Heap buffer overflow (READ) in 2.2.0-git-848-gbba3fa44
There is a 2-byte heap buffer overflow (read) when playing a specially crafted mov file.
ASAN output:
==17542== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x600600041520 at pc 0x7fdf4f8bb211 bp 0x7fdf51048e30 sp 0x7fdf51048e28
READ of size 2 at 0x600600041520 thread T3
[0000602400018bd8] dummy interface: using the dummy interface module...
#0 0x7fdf4f8bb210 (/usr/local/lib/vlc/plugins/demux/libmp4_plugin.so+0x3a210)
#1 0x7fdf4f8c805a (/usr/local/lib/vlc/plugins/demux/libmp4_plugin.so+0x4705a)
#2 0x7fdf4f8ef5ee (/usr/local/lib/vlc/plugins/demux/libmp4_plugin.so+0x6e5ee)
#3 0x7fdf4f8bc6f4 (/usr/local/lib/vlc/plugins/demux/libmp4_plugin.so+0x3b6f4)
==17542== AddressSanitizer: while reporting a bug found another one. Ignoring.
#4 0x7fdf4f8bc872 (/usr/local/lib/vlc/plugins/demux/libmp4_plugin.so+0x3b872)
#5 0x7fdf4f8bc938 (/usr/local/lib/vlc/plugins/demux/libmp4_plugin.so+0x3b938)
#6 0x7fdf4f8ef5ee (/usr/local/lib/vlc/plugins/demux/libmp4_plugin.so+0x6e5ee)
#7 0x7fdf4f8bc6f4 (/usr/local/lib/vlc/plugins/demux/libmp4_plugin.so+0x3b6f4)
#8 0x7fdf4f8bc872 (/usr/local/lib/vlc/plugins/demux/libmp4_plugin.so+0x3b872)
#9 0x7fdf4f8bc938 (/usr/local/lib/vlc/plugins/demux/libmp4_plugin.so+0x3b938)
#10 0x7fdf4f8ef5ee (/usr/local/lib/vlc/plugins/demux/libmp4_plugin.so+0x6e5ee)
#11 0x7fdf4f8bc6f4 (/usr/local/lib/vlc/plugins/demux/libmp4_plugin.so+0x3b6f4)
#12 0x7fdf4f8bc872 (/usr/local/lib/vlc/plugins/demux/libmp4_plugin.so+0x3b872)
#13 0x7fdf4f8bc938 (/usr/local/lib/vlc/plugins/demux/libmp4_plugin.so+0x3b938)
#14 0x7fdf4f8ef5ee (/usr/local/lib/vlc/plugins/demux/libmp4_plugin.so+0x6e5ee)
#15 0x7fdf4f8bc6f4 (/usr/local/lib/vlc/plugins/demux/libmp4_plugin.so+0x3b6f4)
#16 0x7fdf4f8f0063 (/usr/local/lib/vlc/plugins/demux/libmp4_plugin.so+0x6f063)
#17 0x7fdf4f88fa79 (/usr/local/lib/vlc/plugins/demux/libmp4_plugin.so+0xea79)
#18 0x7fdf4f8910e6 (/usr/local/lib/vlc/plugins/demux/libmp4_plugin.so+0x100e6)
#19 0x7fdf5ff151a2 (/usr/local/lib/libvlccore.so.8.0.0+0x1791a2)
#20 0x7fdf5ff14580 (/usr/local/lib/libvlccore.so.8.0.0+0x178580)
#21 0x7fdf5ff14c43 (/usr/local/lib/libvlccore.so.8.0.0+0x178c43)
#22 0x7fdf5ff152fd (/usr/local/lib/libvlccore.so.8.0.0+0x1792fd)
#23 0x7fdf5fe471af (/usr/local/lib/libvlccore.so.8.0.0+0xab1af)
#24 0x7fdf5fe7fa5f (/usr/local/lib/libvlccore.so.8.0.0+0xe3a5f)
#25 0x7fdf5fe764ac (/usr/local/lib/libvlccore.so.8.0.0+0xda4ac)
#26 0x7fdf5fe6ea59 (/usr/local/lib/libvlccore.so.8.0.0+0xd2a59)
#27 0x7fdf5fe15d76 (/usr/local/lib/libvlccore.so.8.0.0+0x79d76)
#28 0x7fdf5fe163da (/usr/local/lib/libvlccore.so.8.0.0+0x7a3da)
#29 0x7fdf60ed4b97 (/usr/lib/x86_64-linux-gnu/libasan.so.0.0.0+0x18b97)
#30 0x7fdf60a5f181 (/lib/x86_64-linux-gnu/libpthread-2.19.so+0x8181)
#31 0x7fdf60587fbc (/lib/x86_64-linux-gnu/libc-2.19.so+0xfafbc)
0x600600041520 is located 105364137972745 bytes inside of global variable '<null>' (0x3200000117) of size 140597298295968
ASAN:SIGSEGV
In:
#7 0x00007fffe3ae8211 in U16_AT (p=0x600600041520) at ../include/vlc_common.h:674
674 memcpy (&x, p, sizeof (x));
GDB bt full:
#7 0x00007fffe3ae8211 in U16_AT (p=0x600600041520) at ../include/vlc_common.h:674
x = 0
#8 0x00007fffe3af505b in MP4_ReadBox_mdhd (p_stream=0x60280000f9d8, p_box=0x601000017aa0) at demux/mp4/libmp4.c:884
i_language = 0
s_creation_time = "X\376\000\000\006\000\000\000\020 \005\345\377\177\000\000\001\037\005\345\006\000\000\000\330\374\000\000(`\000\000\300\037\005\345\377\177\000\000L\215\337\354\377\177\000\000\200 \005\345\377\177\000\000\034\341\063\344\377\177\000\000\000;\346\364\377\177\000\000\035\000\000\000\000\000\000\000\000!\005\345\377\177\000\000\030$\240|\000\020\000\000\020!\005\345\377\177\000\000Fj\342\363\377\177\000\000 !\005\345\006\000\000\000\330\371\000\000(`\000"
s_modification_time = "X\376\000\000(`\000\000\020!\005\345 \000\000\000 !\005\345\377\177\000\000\330\374\000\000(`\000\000P \005\345\377\177\000\000\300\374\002\000&`\000\000\060\375\002\000&`\000\000\f$\240|\000\000\000 \320 \005\345\377\177\000\000;\203\256\343\377\177\000\000\220 \005\345\377\177\000\000\034\341\063\344\377\177\000\000\263\212\265A\000\000\000\000\063\224\262\343\377\177\000\000\240 \005\345\377\177\000\000\360\214\337\354\377\177\000"
s_duration = "\320 \005\345\377\177\000\000\215h\342\363\377\177\000\000\240{\001\000\020`\000\000\330\371\000\000 \000\000\000 !\005\345mdhd\264z\001\000\020`\000\000p!\005\345\377\177\000\000\343\377\177\000\000\240z\001\000\020`\000\000\330\371\000\000(`\000\000 !\005\345\377\177\000\000$$\240|\030\000\000\000\263\212\265A\000\000\000\000\240\226\262\343\377\177\000\000\240!\005\345\377\177\000\000\\\206\256\343\377\177\000"
i_read = -8
p_peek = 0x600600041520 "\003\003"
p_buff = 0x600600041500 ""
i_actually_read = 32
#9 0x00007fffe3b1c5ef in MP4_ReadBox (p_stream=0x60280000f9d8, p_father=0x601000017b20) at demux/mp4/libmp4.c:3673
p_box = 0x601000017aa0
i_index = 27
#10 0x00007fffe3ae96f5 in MP4_ReadBoxContainerChildren (p_stream=0x60280000f9d8, p_container=0x601000017b20, i_last_child=0) at demux/mp4/libmp4.c:211
p_box = 0x914
#11 0x00007fffe3ae9873 in MP4_ReadBoxContainerRaw (p_stream=0x60280000f9d8, p_container=0x601000017b20) at demux/mp4/libmp4.c:231
No locals.
#12 0x00007fffe3ae9939 in MP4_ReadBoxContainer (p_stream=0x60280000f9d8, p_container=0x601000017b20) at demux/mp4/libmp4.c:247
No locals.
#13 0x00007fffe3b1c5ef in MP4_ReadBox (p_stream=0x60280000f9d8, p_father=0x601000017da0) at demux/mp4/libmp4.c:3673
p_box = 0x601000017b20
i_index = 4
#14 0x00007fffe3ae96f5 in MP4_ReadBoxContainerChildren (p_stream=0x60280000f9d8, p_container=0x601000017da0, i_last_child=0) at demux/mp4/libmp4.c:211
p_box = 0x601000017c20
#15 0x00007fffe3ae9873 in MP4_ReadBoxContainerRaw (p_stream=0x60280000f9d8, p_container=0x601000017da0) at demux/mp4/libmp4.c:231
No locals.
#16 0x00007fffe3ae9939 in MP4_ReadBoxContainer (p_stream=0x60280000f9d8, p_container=0x601000017da0) at demux/mp4/libmp4.c:247
No locals.
#17 0x00007fffe3b1c5ef in MP4_ReadBox (p_stream=0x60280000f9d8, p_father=0x601000017f20) at demux/mp4/libmp4.c:3673
p_box = 0x601000017da0
i_index = 2
#18 0x00007fffe3ae96f5 in MP4_ReadBoxContainerChildren (p_stream=0x60280000f9d8, p_container=0x601000017f20, i_last_child=0) at demux/mp4/libmp4.c:211
p_box = 0x601000017e20
#19 0x00007fffe3ae9873 in MP4_ReadBoxContainerRaw (p_stream=0x60280000f9d8, p_container=0x601000017f20) at demux/mp4/libmp4.c:231
No locals.
#20 0x00007fffe3ae9939 in MP4_ReadBoxContainer (p_stream=0x60280000f9d8, p_container=0x601000017f20) at demux/mp4/libmp4.c:247
No locals.
#21 0x00007fffe3b1c5ef in MP4_ReadBox (p_stream=0x60280000f9d8, p_father=0x601000017fa0) at demux/mp4/libmp4.c:3673
p_box = 0x601000017f20
i_index = 0
#22 0x00007fffe3ae96f5 in MP4_ReadBoxContainerChildren (p_stream=0x60280000f9d8, p_container=0x601000017fa0, i_last_child=1987014509) at demux/mp4/libmp4.c:211
p_box = 0x601000017fb4
#23 0x00007fffe3b1d064 in MP4_BoxGetRoot (s=0x60280000f9d8) at demux/mp4/libmp4.c:3844
p_root = 0x601000017fa0
p_stream = 0x60280000f9d8
i_result = 24
p_moov = 0x7fffe5052610
p_cmov = 0x60280000fcd8
#24 0x00007fffe3abca7a in LoadInitFrag (p_demux=0x60280000f858) at demux/mp4/mp4.c:337
p_sys = 0x601c00019480
#25 0x00007fffe3abe0e7 in Open (p_this=0x60280000f858) at demux/mp4/mp4.c:562
p_demux = 0x60280000f858
p_sys = 0x601c00019480
p_peek = 0x7fffe3f3d800 ""
p_ftyp = 0x601a00008da0
p_rmra = 0x7fffe5052590
p_mvhd = 0x600c0001c760
p_trak = 0x7ffff44a52ba <__GI___strdup+26>
i = 24602
b_enabled_es = false
p_fragment = 0x601a00008310
#26 0x00007ffff3ea41a3 in generic_start (func=0x7fffe3abd9b6 <Open>, ap=0x7fffe5052730) at modules/modules.c:351
obj = 0x60280000f858
activate = 0x7fffe3abd9b6 <Open>
#27 0x00007ffff3ea3581 in module_load (obj=0x60280000f858, m=0x601a00007f00, init=0x7ffff3ea4090 <generic_start>, args=0x7fffe5052880) at modules/modules.c:185
ap = {{gp_offset = 48, fp_offset = 48, overflow_arg_area = 0x7fffe50529f0, reg_save_area = 0x7fffe5052920}}
ret = 0
#28 0x00007ffff3ea3c44 in vlc_module_load (obj=0x60280000f858, capability=0x7ffff3f51b20 "demux", name=0x6004000594b3 "", strict=true, probe=0x7ffff3ea4090 <generic_start>)
at modules/modules.c:277
cand = 0x601a00007f00
ret = 0
i = 0
buf = "any\000\000\000\000\000\300\374\002\000&`\000\000\020\375\002\000&`\000\000\000\000\000\000\000\000\000"
slen = 3
shortcut = 0x7fffe50528c0 "any"
var = 0x0
mods = 0x60360003fcc0
total = 66
module = 0x0
b_force_backup = false
args = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fffe50529f0, reg_save_area = 0x7fffe5052920}}
__PRETTY_FUNCTION__ = "vlc_module_load"
#29 0x00007ffff3ea42fe in module_need (obj=0x60280000f858, cap=0x7ffff3f51b20 "demux", name=0x6004000594b0 "any", strict=true) at modules/modules.c:366
No locals.
#30 0x00007ffff3dd61b0 in demux_New (p_obj=0x60220002fdd8, p_parent_input=0x60220002fdd8, psz_access=0x600c00035c00 "file", psz_demux=0x6004000596d0 "",
psz_location=0x600c000359c0 "/tmp/asan_heap-oob_7f1f0b8b8211_601_invalid_mov_time.mov", s=0x60280000f9d8, out=0x60080001ff90, b_quick=true) at input/demux.c:183
psz_ext = 0x600c000358d5 "mov"
psz_module = 0x6004000594b0 "any"
p_demux = 0x60280000f858
exttodemux = {{ext = "aiff", demux = "aiff\000\000\000\000"}, {ext = "asf\000", demux = "asf\000\000\000\000\000"}, {ext = "wmv\000", demux = "asf\000\000\000\000\000"}, {
ext = "wma\000", demux = "asf\000\000\000\000\000"}, {ext = "avi\000", demux = "avi\000\000\000\000\000"}, {ext = "au\000\000", demux = "au\000\000\000\000\000\000"}, {
ext = "flac", demux = "flac\000\000\000\000"}, {ext = "dv\000\000", demux = "dv\000\000\000\000\000\000"}, {ext = "drc\000", demux = "dirac\000\000\000"}, {
ext = "m3u\000", demux = "m3u\000\000\000\000\000"}, {ext = "m3u8", demux = "m3u8\000\000\000\000"}, {ext = "mkv\000", demux = "mkv\000\000\000\000\000"}, {
ext = "mka\000", demux = "mkv\000\000\000\000\000"}, {ext = "mks\000", demux = "mkv\000\000\000\000\000"}, {ext = "mp4\000", demux = "mp4\000\000\000\000\000"}, {
ext = "m4a\000", demux = "mp4\000\000\000\000\000"}, {ext = "mov\000", demux = "mp4\000\000\000\000\000"}, {ext = "moov", demux = "mp4\000\000\000\000\000"}, {
ext = "nsv\000", demux = "nsv\000\000\000\000\000"}, {ext = "ogg\000", demux = "ogg\000\000\000\000\000"}, {ext = "ogm\000", demux = "ogg\000\000\000\000\000"}, {
ext = "oga\000", demux = "ogg\000\000\000\000\000"}, {ext = "spx\000", demux = "ogg\000\000\000\000\000"}, {ext = "ogv\000", demux = "ogg\000\000\000\000\000"}, {
ext = "ogx\000", demux = "ogg\000\000\000\000\000"}, {ext = "opus", demux = "ogg\000\000\000\000\000"}, {ext = "pva\000", demux = "pva\000\000\000\000\000"}, {
ext = "rm\000\000", demux = "avformat"}, {ext = "m4v\000", demux = "m4v\000\000\000\000\000"}, {ext = "h264", demux = "h264\000\000\000\000"}, {ext = "voc\000",
demux = "voc\000\000\000\000\000"}, {ext = "mid\000", demux = "smf\000\000\000\000\000"}, {ext = "rmi\000", demux = "smf\000\000\000\000\000"}, {ext = "kar\000",
demux = "smf\000\000\000\000\000"}, {ext = "\000\000\000\000", demux = "\000\000\000\000\000\000\000\000"}}
exttodemux_quick = {{ext = "mp3", demux = "mpga"}, {ext = "ogg", demux = "ogg\000"}, {ext = "wma", demux = "asf\000"}, {ext = "\000\000\000", demux = "\000\000\000\000"}}
... [cut]
I will post a link to the file in a comment.
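The GDB frame for `MP4_ReadBox_mdhd` above shows `i_actually_read = 32`, `p_peek = p_buff + 0x20` and `i_read = -8`: the cursor has reached the end of a 32-byte box body and the parser is still consuming fields, with the remaining-bytes counter already negative. The following is an added illustration of that shape, written for this page; it is not VLC's code and does not use the reporter's file. It parses an `mdhd` body (layout per the ISO base media file format: 24 bytes for version 0, 36 bytes for version 1) first with an unchecked per-field decrement, then with a length check against the declared version before any field is read. The sample bodies, the field names and the `demo_*` helpers are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Layout of an 'mdhd' box body once the 8-byte box header is gone:
 * version(1) flags(3), creation and modification times (4 bytes each for
 * version 0, 8 bytes each for version 1), timescale(4), duration(4 or 8),
 * language(2), quality(2). That is 24 bytes for version 0, 36 for version 1. */
size_t mdhd_body_len(uint8_t version) { return version == 1 ? 36 : 24; }

typedef struct {
    uint8_t  version;
    uint64_t creation_time, modification_time, duration;
    uint32_t timescale;
    uint16_t language, quality;
} mdhd_t;

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint64_t be64(const uint8_t *p) { return ((uint64_t)be32(p) << 32) | be32(p + 4); }

/* Constructed inputs (not the reporter's file). The first body declares
 * version 1 but carries only 32 of the 36 bytes that layout needs. It sits at
 * the start of a zero-padded arena so the unchecked parser can be run on it
 * here without reading outside this program's own array; in a real demuxer
 * those 4 extra bytes would come from whatever follows the heap allocation. */
#define SHORT_V1_LEN 32
static const uint8_t short_v1_arena[SHORT_V1_LEN + 16] = {
    0x01, 0x00, 0x00, 0x00,                 /* version = 1, flags = 0 */
    0, 0, 0, 0, 0, 0, 0, 0x58,              /* creation_time (8 bytes) */
    0, 0, 0, 0, 0, 0, 0, 0x59,              /* modification_time (8 bytes) */
    0x00, 0x00, 0x03, 0xE8,                 /* timescale = 1000 */
    0, 0, 0, 0, 0, 0, 0x10, 0x00,           /* duration = 4096 */
    /* language and quality (4 bytes) are absent: the body ends here */
};
static const uint8_t good_v0[24] = {
    0x00, 0x00, 0x00, 0x00,                 /* version = 0, flags = 0 */
    0, 0, 0, 0x58, 0, 0, 0, 0x59,           /* creation/modification (4 bytes each) */
    0x00, 0x00, 0x03, 0xE8,                 /* timescale = 1000 */
    0x00, 0x00, 0x10, 0x00,                 /* duration = 4096 */
    0x15, 0xC7,                             /* language: packed ISO-639-2 "eng" */
    0x00, 0x00,                             /* quality */
};

/* Vulnerable shape: a signed "bytes left" counter is decremented for every
 * field, but nothing stops the cursor once it goes negative, so a short
 * version-1 body is read 4 bytes past its end. Returns the final counter. */
long parse_mdhd_unchecked(const uint8_t *body, size_t len, mdhd_t *out) {
    const uint8_t *p = body;
    long left = (long)len;
    out->version = p[0];                  p += 4; left -= 4;
    if (out->version == 1) {
        out->creation_time = be64(p);     p += 8; left -= 8;
        out->modification_time = be64(p); p += 8; left -= 8;
        out->timescale = be32(p);         p += 4; left -= 4;
        out->duration = be64(p);          p += 8; left -= 8;
    } else {
        out->creation_time = be32(p);     p += 4; left -= 4;
        out->modification_time = be32(p); p += 4; left -= 4;
        out->timescale = be32(p);         p += 4; left -= 4;
        out->duration = be32(p);          p += 4; left -= 4;
    }
    /* On the short body p == body + len here: both reads below are out of bounds. */
    out->language = be16(p);              p += 2; left -= 2;
    out->quality  = be16(p);              p += 2; left -= 2;
    return left;
}

/* Hardened form: validate the whole body against the declared version's
 * layout before touching any field. Unknown versions are rejected as well. */
int parse_mdhd_checked(const uint8_t *body, size_t len, mdhd_t *out) {
    if (len < 4) return -1;
    uint8_t version = body[0];
    if (version > 1 || len < mdhd_body_len(version)) return -1;
    (void)parse_mdhd_unchecked(body, len, out);   /* cannot overrun after the check */
    return 0;
}

/* Helpers returning results rather than printing them. */
long demo_short_v1_unchecked(void) { mdhd_t m; return parse_mdhd_unchecked(short_v1_arena, SHORT_V1_LEN, &m); }
int  demo_short_v1_checked(void)   { mdhd_t m; return parse_mdhd_checked(short_v1_arena, SHORT_V1_LEN, &m); }
int  demo_good_v0_ok(void) {
    mdhd_t m;
    if (parse_mdhd_checked(good_v0, sizeof good_v0, &m) != 0) return 0;
    return m.timescale == 1000 && m.duration == 4096 && m.language == 0x15C7;
}

int main(void) {
    printf("unchecked parse of 32-byte v1 body: bytes left = %ld (negative: read past end)\n",
           demo_short_v1_unchecked());
    printf("checked parse of the same body: %s\n", demo_short_v1_checked() == 0 ? "accepted" : "rejected");
    printf("checked parse of a well-formed v0 body: %s\n", demo_good_v0_ok() ? "ok" : "FAILED");
    return 0;
}
```

The check belongs before the first field read, keyed on the version byte, because the version decides how many bytes the body must hold; decrementing a counter after each read only tells you about the overrun once it has happened, which is exactly the state (`i_read = -8`) the backtrace captures.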