SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

CVE-2022-38108: Published | Zero Day Initiative

Bento4 1.6.0 has memory leaks via the mp4fragment.

**CVE-2022-40884**

**I use AFL when fuzzing and got some crashes.**

**Following is the detail.**

\==3780==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 48 byte(s) in 1 object(s) allocated from: #0 0x4c470d in operator new(unsigned long) (/home/hjsz/Bento4/cmakebuild/mp4fragment+0x4c470d) #1 0x653b06 in AP4\_StdcFileByteStream::Create(AP4\_FileByteStream\*, char const\*, AP4\_FileByteStream::Mode, AP4\_ByteStream\*&) /home/hjsz/Bento4/Source/C++/System/StdC/Ap4StdCFileByteStream.cpp:279:14

SUMMARY: AddressSanitizer: 48 byte(s) leaked in 1 allocation(s).

crash

**Command**

*   ./mp4fragment ./POC

**Environment**

Ubuntu 20.04

CLang 10.0.1

Bento4 Version 1.6.0.0

MP4 Fragmenter - Version 1.7.0

CVE-2022-40884: CVE/CVE-2022-40884.md at main · yangfar/CVE

Bento4 v1.6.0-639 has a memory allocation issue that can cause denial of service.

**CVE-2022-40885****Out of memory in Ap4DataBuffer:new AP4\_Byte\[buffer\_size\]**

Hello,I use the fuzzer(AFL) to fuzz binary mp42avc and got some crashes which show that allocator is out of memory trying to allocate 0xXXXXXXXX bytes when method new is called.

There are two functions occur the crashes.

**The following is the details.****Bug1**

./mp42avc ~/out/crashes/id:000017,sig:06,src:000925+000617,op:splice,rep:128 3.avc

\================================================================= ==4126303==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0xc4b26d23 bytes #0 0x549287 in operator new\[\](unsigned long) (/root/Bento4/cmakebuild/mp42avc+0x549287) #1 0x558418 in AP4\_DataBuffer::AP4\_DataBuffer(unsigned int) /root/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:55:16 #2 0x5ec12a in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:513:20 #3 0x5e7b66 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14 #4 0x6563c0 in AP4\_DrefAtom::AP4\_DrefAtom(unsigned int, unsigned char, unsigned int, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4DrefAtom.cpp:84:16 #5 0x6559d7 in AP4\_DrefAtom::Create(unsigned int, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4DrefAtom.cpp:50:16 #6 0x5ec3a5 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:580:20 #7 0x5e7b66 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14 #8 0x62e6b0 in AP4\_ContainerAtom::ReadChildren(AP4\_AtomFactory&, AP4\_ByteStream&, unsigned long long) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194:12 #9 0x62e48b in AP4\_ContainerAtom::AP4\_ContainerAtom(unsigned int, unsigned long long, bool, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139:5

\==4126303==HINT: if you don't care about these errors you may set allocator\_may\_return\_null=1 SUMMARY: AddressSanitizer: out-of-memory (/root/Bento4/cmakebuild/mp42avc+0x549287) in operator new\[\](unsigned long) ==4126303==ABORTING

**Bug 2**

\[root@iZ8vb29flmohv2ga6wdtfbZ cmakebuild\]# ./mp42avc ~/out/crashes/id:000018,sig:06,src:000606,op:havoc,rep:4 3.avc

\================================================================= ==4126299==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0x7d727b02 bytes #0 0x549287 in operator new\[\](unsigned long) (/root/Bento4/cmakebuild/mp42avc+0x549287) #1 0x6637c0 in AP4\_HdlrAtom::AP4\_HdlrAtom(unsigned int, unsigned char, unsigned int, AP4\_ByteStream&) /root/Bento4/Source/C++/Core/Ap4HdlrAtom.cpp:88:18

\==4126299==HINT: if you don't care about these errors you may set allocator\_may\_return\_null=1 SUMMARY: AddressSanitizer: out-of-memory (/root/Bento4/cmakebuild/mp42avc+0x549287) in operator new\[\](unsigned long) ==4126299==ABORTING

**Ap4HdlrAtom.cpp:88 and Ap4HdlrAtom.cpp will call new\[Big size\] and then crash.**

**Bug3**

./AFL/afl-fuzz -i ./seed2/ -o ./out3 -d -m none ./Bento4/cmakebuild/aac2mp4 @@ 3.mp4

After testing, the above problems also occur in acc2mp4 function.

**The following is the details.**

\[root@iZ8vb29flmohv2ga6wdtfbZ cmakebuild\]# ./aac2mp4 ~/out3/crashes/id:000008,sig:06,src:000074,op:havoc,rep:4 3.mp4

AAC frame \[000000\]: size = -7, 96000 kHz, 0 ch

\================================================================= ==3788615==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0xfffffff9 bytes #0 0x54a287 in operator new\[\](unsigned long) (/root/Bento4/cmakebuild/aac2mp4+0x54a287) #1 0x55b578 in AP4\_DataBuffer::AP4\_DataBuffer(unsigned int) /root/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:55:16

\==3788615==HINT: if you don't care about these errors you may set allocator\_may\_return\_null=1 SUMMARY: AddressSanitizer: out-of-memory (/root/Bento4/cmakebuild/aac2mp4+0x54a287) in operator new\[\](unsigned long) ==3788615==ABORTING

**input**

input.zip

**Crashes**

crashes.zip

CVE-2022-40885: CVE/CVE-2022-40885.md at main · yangfar/CVE

jsonlint 1.0 is vulnerable to heap-buffer-overflow via /home/hjsz/jsonlint/src/lexer.

Hi, developers of jsonlint.  
I fuzz the jsonlint with AFL,and some crashes incurred—heap-buffer-overflow.The following is the details.  
**Commond: ./jsonlint input**

**Bug**

\=1492403==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e0000000df at pc 0x000000508ea7 bp 0x7ffc32b00ef0 sp 0x7ffc32b00ee8  
READ of size 1 at 0x60e0000000df thread T0  
#0 0x508ea6 in jsonlint::details::ReadCharacter\[abi:cxx11\](jsonlint::Lexer&, bool) /home/hjsz/jsonlint/src/lexer.cpp:18:15  
#1 0x509c58 in jsonlint::details::PeekCharacterabi:cxx11 /home/hjsz/jsonlint/src/lexer.cpp:27:52  
#2 0x509c58 in jsonlint::details::ReadString(jsonlint::Lexer&) /home/hjsz/jsonlint/src/lexer.cpp:48:12  
#3 0x512b99 in jsonlint::Tokenize(jsonlint::Lexer&) /home/hjsz/jsonlint/src/lexer.cpp:256:26  
#4 0x4cb5b1 in main /home/hjsz/jsonlint/src/main.cpp:26:21  
#5 0x7f1da2c68082 in \_\_libc\_start\_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16  
#6 0x41fced in \_start (/home/hjsz/jsonlint/build/jsonlint+0x41fced)

0x60e0000000df is located 0 bytes to the right of 159-byte region \[0x60e000000040,0x60e0000000df)  
allocated by thread T0 here:  
#0 0x4c7b9d in operator new(unsigned long) (/home/hjsz/jsonlint/build/jsonlint+0x4c7b9d)  
#1 0x52d49c in void std::\_\_cxx11::basic\_string<char, std::char\_traits, std::allocator >::\_M\_construct<char\*>(char\*, char\*, std::forward\_iterator\_tag) /usr/bin/../lib/gcc/x86\_64-linux-gnu/9/../../../../include/c++/9/bits/basic\_string.tcc:219:14  
#2 0x4cb40f in main /home/hjsz/jsonlint/src/main.cpp:25:19  
#3 0x7f1da2c68082 in \_\_libc\_start\_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hjsz/jsonlint/src/lexer.cpp:18:15 in jsonlint::details::ReadCharacter\[abi:cxx11\](jsonlint::Lexer&, bool)  
Shadow bytes around the buggy address:  
0x0c1c7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c1c7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c1c7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c1c7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c1c7fff8000: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00  
\=>0x0c1c7fff8010: 00 00 00 00 00 00 00 00 00 00 00\[07\]fa fa fa fa  
0x0c1c7fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c1c7fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c1c7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c1c7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c1c7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
Left alloca redzone: ca  
Right alloca redzone: cb  
Shadow gap: cc  
\==1492403==ABORTING

**Crashes**

crashes.zip

**Environment**

Ubuntu 20.04.5 LTS  
master

Thanks for your time.

CVE-2022-42227: Heap-buffer-overflow in jsonlint/src/lexer.cpp:18:15 · Issue #2 · p-ranav/jsonlint

An issue was discovered in Bento4 v1.6.0-639. There is a heap buffer overflow vulnerability in the AP4_BitReader::SkipBits(unsigned int) function in mp42ts.

Hi, developers of Bento4:  
In the test of the binary mp42ts instrumented with ASAN. There are some inputs causing heap-buffer-overflow. Here is the ASAN mode output:

\==10897==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000ec3c at pc 0x0000004a9771 bp 0x7fffffffb150 sp 0x7fffffffb140  
READ of size 4 at 0x60300000ec3c thread T0  
#0 0x4a9770 in AP4\_BitReader::SkipBits(unsigned int) /root/Bento4/Source/C++/Core/Ap4Utils.cpp:564  
#1 0x53f5c5 in AP4\_Dac4Atom::AP4\_Dac4Atom(unsigned int, unsigned char const\*) /root/Bento4/Source/C++/Core/Ap4Dac4Atom.cpp:396  
#2 0x543230 in AP4\_Dac4Atom::Create(unsigned int, AP4\_ByteStream&) /root/Bento4/Source/C++/Core/Ap4Dac4Atom.cpp:58  
#3 0x4f7503 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:776  
#4 0x4fc596 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234  
#5 0x51cd08 in AP4\_ContainerAtom::ReadChildren(AP4\_AtomFactory&, AP4\_ByteStream&, unsigned long long) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194  
#6 0x4826d1 in AP4\_SampleEntry::Read(AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4SampleEntry.cpp:115  
#7 0x4826d1 in AP4\_AudioSampleEntry::AP4\_AudioSampleEntry(unsigned int, unsigned int, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4SampleEntry.cpp:420  
#8 0x5d736d in AP4\_EncaSampleEntry::AP4\_EncaSampleEntry(unsigned int, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4Protection.cpp:74  
#9 0x4f4a3c in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:298  
#10 0x4fc596 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234  
#11 0x614618 in AP4\_StsdAtom::AP4\_StsdAtom(unsigned int, unsigned char, unsigned int, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4StsdAtom.cpp:101  
#12 0x615fc0 in AP4\_StsdAtom::Create(unsigned int, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4StsdAtom.cpp:57  
#13 0x4f838e in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:458  
#14 0x4fc596 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234  
#15 0x51ac42 in AP4\_ContainerAtom::ReadChildren(AP4\_AtomFactory&, AP4\_ByteStream&, unsigned long long) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194  
#16 0x51ac42 in AP4\_ContainerAtom::AP4\_ContainerAtom(unsigned int, unsigned long long, bool, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139  
#17 0x51b986 in AP4\_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88  
#18 0x4f5833 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816  
#19 0x4fc596 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234  
#20 0x51ac42 in AP4\_ContainerAtom::ReadChildren(AP4\_AtomFactory&, AP4\_ByteStream&, unsigned long long) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194  
#21 0x51ac42 in AP4\_ContainerAtom::AP4\_ContainerAtom(unsigned int, unsigned long long, bool, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139  
#22 0x51b986 in AP4\_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88  
#23 0x4f5833 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816  
#24 0x4fc596 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234  
#25 0x51ac42 in AP4\_ContainerAtom::ReadChildren(AP4\_AtomFactory&, AP4\_ByteStream&, unsigned long long) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194  
#26 0x51ac42 in AP4\_ContainerAtom::AP4\_ContainerAtom(unsigned int, unsigned long long, bool, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139  
#27 0x51b986 in AP4\_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88  
#28 0x4f5833 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816  
#29 0x4fc596 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234  
#30 0x51ac42 in AP4\_ContainerAtom::ReadChildren(AP4\_AtomFactory&, AP4\_ByteStream&, unsigned long long) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194  
#31 0x51ac42 in AP4\_ContainerAtom::AP4\_ContainerAtom(unsigned int, unsigned long long, bool, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139  
#32 0x49cfb2 in AP4\_TrakAtom::AP4\_TrakAtom(unsigned int, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4TrakAtom.cpp:165  
#33 0x4f7709 in AP4\_TrakAtom::Create(unsigned int, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4TrakAtom.h:58  
#34 0x4f7709 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:413  
#35 0x4fc596 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234  
#36 0x51ac42 in AP4\_ContainerAtom::ReadChildren(AP4\_AtomFactory&, AP4\_ByteStream&, unsigned long long) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194  
#37 0x51ac42 in AP4\_ContainerAtom::AP4\_ContainerAtom(unsigned int, unsigned long long, bool, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139  
#38 0x430fac in AP4\_MoovAtom::AP4\_MoovAtom(unsigned int, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4MoovAtom.cpp:80  
#39 0x4f5430 in AP4\_MoovAtom::Create(unsigned int, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4MoovAtom.h:56  
#40 0x4f5430 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:393  
#41 0x4fb65a in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234  
#42 0x4fb65a in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:154  
#43 0x41c6af in AP4\_File::ParseStream(AP4\_ByteStream&, AP4\_AtomFactory&, bool) /root/Bento4/Source/C++/Core/Ap4File.cpp:104  
#44 0x41c6af in AP4\_File::AP4\_File(AP4\_ByteStream&, bool) /root/Bento4/Source/C++/Core/Ap4File.cpp:78  
#45 0x404446 in main /root/Bento4/Source/C++/Apps/Mp42Ts/Mp42Ts.cpp:511  
#46 0x7ffff61bb83f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2083f)  
#47 0x40ae38 in \_start (/root/Bento4/mp42ts+0x40ae38)

0x60300000ec3c is located 0 bytes to the right of 28-byte region \[0x60300000ec20,0x60300000ec3c)  
allocated by thread T0 here:  
#0 0x7ffff6f03712 in operator new\[\](unsigned long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x99712)  
#1 0x419645 in AP4\_DataBuffer::ReallocateBuffer(unsigned int) /root/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:210  
#2 0x419645 in AP4\_DataBuffer::SetBufferSize(unsigned int) /root/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:136

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/Bento4/Source/C++/Core/Ap4Utils.cpp:564 AP4\_BitReader::SkipBits(unsigned int)  
Shadow bytes around the buggy address:  
0x0c067fff9d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c067fff9d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c067fff9d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c067fff9d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c067fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
\=>0x0c067fff9d80: fa fa fa fa 00 00 00\[04\]fa fa 00 00 00 02 fa fa  
0x0c067fff9d90: 00 00 00 02 fa fa 00 00 00 fa fa fa 00 00 00 fa  
0x0c067fff9da0: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00  
0x0c067fff9db0: 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa  
0x0c067fff9dc0: 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa  
0x0c067fff9dd0: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Heap right redzone: fb  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack partial redzone: f4  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
\==10897==ABORTING

**Crash input**

https://github.com/17ssDP/fuzzer\_crashes/blob/main/Bento4/mp42ts-hbo-00

**Validation steps**

git clone https://github.com/axiomatic-systems/Bento4  
cd Bento4/  
mkdir check\_build && cd check\_build  
cmake ../ -DCMAKE\_C\_COMPILER=clang -DCMAKE\_CXX\_COMPILER=clang++ -DCMAKE\_C\_FLAGS="-fsanitize=address" -DCMAKE\_CXX\_FLAGS="-fsanitize=address" -DCMAKE\_BUILD\_TYPE=Release  
make -j  
./mp42ts mp42ts-hbo-00 /dev/null

**Environment**

Ubuntu 16.04  
Clang 10.0.1  
gcc 5.5

CVE-2022-43034: Heap-buffer-overflow with ASAN in mp42ts · Issue #764 · axiomatic-systems/Bento4

An issue was discovered in Bento4 v1.6.0-639. There is a heap-buffer-overflow in AP4_Dec3Atom::AP4_Dec3Atom at Ap4Dec3Atom.cpp, leading to a Denial of Service (DoS), as demonstrated by mp42aac.

Hi, developers of Bento4:  
Thanks for your fix of issue #751  
In the test of the binary mp42aac instrumented with ASAN. There are some inputs causing heap-buffer-overflow. Here is the ASAN mode output:

\==27304==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000ed28 at pc 0x0000005a64d9 bp 0x7fffffffb290 sp 0x7fffffffb280  
READ of size 1 at 0x60300000ed28 thread T0  
#0 0x5a64d8 in AP4\_Dec3Atom::AP4\_Dec3Atom(unsigned int, unsigned char const\*) /root/Bento4/Source/C++/Core/Ap4Dec3Atom.cpp:161  
#1 0x5a6a62 in AP4\_Dec3Atom::Create(unsigned int, AP4\_ByteStream&) /root/Bento4/Source/C++/Core/Ap4Dec3Atom.cpp:56  
#2 0x508887 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:769  
#3 0x50ecb6 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234  
#4 0x579928 in AP4\_ContainerAtom::ReadChildren(AP4\_AtomFactory&, AP4\_ByteStream&, unsigned long long) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194  
#5 0x480e69 in AP4\_SampleEntry::Read(AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4SampleEntry.cpp:115  
#6 0x480e69 in AP4\_AudioSampleEntry::AP4\_AudioSampleEntry(unsigned int, unsigned int, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4SampleEntry.cpp:420  
#7 0x480e69 in AP4\_Eac3SampleEntry::AP4\_Eac3SampleEntry(unsigned int, unsigned int, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4SampleEntry.cpp:752  
#8 0x508d6b in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:338  
#9 0x50ecb6 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234  
#10 0x490228 in AP4\_StsdAtom::AP4\_StsdAtom(unsigned int, unsigned char, unsigned int, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4StsdAtom.cpp:101  
#11 0x491bd0 in AP4\_StsdAtom::Create(unsigned int, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4StsdAtom.cpp:57  
#12 0x50aaae in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:458  
#13 0x50ecb6 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234  
#14 0x577862 in AP4\_ContainerAtom::ReadChildren(AP4\_AtomFactory&, AP4\_ByteStream&, unsigned long long) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194  
#15 0x577862 in AP4\_ContainerAtom::AP4\_ContainerAtom(unsigned int, unsigned long long, bool, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139  
#16 0x5785a6 in AP4\_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88  
#17 0x507f53 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816  
#18 0x50ecb6 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234  
#19 0x5aea82 in AP4\_DrefAtom::AP4\_DrefAtom(unsigned int, unsigned char, unsigned int, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4DrefAtom.cpp:84  
#20 0x5aeff7 in AP4\_DrefAtom::Create(unsigned int, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4DrefAtom.cpp:50  
#21 0x509882 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:580  
#22 0x50ecb6 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234  
#23 0x577862 in AP4\_ContainerAtom::ReadChildren(AP4\_AtomFactory&, AP4\_ByteStream&, unsigned long long) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194  
#24 0x577862 in AP4\_ContainerAtom::AP4\_ContainerAtom(unsigned int, unsigned long long, bool, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139  
#25 0x5785a6 in AP4\_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88  
#26 0x507f53 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816  
#27 0x50ecb6 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234  
#28 0x577862 in AP4\_ContainerAtom::ReadChildren(AP4\_AtomFactory&, AP4\_ByteStream&, unsigned long long) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194  
#29 0x577862 in AP4\_ContainerAtom::AP4\_ContainerAtom(unsigned int, unsigned long long, bool, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139  
#30 0x5785a6 in AP4\_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88  
#31 0x507f53 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816  
#32 0x50ecb6 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234  
#33 0x577862 in AP4\_ContainerAtom::ReadChildren(AP4\_AtomFactory&, AP4\_ByteStream&, unsigned long long) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194  
#34 0x577862 in AP4\_ContainerAtom::AP4\_ContainerAtom(unsigned int, unsigned long long, bool, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139  
#35 0x5785a6 in AP4\_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88  
#36 0x507f53 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816  
#37 0x50dd7a in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234  
#38 0x50dd7a in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:154  
#39 0x418daf in AP4\_File::ParseStream(AP4\_ByteStream&, AP4\_AtomFactory&, bool) /root/Bento4/Source/C++/Core/Ap4File.cpp:104  
#40 0x418daf in AP4\_File::AP4\_File(AP4\_ByteStream&, bool) /root/Bento4/Source/C++/Core/Ap4File.cpp:78  
#41 0x4040d7 in main /root/Bento4/Source/C++/Apps/Mp42Aac/Mp42Aac.cpp:250  
#42 0x7ffff61bb83f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2083f)  
#43 0x408508 in \_start (/root/Bento4/mp42aac+0x408508)

0x60300000ed28 is located 0 bytes to the right of 24-byte region \[0x60300000ed10,0x60300000ed28)  
allocated by thread T0 here:  
#0 0x7ffff6f03712 in operator new\[\](unsigned long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x99712)  
#1 0x4147b5 in AP4\_DataBuffer::AP4\_DataBuffer(unsigned int) /root/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:55  
#2 0x17 ()

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/Bento4/Source/C++/Core/Ap4Dec3Atom.cpp:161 AP4\_Dec3Atom::AP4\_Dec3Atom(unsigned int, unsigned char const\*)  
Shadow bytes around the buggy address:  
0x0c067fff9d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c067fff9d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c067fff9d70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c067fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c067fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa 00 00 00 fa  
\=>0x0c067fff9da0: fa fa 00 00 00\[fa\]fa fa 00 00 00 fa fa fa 00 00  
0x0c067fff9db0: 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa  
0x0c067fff9dc0: 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa  
0x0c067fff9dd0: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00  
0x0c067fff9de0: 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa  
0x0c067fff9df0: 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Heap right redzone: fb  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack partial redzone: f4  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
\==27304==ABORTING

**Crash input**

https://github.com/17ssDP/fuzzer\_crashes/blob/main/Bento4/mp42aac-hbo-00

**Validation steps**

git clone https://github.com/axiomatic-systems/Bento4  
cd Bento4/  
mkdir check\_build && cd check\_build  
cmake ../ -DCMAKE\_C\_COMPILER=clang -DCMAKE\_CXX\_COMPILER=clang++ -DCMAKE\_C\_FLAGS="-fsanitize=address" -DCMAKE\_CXX\_FLAGS="-fsanitize=address" -DCMAKE\_BUILD\_TYPE=Release  
make -j  
./mp42aac mp42aac-hbo-00 /dev/null

**Environment**

Ubuntu 16.04  
Clang 10.0.1  
gcc 5.5

CVE-2022-43035: Heap-buffer-overflow with ASAN in mp42aac · Issue #762 · axiomatic-systems/Bento4

Bento4 v1.6.0-639 was discovered to contain a heap overflow via the AP4_BitReader::ReadCache() function in mp42ts.

Hi, developers of Bento4:  
In the test of the binary mp42ts instrumented with ASAN. There are some inputs causing heap-buffer-overflow. Here is the ASAN mode output. The output is different from #764

\=================================================================  
\==3902==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000df38 at pc 0x0000004a51a6 bp 0x7ffc109910f0 sp 0x7ffc109910e0  
READ of size 1 at 0x60400000df38 thread T0  
#0 0x4a51a5 in AP4\_BitReader::ReadCache() const /root/Bento4/Source/C++/Core/Ap4Utils.cpp:447  
#1 0x4a51a5 in AP4\_BitReader::ReadBits(unsigned int) /root/Bento4/Source/C++/Core/Ap4Utils.cpp:467  
#2 0x5405fc in AP4\_Dac4Atom::AP4\_Dac4Atom(unsigned int, unsigned char const\*) /root/Bento4/Source/C++/Core/Ap4Dac4Atom.cpp:313  
#3 0x5423a2 in AP4\_Dac4Atom::Create(unsigned int, AP4\_ByteStream&) /root/Bento4/Source/C++/Core/Ap4Dac4Atom.cpp:58  
#4 0x4f47c5 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:776  
#5 0x4f955a in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234  
#6 0x51a25e in AP4\_ContainerAtom::ReadChildren(AP4\_AtomFactory&, AP4\_ByteStream&, unsigned long long) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194  
#7 0x487d31 in AP4\_SampleEntry::Read(AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4SampleEntry.cpp:115  
#8 0x487d31 in AP4\_AudioSampleEntry::AP4\_AudioSampleEntry(unsigned int, unsigned int, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4SampleEntry.cpp:420  
#9 0x487d31 in AP4\_Ac4SampleEntry::AP4\_Ac4SampleEntry(unsigned int, unsigned int, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4SampleEntry.cpp:801  
#10 0x4f1aad in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:342  
#11 0x4f955a in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234  
#12 0x6134a9 in AP4\_StsdAtom::AP4\_StsdAtom(unsigned int, unsigned char, unsigned int, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4StsdAtom.cpp:101  
#13 0x61534b in AP4\_StsdAtom::Create(unsigned int, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4StsdAtom.cpp:57  
#14 0x4f55a6 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:458  
#15 0x4f955a in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234  
#16 0x5181d5 in AP4\_ContainerAtom::ReadChildren(AP4\_AtomFactory&, AP4\_ByteStream&, unsigned long long) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194  
#17 0x5181d5 in AP4\_ContainerAtom::AP4\_ContainerAtom(unsigned int, unsigned long long, bool, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139  
#18 0x518fce in AP4\_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4\_ByteStream&, AP4\_AtomFactory&) /root/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88  
#19 0x4f2b69 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816  
#20 0x4f865c in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned long long&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234  
#21 0x4f865c in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, AP4\_Atom\*&) /root/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:154  
#22 0x41c87f in AP4\_File::ParseStream(AP4\_ByteStream&, AP4\_AtomFactory&, bool) /root/Bento4/Source/C++/Core/Ap4File.cpp:104  
#23 0x41c87f in AP4\_File::AP4\_File(AP4\_ByteStream&, bool) /root/Bento4/Source/C++/Core/Ap4File.cpp:78  
#24 0x40441f in main /root/Bento4/Source/C++/Apps/Mp42Ts/Mp42Ts.cpp:511  
#25 0x7fb1c343783f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2083f)  
#26 0x40ad98 in \_start (/root/Bento4/mp42ts+0x40ad98)

0x60400000df38 is located 0 bytes to the right of 40-byte region \[0x60400000df10,0x60400000df38)  
allocated by thread T0 here:  
#0 0x7fb1c417f712 in operator new\[\](unsigned long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x99712)  
#1 0x4199e5 in AP4\_DataBuffer::ReallocateBuffer(unsigned int) /root/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:210  
#2 0x4199e5 in AP4\_DataBuffer::SetBufferSize(unsigned int) /root/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:136

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/Bento4/Source/C++/Core/Ap4Utils.cpp:447 AP4\_BitReader::ReadCache() const  
Shadow bytes around the buggy address:  
0x0c087fff9b90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c087fff9ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c087fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c087fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c087fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
\=>0x0c087fff9be0: fa fa 00 00 00 00 00\[fa\]fa fa 00 00 00 00 06 fa  
0x0c087fff9bf0: fa fa 00 00 00 00 06 fa fa fa 00 00 00 00 00 00  
0x0c087fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c087fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c087fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c087fff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Heap right redzone: fb  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack partial redzone: f4  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
\==3902==ABORTING

**Crash input**

https://github.com/17ssDP/fuzzer\_crashes/blob/main/Bento4/mp42ts-hbo-01

**Validation steps**

git clone https://github.com/axiomatic-systems/Bento4  
cd Bento4/  
mkdir check\_build && cd check\_build  
cmake ../ -DCMAKE\_C\_COMPILER=clang -DCMAKE\_CXX\_COMPILER=clang++ -DCMAKE\_C\_FLAGS="-fsanitize=address" -DCMAKE\_CXX\_FLAGS="-fsanitize=address" -DCMAKE\_BUILD\_TYPE=Release  
make -j  
./mp42ts mp42ts-hbo-01 /dev/null

**Environment**

Ubuntu 16.04  
Clang 10.0.1  
gcc 5.5

CVE-2022-43038: Heap-buffer-overflow with ASAN in mp42ts · Issue #787 · axiomatic-systems/Bento4

An issue was discovered in Bento4 1.6.0-639. There is a bad free in the component AP4_HdlrAtom::~AP4_HdlrAtom() which allows attackers to cause a Denial of Service (DoS) via a crafted input.

Hi, developers of Bento4:  
In the test of the binary mp42aac instrumented with ASAN. There are some inputs causing attempting free on address which was not malloc. Here is the ASAN mode output:

\==9252==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x60200000ef50 in thread T0  
#0 0x7ffff6f03d0a in operator delete (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x99d0a)  
#1 0x5c124b in AP4\_HdlrAtom::~AP4\_HdlrAtom() /root/Bento4/Source/C++/Core/Ap4HdlrAtom.h:61  
#2 0x5c124b in AP4\_HdlrAtom::~AP4\_HdlrAtom() /root/Bento4/Source/C++/Core/Ap4HdlrAtom.h:61  
#3 0x4e7e4b in AP4\_List<AP4\_Atom>::DeleteReferences() /root/Bento4/Source/C++/Core/Ap4List.h:476  
#4 0x4e7e4b in AP4\_AtomParent::~AP4\_AtomParent() /root/Bento4/Source/C++/Core/Ap4Atom.cpp:516  
#5 0x57a323 in AP4\_ContainerAtom::~AP4\_ContainerAtom() /root/Bento4/Source/C++/Core/Ap4ContainerAtom.h:48  
#6 0x57a323 in AP4\_ContainerAtom::~AP4\_ContainerAtom() /root/Bento4/Source/C++/Core/Ap4ContainerAtom.h:48  
#7 0x4e7e4b in AP4\_List<AP4\_Atom>::DeleteReferences() /root/Bento4/Source/C++/Core/Ap4List.h:476  
#8 0x4e7e4b in AP4\_AtomParent::~AP4\_AtomParent() /root/Bento4/Source/C++/Core/Ap4Atom.cpp:516  
#9 0x417b8d in AP4\_File::~AP4\_File() /root/Bento4/Source/C++/Core/Ap4File.cpp:84  
#10 0x417b8d in AP4\_File::~AP4\_File() /root/Bento4/Source/C++/Core/Ap4File.cpp:88  
#11 0x4043f2 in main /root/Bento4/Source/C++/Apps/Mp42Aac/Mp42Aac.cpp:303  
#12 0x7ffff61bb83f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2083f)  
#13 0x408508 in \_start (/root/Bento4/mp42aac+0x408508)

0x60200000ef50 is located 0 bytes inside of 1-byte region \[0x60200000ef50,0x60200000ef51)  
allocated by thread T0 here:  
#0 0x7ffff6f03712 in operator new\[\](unsigned long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x99712)  
#1 0x48ac75 in AP4\_String::Assign(char const\*, unsigned int) /root/Bento4/Source/C++/Core/Ap4String.cpp:165  
#2 0x48ac75 in AP4\_String::operator=(char const\*) /root/Bento4/Source/C++/Core/Ap4String.cpp:123

SUMMARY: AddressSanitizer: bad-free ??:0 operator delete  
\==9252==ABORTING

**Crash input**

https://github.com/17ssDP/fuzzer\_crashes/blob/main/Bento4/mp42aac-badfree

**Validation steps**

git clone https://github.com/axiomatic-systems/Bento4  
cd Bento4/  
mkdir check\_build && cd check\_build  
cmake ../ -DCMAKE\_C\_COMPILER=clang -DCMAKE\_CXX\_COMPILER=clang++ -DCMAKE\_C\_FLAGS="-fsanitize=address" -DCMAKE\_CXX\_FLAGS="-fsanitize=address" -DCMAKE\_BUILD\_TYPE=Release  
make -j  
./mp42aac mp42aac-badfree /dev/null

**Environment**

Ubuntu 16.04  
Clang 10.0.1  
gcc 5.5

CVE-2022-43033: Bad-free with ASAN in mp42aac · Issue #765 · axiomatic-systems/Bento4

An issue was discovered in Bento4 v1.6.0-639. There is a memory leak in AP4_DescriptorFactory::CreateDescriptorFromStream in Core/Ap4DescriptorFactory.cpp, as demonstrated by mp42aac.

Hi, developers of Bento4:  
In the test of the binary mp42aac instrumented with ASAN. There are some inputs causing memory leaks. Here is the ASAN mode output:

\=================================================================  
\==19530==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 80 byte(s) in 1 object(s) allocated from:  
#0 0x7ffff6f03592 in operator new(unsigned long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x99592)  
#1 0x5ad493 in AP4\_DescriptorFactory::CreateDescriptorFromStream(AP4\_ByteStream&, AP4\_Descriptor\*&) /root/Bento4/Source/C++/Core/Ap4DescriptorFactory.cpp:85

Indirect leak of 112 byte(s) in 2 object(s) allocated from:  
#0 0x7ffff6f03592 in operator new(unsigned long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x99592)  
#1 0x5ad7a9 in AP4\_DescriptorFactory::CreateDescriptorFromStream(AP4\_ByteStream&, AP4\_Descriptor\*&) /root/Bento4/Source/C++/Core/Ap4DescriptorFactory.cpp:127

Indirect leak of 72 byte(s) in 3 object(s) allocated from:  
#0 0x7ffff6f03592 in operator new(unsigned long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x99592)  
#1 0x604f8b in AP4\_List<AP4\_Descriptor>::Add(AP4\_Descriptor\*) /root/Bento4/Source/C++/Core/Ap4List.h:160  
#2 0x604f8b in AP4\_ObjectDescriptor::AP4\_ObjectDescriptor(AP4\_ByteStream&, unsigned char, unsigned int, unsigned int) /root/Bento4/Source/C++/Core/Ap4ObjectDescriptor.cpp:103

Indirect leak of 32 byte(s) in 1 object(s) allocated from:  
#0 0x7ffff6f03592 in operator new(unsigned long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x99592)  
#1 0x5ad532 in AP4\_DescriptorFactory::CreateDescriptorFromStream(AP4\_ByteStream&, AP4\_Descriptor\*&) /root/Bento4/Source/C++/Core/Ap4DescriptorFactory.cpp:115

Indirect leak of 25 byte(s) in 2 object(s) allocated from:  
#0 0x7ffff6f03712 in operator new\[\](unsigned long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x99712)  
#1 0x415b81 in AP4\_DataBuffer::ReallocateBuffer(unsigned int) /root/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:210  
#2 0x415b81 in AP4\_DataBuffer::SetDataSize(unsigned int) /root/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:151

SUMMARY: AddressSanitizer: 321 byte(s) leaked in 9 allocation(s).

**Crash Input**

https://github.com/17ssDP/fuzzer\_crashes/blob/main/Bento4/mp42aac-ml-00

**Verification steps：**

git clone https://github.com/axiomatic-systems/Bento4  
cd Bento4/  
mkdir check\_build && cd check\_build  
cmake ../ -DCMAKE\_C\_COMPILER=clang -DCMAKE\_CXX\_COMPILER=clang++ -DCMAKE\_C\_FLAGS="-fsanitize=address" -DCMAKE\_CXX\_FLAGS="-fsanitize=address" -DCMAKE\_BUILD\_TYPE=Release  
make -j  
./mp42aac mp42aac-ml-00 /dev/null

**Environment**

Ubuntu 16.04  
Clang 10.0.1  
gcc 5.5

CVE-2022-43032: Memory leaks with ASAN in mp42aac · Issue #763 · axiomatic-systems/Bento4

An issue was discovered in Bento4 1.6.0-639. There is a memory leak in the function AP4_File::ParseStream in /Core/Ap4File.cpp.

Hi, developers of Bento4:  
In the test of the binary mp42aac instrumented with ASAN. There are some inputs causing memory leaks. Here is the ASAN mode output. The output is different from #763.

\=================================================================  
\==6659==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 64 byte(s) in 1 object(s) allocated from:  
#0 0x7f8d891f0592 in operator new(unsigned long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x99592)  
#1 0x418dff in AP4\_File::ParseStream(AP4\_ByteStream&, AP4\_AtomFactory&, bool) /root/Bento4/Source/C++/Core/Ap4File.cpp:108  
#2 0x418dff in AP4\_File::AP4\_File(AP4\_ByteStream&, bool) /root/Bento4/Source/C++/Core/Ap4File.cpp:78

SUMMARY: AddressSanitizer: 64 byte(s) leaked in 1 allocation(s).

**Crash Input**

https://github.com/17ssDP/fuzzer\_crashes/blob/main/Bento4/mp42aac-ml-01

**Verification steps：**

git clone https://github.com/axiomatic-systems/Bento4  
cd Bento4/  
mkdir check\_build && cd check\_build  
cmake ../ -DCMAKE\_C\_COMPILER=clang -DCMAKE\_CXX\_COMPILER=clang++ -DCMAKE\_C\_FLAGS="-fsanitize=address" -DCMAKE\_CXX\_FLAGS="-fsanitize=address" -DCMAKE\_BUILD\_TYPE=Release  
make -j  
./mp42aac mp42aac-ml-01 /dev/null

**Environment**

Ubuntu 16.04  
Clang 10.0.1  
gcc 5.5

Tag

#c++