Heap buffer overflow (READ) in 2.2.0-git-848-gbba3fa44
There is a 2-byte heap buffer overflow (read) when playing a specially crafted mov file.
ASAN output:
==22865== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x600e00029e3a at pc 0x7f0371ff1b51 bp 0x7f037379b220 sp 0x7f037379b218
READ of size 2 at 0x600e00029e3a thread T3
#0 0x7f0371ff1b50 (/usr/local/lib/vlc/plugins/demux/libmp4_plugin.so+0x1eb50)
#1 0x7f0371ffb174 (/usr/local/lib/vlc/plugins/demux/libmp4_plugin.so+0x28174)
#2 0x7f0371fe49b5 (/usr/local/lib/vlc/plugins/demux/libmp4_plugin.so+0x119b5)
#3 0x7f03826671a2 (/usr/local/lib/libvlccore.so.8.0.0+0x1791a2)
#4 0x7f0382666580 (/usr/local/lib/libvlccore.so.8.0.0+0x178580)
#5 0x7f0382666c43 (/usr/local/lib/libvlccore.so.8.0.0+0x178c43)
#6 0x7f03826672fd (/usr/local/lib/libvlccore.so.8.0.0+0x1792fd)
#7 0x7f03825991af (/usr/local/lib/libvlccore.so.8.0.0+0xab1af)
#8 0x7f03825d1a5f (/usr/local/lib/libvlccore.so.8.0.0+0xe3a5f)
#9 0x7f03825c84ac (/usr/local/lib/libvlccore.so.8.0.0+0xda4ac)
#10 0x7f03825c0a59 (/usr/local/lib/libvlccore.so.8.0.0+0xd2a59)
#11 0x7f0382567d76 (/usr/local/lib/libvlccore.so.8.0.0+0x79d76)
#12 0x7f03825683da (/usr/local/lib/libvlccore.so.8.0.0+0x7a3da)
#13 0x7f0383626b97 (/usr/lib/x86_64-linux-gnu/libasan.so.0.0.0+0x18b97)
#14 0x7f03831b1181 (/lib/x86_64-linux-gnu/libpthread-2.19.so+0x8181)
#15 0x7f0382cd9fbc (/lib/x86_64-linux-gnu/libc-2.19.so+0xfafbc)
0x600e00029e3a is located 105398497615139 bytes inside of global variable '<null>' (0x3200000117) of size 139652983592096
ASAN:SIGSEGV
In:
#7 0x00007fffe3accb51 in TrackCreateES (p_demux=0x60280000f858, p_track=0x60380001fb80, i_chunk=0, pp_es=0x60380001fd10) at demux/mp4/mp4.c:2315
2315 p_sample->data.p_sample_vide->i_depth;
GDB bt full:
#7 0x00007fffe3accb51 in TrackCreateES (p_demux=0x60280000f858, p_track=0x60380001fb80, i_chunk=0, pp_es=0x60380001fd10) at demux/mp4/mp4.c:2315
p_soun = 0x1000000b7
p_chan = 0x2
p_sys = 0x601c00019480
i_sample_description_index = 1
p_sample = 0x6010000168a0
p_esds = 0x7fffe3acbd47 <TrackCreateSamplesIndex+10043>
p_frma = 0x0
p_enda = 0x0
p_pasp = 0x0
#8 0x00007fffe3ad6175 in MP4_TrackCreate (p_demux=0x60280000f858, p_track=0x60380001fb80, p_box_trak=0x6010000170a0, b_force_enable=false) at demux/mp4/mp4.c:3396
p_sys = 0x601c00019480
p_tkhd = 0x601000017020
p_tref = 0x0
p_elst = 0x601000016ea0
p_mdhd = 0x601000016da0
p_udta = 0x601000016520
p_hdlr = 0x601000016d20
p_vmhd = 0x601000016c20
p_smhd = 0x0
language = "en\000"
#9 0x00007fffe3abf9b6 in Open (p_this=0x60280000f858) at demux/mp4/mp4.c:809
p_demux = 0x60280000f858
p_sys = 0x601c00019480
p_peek = 0x7fffe4143800 ""
p_ftyp = 0x0
p_rmra = 0x0
p_mvhd = 0x601000017120
p_trak = 0x6010000170a0
i = 0
b_enabled_es = true
p_fragment = 0x601a00008310
#10 0x00007ffff3ea41a3 in generic_start (func=0x7fffe3abd9b6 <Open>, ap=0x7fffe5052730) at modules/modules.c:351
obj = 0x60280000f858
activate = 0x7fffe3abd9b6 <Open>
#11 0x00007ffff3ea3581 in module_load (obj=0x60280000f858, m=0x601a00007f00, init=0x7ffff3ea4090 <generic_start>, args=0x7fffe5052880) at modules/modules.c:185
ap = {{gp_offset = 48, fp_offset = 48, overflow_arg_area = 0x7fffe50529f0, reg_save_area = 0x7fffe5052920}}
ret = 0
#12 0x00007ffff3ea3c44 in vlc_module_load (obj=0x60280000f858, capability=0x7ffff3f51b20 "demux", name=0x6004000594b3 "", strict=true, probe=0x7ffff3ea4090 <generic_start>) at modules/modules.c:277
cand = 0x601a00007f00
ret = 0
i = 0
buf = "any\000\000\000\000\000\300\374\002\000&`\000\000\020\375\002\000&`\000\000\000\000\000\000\000\000\000"
slen = 3
shortcut = 0x7fffe50528c0 "any"
var = 0x0
mods = 0x60360003fcc0
total = 66
module = 0x0
b_force_backup = false
args = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fffe50529f0, reg_save_area = 0x7fffe5052920}}
__PRETTY_FUNCTION__ = "vlc_module_load"
... [cut]
File is in comments.