Heap buffer overflow (WRITE) in 2.2.0-git-800-ga8f7d9fa
There is a 4-byte heap buffer overflow when playing a specially crafted mp4 file.
ASAN output:
==26620== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60040009d6c0 at pc 0x7f92693f1688 bp 0x7f926c496340 sp 0x7f926c496338
WRITE of size 4 at 0x60040009d6c0 thread T3
#0 0x7f92693f1687 (/usr/local/lib/vlc/plugins/demux/libmp4_plugin.so+0x1a687)
==26620== AddressSanitizer: while reporting a bug found another one. Ignoring.
#1 0x7f92693fe0e7 (/usr/local/lib/vlc/plugins/demux/libmp4_plugin.so+0x270e7)
#2 0x7f92693e7fc0 (/usr/local/lib/vlc/plugins/demux/libmp4_plugin.so+0x10fc0)
#3 0x7f9276cd2bb8 (/tmp/vlc/src/.libs/libvlccore.so.8.0.0+0x178bb8)
#4 0x7f9276cd1f96 (/tmp/vlc/src/.libs/libvlccore.so.8.0.0+0x177f96)
#5 0x7f9276cd2659 (/tmp/vlc/src/.libs/libvlccore.so.8.0.0+0x178659)
#6 0x7f9276cd2d13 (/tmp/vlc/src/.libs/libvlccore.so.8.0.0+0x178d13)
#7 0x7f9276c05162 (/tmp/vlc/src/.libs/libvlccore.so.8.0.0+0xab162)
#8 0x7f9276c3d7ca (/tmp/vlc/src/.libs/libvlccore.so.8.0.0+0xe37ca)
#9 0x7f9276c342c8 (/tmp/vlc/src/.libs/libvlccore.so.8.0.0+0xda2c8)
#10 0x7f9276c2c8ab (/tmp/vlc/src/.libs/libvlccore.so.8.0.0+0xd28ab)
#11 0x7f9276bd3d29 (/tmp/vlc/src/.libs/libvlccore.so.8.0.0+0x79d29)
#12 0x7f9276bd438d (/tmp/vlc/src/.libs/libvlccore.so.8.0.0+0x7a38d)
#13 0x7f9277c91b97 (/usr/lib/x86_64-linux-gnu/libasan.so.0.0.0+0x18b97)
#14 0x7f927781c181 (/lib/x86_64-linux-gnu/libpthread-2.19.so+0x8181)
#15 0x7f9277344fbc (/lib/x86_64-linux-gnu/libc-2.19.so+0xfafbc)
In:
#7 0x00007fffe63cc688 in TrackCreateChunksIndex (p_demux=0x60280004f2d8, p_demux_track=0x6046000aae00) at demux/mp4/mp4.c:1765
1765 p_demux_track->chunk[0].i_sample_first = 0;
GDB bt full:
#7 0x00007fffe63cc688 in TrackCreateChunksIndex (p_demux=0x60280004f2d8, p_demux_track=0x6046000aae00) at demux/mp4/mp4.c:1765
p_sys = 0x601c00045cc0
p_co64 = 0x60100000f0a0
p_stsc = 0x60100000f1a0
i_chunk = 0
i_index = 4294967295
i_last = 0
#8 0x00007fffe63d90e8 in MP4_TrackCreate (p_demux=0x60280004f2d8, p_track=0x6046000aae00, p_box_trak=0x60100000faa0, b_force_enable=true) at demux/mp4/mp4.c:3263
p_sys = 0x601c00045cc0
p_tkhd = 0x60100000fa20
p_tref = 0x0
p_elst = 0x0
p_mdhd = 0x60100000f8a0
p_udta = 0x0
p_hdlr = 0x60100000f820
p_vmhd = 0x60100000f720
p_smhd = 0x7ffff4e63b98
language = "und"
#9 0x00007fffe63c2fc1 in Open (p_this=0x60280004f2d8) at demux/mp4/mp4.c:725
p_demux = 0x60280004f2d8
p_sys = 0x601c00045cc0
p_peek = 0x7fffe3a43800 ""
p_ftyp = 0x60100000fea0
p_rmra = 0x0
p_mvhd = 0x60100000fd20
p_trak = 0x60100000faa0
i = 0
b_enabled_es = false
p_fragment = 0xf47dc1c0
#10 0x00007ffff3ea4bb9 in generic_start (func=0x7fffe63c0fc1 <Open>, ap=0x7fffe6bbf7a0) at modules/modules.c:351
obj = 0x60280004f2d8
activate = 0x7fffe63c0fc1 <Open>
#11 0x00007ffff3ea3f97 in module_load (obj=0x60280004f2d8, m=0x601a00007f00, init=0x7ffff3ea4aa6 <generic_start>, args=0x7fffe6bbf8f0) at modules/modules.c:185
ap = {{gp_offset = 48, fp_offset = 48, overflow_arg_area = 0x7fffe6bbfa60, reg_save_area = 0x7fffe6bbf990}}
ret = 0
#12 0x00007ffff3ea465a in vlc_module_load (obj=0x60280004f2d8, capability=0x7ffff3f52500 "demux", name=0x7ffff3f529cc <exttodemux+204> "", strict=false, probe=0x7ffff3ea4aa6 <generic_start>) at modules/modules.c:277
cand = 0x601a00007f00
ret = -423888832
i = 0
buf = "mp4\000\377\177\000\000\240\372\005\000&`\000\000\360\372\005\000&`\000\000\000\000\000\000\000\000\000"
slen = 3
shortcut = 0x7fffe6bbf930 "mp4"
var = 0x0
mods = 0x60360004fc80
total = 66
module = 0x0
b_force_backup = false
args = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fffe6bbfa60, reg_save_area = 0x7fffe6bbf990}}
__PRETTY_FUNCTION__ = "vlc_module_load"
I am attaching the mp4 file with http://streams.videolan.org/upload/ .
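Added example, not VLC code and not from the reporter: a minimal C model of how a track's chunk index is built from a chunk-offset table (stco/co64) and a sample-to-chunk table (stsc), written to show the checks that keep the write to chunk[0].i_sample_first at mp4.c:1765 inside the allocated array. The report only establishes a 4-byte heap write at that line; this example ASSUMES the trigger is a chunk table with zero entries, which the report does not confirm, and it goes beyond the report by also bounding the stsc first_chunk runs. All type and function names, the MAX_CHUNKS limit and the sample tables are constructed for the example.

```c
/* Added example (not VLC code). Models chunk-index construction with the
 * bounds checks that would keep chunk[0] in range. Assumption: the crafted
 * file yields a zero-entry chunk table; the report does not confirm this. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_CHUNKS (1u << 20)   /* assumed sane upper bound for the demo */

typedef struct {
    uint32_t i_first_chunk;       /* 1-based, as in the stsc atom */
    uint32_t i_samples_per_chunk;
} stsc_entry_t;

typedef struct {
    uint32_t i_sample_first;      /* index of this chunk's first sample */
    uint32_t i_sample_count;
} chunk_t;

typedef struct {
    uint32_t i_chunk_count;
    chunk_t *chunk;
} track_t;

/* Vulnerable shape, kept for contrast: the entry count comes straight from
 * the file and chunk[0] is written without checking the array has an
 * element. With i_entry_count == 0, calloc(0, ...) may return a non-NULL
 * zero-size block and the store is a 4-byte heap write of the kind ASan
 * flagged. Do not call this with i_entry_count == 0. */
int chunks_index_unchecked(track_t *t, uint32_t i_entry_count)
{
    t->i_chunk_count = i_entry_count;
    t->chunk = calloc(i_entry_count, sizeof(*t->chunk));
    if (t->chunk == NULL)
        return -1;
    t->chunk[0].i_sample_first = 0;   /* out of bounds when count is 0 */
    return 0;
}

/* Hardened shape: validate the chunk count, then validate each stsc run
 * against it before using it as an index. Returns 0 on success and -1 on a
 * malformed table; the caller should drop the track rather than play it. */
int chunks_index_checked(track_t *t, uint32_t i_chunk_count,
                         const stsc_entry_t *stsc, uint32_t i_stsc_count)
{
    if (i_chunk_count == 0 || i_chunk_count > MAX_CHUNKS)
        return -1;                     /* nothing to index, or absurd size */
    if (i_stsc_count == 0 || stsc[0].i_first_chunk != 1)
        return -1;                     /* first run must cover chunk 1 */

    chunk_t *chunk = calloc(i_chunk_count, sizeof(*chunk));
    if (chunk == NULL)
        return -1;

    /* Run k covers chunks [first_chunk[k], first_chunk[k+1]); the last run
     * extends to the end of the chunk table. */
    for (uint32_t k = 0; k < i_stsc_count; k++) {
        uint32_t first = stsc[k].i_first_chunk;
        uint32_t last  = (k + 1 < i_stsc_count) ? stsc[k + 1].i_first_chunk
                                                 : i_chunk_count + 1;
        /* 1-based, inside the table, strictly increasing; else malformed */
        if (first == 0 || first > i_chunk_count || last <= first
            || last > i_chunk_count + 1) {
            free(chunk);
            return -1;
        }
        for (uint32_t c = first - 1; c < last - 1; c++)
            chunk[c].i_sample_count = stsc[k].i_samples_per_chunk;
    }

    chunk[0].i_sample_first = 0;       /* provably in bounds: count >= 1 */
    for (uint32_t c = 1; c < i_chunk_count; c++) {
        uint32_t prev = chunk[c - 1].i_sample_first;
        if (UINT32_MAX - prev < chunk[c - 1].i_sample_count) {
            free(chunk);               /* cumulative sample index overflow */
            return -1;
        }
        chunk[c].i_sample_first = prev + chunk[c - 1].i_sample_count;
    }
    t->i_chunk_count = i_chunk_count;
    t->chunk = chunk;
    return 0;
}

/* Constructed sample-to-chunk table for the demo: chunks 1-2 hold 3
 * samples each, chunks 3 onward hold 2 each. */
static const stsc_entry_t demo_stsc[] = { {1, 3}, {3, 2} };

/* Verdict of the checked builder on an empty chunk table (the assumed trigger). */
int demo_zero_chunks(void)
{
    track_t t = {0, NULL};
    return chunks_index_checked(&t, 0, demo_stsc, 2);
}

/* Verdict on an stsc run whose first_chunk points past a 5-chunk table. */
int demo_stsc_out_of_range(void)
{
    static const stsc_entry_t bad[] = { {1, 3}, {9, 2} };
    track_t t = {0, NULL};
    return chunks_index_checked(&t, 5, bad, 2);
}

/* chunk[c].i_sample_first for a 5-chunk track built from demo_stsc, or
 * UINT32_MAX if the index cannot be built or c is out of range. */
uint32_t demo_sample_first(uint32_t c)
{
    track_t t = {0, NULL};
    if (chunks_index_checked(&t, 5, demo_stsc, 2) != 0)
        return UINT32_MAX;
    uint32_t r = (c < t.i_chunk_count) ? t.chunk[c].i_sample_first : UINT32_MAX;
    free(t.chunk);
    return r;
}

int main(void)
{
    printf("zero-entry chunk table rejected: %d\n", demo_zero_chunks());
    printf("out-of-range stsc run rejected: %d\n", demo_stsc_out_of_range());
    for (uint32_t c = 0; c < 5; c++)
        printf("chunk[%u].i_sample_first = %u\n", c, demo_sample_first(c));
    return 0;
}
```

The point of the checked version is that every index into chunk[] is derived from a count that was validated first, so the store to chunk[0] can no longer be reached with an empty array; the same argument covers the stsc runs, whose first_chunk values are file-controlled and would otherwise index the array directly.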