bento4: heap-based buffer overflow in AP4_BitStream::ReadBytes (Ap4BitStream.cpp)

Description:
bento4 is a fast, modern, open source C++ toolkit for all your MP4 and MPEG DASH media format needs.

The complete ASan output of the issue:

# aac2mp4 $FILE /tmp/out.mp4
AAC frame [000000]: size = -7, 96000 kHz, 0 ch
=================================================================
==8420==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000002100 at pc 0x0000004eed45 bp 0x7ffdd3db9900 sp 0x7ffdd3db90b0
READ of size 4294963374 at 0x625000002100 thread T0
    #0 0x4eed44 in __asan_memcpy /var/tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.1/work/compiler-rt-4.0.1.src/lib/asan/asan_interceptors.cc:453
    #1 0x54734d in AP4_BitStream::ReadBytes(unsigned char*, unsigned int) /tmp/Bento4-1.5.0-617/Source/C++/Codecs/Ap4BitStream.cpp:202:13
    #2 0x543498 in main /tmp/Bento4-1.5.0-617/Source/C++/Apps/Aac2Mp4/Aac2Mp4.cpp:142:29
    #3 0x7f7742500680 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r4/work/glibc-2.23/csu/../csu/libc-start.c:289
    #4 0x44fc28 in _start (/usr/bin/aac2mp4+0x44fc28)

0x625000002100 is located 0 bytes to the right of 8192-byte region [0x625000000100,0x625000002100)
allocated by thread T0 here:
    #0 0x53e7e0 in operator new[](unsigned long) /var/tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.1/work/compiler-rt-4.0.1.src/lib/asan/asan_new_delete.cc:84
    #1 0x546445 in AP4_BitStream::AP4_BitStream() /tmp/Bento4-1.5.0-617/Source/C++/Codecs/Ap4BitStream.cpp:45:16
    #2 0x5449fb in AP4_AdtsParser::AP4_AdtsParser() /tmp/Bento4-1.5.0-617/Source/C++/Codecs/Ap4AdtsParser.cpp:124:17
    #3 0x542d8b in main /tmp/Bento4-1.5.0-617/Source/C++/Apps/Aac2Mp4/Aac2Mp4.cpp:100:20
    #4 0x7f7742500680 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r4/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.1/work/compiler-rt-4.0.1.src/lib/asan/asan_interceptors.cc:453 in __asan_memcpy
Shadow bytes around the buggy address:
  0x0c4a7fff83d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff83e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff83f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff8410: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4a7fff8420:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff8470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==8420==ABORTING
Aborted

Affected version:
1.5.0-617

Fixed version:
N/A

Commit fix:
The maintainer said that one of the previous commit fixed this issue. It needs a bisect.

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-14645

Reproducer:
https://github.com/asarubbo/poc/blob/master/00335-bento4-heapoverflow-Ap4BitStream_cpp

Timeline:
2017-09-08: bug discovered and reported to upstream
2017-09-14: blog post about the issue
2017-09-21: CVE assigned

Note:
This bug was found with American Fuzzy Lop.
This bug was identified with bare metal servers donated by Packet. This work is also supported by the Core Infrastructure Initiative.

Permalink:

bento4: heap-based buffer overflow in AP4_BitStream::ReadBytes (Ap4BitStream.cpp)

This entry was posted in advisories, security. Bookmark the permalink.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.