Heap Buffer Overflow (WRITE) in 3.0.0-git Vetinari (revision 63c91494)
There is a Heap Buffer Overflow (WRITE) vulnerability in demux/libmp4_plugin when parsing a crafted M4A file. ASAN reports a WRITE of size 1.
ASAN output:
==20563== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x600400059367 at pc 0x7fffe38dc1e4 bp 0x7fffe504e1b0 sp 0x7fffe504e1a8
WRITE of size 1 at 0x600400059367 thread T3
#0 0x7fffe38dc1e3 (/usr/local/lib/vlc/plugins/demux/libmp4_plugin.so+0x711e3)
#1 0x7fffe38e27f6 (/usr/local/lib/vlc/plugins/demux/libmp4_plugin.so+0x777f6)
#2 0x7fffe38adfea (/usr/local/lib/vlc/plugins/demux/libmp4_plugin.so+0x42fea)
#3 0x7fffe38ae168 (/usr/local/lib/vlc/plugins/demux/libmp4_plugin.so+0x43168)
#4 0x7fffe38ae22e (/usr/local/lib/vlc/plugins/demux/libmp4_plugin.so+0x4322e)
#5 0x7fffe38e27f6 (/usr/local/lib/vlc/plugins/demux/libmp4_plugin.so+0x777f6)
#6 0x7fffe38adfea (/usr/local/lib/vlc/plugins/demux/libmp4_plugin.so+0x42fea)
#7 0x7fffe38ae168 (/usr/local/lib/vlc/plugins/demux/libmp4_plugin.so+0x43168)
#8 0x7fffe38ae22e (/usr/local/lib/vlc/plugins/demux/libmp4_plugin.so+0x4322e)
#9 0x7fffe38e27f6 (/usr/local/lib/vlc/plugins/demux/libmp4_plugin.so+0x777f6)
#10 0x7fffe38adfea (/usr/local/lib/vlc/plugins/demux/libmp4_plugin.so+0x42fea)
#11 0x7fffe38e31e7 (/usr/local/lib/vlc/plugins/demux/libmp4_plugin.so+0x781e7)
#12 0x7fffe387f3f2 (/usr/local/lib/vlc/plugins/demux/libmp4_plugin.so+0x143f2)
#13 0x7fffe3880d48 (/usr/local/lib/vlc/plugins/demux/libmp4_plugin.so+0x15d48)
#14 0x7ffff3ea4242 (/usr/local/lib/libvlccore.so.8.0.0+0x179242)
#15 0x7ffff3ea3620 (/usr/local/lib/libvlccore.so.8.0.0+0x178620)
#16 0x7ffff3ea3ce3 (/usr/local/lib/libvlccore.so.8.0.0+0x178ce3)
#17 0x7ffff3ea439d (/usr/local/lib/libvlccore.so.8.0.0+0x17939d)
#18 0x7ffff3dd61df (/usr/local/lib/libvlccore.so.8.0.0+0xab1df)
#19 0x7ffff3e0ea8f (/usr/local/lib/libvlccore.so.8.0.0+0xe3a8f)
#20 0x7ffff3e054dc (/usr/local/lib/libvlccore.so.8.0.0+0xda4dc)
#21 0x7ffff3dfda89 (/usr/local/lib/libvlccore.so.8.0.0+0xd2a89)
#22 0x7ffff3da4da6 (/usr/local/lib/libvlccore.so.8.0.0+0x79da6)
#23 0x7ffff3da540a (/usr/local/lib/libvlccore.so.8.0.0+0x7a40a)
#24 0x7ffff4e63b97 (/usr/lib/x86_64-linux-gnu/libasan.so.0.0.0+0x18b97)
#25 0x7ffff49ee181 (/lib/x86_64-linux-gnu/libpthread-2.19.so+0x8181)
#26 0x7ffff4516fbc (/lib/x86_64-linux-gnu/libc-2.19.so+0xfafbc)
0x600400059367 is located 104479374856943 bytes inside
Program received signal SIGSEGV, Segmentation fault.
GDB bt full:
#7 0x00007fffe38dc1e4 in MP4_ReadBox_chpl (p_stream=0x60280000f9d8, p_box=0x60160008e330) at demux/mp4/libmp4.c:3018
i_start = 0
i_len = 0 '\000'
i_copy = -9
p_chpl = 0x60620003df00
i_dummy = 0
i = 1
i_read = -9
p_peek = 0x60060004148a ""
p_buff = 0x600600041470 ""
i_actually_read = 26
#8 0x00007fffe38e27f7 in MP4_ReadBox (p_stream=0x60280000f9d8, p_father=0x60160008e800) at demux/mp4/libmp4.c:3778
p_box = 0x60160008e330
i_index = 209
#9 0x00007fffe38adfeb in MP4_ReadBoxContainerChildren (p_stream=0x60280000f9d8, p_container=0x60160008e800, i_last_child=0) at demux/mp4/libmp4.c:212
p_box = 0x60160008e6a0
#10 0x00007fffe38ae169 in MP4_ReadBoxContainerRaw (p_stream=0x60280000f9d8, p_container=0x60160008e800) at demux/mp4/libmp4.c:232
No locals.
#11 0x00007fffe38ae22f in MP4_ReadBoxContainer (p_stream=0x60280000f9d8, p_container=0x60160008e800) at demux/mp4/libmp4.c:248
No locals.
#12 0x00007fffe38e27f7 in MP4_ReadBox (p_stream=0x60280000f9d8, p_father=0x60160008ec20) at demux/mp4/libmp4.c:3778
p_box = 0x60160008e800
i_index = 11
#13 0x00007fffe38adfeb in MP4_ReadBoxContainerChildren (p_stream=0x60280000f9d8, p_container=0x60160008ec20, i_last_child=0) at demux/mp4/libmp4.c:212
p_box = 0x60160008ea10
#14 0x00007fffe38ae169 in MP4_ReadBoxContainerRaw (p_stream=0x60280000f9d8, p_container=0x60160008ec20) at demux/mp4/libmp4.c:232
No locals.
#15 0x00007fffe38ae22f in MP4_ReadBoxContainer (p_stream=0x60280000f9d8, p_container=0x60160008ec20) at demux/mp4/libmp4.c:248
No locals.
#16 0x00007fffe38e27f7 in MP4_ReadBox (p_stream=0x60280000f9d8, p_father=0x60160008ed80) at demux/mp4/libmp4.c:3778
p_box = 0x60160008ec20
i_index = 0
#17 0x00007fffe38adfeb in MP4_ReadBoxContainerChildren (p_stream=0x60280000f9d8, p_container=0x60160008ed80, i_last_child=1987014509) at demux/mp4/libmp4.c:212
p_box = 0x60160008ecd0
#18 0x00007fffe38e31e8 in MP4_BoxGetRoot (s=0x60280000f9d8) at demux/mp4/libmp4.c:3942
p_root = 0x60160008ed80
p_stream = 0x60280000f9d8
i_result = 24
p_moov = 0x7fffe504e610
p_cmov = 0x60280000fcd8
#19 0x00007fffe387f3f3 in LoadInitFrag (p_demux=0x60280000f858) at demux/mp4/mp4.c:347
p_sys = 0x60240000fe00
#20 0x00007fffe3880d49 in Open (p_this=0x60280000f858) at demux/mp4/mp4.c:591
p_demux = 0x60280000f858
p_sys = 0x60240000fe00
p_peek = 0x7fffe3d36800 ""
p_ftyp = 0x601a00008da0
p_rmra = 0x7fffe504e590
p_mvhd = 0x600c0001c760
p_trak = 0x7ffff44a52ba <__GI___strdup+26>
i = 24602
b_enabled_es = false
p_fragment = 0x601a00008310
#21 0x00007ffff3ea4243 in generic_start (func=0x7fffe3880618 <Open>, ap=0x7fffe504e730) at modules/modules.c:351
obj = 0x60280000f858
activate = 0x7fffe3880618 <Open>
#22 0x00007ffff3ea3621 in module_load (obj=0x60280000f858, m=0x601a00007f00, init=0x7ffff3ea4130 <generic_start>, args=0x7fffe504e880) at modules/modules.c:185
ap = {{gp_offset = 48, fp_offset = 48, overflow_arg_area = 0x7fffe504e9f0, reg_save_area = 0x7fffe504e920}}
ret = 0
#23 0x00007ffff3ea3ce4 in vlc_module_load (obj=0x60280000f858, capability=0x7ffff3f51be0 "demux", name=0x6004000594b3 "", strict=true, probe=0x7ffff3ea4130 <generic_start>)
at modules/modules.c:277
cand = 0x601a00007f00
ret = 0
i = 0
buf = "any\000\000\000\000\000\300\374\002\000&`\000\000\020\375\002\000&`\000\000\000\000\000\000\000\000\000"
slen = 3
shortcut = 0x7fffe504e8c0 "any"
var = 0x0
mods = 0x60360003fcc0
total = 66
module = 0x0
b_force_backup = false
args = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fffe504e9f0, reg_save_area = 0x7fffe504e920}}
__PRETTY_FUNCTION__ = "vlc_module_load"
#24 0x00007ffff3ea439e in module_need (obj=0x60280000f858, cap=0x7ffff3f51be0 "demux", name=0x6004000594b0 "any", strict=true) at modules/modules.c:366
No locals.
#25 0x00007ffff3dd61e0 in demux_New (p_obj=0x60220002fdd8, p_parent_input=0x60220002fdd8, psz_access=0x600c00035c60 "file", psz_demux=0x6004000596d0 "",
psz_location=0x600c00035a20 "/tmp/asan_heap-oob_7f8358fc21e4_391_8_Channel_ID.m4a", s=0x60280000f9d8, out=0x60080001ff50, b_quick=true) at input/demux.c:183
psz_ext = 0x600c00035931 "m4a"
psz_module = 0x6004000594b0 "any"
p_demux = 0x60280000f858
exttodemux = {{ext = "aiff", demux = "aiff\000\000\000\000"}, {ext = "asf\000", demux = "asf\000\000\000\000\000"}, {ext = "wmv\000", demux = "asf\000\000\000\000\000"}, {
ext = "wma\000", demux = "asf\000\000\000\000\000"}, {ext = "avi\000", demux = "avi\000\000\000\000\000"}, {ext = "au\000\000", demux = "au\000\000\000\000\000\000"}, {
ext = "flac", demux = "flac\000\000\000\000"}, {ext = "dv\000\000", demux = "dv\000\000\000\000\000\000"}, {ext = "drc\000", demux = "dirac\000\000\000"}, {
ext = "m3u\000", demux = "m3u\000\000\000\000\000"}, {ext = "m3u8", demux = "m3u8\000\000\000\000"}, {ext = "mkv\000", demux = "mkv\000\000\000\000\000"}, {
ext = "mka\000", demux = "mkv\000\000\000\000\000"}, {ext = "mks\000", demux = "mkv\000\000\000\000\000"}, {ext = "mp4\000", demux = "mp4\000\000\000\000\000"}, {
ext = "m4a\000", demux = "mp4\000\000\000\000\000"}, {ext = "mov\000", demux = "mp4\000\000\000\000\000"}, {ext = "moov", demux = "mp4\000\000\000\000\000"}, {
ext = "nsv\000", demux = "nsv\000\000\000\000\000"}, {ext = "ogg\000", demux = "ogg\000\000\000\000\000"}, {ext = "ogm\000", demux = "ogg\000\000\000\000\000"}, {
ext = "oga\000", demux = "ogg\000\000\000\000\000"}, {ext = "spx\000", demux = "ogg\000\000\000\000\000"}, {ext = "ogv\000", demux = "ogg\000\000\000\000\000"}, {
ext = "ogx\000", demux = "ogg\000\000\000\000\000"}, {ext = "opus", demux = "ogg\000\000\000\000\000"}, {ext = "pva\000", demux = "pva\000\000\000\000\000"}, {
ext = "rm\000\000", demux = "avformat"}, {ext = "m4v\000", demux = "m4v\000\000\000\000\000"}, {ext = "h264", demux = "h264\000\000\000\000"}, {ext = "voc\000",
demux = "voc\000\000\000\000\000"}, {ext = "mid\000", demux = "smf\000\000\000\000\000"}, {ext = "rmi\000", demux = "smf\000\000\000\000\000"}, {ext = "kar\000",
demux = "smf\000\000\000\000\000"}, {ext = "\000\000\000\000", demux = "\000\000\000\000\000\000\000\000"}}
exttodemux_quick = {{ext = "mp3", demux = "mpga"}, {ext = "ogg", demux = "ogg\000"}, {ext = "wma", demux = "asf\000"}, {ext = "\000\000\000", demux = "\000\000\000\000"}}
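The frame #7 locals (i_len = 0, i_read = -9, i_copy = -9, a 1-byte WRITE) are the signature of a per-entry read that is allowed to drive the remaining-byte counter negative and then uses that value as an index. The following added example is not VLC's code: it sketches a bounds-checked reader for a chpl-style entry list (8-byte start, 1-byte name length, name) in which the remaining count is unsigned, is checked before every read, and a declared count or name length that overruns the box is rejected rather than clamped; parse_chapters, MAX_CHAPTERS and the sample payload are assumptions for this illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Illustration only (not libmp4.c). Each entry: 8-byte big-endian start,
 * 1-byte name length, then the name bytes. */
typedef struct { uint64_t start; char *name; } chapter_t;

#define MAX_CHAPTERS 16   /* hypothetical cap on the declared entry count */

/* Parses `count` entries from buf[0..len). Returns the number parsed, or -1
 * if the payload is truncated or malformed (all names allocated so far are
 * freed). Never reads past len; the NUL index is always < malloc size. */
static int parse_chapters(const uint8_t *buf, size_t len, unsigned count, chapter_t *out)
{
    size_t remaining = len;          /* unsigned: cannot become -9 */
    const uint8_t *p = buf;
    unsigned n = 0;
    if (count > MAX_CHAPTERS) return -1;     /* declared count must be plausible */
    for (unsigned i = 0; i < count; i++) {
        if (remaining < 9) goto fail;        /* entry header would overrun the box */
        uint64_t start = 0;
        for (int k = 0; k < 8; k++) start = (start << 8) | p[k];
        uint8_t name_len = p[8];
        p += 9; remaining -= 9;
        if (remaining < name_len) goto fail; /* name truncated: reject, do not clamp */
        char *name = malloc((size_t)name_len + 1);
        if (!name) goto fail;
        memcpy(name, p, name_len);
        name[name_len] = '\0';               /* index is inside the allocation */
        out[n].start = start; out[n].name = name; n++;
        p += name_len; remaining -= name_len;
    }
    return (int)n;
fail:
    for (unsigned i = 0; i < n; i++) free(out[i].name);
    return -1;
}

/* Constructed 12-byte payload: one entry, start 0x0102030405060708, name "abc". */
static const uint8_t sample[] = {1,2,3,4,5,6,7,8, 3,'a','b','c'};

/* Count 1 fits the payload: returns 1 and the name round-trips. */
static int demo_ok(void) {
    chapter_t c[MAX_CHAPTERS];
    int n = parse_chapters(sample, sizeof sample, 1, c);
    int good = (n == 1 && strcmp(c[0].name, "abc") == 0 && c[0].start == 0x0102030405060708ULL);
    for (int i = 0; i < n; i++) free(c[i].name);
    return good ? n : -2;
}
/* Count 2, the crash shape (no bytes left for the second header): returns -1. */
static int demo_short_count(void) { chapter_t c[MAX_CHAPTERS]; return parse_chapters(sample, sizeof sample, 2, c); }
/* Box ends mid-name (length byte says 3, only 1 byte present): returns -1. */
static int demo_short_name(void) { chapter_t c[MAX_CHAPTERS]; return parse_chapters(sample, 10, 1, c); }
```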