\_open\_hack\_avi+1351>    lea    eax, \[rax + r9 - 1\]
   0x55904bb55aac <demux\_open\_hack\_avi+1356>    xor    edx, edx
   0x55904bb55aae <demux\_open\_hack\_avi+1358>    div    r9d
    ↓
   0x55904bb55aae <demux\_open\_hack\_avi+1358>    div    r9d






─────────────────────────────────────────────────────────────────────\[ SOURCE (CODE) \]──────────────────────────────────────────────────────────────────────
In file: /home/jlx/good\_mplayer/mplayer/libmpdemux/demux\_avi.c
   566         vsize+=len;
   567         ++vsamples;
   568       }
   569       else if(d\_audio->id == id) {
   570         asize+=len;
 ► 571  asamples+=(len+priv->audio\_block\_size-1)/priv->audio\_block\_size;
   572       }
   573     }
   574     mp\_msg(MSGT\_DEMUX, MSGL\_V,
   575            "AVI video size=%"PRId64" (%zu) audio size=%"PRId64" (%zu)\\n",
   576            vsize, vsamples, asize, asamples);
─────────────────────────────────────────────────────────────────────────\[ STACK \]──────────────────────────────────────────────────────────────────────────
00:0000│ rsp  0x7fff5a391720 —▸ 0x55904d593400 ◂— 0x2fb00000000
01:0008│      0x7fff5a391728 —▸ 0x55904d5f9430 ◂— 0x1062773130
02:0010│      0x7fff5a391730 —▸ 0x55904d5f8c60 ◂— 0x0
03:0018│      0x7fff5a391738 ◂— 0xffffffff
04:0020│      0x7fff5a391740 ◂— 0x62773130ffffffff
05:0028│      0x7fff5a391748 ◂— 0x588a634aec56d900
06:0030│      0x7fff5a391750 ◂— 0xffffffff
07:0038│      0x7fff5a391758 —▸ 0x55904bcf5ec0 (demuxer\_desc\_avi) —▸ 0x55904bccffcc ◂— 'AVI demuxer'
───────────────────────────────────────────────────────────────────────\[ BACKTRACE \]────────────────────────────────────────────────────────────────────────
 ► f 0     55904bb55aa7 demux\_open\_hack\_avi+1351
   f 1     55904bb55aa7 demux\_open\_hack\_avi+1351
   f 2     55904bb48743 demux\_open\_stream+931
   f 3     55904bb49231 demux\_open+753
   f 4     55904bac0642 main+1042
   f 5     7f7b8118c0b3 \_\_libc\_start\_main+243
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

CVE-2022-38860: #2402 (A Division by zero occurred in function demux_open_avi() of libmpdemux/demux_avi.c) – MPlayer

Red Hat Security Advisory 2022-6517-01 - Red Hat OpenStack Platform 16.2 (Train) director operator containers, with several Important security fixes, are available for technology preview.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Important: Release of containers for OSP 16.2.z director operator tech preview  
Advisory ID:       RHSA-2022:6517-01  
Product:           Red Hat OpenStack Platform  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6517  
Issue date:        2022-09-14  
CVE Names:         CVE-2021-41103 CVE-2022-1292 CVE-2022-1586  
                   CVE-2022-2068 CVE-2022-2097 CVE-2022-30631  
====================================================================  
1. Summary:

Red Hat OpenStack Platform 16.2 (Train) director operator containers, with  
several Important security fixes, are available for technology preview.

2. Description:

Release osp-director-operator images

Security Fix(es):

* CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read  
[important]  
* CVE-2021-41103 golang: containerd: insufficiently restricted permissions  
on container root and plugin directories [medium]

3. Solution:

OSP 16.2.z Release - OSP Director Operator Containers

4. Bugs fixed (https://bugzilla.redhat.com/):

2011007 - CVE-2021-41103 containerd: insufficiently restricted permissions on container root and plugin directories  
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read

5. References:

https://access.redhat.com/security/cve/CVE-2021-41103  
https://access.redhat.com/security/cve/CVE-2022-1292  
https://access.redhat.com/security/cve/CVE-2022-1586  
https://access.redhat.com/security/cve/CVE-2022-2068  
https://access.redhat.com/security/cve/CVE-2022-2097  
https://access.redhat.com/security/cve/CVE-2022-30631  
https://access.redhat.com/security/updates/classification/#important

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYyInxNzjgjWX9erEAQj8iA//ayZQRYHLjJL7czXpd1rCmi7GsmJgEIb3  
UyOJlfr9B/saUH+y1o87j/b5xMtRLHWFV3yEKCy5HNaCNd/qCtr0YlBvxzV+Zk7i  
3q4qA7CDc8JYmc6JIjDqX175u0z4o3KuBNJO+nmQG13h2cGSjRKm7O1ddZGdyCrO  
+fJtz1pGZ+Hwko+4Mkxlaail8AowqK5wTsFfkdaXkuAIjc7ImOox9PR2A+MylnxL  
+fg++DQgDTgMjotQW0TmbsOKEyXmFfQK6c6yjLe/WeJPTdejMrq4m7soFA2d3b1x  
BPN2B7IhT6BYJzTjJ5TZwcbzNJpItS53Et2ZIZT+WVhld39lKqp6fDwGG3crpGrk  
9tdvbbNgn9LZHJvJzAgt8APjjBmzvbo/LUx2mI5/b3VRqDOruRGXp2unseEgCCHK  
fhNrgQHz8Ttlm2ZNOEtkFFEA2wJ7nL0sNnSkorIfDOJOPL9HO0WOn6eAfnle9jDa  
MGs3rG9MIZ1mw+9DfLf+EJW92KS3DM281BWsXofQic/dlZgbI2bpm43Z06aJaSGF  
sdVUS3/hknx/Itpd8tqsZq74qKkF/2t+aRYVzuDf7XqXuO6LDP2NO/AyhoNCe+fZ  
HdE33A1LEQAM7Z4DY/Pl1bzfjTiYn53ZW5i4cEjTS9EbPwnJMpcEkh1p/Gp51Uyt  
2nnxgBoed8A=8PTk  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6517-01

Uncontrolled Recursion in GitHub repository gpac/gpac prior to 2.1.0-DEV.

It can cause Denial-of-service attack.

**Version**

    root@ubuntu:~/gpac/.git# cat refs/heads/master
    0102c5d4db7fdbf08b5b591b2a6264de33867a07
    

**system stack size (default)**

    root@ubuntu:~/gpac/bin/gcc# ulimit -s
    8192
    

**POC**

Download POC

**Execute**

    root@ubuntu:~/gpac/bin/gcc# ./MP4Box -info -disox -dump-chap-ogg -dump-cover -drtp -x3dv -out /dev/null ./recursion
    [iso file] Unknown box type FF0000 in parent moov
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80000 in parent moov
    [iso file] Incomplete box mdat - start 11495 size 808395597
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] Unknown box type FF0000 in parent moov
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80000 in parent moov
    [iso file] Incomplete box mdat - start 11495 size 808395597
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 BIFS Scene Parsing
    Segmentation fault
    

**GDB**

    #1 ...
    #7880 0x00007ffff6cdbf19 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:466
    #7881 0x00007ffff6cdc6c7 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:658
    #7882 0x00007ffff6cdc89f in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:568
    #7883 0x00007ffff6cdcc25 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:544
    #7884 0x00007ffff6cdbf19 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:466
    #7885 0x00007ffff6cdc6c7 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:658
    #7886 0x00007ffff6cdc89f in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:568
    #7887 0x00007ffff6cdcc25 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:544
    #7888 0x00007ffff6cdbf19 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:466
    #7889 0x00007ffff6cdc6c7 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:658
    #7890 0x00007ffff6cdc89f in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:568
    #7891 0x00007ffff6cdcc25 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:544
    #7892 0x00007ffff6cdbf19 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:466
    #7893 0x00007ffff6cdc6c7 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:658
    #7894 0x00007ffff6cdc89f in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:568
    #7895 0x00007ffff6cdcc25 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:544
    #7896 0x00007ffff6cdbf19 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:466
    #7897 0x00007ffff6cdc6c7 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:658
    #7898 0x00007ffff6cdc89f in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:568
    #7899 0x00007ffff6cdcc25 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:544
    #7900 0x00007ffff6cdbf19 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:466
    #7901 0x00007ffff6cdc6c7 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:658
    #7902 0x00007ffff6cdc89f in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:568
    #7903 0x00007ffff6cdcc25 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:544
    #7904 0x00007ffff6cdbf19 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:466
    #7905 0x00007ffff6cdc6c7 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:658
    #7906 0x00007ffff6cdc89f in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:568
    #7907 0x00007ffff6cdcc25 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:544
    #7908 0x00007ffff6cdbf19 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:466
    #7909 0x00007ffff6cdc6c7 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:658
    #7910 0x00007ffff6cdc89f in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:568
    #7911 0x00007ffff6cdcc25 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:544
    #7912 0x00007ffff6cdbf19 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:466
    #7913 0x00007ffff6cdc6c7 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:658
    #7914 0x00007ffff6cdc89f in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:568
    #7915 0x00007ffff6cdcc25 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:544
    #7916 0x00007ffff6cdbf19 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:466
    #7917 0x00007ffff6cdc6c7 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:658
    #7918 0x00007ffff6cdb61c in SFS_CompoundExpression (parser=0x7fffffff6f30) at bifs/script_dec.c:419
    #7919 0x00007ffff6cdaed3 in SFS_IfStatement (parser=0x7fffffff6f30) at bifs/script_dec.c:334
    #7920 0x00007ffff6cdac78 in SFS_Statement (parser=0x7fffffff6f30) at bifs/script_dec.c:303
    #7921 0x00007ffff6cdab2c in SFS_StatementBlock (parser=0x7fffffff6f30, funcBody=GF_TRUE) at bifs/script_dec.c:287
    #7922 0x00007ffff6cd9f01 in SFScript_Parse (codec=<optimized out>, script_field=0x8e1740, bs=0x8cded0, n=<optimized out>) at bifs/script_dec.c:210
    #7923 0x00007ffff6cc5563 in gf_bifs_dec_sf_field (codec=0x8de970, bs=0x8cded0, node=0x8e1850, field=0x7fffffff7060, is_mem_com=GF_FALSE) at bifs/field_decode.c:277
    #7924 0x00007ffff6cc9156 in BD_DecMFFieldVec (codec=0x8de970, bs=0x8cded0, node=0x8e1850, field=0x7fffffff7130, is_mem_com=<optimized out>) at bifs/field_decode.c:427
    #7925 0x00007ffff6cc9a74 in gf_bifs_dec_field (codec=0x8de970, bs=0x8cded0, node=0x8e1850, field=0x7fffffff7130, is_mem_com=GF_FALSE) at bifs/field_decode.c:566
    #7926 0x00007ffff6cca419 in gf_bifs_dec_node_list (codec=0x8de970, bs=0x8cded0, node=0x8e1850, is_proto=<optimized out>) at bifs/field_decode.c:626
    #7927 0x00007ffff6cc8130 in gf_bifs_dec_node (codec=0x51, bs=<optimized out>, NDT_Tag=<optimized out>) at bifs/field_decode.c:928
    #7928 0x00007ffff6cc8daa in BD_DecMFFieldVec (codec=0x8de970, bs=0x8cded0, node=0x8e17c0, field=0x7fffffff7720, is_mem_com=GF_FALSE) at bifs/field_decode.c:436
    #7929 0x00007ffff6cc9a74 in gf_bifs_dec_field (codec=0x8de970, bs=0x8cded0, node=0x8e17c0, field=0x7fffffff7720, is_mem_com=GF_FALSE) at bifs/field_decode.c:566
    #7930 0x00007ffff6cca419 in gf_bifs_dec_node_list (codec=0x8de970, bs=0x8cded0, node=0x8e17c0, is_proto=<optimized out>) at bifs/field_decode.c:626
    #7931 0x00007ffff6cc8130 in gf_bifs_dec_node (codec=0x37, bs=<optimized out>, NDT_Tag=<optimized out>) at bifs/field_decode.c:928
    #7932 0x00007ffff6cb5067 in BD_DecSceneReplace (codec=0x8de970, bs=0x8cded0, proto_list=<optimized out>) at bifs/com_dec.c:1357
    #7933 0x00007ffff6cd6043 in BM_SceneReplace (codec=0x8de970, bs=0x6, com_list=0x8ded30) at bifs/memory_decoder.c:867
    #7934 0x00007ffff6cd6556 in BM_ParseCommand (codec=0x8de970, bs=0x8cded0, com_list=0x8ded30) at bifs/memory_decoder.c:917
    #7935 0x00007ffff6cd7075 in gf_bifs_decode_command_list (codec=0x8de970, ESID=<optimized out>,
        data=0x8dedb0 "\314\314", '\060' <repeats 169 times>, "\020", '\060' <repeats 28 times>..., data_length=0x2010, com_list=0x8ded30) at bifs/memory_decoder.c:1038
    #7936 0x00007ffff70b378e in gf_sm_load_run_isom (load=0x7fffffff8660) at scene_manager/loader_isom.c:303
    #7937 0x00007ffff70765ab in gf_sm_load_run (load=0x7fffffff8660) at scene_manager/scene_manager.c:719
    #7938 0x0000000000443136 in dump_isom_scene (file=<optimized out>, inName=0x7fffffffe754 "/dev/null", is_final_name=GF_TRUE, dump_mode=GF_SM_DUMP_X3D_VRML,
        do_log=<optimized out>, no_odf_conv=<optimized out>) at filedump.c:203
    #7939 0x0000000000434038 in mp4box_main (argc=<optimized out>, argv=<optimized out>) at mp4box.c:6344
    #7940 0x00007ffff657ec87 in __libc_start_main (main=0x4410a0 <main>, argc=0xa, argv=0x7fffffffe488, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>,
        stack_end=0x7fffffffe478) at ../csu/libc-start.c:310
    #7941 0x00000000004103fa in _start
    

**Impact**

DoS

CVE-2022-3222: Segmentation Fault in SFS_Expression in gpac

An issue was discovered in Bento4 through 1.6.0-639. A NULL pointer dereference occurs in AP4_DescriptorListWriter::Action in Core/Ap4Descriptor.h, called from AP4_EsDescriptor::WriteFields and AP4_Expandable::Write.

Hello, I use fuzzer to test bianry mp4split, and found some vulnerabilities,the following is the details.

**Bug1**

    root@c511e4bf49bc:/mp4split/mp4split# ./mp4split FishFuzz/crashes/id:000000,sig:06,src:000011,op:flip1,pos:31240,1216870
    =================================================================
    ==2589461==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000cfdb21 at pc 0x0000009a6c6c bp 0x7ffec6ff0d60 sp 0x7ffec6ff0510
    READ of size 237 at 0x000000cfdb21 thread T0
        #0 0x9a6c6b in __interceptor_fwrite.part.57 /llvm/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1143
        #1 0x7ab8fa in AP4_StdcFileByteStream::WritePartial(void const*, unsigned int, unsigned int&) (/mp4split/mp4split/mp4split+0x7ab8fa)
        #2 0x471cf7 in AP4_ByteStream::Write(void const*, unsigned int) (/mp4split/mp4split/mp4split+0x471cf7)
        #3 0x4d1be1 in AP4_HdlrAtom::WriteFields(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x4d1be1)
        #4 0x41378f in AP4_AtomListWriter::Action(AP4_Atom*) const (/mp4split/mp4split/mp4split+0x41378f)
        #5 0x483213 in AP4_ContainerAtom::WriteFields(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x483213)
        #6 0x41378f in AP4_AtomListWriter::Action(AP4_Atom*) const (/mp4split/mp4split/mp4split+0x41378f)
        #7 0x483213 in AP4_ContainerAtom::WriteFields(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x483213)
        #8 0x41378f in AP4_AtomListWriter::Action(AP4_Atom*) const (/mp4split/mp4split/mp4split+0x41378f)
        #9 0x483213 in AP4_ContainerAtom::WriteFields(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x483213)
        #10 0x40d872 in main (/mp4split/mp4split/mp4split+0x40d872)
        #11 0x7f7ce8910c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #12 0x407689 in _start (/mp4split/mp4split/mp4split+0x407689)
    
    0x000000cfdb21 is located 63 bytes to the left of global variable 'AP4_GlobalOptions::g_Entries' defined in '/Bento4-1.5.1-629/Source/C++/Core/Ap4Utils.cpp:37:56' (0xcfdb60) of size 8
    0x000000cfdb21 is located 0 bytes to the right of global variable 'AP4_String::EmptyString' defined in '/Bento4-1.5.1-629/Source/C++/Core/Ap4String.cpp:39:18' (0xcfdb20) of size 1
      'AP4_String::EmptyString' is ascii string ''
    SUMMARY: AddressSanitizer: global-buffer-overflow /llvm/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1143 in __interceptor_fwrite.part.57
    Shadow bytes around the buggy address:
      0x000080197b10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x000080197b20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f9
      0x000080197b30: f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9 00 00 00 f9
      0x000080197b40: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 f9 f9 f9
      0x000080197b50: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 f9 f9 f9
    =>0x000080197b60: f9 f9 f9 f9[01]f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
      0x000080197b70: f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9 00 00 00 00
      0x000080197b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x000080197b90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x000080197ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x000080197bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==2589461==ABORTING
    

**Bug2**

    root@c511e4bf49bc:/mp4split/mp4split# ./mp4split FishFuzz/crashes/id:000001,sig:06,src:000011,op:flip1,pos:31415,1226899
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==2659777==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000096b50a bp 0x7ffda4354030 sp 0x7ffda4353e70 T0)
    ==2659777==The signal is caused by a READ memory access.
    ==2659777==Hint: address points to the zero page.
        #0 0x96b50a in AP4_DescriptorListWriter::Action(AP4_Descriptor*) const (/mp4split/mp4split/mp4split+0x96b50a)
        #1 0x88e625 in AP4_EsDescriptor::WriteFields(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x88e625)
        #2 0x896a7f in AP4_Expandable::Write(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x896a7f)
        #3 0x4bdbcd in AP4_EsdsAtom::WriteFields(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x4bdbcd)
        #4 0x41378f in AP4_AtomListWriter::Action(AP4_Atom*) const (/mp4split/mp4split/mp4split+0x41378f)
        #5 0x61dbf8 in AP4_SampleEntry::Write(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x61dbf8)
        #6 0x41378f in AP4_AtomListWriter::Action(AP4_Atom*) const (/mp4split/mp4split/mp4split+0x41378f)
        #7 0x676f0b in AP4_StsdAtom::WriteFields(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x676f0b)
        #8 0x41378f in AP4_AtomListWriter::Action(AP4_Atom*) const (/mp4split/mp4split/mp4split+0x41378f)
        #9 0x483213 in AP4_ContainerAtom::WriteFields(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x483213)
        #10 0x41378f in AP4_AtomListWriter::Action(AP4_Atom*) const (/mp4split/mp4split/mp4split+0x41378f)
        #11 0x483213 in AP4_ContainerAtom::WriteFields(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x483213)
        #12 0x41378f in AP4_AtomListWriter::Action(AP4_Atom*) const (/mp4split/mp4split/mp4split+0x41378f)
        #13 0x483213 in AP4_ContainerAtom::WriteFields(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x483213)
        #14 0x41378f in AP4_AtomListWriter::Action(AP4_Atom*) const (/mp4split/mp4split/mp4split+0x41378f)
        #15 0x483213 in AP4_ContainerAtom::WriteFields(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x483213)
        #16 0x41378f in AP4_AtomListWriter::Action(AP4_Atom*) const (/mp4split/mp4split/mp4split+0x41378f)
        #17 0x483213 in AP4_ContainerAtom::WriteFields(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x483213)
        #18 0x40d872 in main (/mp4split/mp4split/mp4split+0x40d872)
        #19 0x7f1636a2cc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #20 0x407689 in _start (/mp4split/mp4split/mp4split+0x407689)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV (/mp4split/mp4split/mp4split+0x96b50a) in AP4_DescriptorListWriter::Action(AP4_Descriptor*) const
    ==2659777==ABORTING
    

**poc**

crash.zip

**environment**

Ubuntu 18.04(docker)

**credit**

Yuhang Huang (NCNIPC of China)  
Han Zheng (NCNIPC of China, Hexhive)

Thansk for your time!

CVE-2022-40738: there are some vulnerabilities in binary mp4split · Issue #756 · axiomatic-systems/Bento4

An issue was discovered in Bento4 1.6.0-639. There ie excessive memory consumption in AP4_CttsAtom::Create in Core/Ap4CttsAtom.cpp.

**summary**

Hello, I use my fuzzer to fuzz binary mp4tag mp4split and mp42hevc, the three binary all crashede, and shows that allocator is out of memory trying to allocate 0xxxxxxx bytes. The version of Bento4 is the latest and the operation system is Ubuntu 18.04(docker). The following is the details.

**Bug1**

    root@c511e4bf49bc:/mp42hevc/mp42hevc# ./mp42hevc seed.demo out.hevc 
    =================================================================
    ==92089==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0x54ba37b78 bytes
        #0 0xa1b020 in malloc /llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x7fe65b2d6297 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x93297)
        #2 0x6c1b9b in AP4_CttsAtom::Create(unsigned int, AP4_ByteStream&) (/mp42hevc/mp42hevc/mp42hevc+0x6c1b9b)
        #3 0x5cf24c in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/mp42hevc/mp42hevc/mp42hevc+0x5cf24c)
        #4 0x5dcbb6 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/mp42hevc/mp42hevc/mp42hevc+0x5dcbb6)
        #5 0x6bd7a5 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/mp42hevc/mp42hevc/mp42hevc+0x6bd7a5)
        #6 0x6bc7f9 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) (/mp42hevc/mp42hevc/mp42hevc+0x6bc7f9)
        #7 0x5d5f65 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/mp42hevc/mp42hevc/mp42hevc+0x5d5f65)
        #8 0x5dcbb6 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/mp42hevc/mp42hevc/mp42hevc+0x5dcbb6)
        #9 0x6bd7a5 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/mp42hevc/mp42hevc/mp42hevc+0x6bd7a5)
        #10 0x6bcf4a in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) (/mp42hevc/mp42hevc/mp42hevc+0x6bcf4a)
        #11 0x5d5abc in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/mp42hevc/mp42hevc/mp42hevc+0x5d5abc)
        #12 0x5dcbb6 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/mp42hevc/mp42hevc/mp42hevc+0x5dcbb6)
        #13 0x6bd7a5 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/mp42hevc/mp42hevc/mp42hevc+0x6bd7a5)
        #14 0x6bfa61 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) (/mp42hevc/mp42hevc/mp42hevc+0x6bfa61)
    
    ==92089==HINT: if you don't care about these errors you may set allocator_may_return_null=1
    SUMMARY: AddressSanitizer: out-of-memory /llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145 in malloc
    ==92089==ABORTING
    my test case:
    
    

**Bug2**

    root@c511e4bf49bc:/mp42hevc/mp42hevc# /mp4box/mp4tag/mp4tag /mp4box/mp4tag/seed.demo 
    =================================================================
    ==843687==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0x3a35b4320 bytes
        #0 0xa38ee0 in malloc /llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x7f9f81086297 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x93297)
        #2 0x4ae28b in AP4_CttsAtom::Create(unsigned int, AP4_ByteStream&) (/mp4box/mp4tag/mp4tag+0x4ae28b)
        #3 0x45f0fc in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/mp4box/mp4tag/mp4tag+0x45f0fc)
        #4 0x46ca96 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/mp4box/mp4tag/mp4tag+0x46ca96)
        #5 0x4a9e92 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/mp4box/mp4tag/mp4tag+0x4a9e92)
        #6 0x4ac151 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) (/mp4box/mp4tag/mp4tag+0x4ac151)
    
    ==843687==HINT: if you don't care about these errors you may set allocator_may_return_null=1
    SUMMARY: AddressSanitizer: out-of-memory /llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145 in malloc
    ==843687==ABORTING
    

**Bug3**

    root@c511e4bf49bc:/mp4split/mp4split# ./mp4split FishFuzz/crashes/id:000025,sig:06,src:000215,op:flip1,pos:31468,26038495
    =================================================================
    ==3151765==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0x400000068 bytes
        #0 0xa19d40 in malloc /llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x7f8d59cb9297 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x93297)
        #2 0x48fc9b in AP4_CttsAtom::Create(unsigned int, AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x48fc9b)
        #3 0x440aec in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/mp4split/mp4split/mp4split+0x440aec)
        #4 0x44e46b in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/mp4split/mp4split/mp4split+0x44e46b)
        #5 0x48b8a5 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/mp4split/mp4split/mp4split+0x48b8a5)
        #6 0x48b04a in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) (/mp4split/mp4split/mp4split+0x48b04a)
        #7 0x44735c in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/mp4split/mp4split/mp4split+0x44735c)
        #8 0x44e46b in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/mp4split/mp4split/mp4split+0x44e46b)
        #9 0x48b8a5 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/mp4split/mp4split/mp4split+0x48b8a5)
        #10 0x48b04a in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) (/mp4split/mp4split/mp4split+0x48b04a)
        #11 0x44735c in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/mp4split/mp4split/mp4split+0x44735c)
        #12 0x44e46b in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/mp4split/mp4split/mp4split+0x44e46b)
        #13 0x48b8a5 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/mp4split/mp4split/mp4split+0x48b8a5)
        #14 0x48b04a in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) (/mp4split/mp4split/mp4split+0x48b04a)
        #15 0x44735c in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/mp4split/mp4split/mp4split+0x44735c)
        #16 0x44e46b in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/mp4split/mp4split/mp4split+0x44e46b)
        #17 0x48b8a5 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/mp4split/mp4split/mp4split+0x48b8a5)
        #18 0x48db61 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) (/mp4split/mp4split/mp4split+0x48db61)
    
    ==3151765==HINT: if you don't care about these errors you may set allocator_may_return_null=1
    SUMMARY: AddressSanitizer: out-of-memory /llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145 in malloc
    ==3151765==ABORTING
    
    
    

**POC**

MP42hevc\_crash.zip  
MP4tag\_crash.zip  
mp4split\_crash.zip

**Credit**

Yuhang Huang (NCNIPC of China)  
Han Zheng (NCNIPC of China, Hexhive)

Thank you for your time!

CVE-2022-40736: Out of memory in AP4_CttsAtom::Create(unsigned int, AP4_ByteStream&) · Issue #755 · axiomatic-systems/Bento4

Buffer overflow vulnerability in function AP4_MemoryByteStream::WritePartial in mp42aac in Bento4 v1.6.0-639, allows attackers to cause a denial of service via a crafted file.

Hi, developers of Bento4:  
In the test of the binary mp42aac instrumented with ASAN. There are some inputs causing heap-buffer-overflow. Here is the ASAN mode output:

\=================================================================  
\==4695==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6190000027a0 at pc 0x7ffff6ef6964 bp 0x7fffffffdea0 sp 0x7fffffffd648  
WRITE of size 4294967288 at 0x6190000027a0 thread T0  
#0 0x7ffff6ef6963 in \_\_asan\_memcpy (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x8c963)  
#1 0x409ed4 in AP4\_MemoryByteStream::WritePartial(void const\*, unsigned int, unsigned int&) /home/ferry/dp/Bento4/Source/C++/Core/Ap4ByteStream.cpp:785  
#2 0x40d9e3 in AP4\_ByteStream::Write(void const\*, unsigned int) /home/ferry/dp/Bento4/Source/C++/Core/Ap4ByteStream.cpp:77  
#3 0x4eb601 in AP4\_Atom::Write(AP4\_ByteStream&) /home/ferry/dp/Bento4/Source/C++/Core/Ap4Atom.cpp:229  
#4 0x4eb601 in AP4\_Atom::Clone() /home/ferry/dp/Bento4/Source/C++/Core/Ap4Atom.cpp:316  
#5 0x446d7a in AP4\_SampleDescription::AP4\_SampleDescription(AP4\_SampleDescription::Type, unsigned int, AP4\_AtomParent\*) /home/ferry/dp/Bento4/Source/C++/Core/Ap4SampleDescription.cpp:138  
#6 0x461a8f in AP4\_GenericAudioSampleDescription::AP4\_GenericAudioSampleDescription(unsigned int, unsigned int, unsigned short, unsigned short, AP4\_AtomParent\*) /home/ferry/dp/Bento4/Source/C++/Core/Ap4SampleDescription.h:259  
#7 0x461a8f in AP4\_AudioSampleEntry::ToSampleDescription() /home/ferry/dp/Bento4/Source/C++/Core/Ap4SampleEntry.cpp:630  
#8 0x48ca03 in AP4\_StsdAtom::GetSampleDescription(unsigned int) /home/ferry/dp/Bento4/Source/C++/Core/Ap4StsdAtom.cpp:181  
#9 0x4040b6 in main /home/ferry/dp/Bento4/Source/C++/Apps/Mp42Aac/Mp42Aac.cpp:268  
#10 0x7ffff61bb83f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2083f)  
#11 0x408338 in \_start (/home/ferry/dp/Bento4/mp42aac+0x408338)

0x6190000027a0 is located 0 bytes to the right of 1056-byte region \[0x619000002380,0x6190000027a0)  
allocated by thread T0 here:  
#0 0x7ffff6f03712 in operator new\[\](unsigned long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x99712)  
#1 0x414c8e in AP4\_DataBuffer::ReallocateBuffer(unsigned int) /home/ferry/dp/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:210  
#2 0x414c8e in AP4\_DataBuffer::SetBufferSize(unsigned int) /home/ferry/dp/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:136  
#3 0x414c8e in AP4\_DataBuffer::Reserve(unsigned int) /home/ferry/dp/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:107

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 \_\_asan\_memcpy  
Shadow bytes around the buggy address:  
0x0c327fff84a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c327fff84b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c327fff84c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c327fff84d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c327fff84e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
\=>0x0c327fff84f0: 00 00 00 00\[fa\]fa fa fa fa fa fa fa fa fa fa fa  
0x0c327fff8500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c327fff8510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c327fff8520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c327fff8530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c327fff8540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Heap right redzone: fb  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack partial redzone: f4  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
\==4695==ABORTING

**Crash input**

https://github.com/17ssDP/fuzzer\_crashes/blob/main/Bento4/input2

**Validation steps**

    git clone https://github.com/axiomatic-systems/Bento4
    cd Bento4/
    mkdir check_build && cd check_build
    cmake ../ -DCMAKE_C_COMPILER=clang  -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_FLAGS="-fsanitize=address" -DCMAKE_CXX_FLAGS="-fsanitize=address" -DCMAKE_BUILD_TYPE=Release
    make -j 
    ./mp42aac input2 /dev/null
    

**Environment**

Ubuntu 16.04  
Clang 10.0.1  
gcc 5.5

CVE-2022-40438: Heap-buffer-overflow with ASAN in mp42aac · Issue #751 · axiomatic-systems/Bento4

An memory leak issue was discovered in AP4_StdcFileByteStream::Create in mp42ts in Bento4 v1.6.0-639, allows attackers to cause a denial of service via a crafted file.

Hi, developers of Bento4:  
In the test of the binary mp42ts instrumented with ASAN. There are some inputs causing memory leaks. Here is the ASAN mode output:

\=================================================================  
\==18321==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 48 byte(s) in 1 object(s) allocated from:  
#0 0x7ffff6f03592 in operator new(unsigned long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x99592)  
#1 0x4c871d in AP4\_StdcFileByteStream::Create(AP4\_FileByteStream\*, char const\*, AP4\_FileByteStream::Mode, AP4\_ByteStream\*&) /home/ferry/dp/chunkfuzzer-evaluation/unibench-latest/Bento4/Source/C++/System/StdC/Ap4StdCFileByteStream.cpp:279  
#2 0x4c871d in AP4\_FileByteStream::Create(char const\*, AP4\_FileByteStream::Mode, AP4\_ByteStream\*&) /home/ferry/dp/chunkfuzzer-evaluation/unibench-latest/Bento4/Source/C++/System/StdC/Ap4StdCFileByteStream.cpp:439

Indirect leak of 72 byte(s) in 1 object(s) allocated from:  
#0 0x7ffff6f03592 in operator new(unsigned long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x99592)  
#1 0x404286 in main /home/ferry/dp/chunkfuzzer-evaluation/unibench-latest/Bento4/Source/C++/Apps/Mp42Ts/Mp42Ts.cpp:511  
#2 0x7ffff61bb83f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2083f)

Indirect leak of 64 byte(s) in 1 object(s) allocated from:  
#0 0x7ffff6f03592 in operator new(unsigned long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x99592)  
#1 0x4f57d1 in AP4\_RtpAtom::Create(unsigned int, AP4\_ByteStream&) /home/ferry/dp/chunkfuzzer-evaluation/unibench-latest/Bento4/Source/C++/Core/Ap4RtpAtom.h:53  
#2 0x4f57d1 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /home/ferry/dp/chunkfuzzer-evaluation/unibench-latest/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:689

Indirect leak of 24 byte(s) in 1 object(s) allocated from:  
#0 0x7ffff6f03592 in operator new(unsigned long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x99592)  
#1 0x4d2591 in AP4\_List<AP4\_Atom>::Add(AP4\_Atom\*) /home/ferry/dp/chunkfuzzer-evaluation/unibench-latest/Bento4/Source/C++/Core/Ap4List.h:160  
#2 0x4d2591 in AP4\_AtomParent::AddChild(AP4\_Atom\*, int) /home/ferry/dp/chunkfuzzer-evaluation/unibench-latest/Bento4/Source/C++/Core/Ap4Atom.cpp:532

SUMMARY: AddressSanitizer: 208 byte(s) leaked in 4 allocation(s).

****Crash Input****

https://github.com/17ssDP/fuzzer\_crashes/blob/main/Bento4/input1

**Verification steps：**

    git clone https://github.com/axiomatic-systems/Bento4
    cd Bento4/
    mkdir check_build && cd check_build
    cmake ../ -DCMAKE_C_COMPILER=clang  -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_FLAGS="-fsanitize=address" -DCMAKE_CXX_FLAGS="-fsanitize=address" -DCMAKE_BUILD_TYPE=Release
    make -j 
    ./mp42ts input1 /dev/null
    

**Environment**

Ubuntu 16.04  
Clang 10.0.1  
gcc 5.5

CVE-2022-40439: Memory leaks with ASAN in mp42ts · Issue #750 · axiomatic-systems/Bento4

A Linux variant of a backdoor known as SideWalk was used to target a Hong Kong university in February 2021, underscoring the cross-platform abilities of the implant. 
Slovak cybersecurity firm ESET, which detected the malware in the university's network, attributed the backdoor to a nation-state actor dubbed SparklingGoblin. The unnamed university is said to have been already targeted by the

A Linux variant of a backdoor known as SideWalk was used to target a Hong Kong university in February 2021, underscoring the cross-platform abilities of the implant.

Slovak cybersecurity firm ESET, which detected the malware in the university's network, attributed the backdoor to a nation-state actor dubbed **SparklingGoblin**. The unnamed university is said to have been already targeted by the group in May 2020 during the student protests.

"The group continuously targeted this organization over a long period of time, successfully compromising multiple key servers, including a print server, an email server, and a server used to manage student schedules and course registrations," ESET said in a report shared with The Hacker News.

SparklingGoblin is the name given to a Chinese advanced persistent threat (APT) group with connections to the Winnti umbrella (aka APT41, Barium, or Wicked Panda). It's primarily known for its attacks targeting various entities in East and Southeast Asia at least since 2019, with a specific focus on the academic sector.

In August 2021, ESET unearthed a new piece of custom Windows malware codenamed SideWalk that was exclusively leveraged by the actor to strike an unnamed computer retail company based in the U.S.

Subsequent findings from Symantec, part of Broadcom software, have linked the use of SideWalk to an espionage attack group it tracks under the moniker Grayfly, while pointing out the malware's similarities to that of Crosswalk.

"SparklingGoblin's Tactics, Techniques and Procedures (TTPs) partially overlap with APT41 TTPs," Mathieu Tartare, malware researcher at ESET, told The Hacker News. "Grayfly's definition given by Symantec seems to (at least partially) overlap with SparklingGoblin."

The latest research from ESET dives into SideWalk's Linux counterpart (originally called StageClient in July 2021), with the analysis also uncovering that Specter RAT, a Linux botnet that came to light in September 2020, is in fact a Linux variant of SideWalk as well.

Aside from multiple code similarities between the SideWalk Linux and various SparklingGoblin tools, one of the Linux samples has been found using a command-and-control address (66.42.103\[.\]222) that was previously used by SparklingGoblin.

Other commonalities include the use of the same bespoke ChaCha20 implementation, multiple threads to execute one particular task, ChaCha20 algorithm for decrypting its configuration, and an identical dead drop resolver payload.

Despite these overlaps, there are some significant changes, the most notable being the switch from C to C++, addition of new built-in modules to execute scheduled tasks and gather system information, and changes to four commands that are not handled in the Linux version.

"Since we have seen the Linux variant only once in our telemetry (deployed at a Hong Kong university in February 2021) one can consider the Linux variant to be less prevalent -- but we also have less visibility on Linux systems which could explain this," Tartare said.

"On the other hand, the Specter Linux variant is used against IP cameras and NVR and DVR devices (on which we have no visibility) and is mass spread by exploiting a vulnerability on such devices."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

SparklingGoblin APT Hackers Using New Linux Variant of SideWalk Backdoor

LIEF commit 5d1d643 was discovered to contain a heap-buffer overflow in the component /core/CorePrPsInfo.tcc.

**version**

    latest master [5d1d643](https://github.com/lief-project/LIEF/commit/5d1d643a0c46437b57d35654690e03d26d189070)
    

**Build platform**

Ubuntu 20.04.3 LTS (Linux 5.13.0-52-generic x86\_64)

**Build step**

    cmake .. -DCMAKE_CXX_FLAGS="-fsanitize=address -g" -DCMAKE_C_FLAGS="-fsanitize=address -g" -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address"
    

**Run**

    ./build/examples/c/elf_reader poc
    

poc.zip

**AddressSanitizer output**

    Can't access the content of section #0
    Can't access the content of section #1
    Can't access the content of section #2
    =================================================================
    ==2292604==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d000000268 at pc 0x7f5b35470a7d bp 0x7ffe10d8f4c0 sp 0x7ffe10d8ec68
    READ of size 109 at 0x60d000000268 thread T0
        #0 0x7f5b35470a7c in __interceptor_strlen ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:354
        #1 0x55a087822aa7 in std::char_traits<char>::length(char const*) /usr/include/c++/9/bits/char_traits.h:342
        #2 0x55a087822aa7 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::assign(char const*) /usr/include/c++/9/bits/basic_string.h:1443
        #3 0x55a087822aa7 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::operator=(char const*) /usr/include/c++/9/bits/basic_string.h:709
        #4 0x55a087822aa7 in void LIEF::ELF::CorePrPsInfo::parse_<LIEF::ELF::details::ELF32>() /home/wcc/LIEF/src/ELF/NoteDetails/core/CorePrPsInfo.tcc:41
        #5 0x55a087822aa7 in LIEF::ELF::CorePrPsInfo::parse() /home/wcc/LIEF/src/ELF/NoteDetails/core/CorePrPsInfo.cpp:156
        #6 0x55a0878260de in LIEF::ELF::CorePrPsInfo::make(LIEF::ELF::Note&) /home/wcc/LIEF/src/ELF/NoteDetails/core/CorePrPsInfo.cpp:44
        #7 0x55a0877383f3 in LIEF::ELF::Note::details() /home/wcc/LIEF/src/ELF/Note.cpp:150
        #8 0x55a08773bbe0 in LIEF::ELF::Note::Note(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, LIEF::ELF::NOTE_TYPES_CORE, std::vector<unsigned char, std::allocator<unsigned char> > const&, LIEF::ELF::Binary*) /home/wcc/LIEF/src/ELF/Note.cpp:92
        #9 0x55a08767077d in std::_MakeUniq<LIEF::ELF::Note>::__single_object std::make_unique<LIEF::ELF::Note, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, LIEF::ELF::NOTE_TYPES_CORE, std::vector<unsigned char, std::allocator<unsigned char> >, LIEF::ELF::Binary*>(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, LIEF::ELF::NOTE_TYPES_CORE&&, std::vector<unsigned char, std::allocator<unsigned char> >&&, LIEF::ELF::Binary*&&) /usr/include/c++/9/bits/unique_ptr.h:857
        #10 0x55a08767077d in LIEF::ELF::Parser::parse_notes(unsigned long, unsigned long) /home/wcc/LIEF/src/ELF/Parser.cpp:568
        #11 0x55a0876ec34e in boost::leaf::result<LIEF::ok_t> LIEF::ELF::Parser::parse_binary<LIEF::ELF::details::ELF32>() /home/wcc/LIEF/src/ELF/Parser.tcc:296
        #12 0x55a08767371e in LIEF::ELF::Parser::init(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/wcc/LIEF/src/ELF/Parser.cpp:323
        #13 0x55a087674f03 in LIEF::ELF::Parser::parse(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, LIEF::ELF::DYNSYM_COUNT_METHODS) /home/wcc/LIEF/src/ELF/Parser.cpp:342
        #14 0x55a087383c06 in elf_parse /home/wcc/LIEF/api/c/ELF/Binary.cpp:67
        #15 0x55a087342c96 in main /home/wcc/LIEF/examples/c/elf_reader.c:16
        #16 0x7f5b34eef0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
        #17 0x55a08738373d in _start (/home/wcc/LIEF/build/examples/c/elf_reader+0x31c73d)
    
    0x60d000000268 is located 0 bytes to the right of 136-byte region [0x60d0000001e0,0x60d000000268)
    allocated by thread T0 here:
        #0 0x7f5b35518587 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cc:104
        #1 0x55a08773b79b in __gnu_cxx::new_allocator<unsigned char>::allocate(unsigned long, void const*) /usr/include/c++/9/ext/new_allocator.h:114
        #2 0x55a08773b79b in std::allocator_traits<std::allocator<unsigned char> >::allocate(std::allocator<unsigned char>&, unsigned long) /usr/include/c++/9/bits/alloc_traits.h:443
        #3 0x55a08773b79b in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_M_allocate(unsigned long) /usr/include/c++/9/bits/stl_vector.h:343
        #4 0x55a08773b79b in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_M_create_storage(unsigned long) /usr/include/c++/9/bits/stl_vector.h:358
        #5 0x55a08773b79b in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_Vector_base(unsigned long, std::allocator<unsigned char> const&) /usr/include/c++/9/bits/stl_vector.h:302
        #6 0x55a08773b79b in std::vector<unsigned char, std::allocator<unsigned char> >::vector(std::vector<unsigned char, std::allocator<unsigned char> > const&) /usr/include/c++/9/bits/stl_vector.h:552
        #7 0x55a08773b79b in LIEF::ELF::Note::Note(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, LIEF::ELF::NOTE_TYPES_CORE, std::vector<unsigned char, std::allocator<unsigned char> > const&, LIEF::ELF::Binary*) /home/wcc/LIEF/src/ELF/Note.cpp:89
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:354 in __interceptor_strlen
    Shadow bytes around the buggy address:
      0x0c1a7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1a7fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      0x0c1a7fff8010: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
      0x0c1a7fff8020: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c1a7fff8030: 00 00 00 fa fa fa fa fa fa fa fa fa 00 00 00 00
    =>0x0c1a7fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa fa
      0x0c1a7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1a7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1a7fff8070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1a7fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c1a7fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==2292604==ABORTING

CVE-2022-38306: heap-buffer-overflow in elf_reader · Issue #763 · lief-project/LIEF

LIEF commit 365a16a was discovered to contain a segmentation violation via the component CoreFile.tcc:69.

**version****Build platform**

Ubuntu 20.04.3 LTS (Linux 5.13.0-52-generic x86\_64)

**Build step****Run**

    ./build/examples/c/elf_reader poc
    

poc.zip

**Output**

    Can't access the content of section #0
      Can't parse section #01
    Binary doesn't have a program header
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==3230843==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x559aec0a79de bp 0x0fffef333808 sp 0x7fff7999c000 T0)
    ==3230843==The signal is caused by a WRITE memory access.
    ==3230843==Hint: address points to the zero page.
        #0 0x559aec0a79dd in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_length(unsigned long) /usr/include/c++/9/bits/basic_string.h:187
        #1 0x559aec0a79dd in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_set_length(unsigned long) /usr/include/c++/9/bits/basic_string.h:220
        #2 0x559aec0a79dd in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::operator=(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&&) /usr/include/c++/9/bits/basic_string.h:756
        #3 0x559aec0a79dd in void LIEF::ELF::CoreFile::parse_<LIEF::ELF::details::ELF32>() /home/wcc/LIEF/src/ELF/NoteDetails/core/CoreFile.tcc:69
        #4 0x559aec09aa70 in LIEF::ELF::CoreFile::parse() /home/wcc/LIEF/src/ELF/NoteDetails/core/CoreFile.cpp:114
        #5 0x559aec09aa8d in LIEF::ELF::CoreFile::make(LIEF::ELF::Note&) /home/wcc/LIEF/src/ELF/NoteDetails/core/CoreFile.cpp:38
        #6 0x559aebfdeb66 in LIEF::ELF::Note::details() /home/wcc/LIEF/src/ELF/Note.cpp:156
        #7 0x559aebfe14ee in LIEF::ELF::Note::Note(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, LIEF::ELF::NOTE_TYPES_CORE, std::vector<unsigned char, std::allocator<unsigned char> > const&, LIEF::ELF::Binary*) /home/wcc/LIEF/src/ELF/Note.cpp:92
        #8 0x559aebf183ac in std::_MakeUniq<LIEF::ELF::Note>::__single_object std::make_unique<LIEF::ELF::Note, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, LIEF::ELF::NOTE_TYPES_CORE, std::vector<unsigned char, std::allocator<unsigned char> >, LIEF::ELF::Binary*>(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >&, LIEF::ELF::NOTE_TYPES_CORE&&, std::vector<unsigned char, std::allocator<unsigned char> >&&, LIEF::ELF::Binary*&&) /usr/include/c++/9/bits/unique_ptr.h:857
        #9 0x559aebf183ac in LIEF::ELF::Parser::parse_notes(unsigned long, unsigned long) /home/wcc/LIEF/src/ELF/Parser.cpp:568
        #10 0x559aebf8c11c in boost::leaf::result<LIEF::ok_t> LIEF::ELF::Parser::parse_binary<LIEF::ELF::details::ELF32>() /home/wcc/LIEF/src/ELF/Parser.tcc:296
        #11 0x559aebf1bad5 in LIEF::ELF::Parser::init(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/wcc/LIEF/src/ELF/Parser.cpp:323
        #12 0x559aebf1bf8d in LIEF::ELF::Parser::parse(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, LIEF::ELF::DYNSYM_COUNT_METHODS) /home/wcc/LIEF/src/ELF/Parser.cpp:342
        #13 0x559aebc1f3ae in elf_parse /home/wcc/LIEF/api/c/ELF/Binary.cpp:67
        #14 0x559aebc1ce4f in main /home/wcc/LIEF/examples/c/elf_reader.c:16
        #15 0x7f49b9b990b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x240b2)
        #16 0x559aebc1cc3d in _start (/home/wcc/LIEF/build/examples/c/elf_reader+0x281c3d)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /usr/include/c++/9/bits/basic_string.h:187 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_length(unsigned long)
    ==3230843==ABORTING

Tag

#c++