Ubuntu Security Notice 5614-1 - It was discovered that Wayland incorrectly handled reference counting certain objects. An attacker could use this issue to cause Wayland to crash, resulting in a denial of service, or possibly execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-5614-1  
September 15, 2022

wayland vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

Wayland could be made to crash or run programs.

Software Description:  
- wayland: Wayland compositor infrastructure

Details:

It was discovered that Wayland incorrectly handled reference counting  
certain objects. An attacker could use this issue to cause Wayland to  
crash, resulting in a denial of service, or possibly execute arbitrary  
code.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
  libwayland-bin                  1.20.0-1ubuntu0.1  
  libwayland-client0              1.20.0-1ubuntu0.1  
  libwayland-egl1                 1.20.0-1ubuntu0.1  
  libwayland-server0              1.20.0-1ubuntu0.1

Ubuntu 20.04 LTS:  
  libwayland-bin                  1.18.0-1ubuntu0.1  
  libwayland-client0              1.18.0-1ubuntu0.1  
  libwayland-egl1                 1.18.0-1ubuntu0.1  
  libwayland-server0              1.18.0-1ubuntu0.1

Ubuntu 18.04 LTS:  
  libwayland-bin                  1.16.0-1ubuntu1.1~18.04.4  
  libwayland-client0              1.16.0-1ubuntu1.1~18.04.4  
  libwayland-egl1                 1.16.0-1ubuntu1.1~18.04.4  
  libwayland-server0              1.16.0-1ubuntu1.1~18.04.4

After a standard system update you need to reboot your computer to make all  
the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5614-1  
  CVE-2021-3782

Package Information:  
  https://launchpad.net/ubuntu/+source/wayland/1.20.0-1ubuntu0.1  
  https://launchpad.net/ubuntu/+source/wayland/1.18.0-1ubuntu0.1  
  https://launchpad.net/ubuntu/+source/wayland/1.16.0-1ubuntu1.1~18.04.4

Ubuntu Security Notice USN-5614-1

Mplayer SVN-r38374-13.0.1 is vulnerable to Memory Leak via vf.c and vf_vo.c.

**#2390 closed defect (fixed)**

Reported by:

Owned by:

beastd

Priority:

normal

Component:

vf

Version:

unspecified

Severity:

normal

Keywords:

Cc:

Blocked By:

Blocking:

Reproduced by developer:

no

Analyzed by developer:

no

Summary of the bug: Found a .viv file for mplayer where asan reports a memory leak.  
How to reproduce:Use the attached file to reproduce this issue (ASAN-recompilation are required)  
version: SVN-r38374-13.0.1  
kernel version:ubuntu 20.04; Linux 5.15.0-46-generic  
complier version:clang 13.0.1-2ubuntu2~20.04.1  

mplayer and ASAN output:  

Player SVN-r38374-13.0.1 (C) 2000-2022 MPlayer Team  

Playing /home/ldy/sample/useful/03-KimagureOrangeRoad.viv.  
libavformat version 58.29.100 (external)  
VIVO file format detected.  
VIDEO: \[viv2\] 320x240 24bpp 10.000 fps 0.0 kbps ( 0.0 kbyte/s)  
\[gl\] using extended formats. Use -vo gl:nomanyfmts if playback fails.  
\==========================================================================  
Requested video codec family \[vivo\] (vfm=vfw) not available.  
Enable it at compilation.  
Cannot find codec matching selected -vo and video format 0x32766976.  
\==========================================================================  
Clip info:  

> title: <No Title>  
> author: NV  
> copyright: <No Copyright>  
> encoder: VivoActive VideoNow 3.0 for Windows  

Load subtitles in /home/ldy/sample/useful/  
\==========================================================================  
Requested audio codec family \[vivoaudio\] (afm=acm) not available.  
Enable it at compilation.  
Opening audio decoder: \[ffmpeg\] FFmpeg/libavcodec audio decoders  
libavcodec version 58.54.100 (external)  
Cannot find codec 'siren' in libavcodec...  
ADecoder init failed :(  
ADecoder init failed :(  
Cannot find codec for audio format 0x112.  
Audio: no sound  
Video: no video  

Exiting... (End of file)  

\=================================================================  
\==3993864==ERROR: LeakSanitizer: detected memory leaks  

Direct leak of 576 byte(s) in 1 object(s) allocated from:  

> #0 0x55ac7b1e06dd in malloc (/home/ldy/good\_mplayer/asan\_playr/mplayer+0x33e6dd)  
> #1 0x55ac7b42992e in vf\_open\_plugin /home/ldy/good\_mplayer/mplayer/libmpcodecs/vf.c:478:8  

Indirect leak of 24 byte(s) in 1 object(s) allocated from:  

> #0 0x55ac7b1e0872 in interceptor\_calloc (/home/ldy/good\_mplayer/asan\_playr/mplayer+0x33e872)  
> #1 0x55ac7b50a2cd in vf\_open /home/ldy/good\_mplayer/mplayer/libmpcodecs/vf\_vo.c:215:14  

SUMMARY: AddressSanitizer: 600 byte(s) leaked in 2 allocation(s).

CVE-2022-38600: #2390 (memory leak in vf.c and vf_vo.c) – MPlayer

Ubuntu Security Notice 5613-1 - It was discovered that Vim was not properly performing bounds checks when executing spell suggestion commands. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code. It was discovered that Vim was using freed memory when dealing with regular expressions through its old regular expression engine. If a user were tricked into opening a specially crafted file, an attacker could crash the application, leading to a denial of service, or possibly achieve code execution.

=========================================================================  
Ubuntu Security Notice USN-5613-1  
September 15, 2022

vim vulnerabilities  
=========================================================================  
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS  
- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS  
- Ubuntu 14.04 ESM

Summary:

Several security issues were fixed in Vim.

Software Description:  
- vim: Vi IMproved - enhanced vi editor

Details:

It was discovered that Vim was not properly performing bounds checks  
when executing spell suggestion commands. An attacker could possibly use  
this issue to cause a denial of service or execute arbitrary code.  
(CVE-2022-0943)

It was discovered that Vim was using freed memory when dealing with  
regular expressions through its old regular expression engine. If a user  
were tricked into opening a specially crafted file, an attacker could  
crash the application, leading to a denial of service, or possibly achieve  
code execution. (CVE-2022-1154)

It was discovered that Vim was not properly performing checks on name of  
lambda functions. An attacker could possibly use this issue to cause a  
denial of service. This issue affected only Ubuntu 22.04 LTS.  
(CVE-2022-1420)

It was discovered that Vim was incorrectly performing bounds checks  
when processing invalid commands with composing characters in Ex  
mode. An attacker could possibly use this issue to cause a denial of  
service or execute arbitrary code. (CVE-2022-1616)

It was discovered that Vim was not properly processing latin1 data  
when issuing Ex commands. An attacker could possibly use this issue to  
cause a denial of service or execute arbitrary code. (CVE-2022-1619)

It was discovered that Vim was not properly performing memory  
management when dealing with invalid regular expression patterns in  
buffers. An attacker could possibly use this issue to cause a denial of  
service. (CVE-2022-1620)

It was discovered that Vim was not properly processing invalid bytes  
when performing spell check operations. An attacker could possibly use  
this issue to cause a denial of service or execute arbitrary code.  
(CVE-2022-1621)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS:  
  vim                             2:8.2.3995-1ubuntu2.1

Ubuntu 20.04 LTS:  
  vim                             2:8.1.2269-1ubuntu5.8

Ubuntu 18.04 LTS:  
  vim                             2:8.0.1453-1ubuntu1.9

Ubuntu 14.04 ESM:  
  vim                             2:7.4.052-1ubuntu3.1+esm5

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5613-1  
  CVE-2022-0943, CVE-2022-1154, CVE-2022-1420, CVE-2022-1616,  
  CVE-2022-1619, CVE-2022-1620, CVE-2022-1621

Package Information:  
  https://launchpad.net/ubuntu/+source/vim/2:8.2.3995-1ubuntu2.1  
  https://launchpad.net/ubuntu/+source/vim/2:8.1.2269-1ubuntu5.8  
  https://launchpad.net/ubuntu/+source/vim/2:8.0.1453-1ubuntu1.9

Ubuntu Security Notice USN-5613-1

Ubuntu Security Notice 5612-1 - Pietro Borrello, Andreas Kogler, Martin Schwarzl, Daniel Gruss, Michael Schwarz and Moritz Lipp discovered that some Intel processors did not properly clear data between subsequent xAPIC MMIO reads. This could allow a local attacker to compromise SGX enclaves.

    =========================================================================Ubuntu Security Notice USN-5612-1September 15, 2022intel-microcode vulnerability=========================================================================A security issue affects these releases of Ubuntu and its derivatives:- Ubuntu 22.04 LTS- Ubuntu 20.04 LTS- Ubuntu 18.04 LTSSummary:A security issue was fixed in Intel Microcode.Software Description:- intel-microcode: Processor microcode for Intel CPUsDetails:Pietro Borrello, Andreas Kogler, Martin Schwarzl, Daniel Gruss, MichaelSchwarz and Moritz Lipp discovered that some Intel processors did notproperly clear data between subsequent xAPIC MMIO reads. This could allow alocal attacker to compromise SGX enclaves.Update instructions:The problem can be corrected by updating your system to the followingpackage versions:Ubuntu 22.04 LTS:  intel-microcode                 3.20220809.0ubuntu0.22.04.1Ubuntu 20.04 LTS:  intel-microcode                 3.20220809.0ubuntu0.20.04.1Ubuntu 18.04 LTS:  intel-microcode                 3.20220809.0ubuntu0.18.04.1After a standard system update you need to reboot your computer to makeall the necessary changes.References:  https://ubuntu.com/security/notices/USN-5612-1  CVE-2022-21233Package Information:  https://launchpad.net/ubuntu/+source/intel-microcode/3.20220809.0ubuntu0.22.04.1  https://launchpad.net/ubuntu/+source/intel-microcode/3.20220809.0ubuntu0.20.04.1  https://launchpad.net/ubuntu/+source/intel-microcode/3.20220809.0ubuntu0.18.04.1

Ubuntu Security Notice USN-5612-1

Ubuntu Security Notice 5606-2 - USN-5606-1 fixed a vulnerability in poppler. Unfortunately it was missing a commit to fix it properly. This update provides the corresponding fix for Ubuntu 18.04 LTS and Ubuntu 16.04 ESM. It was discovered that poppler incorrectly handled certain PDF. An attacker could possibly use this issue to cause a denial of service or execute arbitrary code.

=========================================================================  
Ubuntu Security Notice USN-5606-2  
September 14, 2022

poppler regression  
=========================================================================  
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 18.04 LTS  
- Ubuntu 16.04 ESM

Summary:

USN-5606-1 caused a regression in poppler.

Software Description:  
- poppler: PDF rendering library

Details:

USN-5606-1 fixed a vulnerability in poppler. Unfortunately it was missing a  
commit to fix it properly.  This update provides  
the corresponding fix for Ubuntu 18.04 LTS and Ubuntu 16.04 ESM.

We apologize for the inconvenience.

Original advisory details:

 It was discovered that poppler incorrectly handled certain  
 PDF. An attacker could possibly use this issue to cause a  
 denial of service or execute arbitrary code.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 18.04 LTS:  
  libpoppler-private-dev          0.62.0-2ubuntu2.14  
  libpoppler73                    0.62.0-2ubuntu2.14  
  poppler-utils                   0.62.0-2ubuntu2.14

Ubuntu 16.04 ESM:  
  libpoppler-private-dev          0.41.0-0ubuntu1.16+esm2  
  libpoppler58                    0.41.0-0ubuntu1.16+esm2  
  poppler-utils                   0.41.0-0ubuntu1.16+esm2

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5606-2  
  https://ubuntu.com/security/notices/USN-5606-1  
  https://launchpad.net/bugs/1989515

Package Information:  
  https://launchpad.net/ubuntu/+source/poppler/0.62.0-2ubuntu2.14

Ubuntu Security Notice USN-5606-2

Uncontrolled Recursion in GitHub repository gpac/gpac prior to 2.1.0-DEV.

It can cause Denial-of-service attack.

**Version**

    root@ubuntu:~/gpac/.git# cat refs/heads/master
    0102c5d4db7fdbf08b5b591b2a6264de33867a07
    

**system stack size (default)**

    root@ubuntu:~/gpac/bin/gcc# ulimit -s
    8192
    

**POC**

Download POC

**Execute**

    root@ubuntu:~/gpac/bin/gcc# ./MP4Box -info -disox -dump-chap-ogg -dump-cover -drtp -x3dv -out /dev/null ./recursion
    [iso file] Unknown box type FF0000 in parent moov
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80000 in parent moov
    [iso file] Incomplete box mdat - start 11495 size 808395597
    [iso file] Incomplete file while reading for dump - aborting parsing
    [iso file] Unknown box type FF0000 in parent moov
    [iso file] extra box maxr found in hinf, deleting
    [iso file] Unknown box type 80000 in parent moov
    [iso file] Incomplete box mdat - start 11495 size 808395597
    [iso file] Incomplete file while reading for dump - aborting parsing
    MPEG-4 BIFS Scene Parsing
    Segmentation fault
    

**GDB**

    #1 ...
    #7880 0x00007ffff6cdbf19 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:466
    #7881 0x00007ffff6cdc6c7 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:658
    #7882 0x00007ffff6cdc89f in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:568
    #7883 0x00007ffff6cdcc25 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:544
    #7884 0x00007ffff6cdbf19 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:466
    #7885 0x00007ffff6cdc6c7 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:658
    #7886 0x00007ffff6cdc89f in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:568
    #7887 0x00007ffff6cdcc25 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:544
    #7888 0x00007ffff6cdbf19 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:466
    #7889 0x00007ffff6cdc6c7 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:658
    #7890 0x00007ffff6cdc89f in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:568
    #7891 0x00007ffff6cdcc25 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:544
    #7892 0x00007ffff6cdbf19 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:466
    #7893 0x00007ffff6cdc6c7 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:658
    #7894 0x00007ffff6cdc89f in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:568
    #7895 0x00007ffff6cdcc25 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:544
    #7896 0x00007ffff6cdbf19 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:466
    #7897 0x00007ffff6cdc6c7 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:658
    #7898 0x00007ffff6cdc89f in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:568
    #7899 0x00007ffff6cdcc25 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:544
    #7900 0x00007ffff6cdbf19 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:466
    #7901 0x00007ffff6cdc6c7 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:658
    #7902 0x00007ffff6cdc89f in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:568
    #7903 0x00007ffff6cdcc25 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:544
    #7904 0x00007ffff6cdbf19 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:466
    #7905 0x00007ffff6cdc6c7 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:658
    #7906 0x00007ffff6cdc89f in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:568
    #7907 0x00007ffff6cdcc25 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:544
    #7908 0x00007ffff6cdbf19 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:466
    #7909 0x00007ffff6cdc6c7 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:658
    #7910 0x00007ffff6cdc89f in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:568
    #7911 0x00007ffff6cdcc25 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:544
    #7912 0x00007ffff6cdbf19 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:466
    #7913 0x00007ffff6cdc6c7 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:658
    #7914 0x00007ffff6cdc89f in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:568
    #7915 0x00007ffff6cdcc25 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:544
    #7916 0x00007ffff6cdbf19 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:466
    #7917 0x00007ffff6cdc6c7 in SFS_Expression (parser=0x7fffffff6f30) at bifs/script_dec.c:658
    #7918 0x00007ffff6cdb61c in SFS_CompoundExpression (parser=0x7fffffff6f30) at bifs/script_dec.c:419
    #7919 0x00007ffff6cdaed3 in SFS_IfStatement (parser=0x7fffffff6f30) at bifs/script_dec.c:334
    #7920 0x00007ffff6cdac78 in SFS_Statement (parser=0x7fffffff6f30) at bifs/script_dec.c:303
    #7921 0x00007ffff6cdab2c in SFS_StatementBlock (parser=0x7fffffff6f30, funcBody=GF_TRUE) at bifs/script_dec.c:287
    #7922 0x00007ffff6cd9f01 in SFScript_Parse (codec=<optimized out>, script_field=0x8e1740, bs=0x8cded0, n=<optimized out>) at bifs/script_dec.c:210
    #7923 0x00007ffff6cc5563 in gf_bifs_dec_sf_field (codec=0x8de970, bs=0x8cded0, node=0x8e1850, field=0x7fffffff7060, is_mem_com=GF_FALSE) at bifs/field_decode.c:277
    #7924 0x00007ffff6cc9156 in BD_DecMFFieldVec (codec=0x8de970, bs=0x8cded0, node=0x8e1850, field=0x7fffffff7130, is_mem_com=<optimized out>) at bifs/field_decode.c:427
    #7925 0x00007ffff6cc9a74 in gf_bifs_dec_field (codec=0x8de970, bs=0x8cded0, node=0x8e1850, field=0x7fffffff7130, is_mem_com=GF_FALSE) at bifs/field_decode.c:566
    #7926 0x00007ffff6cca419 in gf_bifs_dec_node_list (codec=0x8de970, bs=0x8cded0, node=0x8e1850, is_proto=<optimized out>) at bifs/field_decode.c:626
    #7927 0x00007ffff6cc8130 in gf_bifs_dec_node (codec=0x51, bs=<optimized out>, NDT_Tag=<optimized out>) at bifs/field_decode.c:928
    #7928 0x00007ffff6cc8daa in BD_DecMFFieldVec (codec=0x8de970, bs=0x8cded0, node=0x8e17c0, field=0x7fffffff7720, is_mem_com=GF_FALSE) at bifs/field_decode.c:436
    #7929 0x00007ffff6cc9a74 in gf_bifs_dec_field (codec=0x8de970, bs=0x8cded0, node=0x8e17c0, field=0x7fffffff7720, is_mem_com=GF_FALSE) at bifs/field_decode.c:566
    #7930 0x00007ffff6cca419 in gf_bifs_dec_node_list (codec=0x8de970, bs=0x8cded0, node=0x8e17c0, is_proto=<optimized out>) at bifs/field_decode.c:626
    #7931 0x00007ffff6cc8130 in gf_bifs_dec_node (codec=0x37, bs=<optimized out>, NDT_Tag=<optimized out>) at bifs/field_decode.c:928
    #7932 0x00007ffff6cb5067 in BD_DecSceneReplace (codec=0x8de970, bs=0x8cded0, proto_list=<optimized out>) at bifs/com_dec.c:1357
    #7933 0x00007ffff6cd6043 in BM_SceneReplace (codec=0x8de970, bs=0x6, com_list=0x8ded30) at bifs/memory_decoder.c:867
    #7934 0x00007ffff6cd6556 in BM_ParseCommand (codec=0x8de970, bs=0x8cded0, com_list=0x8ded30) at bifs/memory_decoder.c:917
    #7935 0x00007ffff6cd7075 in gf_bifs_decode_command_list (codec=0x8de970, ESID=<optimized out>,
        data=0x8dedb0 "\314\314", '\060' <repeats 169 times>, "\020", '\060' <repeats 28 times>..., data_length=0x2010, com_list=0x8ded30) at bifs/memory_decoder.c:1038
    #7936 0x00007ffff70b378e in gf_sm_load_run_isom (load=0x7fffffff8660) at scene_manager/loader_isom.c:303
    #7937 0x00007ffff70765ab in gf_sm_load_run (load=0x7fffffff8660) at scene_manager/scene_manager.c:719
    #7938 0x0000000000443136 in dump_isom_scene (file=<optimized out>, inName=0x7fffffffe754 "/dev/null", is_final_name=GF_TRUE, dump_mode=GF_SM_DUMP_X3D_VRML,
        do_log=<optimized out>, no_odf_conv=<optimized out>) at filedump.c:203
    #7939 0x0000000000434038 in mp4box_main (argc=<optimized out>, argv=<optimized out>) at mp4box.c:6344
    #7940 0x00007ffff657ec87 in __libc_start_main (main=0x4410a0 <main>, argc=0xa, argv=0x7fffffffe488, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>,
        stack_end=0x7fffffffe478) at ../csu/libc-start.c:310
    #7941 0x00000000004103fa in _start
    

**Impact**

DoS

CVE-2022-3222: Segmentation Fault in SFS_Expression in gpac

An issue was discovered in Bento4 through 1.6.0-639. A NULL pointer dereference occurs in AP4_DescriptorListWriter::Action in Core/Ap4Descriptor.h, called from AP4_EsDescriptor::WriteFields and AP4_Expandable::Write.

Hello, I use fuzzer to test bianry mp4split, and found some vulnerabilities,the following is the details.

**Bug1**

    root@c511e4bf49bc:/mp4split/mp4split# ./mp4split FishFuzz/crashes/id:000000,sig:06,src:000011,op:flip1,pos:31240,1216870
    =================================================================
    ==2589461==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000cfdb21 at pc 0x0000009a6c6c bp 0x7ffec6ff0d60 sp 0x7ffec6ff0510
    READ of size 237 at 0x000000cfdb21 thread T0
        #0 0x9a6c6b in __interceptor_fwrite.part.57 /llvm/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1143
        #1 0x7ab8fa in AP4_StdcFileByteStream::WritePartial(void const*, unsigned int, unsigned int&) (/mp4split/mp4split/mp4split+0x7ab8fa)
        #2 0x471cf7 in AP4_ByteStream::Write(void const*, unsigned int) (/mp4split/mp4split/mp4split+0x471cf7)
        #3 0x4d1be1 in AP4_HdlrAtom::WriteFields(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x4d1be1)
        #4 0x41378f in AP4_AtomListWriter::Action(AP4_Atom*) const (/mp4split/mp4split/mp4split+0x41378f)
        #5 0x483213 in AP4_ContainerAtom::WriteFields(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x483213)
        #6 0x41378f in AP4_AtomListWriter::Action(AP4_Atom*) const (/mp4split/mp4split/mp4split+0x41378f)
        #7 0x483213 in AP4_ContainerAtom::WriteFields(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x483213)
        #8 0x41378f in AP4_AtomListWriter::Action(AP4_Atom*) const (/mp4split/mp4split/mp4split+0x41378f)
        #9 0x483213 in AP4_ContainerAtom::WriteFields(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x483213)
        #10 0x40d872 in main (/mp4split/mp4split/mp4split+0x40d872)
        #11 0x7f7ce8910c86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #12 0x407689 in _start (/mp4split/mp4split/mp4split+0x407689)
    
    0x000000cfdb21 is located 63 bytes to the left of global variable 'AP4_GlobalOptions::g_Entries' defined in '/Bento4-1.5.1-629/Source/C++/Core/Ap4Utils.cpp:37:56' (0xcfdb60) of size 8
    0x000000cfdb21 is located 0 bytes to the right of global variable 'AP4_String::EmptyString' defined in '/Bento4-1.5.1-629/Source/C++/Core/Ap4String.cpp:39:18' (0xcfdb20) of size 1
      'AP4_String::EmptyString' is ascii string ''
    SUMMARY: AddressSanitizer: global-buffer-overflow /llvm/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1143 in __interceptor_fwrite.part.57
    Shadow bytes around the buggy address:
      0x000080197b10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x000080197b20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f9
      0x000080197b30: f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9 00 00 00 f9
      0x000080197b40: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 f9 f9 f9
      0x000080197b50: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 f9 f9 f9
    =>0x000080197b60: f9 f9 f9 f9[01]f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
      0x000080197b70: f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9 00 00 00 00
      0x000080197b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x000080197b90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x000080197ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x000080197bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==2589461==ABORTING
    

**Bug2**

    root@c511e4bf49bc:/mp4split/mp4split# ./mp4split FishFuzz/crashes/id:000001,sig:06,src:000011,op:flip1,pos:31415,1226899
    AddressSanitizer:DEADLYSIGNAL
    =================================================================
    ==2659777==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000096b50a bp 0x7ffda4354030 sp 0x7ffda4353e70 T0)
    ==2659777==The signal is caused by a READ memory access.
    ==2659777==Hint: address points to the zero page.
        #0 0x96b50a in AP4_DescriptorListWriter::Action(AP4_Descriptor*) const (/mp4split/mp4split/mp4split+0x96b50a)
        #1 0x88e625 in AP4_EsDescriptor::WriteFields(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x88e625)
        #2 0x896a7f in AP4_Expandable::Write(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x896a7f)
        #3 0x4bdbcd in AP4_EsdsAtom::WriteFields(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x4bdbcd)
        #4 0x41378f in AP4_AtomListWriter::Action(AP4_Atom*) const (/mp4split/mp4split/mp4split+0x41378f)
        #5 0x61dbf8 in AP4_SampleEntry::Write(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x61dbf8)
        #6 0x41378f in AP4_AtomListWriter::Action(AP4_Atom*) const (/mp4split/mp4split/mp4split+0x41378f)
        #7 0x676f0b in AP4_StsdAtom::WriteFields(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x676f0b)
        #8 0x41378f in AP4_AtomListWriter::Action(AP4_Atom*) const (/mp4split/mp4split/mp4split+0x41378f)
        #9 0x483213 in AP4_ContainerAtom::WriteFields(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x483213)
        #10 0x41378f in AP4_AtomListWriter::Action(AP4_Atom*) const (/mp4split/mp4split/mp4split+0x41378f)
        #11 0x483213 in AP4_ContainerAtom::WriteFields(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x483213)
        #12 0x41378f in AP4_AtomListWriter::Action(AP4_Atom*) const (/mp4split/mp4split/mp4split+0x41378f)
        #13 0x483213 in AP4_ContainerAtom::WriteFields(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x483213)
        #14 0x41378f in AP4_AtomListWriter::Action(AP4_Atom*) const (/mp4split/mp4split/mp4split+0x41378f)
        #15 0x483213 in AP4_ContainerAtom::WriteFields(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x483213)
        #16 0x41378f in AP4_AtomListWriter::Action(AP4_Atom*) const (/mp4split/mp4split/mp4split+0x41378f)
        #17 0x483213 in AP4_ContainerAtom::WriteFields(AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x483213)
        #18 0x40d872 in main (/mp4split/mp4split/mp4split+0x40d872)
        #19 0x7f1636a2cc86 in __libc_start_main /build/glibc-CVJwZb/glibc-2.27/csu/../csu/libc-start.c:310
        #20 0x407689 in _start (/mp4split/mp4split/mp4split+0x407689)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV (/mp4split/mp4split/mp4split+0x96b50a) in AP4_DescriptorListWriter::Action(AP4_Descriptor*) const
    ==2659777==ABORTING
    

**poc**

crash.zip

**environment**

Ubuntu 18.04(docker)

**credit**

Yuhang Huang (NCNIPC of China)  
Han Zheng (NCNIPC of China, Hexhive)

Thansk for your time!

CVE-2022-40738: there are some vulnerabilities in binary mp4split · Issue #756 · axiomatic-systems/Bento4

An issue was discovered in Bento4 1.6.0-639. There ie excessive memory consumption in AP4_CttsAtom::Create in Core/Ap4CttsAtom.cpp.

**summary**

Hello, I use my fuzzer to fuzz binary mp4tag mp4split and mp42hevc, the three binary all crashede, and shows that allocator is out of memory trying to allocate 0xxxxxxx bytes. The version of Bento4 is the latest and the operation system is Ubuntu 18.04(docker). The following is the details.

**Bug1**

    root@c511e4bf49bc:/mp42hevc/mp42hevc# ./mp42hevc seed.demo out.hevc 
    =================================================================
    ==92089==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0x54ba37b78 bytes
        #0 0xa1b020 in malloc /llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x7fe65b2d6297 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x93297)
        #2 0x6c1b9b in AP4_CttsAtom::Create(unsigned int, AP4_ByteStream&) (/mp42hevc/mp42hevc/mp42hevc+0x6c1b9b)
        #3 0x5cf24c in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/mp42hevc/mp42hevc/mp42hevc+0x5cf24c)
        #4 0x5dcbb6 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/mp42hevc/mp42hevc/mp42hevc+0x5dcbb6)
        #5 0x6bd7a5 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/mp42hevc/mp42hevc/mp42hevc+0x6bd7a5)
        #6 0x6bc7f9 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) (/mp42hevc/mp42hevc/mp42hevc+0x6bc7f9)
        #7 0x5d5f65 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/mp42hevc/mp42hevc/mp42hevc+0x5d5f65)
        #8 0x5dcbb6 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/mp42hevc/mp42hevc/mp42hevc+0x5dcbb6)
        #9 0x6bd7a5 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/mp42hevc/mp42hevc/mp42hevc+0x6bd7a5)
        #10 0x6bcf4a in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) (/mp42hevc/mp42hevc/mp42hevc+0x6bcf4a)
        #11 0x5d5abc in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/mp42hevc/mp42hevc/mp42hevc+0x5d5abc)
        #12 0x5dcbb6 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/mp42hevc/mp42hevc/mp42hevc+0x5dcbb6)
        #13 0x6bd7a5 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/mp42hevc/mp42hevc/mp42hevc+0x6bd7a5)
        #14 0x6bfa61 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) (/mp42hevc/mp42hevc/mp42hevc+0x6bfa61)
    
    ==92089==HINT: if you don't care about these errors you may set allocator_may_return_null=1
    SUMMARY: AddressSanitizer: out-of-memory /llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145 in malloc
    ==92089==ABORTING
    my test case:
    
    

**Bug2**

    root@c511e4bf49bc:/mp42hevc/mp42hevc# /mp4box/mp4tag/mp4tag /mp4box/mp4tag/seed.demo 
    =================================================================
    ==843687==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0x3a35b4320 bytes
        #0 0xa38ee0 in malloc /llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x7f9f81086297 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x93297)
        #2 0x4ae28b in AP4_CttsAtom::Create(unsigned int, AP4_ByteStream&) (/mp4box/mp4tag/mp4tag+0x4ae28b)
        #3 0x45f0fc in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/mp4box/mp4tag/mp4tag+0x45f0fc)
        #4 0x46ca96 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/mp4box/mp4tag/mp4tag+0x46ca96)
        #5 0x4a9e92 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/mp4box/mp4tag/mp4tag+0x4a9e92)
        #6 0x4ac151 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) (/mp4box/mp4tag/mp4tag+0x4ac151)
    
    ==843687==HINT: if you don't care about these errors you may set allocator_may_return_null=1
    SUMMARY: AddressSanitizer: out-of-memory /llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145 in malloc
    ==843687==ABORTING
    

**Bug3**

    root@c511e4bf49bc:/mp4split/mp4split# ./mp4split FishFuzz/crashes/id:000025,sig:06,src:000215,op:flip1,pos:31468,26038495
    =================================================================
    ==3151765==ERROR: AddressSanitizer: allocator is out of memory trying to allocate 0x400000068 bytes
        #0 0xa19d40 in malloc /llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
        #1 0x7f8d59cb9297 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x93297)
        #2 0x48fc9b in AP4_CttsAtom::Create(unsigned int, AP4_ByteStream&) (/mp4split/mp4split/mp4split+0x48fc9b)
        #3 0x440aec in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/mp4split/mp4split/mp4split+0x440aec)
        #4 0x44e46b in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/mp4split/mp4split/mp4split+0x44e46b)
        #5 0x48b8a5 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/mp4split/mp4split/mp4split+0x48b8a5)
        #6 0x48b04a in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) (/mp4split/mp4split/mp4split+0x48b04a)
        #7 0x44735c in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/mp4split/mp4split/mp4split+0x44735c)
        #8 0x44e46b in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/mp4split/mp4split/mp4split+0x44e46b)
        #9 0x48b8a5 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/mp4split/mp4split/mp4split+0x48b8a5)
        #10 0x48b04a in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) (/mp4split/mp4split/mp4split+0x48b04a)
        #11 0x44735c in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/mp4split/mp4split/mp4split+0x44735c)
        #12 0x44e46b in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/mp4split/mp4split/mp4split+0x44e46b)
        #13 0x48b8a5 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/mp4split/mp4split/mp4split+0x48b8a5)
        #14 0x48b04a in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) (/mp4split/mp4split/mp4split+0x48b04a)
        #15 0x44735c in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) (/mp4split/mp4split/mp4split+0x44735c)
        #16 0x44e46b in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) (/mp4split/mp4split/mp4split+0x44e46b)
        #17 0x48b8a5 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) (/mp4split/mp4split/mp4split+0x48b8a5)
        #18 0x48db61 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) (/mp4split/mp4split/mp4split+0x48db61)
    
    ==3151765==HINT: if you don't care about these errors you may set allocator_may_return_null=1
    SUMMARY: AddressSanitizer: out-of-memory /llvm/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145 in malloc
    ==3151765==ABORTING
    
    
    

**POC**

MP42hevc\_crash.zip  
MP4tag\_crash.zip  
mp4split\_crash.zip

**Credit**

Yuhang Huang (NCNIPC of China)  
Han Zheng (NCNIPC of China, Hexhive)

Thank you for your time!

CVE-2022-40736: Out of memory in AP4_CttsAtom::Create(unsigned int, AP4_ByteStream&) · Issue #755 · axiomatic-systems/Bento4

Buffer overflow vulnerability in function AP4_MemoryByteStream::WritePartial in mp42aac in Bento4 v1.6.0-639, allows attackers to cause a denial of service via a crafted file.

Hi, developers of Bento4:  
In the test of the binary mp42aac instrumented with ASAN. There are some inputs causing heap-buffer-overflow. Here is the ASAN mode output:

\=================================================================  
\==4695==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6190000027a0 at pc 0x7ffff6ef6964 bp 0x7fffffffdea0 sp 0x7fffffffd648  
WRITE of size 4294967288 at 0x6190000027a0 thread T0  
#0 0x7ffff6ef6963 in \_\_asan\_memcpy (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x8c963)  
#1 0x409ed4 in AP4\_MemoryByteStream::WritePartial(void const\*, unsigned int, unsigned int&) /home/ferry/dp/Bento4/Source/C++/Core/Ap4ByteStream.cpp:785  
#2 0x40d9e3 in AP4\_ByteStream::Write(void const\*, unsigned int) /home/ferry/dp/Bento4/Source/C++/Core/Ap4ByteStream.cpp:77  
#3 0x4eb601 in AP4\_Atom::Write(AP4\_ByteStream&) /home/ferry/dp/Bento4/Source/C++/Core/Ap4Atom.cpp:229  
#4 0x4eb601 in AP4\_Atom::Clone() /home/ferry/dp/Bento4/Source/C++/Core/Ap4Atom.cpp:316  
#5 0x446d7a in AP4\_SampleDescription::AP4\_SampleDescription(AP4\_SampleDescription::Type, unsigned int, AP4\_AtomParent\*) /home/ferry/dp/Bento4/Source/C++/Core/Ap4SampleDescription.cpp:138  
#6 0x461a8f in AP4\_GenericAudioSampleDescription::AP4\_GenericAudioSampleDescription(unsigned int, unsigned int, unsigned short, unsigned short, AP4\_AtomParent\*) /home/ferry/dp/Bento4/Source/C++/Core/Ap4SampleDescription.h:259  
#7 0x461a8f in AP4\_AudioSampleEntry::ToSampleDescription() /home/ferry/dp/Bento4/Source/C++/Core/Ap4SampleEntry.cpp:630  
#8 0x48ca03 in AP4\_StsdAtom::GetSampleDescription(unsigned int) /home/ferry/dp/Bento4/Source/C++/Core/Ap4StsdAtom.cpp:181  
#9 0x4040b6 in main /home/ferry/dp/Bento4/Source/C++/Apps/Mp42Aac/Mp42Aac.cpp:268  
#10 0x7ffff61bb83f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2083f)  
#11 0x408338 in \_start (/home/ferry/dp/Bento4/mp42aac+0x408338)

0x6190000027a0 is located 0 bytes to the right of 1056-byte region \[0x619000002380,0x6190000027a0)  
allocated by thread T0 here:  
#0 0x7ffff6f03712 in operator new\[\](unsigned long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x99712)  
#1 0x414c8e in AP4\_DataBuffer::ReallocateBuffer(unsigned int) /home/ferry/dp/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:210  
#2 0x414c8e in AP4\_DataBuffer::SetBufferSize(unsigned int) /home/ferry/dp/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:136  
#3 0x414c8e in AP4\_DataBuffer::Reserve(unsigned int) /home/ferry/dp/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:107

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 \_\_asan\_memcpy  
Shadow bytes around the buggy address:  
0x0c327fff84a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c327fff84b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c327fff84c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c327fff84d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
0x0c327fff84e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  
\=>0x0c327fff84f0: 00 00 00 00\[fa\]fa fa fa fa fa fa fa fa fa fa fa  
0x0c327fff8500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c327fff8510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c327fff8520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c327fff8530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
0x0c327fff8540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa  
Shadow byte legend (one shadow byte represents 8 application bytes):  
Addressable: 00  
Partially addressable: 01 02 03 04 05 06 07  
Heap left redzone: fa  
Heap right redzone: fb  
Freed heap region: fd  
Stack left redzone: f1  
Stack mid redzone: f2  
Stack right redzone: f3  
Stack partial redzone: f4  
Stack after return: f5  
Stack use after scope: f8  
Global redzone: f9  
Global init order: f6  
Poisoned by user: f7  
Container overflow: fc  
Array cookie: ac  
Intra object redzone: bb  
ASan internal: fe  
\==4695==ABORTING

**Crash input**

https://github.com/17ssDP/fuzzer\_crashes/blob/main/Bento4/input2

**Validation steps**

    git clone https://github.com/axiomatic-systems/Bento4
    cd Bento4/
    mkdir check_build && cd check_build
    cmake ../ -DCMAKE_C_COMPILER=clang  -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_FLAGS="-fsanitize=address" -DCMAKE_CXX_FLAGS="-fsanitize=address" -DCMAKE_BUILD_TYPE=Release
    make -j 
    ./mp42aac input2 /dev/null
    

**Environment**

Ubuntu 16.04  
Clang 10.0.1  
gcc 5.5

CVE-2022-40438: Heap-buffer-overflow with ASAN in mp42aac · Issue #751 · axiomatic-systems/Bento4

An memory leak issue was discovered in AP4_StdcFileByteStream::Create in mp42ts in Bento4 v1.6.0-639, allows attackers to cause a denial of service via a crafted file.

Hi, developers of Bento4:  
In the test of the binary mp42ts instrumented with ASAN. There are some inputs causing memory leaks. Here is the ASAN mode output:

\=================================================================  
\==18321==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 48 byte(s) in 1 object(s) allocated from:  
#0 0x7ffff6f03592 in operator new(unsigned long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x99592)  
#1 0x4c871d in AP4\_StdcFileByteStream::Create(AP4\_FileByteStream\*, char const\*, AP4\_FileByteStream::Mode, AP4\_ByteStream\*&) /home/ferry/dp/chunkfuzzer-evaluation/unibench-latest/Bento4/Source/C++/System/StdC/Ap4StdCFileByteStream.cpp:279  
#2 0x4c871d in AP4\_FileByteStream::Create(char const\*, AP4\_FileByteStream::Mode, AP4\_ByteStream\*&) /home/ferry/dp/chunkfuzzer-evaluation/unibench-latest/Bento4/Source/C++/System/StdC/Ap4StdCFileByteStream.cpp:439

Indirect leak of 72 byte(s) in 1 object(s) allocated from:  
#0 0x7ffff6f03592 in operator new(unsigned long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x99592)  
#1 0x404286 in main /home/ferry/dp/chunkfuzzer-evaluation/unibench-latest/Bento4/Source/C++/Apps/Mp42Ts/Mp42Ts.cpp:511  
#2 0x7ffff61bb83f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2083f)

Indirect leak of 64 byte(s) in 1 object(s) allocated from:  
#0 0x7ffff6f03592 in operator new(unsigned long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x99592)  
#1 0x4f57d1 in AP4\_RtpAtom::Create(unsigned int, AP4\_ByteStream&) /home/ferry/dp/chunkfuzzer-evaluation/unibench-latest/Bento4/Source/C++/Core/Ap4RtpAtom.h:53  
#2 0x4f57d1 in AP4\_AtomFactory::CreateAtomFromStream(AP4\_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4\_Atom\*&) /home/ferry/dp/chunkfuzzer-evaluation/unibench-latest/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:689

Indirect leak of 24 byte(s) in 1 object(s) allocated from:  
#0 0x7ffff6f03592 in operator new(unsigned long) (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x99592)  
#1 0x4d2591 in AP4\_List<AP4\_Atom>::Add(AP4\_Atom\*) /home/ferry/dp/chunkfuzzer-evaluation/unibench-latest/Bento4/Source/C++/Core/Ap4List.h:160  
#2 0x4d2591 in AP4\_AtomParent::AddChild(AP4\_Atom\*, int) /home/ferry/dp/chunkfuzzer-evaluation/unibench-latest/Bento4/Source/C++/Core/Ap4Atom.cpp:532

SUMMARY: AddressSanitizer: 208 byte(s) leaked in 4 allocation(s).

****Crash Input****

https://github.com/17ssDP/fuzzer\_crashes/blob/main/Bento4/input1

**Verification steps：**

    git clone https://github.com/axiomatic-systems/Bento4
    cd Bento4/
    mkdir check_build && cd check_build
    cmake ../ -DCMAKE_C_COMPILER=clang  -DCMAKE_CXX_COMPILER=clang++ -DCMAKE_C_FLAGS="-fsanitize=address" -DCMAKE_CXX_FLAGS="-fsanitize=address" -DCMAKE_BUILD_TYPE=Release
    make -j 
    ./mp42ts input1 /dev/null
    

**Environment**

Ubuntu 16.04  
Clang 10.0.1  
gcc 5.5

Tag

#ubuntu