Heap Buffer Overflow (READ) in 3.0.0-git Vetinari (revision 63c91494)
There is a Heap Buffer Overflow (READ) vulnerability in demux/libmp4_plugin when parsing a crafted ISM file. ASAN reports a READ of size 1.
ASAN output:
==9288== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x600400058a93 at pc 0x7fffe38df69a bp 0x7fffe504e1b0 sp 0x7fffe504e1a8
READ of size 1 at 0x600400058a93 thread T3
[New Thread 0x7fffe2f5a700 (LWP 9297)]
[New Thread 0x7fffe2b53700 (LWP 9298)]
==9288== AddressSanitizer: while reporting a bug found another one.Ignoring.
#0 0x7fffe38df699 (/usr/local/lib/vlc/plugins/demux/libmp4_plugin.so+0x74699)
#1 0x7fffe38e27f6 (/usr/local/lib/vlc/plugins/demux/libmp4_plugin.so+0x777f6)
#2 0x7fffe38adfea (/usr/local/lib/vlc/plugins/demux/libmp4_plugin.so+0x42fea)
#3 0x7fffe38ae168 (/usr/local/lib/vlc/plugins/demux/libmp4_plugin.so+0x43168)
#4 0x7fffe38ae22e (/usr/local/lib/vlc/plugins/demux/libmp4_plugin.so+0x4322e)
#5 0x7fffe38e27f6 (/usr/local/lib/vlc/plugins/demux/libmp4_plugin.so+0x777f6)
#6 0x7fffe38adfea (/usr/local/lib/vlc/plugins/demux/libmp4_plugin.so+0x42fea)
#7 0x7fffe38ae168 (/usr/local/lib/vlc/plugins/demux/libmp4_plugin.so+0x43168)
#8 0x7fffe38ae22e (/usr/local/lib/vlc/plugins/demux/libmp4_plugin.so+0x4322e)
#9 0x7fffe38e27f6 (/usr/local/lib/vlc/plugins/demux/libmp4_plugin.so+0x777f6)
#10 0x7fffe38adfea (/usr/local/lib/vlc/plugins/demux/libmp4_plugin.so+0x42fea)
#11 0x7fffe38a58e3 (/usr/local/lib/vlc/plugins/demux/libmp4_plugin.so+0x3a8e3)
#12 0x7fffe3880dfd (/usr/local/lib/vlc/plugins/demux/libmp4_plugin.so+0x15dfd)
#13 0x7ffff3ea4242 (/usr/local/lib/libvlccore.so.8.0.0+0x179242)
#14 0x7ffff3ea3620 (/usr/local/lib/libvlccore.so.8.0.0+0x178620)
#15 0x7ffff3ea3ce3 (/usr/local/lib/libvlccore.so.8.0.0+0x178ce3)
#16 0x7ffff3ea439d (/usr/local/lib/libvlccore.so.8.0.0+0x17939d)
#17 0x7ffff3dd61df (/usr/local/lib/libvlccore.so.8.0.0+0xab1df)
#18 0x7ffff3e0ea8f (/usr/local/lib/libvlccore.so.8.0.0+0xe3a8f)
#19 0x7ffff3e054dc (/usr/local/lib/libvlccore.so.8.0.0+0xda4dc)
#20 0x7ffff3dfda89 (/usr/local/lib/libvlccore.so.8.0.0+0xd2a89)
#21 0x7ffff3da4da6 (/usr/local/lib/libvlccore.so.8.0.0+0x79da6)
#22 0x7ffff3da540a (/usr/local/lib/libvlccore.so.8.0.0+0x7a40a)
#23 0x7ffff4e63b97 (/usr/lib/x86_64-linux-gnu/libasan.so.0.0.0+0x18b97)
#24 0x7ffff49ee181 (/lib/x86_64-linux-gnu/libpthread-2.19.so+0x8181)
#25 0x7ffff4516fbc (/lib/x86_64-linux-gnu/libc-2.19.so+0xfafbc)
0x600400058a93 is located 104479374854683 bytes inside
Program received signal SIGSEGV, Segmentation fault.
In:
#7 0x00007fffe38df69a in MP4_ReadBox_sdtp (p_stream=0x60280000f9d8, p_box=0x60160008b940) at demux/mp4/libmp4.c:3227
3227 msg_Dbg( p_stream,
GDB bt full:
#7 0x00007fffe38df69a in MP4_ReadBox_sdtp (p_stream=0x60280000f9d8, p_box=0x60160008b940) at demux/mp4/libmp4.c:3227
i_sample_count = 2
i_read = 0
p_peek = 0x600400058ade ""
p_buff = 0x600400058ad0 ""
i_actually_read = 14
p_sdtp = 0x600400058ab0
#8 0x00007fffe38e27f7 in MP4_ReadBox (p_stream=0x60280000f9d8, p_father=0x60160008bb50) at demux/mp4/libmp4.c:3778
p_box = 0x60160008b940
i_index = 224
#9 0x00007fffe38adfeb in MP4_ReadBoxContainerChildren (p_stream=0x60280000f9d8, p_container=0x60160008bb50, i_last_child=0) at demux/mp4/libmp4.c:212
p_box = 0x60160008b9f0
#10 0x00007fffe38ae169 in MP4_ReadBoxContainerRaw (p_stream=0x60280000f9d8, p_container=0x60160008bb50) at demux/mp4/libmp4.c:232
No locals.
#11 0x00007fffe38ae22f in MP4_ReadBoxContainer (p_stream=0x60280000f9d8, p_container=0x60160008bb50) at demux/mp4/libmp4.c:248
No locals.
#12 0x00007fffe38e27f7 in MP4_ReadBox (p_stream=0x60280000f9d8, p_father=0x60160008bcb0) at demux/mp4/libmp4.c:3778
p_box = 0x60160008bb50
i_index = 216
#13 0x00007fffe38adfeb in MP4_ReadBoxContainerChildren (p_stream=0x60280000f9d8, p_container=0x60160008bcb0, i_last_child=0) at demux/mp4/libmp4.c:212
p_box = 0x60160008bc00
#14 0x00007fffe38ae169 in MP4_ReadBoxContainerRaw (p_stream=0x60280000f9d8, p_container=0x60160008bcb0) at demux/mp4/libmp4.c:232
No locals.
#15 0x00007fffe38ae22f in MP4_ReadBoxContainer (p_stream=0x60280000f9d8, p_container=0x60160008bcb0) at demux/mp4/libmp4.c:248
No locals.
#16 0x00007fffe38e27f7 in MP4_ReadBox (p_stream=0x60280000f9d8, p_father=0x60160008ed80) at demux/mp4/libmp4.c:3778
p_box = 0x60160008bcb0
i_index = 5
#17 0x00007fffe38adfeb in MP4_ReadBoxContainerChildren (p_stream=0x60280000f9d8, p_container=0x60160008ed80, i_last_child=0) at demux/mp4/libmp4.c:212
p_box = 0x60160008bd60
#18 0x00007fffe38a58e4 in ProbeFragments (p_demux=0x60280000f858, b_force=false) at demux/mp4/mp4.c:4915
p_sys = 0x60240000fe00
i_current_pos = 1196
__PRETTY_FUNCTION__ = "ProbeFragments"
p_moof = 0x7fffe504e460
p_mdat = 0x1e504f6f8
#19 0x00007fffe3880dfe in Open (p_this=0x60280000f858) at demux/mp4/mp4.c:600
p_demux = 0x60280000f858
p_sys = 0x60240000fe00
p_peek = 0x7fffe3d36800 ""
p_ftyp = 0x601a00008da0
p_rmra = 0x7fffe504e590
p_mvhd = 0x600c0001c760
p_trak = 0x7ffff44a52ba <__GI___strdup+26>
i = 24602
b_enabled_es = false
p_fragment = 0x601a00008310
#20 0x00007ffff3ea4243 in generic_start (func=0x7fffe3880618 <Open>, ap=0x7fffe504e730) at modules/modules.c:351
obj = 0x60280000f858
activate = 0x7fffe3880618 <Open>
#21 0x00007ffff3ea3621 in module_load (obj=0x60280000f858, m=0x601a00007f00, init=0x7ffff3ea4130 <generic_start>, args=0x7fffe504e880) at modules/modules.c:185
ap = {{gp_offset = 48, fp_offset = 48, overflow_arg_area = 0x7fffe504e9f0, reg_save_area = 0x7fffe504e920}}
ret = 0
#22 0x00007ffff3ea3ce4 in vlc_module_load (obj=0x60280000f858, capability=0x7ffff3f51be0 "demux", name=0x6004000594b3 "", strict=true, probe=0x7ffff3ea4130 <generic_start>)
at modules/modules.c:277
cand = 0x601a00007f00
ret = 0
i = 0
buf = "any\000\000\000\000\000\300\374\002\000&`\000\000\020\375\002\000&`\000\000\000\000\000\000\000\000\000"
slen = 3
shortcut = 0x7fffe504e8c0 "any"
var = 0x0
mods = 0x60360003fcc0
total = 66
module = 0x0
b_force_backup = false
args = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fffe504e9f0, reg_save_area = 0x7fffe504e920}}
__PRETTY_FUNCTION__ = "vlc_module_load"
#23 0x00007ffff3ea439e in module_need (obj=0x60280000f858, cap=0x7ffff3f51be0 "demux", name=0x6004000594b0 "any", strict=true) at modules/modules.c:366
No locals.
#24 0x00007ffff3dd61e0 in demux_New (p_obj=0x60220002fdd8, p_parent_input=0x60220002fdd8, psz_access=0x600c00035c60 "file", psz_demux=0x6004000596d0 "",
psz_location=0x600c00035a20 "/tmp/asan_heap-oob_7f16b964f69a_4743_vc1-wmapro.ism", s=0x60280000f9d8, out=0x60080001ff50, b_quick=true) at input/demux.c:183
psz_ext = 0x600c00035930 "ism"
psz_module = 0x6004000594b0 "any"
p_demux = 0x60280000f858
exttodemux = {{ext = "aiff", demux = "aiff\000\000\000\000"}, {ext = "asf\000", demux = "asf\000\000\000\000\000"}, {ext = "wmv\000", demux = "asf\000\000\000\000\000"}, {
ext = "wma\000", demux = "asf\000\000\000\000\000"}, {ext = "avi\000", demux = "avi\000\000\000\000\000"}, {ext = "au\000\000", demux = "au\000\000\000\000\000\000"}, {
ext = "flac", demux = "flac\000\000\000\000"}, {ext = "dv\000\000", demux = "dv\000\000\000\000\000\000"}, {ext = "drc\000", demux = "dirac\000\000\000"}, {
ext = "m3u\000", demux = "m3u\000\000\000\000\000"}, {ext = "m3u8", demux = "m3u8\000\000\000\000"}, {ext = "mkv\000", demux = "mkv\000\000\000\000\000"}, {
ext = "mka\000", demux = "mkv\000\000\000\000\000"}, {ext = "mks\000", demux = "mkv\000\000\000\000\000"}, {ext = "mp4\000", demux = "mp4\000\000\000\000\000"}, {
ext = "m4a\000", demux = "mp4\000\000\000\000\000"}, {ext = "mov\000", demux = "mp4\000\000\000\000\000"}, {ext = "moov", demux = "mp4\000\000\000\000\000"}, {
ext = "nsv\000", demux = "nsv\000\000\000\000\000"}, {ext = "ogg\000", demux = "ogg\000\000\000\000\000"}, {ext = "ogm\000", demux = "ogg\000\000\000\000\000"}, {
ext = "oga\000", demux = "ogg\000\000\000\000\000"}, {ext = "spx\000", demux = "ogg\000\000\000\000\000"}, {ext = "ogv\000", demux = "ogg\000\000\000\000\000"}, {
ext = "ogx\000", demux = "ogg\000\000\000\000\000"}, {ext = "opus", demux = "ogg\000\000\000\000\000"}, {ext = "pva\000", demux = "pva\000\000\000\000\000"}, {
ext = "rm\000\000", demux = "avformat"}, {ext = "m4v\000", demux = "m4v\000\000\000\000\000"}, {ext = "h264", demux = "h264\000\000\000\000"}, {ext = "voc\000",
demux = "voc\000\000\000\000\000"}, {ext = "mid\000", demux = "smf\000\000\000\000\000"}, {ext = "rmi\000", demux = "smf\000\000\000\000\000"}, {ext = "kar\000",
demux = "smf\000\000\000\000\000"}, {ext = "\000\000\000\000", demux = "\000\000\000\000\000\000\000\000"}}
exttodemux_quick = {{ext = "mp3", demux = "mpga"}, {ext = "ogg", demux = "ogg\000"}, {ext = "wma", demux = "asf\000"}, {ext = "\000\000\000", demux = "\000\000\000\000"}}
...
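As an added example (not VLC's code, not its fix, and not taken from the report above): a bounds-disciplined reader for the payload of an 'sdtp' box in C, written from the defender's side. The report's faulting frame sits inside a msg_Dbg call in MP4_ReadBox_sdtp with i_sample_count = 2, so the example deliberately includes a diagnostic summary that is held to the same bound as the parsing loop and the accessor. The box layout assumed here is the one in ISO/IEC 14496-12 (4 bytes of version/flags, then one byte per sample carrying four 2-bit fields); the function names, the struct, the summary limit and the sample bytes are constructed for this example.

```c
/* Added example, not VLC's code.  A bounds-disciplined reader for the payload
 * of an ISO BMFF 'sdtp' (sample dependency type) box, plus a diagnostic
 * summary that respects the same bound.  Layout assumed from ISO/IEC 14496-12:
 * 4 bytes of version/flags, then one byte per sample with four 2-bit fields.
 * Names, limits and the sample bytes are constructed for this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SDTP_HEADER_LEN 4u    /* version (1 byte) + flags (3 bytes) */
#define SDTP_SUMMARY_MAX 4u   /* entries a debug line shows at most (assumed limit) */

struct sdtp_table {
    uint32_t count;           /* number of valid bytes in 'entries' */
    uint8_t *entries;         /* calloc'd; exactly 'count' bytes */
};

/* Parses 'payload_len' bytes of box payload (the bytes after the box header).
 * The entry count is derived from the bytes actually present, never from a
 * count found elsewhere in the file.  Returns 0 on success, -1 if malformed. */
int sdtp_parse(const uint8_t *payload, size_t payload_len, struct sdtp_table *t)
{
    if (payload == NULL || t == NULL || payload_len < SDTP_HEADER_LEN)
        return -1;                                /* no room for version/flags */
    size_t n = payload_len - SDTP_HEADER_LEN;     /* one byte per sample */
    if (n > UINT32_MAX)
        return -1;
    t->entries = calloc(n ? n : 1, 1);            /* avoid calloc(0) ambiguity */
    if (t->entries == NULL)
        return -1;
    memcpy(t->entries, payload + SDTP_HEADER_LEN, n);
    t->count = (uint32_t)n;
    return 0;
}

void sdtp_free(struct sdtp_table *t)
{
    free(t->entries);
    t->entries = NULL;
    t->count = 0;
}

/* Decodes one entry's 2-bit fields.  Returns -1 when 'i' is out of range
 * instead of reading past the table. */
int sdtp_get(const struct sdtp_table *t, uint32_t i,
             uint8_t *depends_on, uint8_t *is_depended_on, uint8_t *has_redundancy)
{
    if (t == NULL || i >= t->count)
        return -1;
    uint8_t b = t->entries[i];
    if (depends_on)     *depends_on     = (b >> 4) & 0x3;
    if (is_depended_on) *is_depended_on = (b >> 2) & 0x3;
    if (has_redundancy) *has_redundancy =  b       & 0x3;
    return 0;
}

/* Formats the head of the table for a debug log line.  Shows at most
 * SDTP_SUMMARY_MAX entries and never more than exist: the bound applies to
 * diagnostics exactly as it does to the parsing loop.  Returns the number of
 * entries written into 'buf'. */
unsigned sdtp_head_summary(const struct sdtp_table *t, char *buf, size_t buf_len)
{
    unsigned shown = 0;
    size_t used = 0;
    if (buf_len)
        buf[0] = '\0';
    unsigned limit = t->count < SDTP_SUMMARY_MAX ? t->count : SDTP_SUMMARY_MAX;
    for (unsigned i = 0; i < limit; i++) {
        int w = snprintf(buf + used, buf_len - used, "%s%02x",
                         i ? " " : "", t->entries[i]);
        if (w < 0 || (size_t)w >= buf_len - used)
            break;                                /* output buffer full; stop cleanly */
        used += (size_t)w;
        shown++;
    }
    return shown;
}

/* Constructed payload: version/flags plus two sample bytes, i.e. a table of
 * exactly two entries (the count seen in the report's locals). */
static const uint8_t k_two_samples[] = { 0x00, 0x00, 0x00, 0x00, 0x24, 0x18 };

int main(void)
{
    struct sdtp_table t;
    char line[64];
    if (sdtp_parse(k_two_samples, sizeof k_two_samples, &t) != 0)
        return 1;
    unsigned shown = sdtp_head_summary(&t, line, sizeof line);
    printf("sdtp: %u entries, head: %s (%u shown)\n", t.count, line, shown);
    sdtp_free(&t);
    return 0;
}
```

The design point is that the table's length is the single source of truth: the accessor, the loop and the log line all bound themselves by t->count, so a box that carries fewer bytes than a debug statement expects yields a shorter line rather than an out-of-bounds read.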