Two Vulnerabilities Identified in v1.6.0-641 of Bento4 via mp4encrypt
Hi, developers of Bento4, I identified multiple issues that may pose potential risks or impact the stability and security of Bento4 in the latest tag version v1.6.0-641 via mp4encrypt. Some bugs may be legacy issues inherited from earlier versions. Below is a summary of the key findings:
BUG1
a SEGV crash in mp4encrypt
Description
An issue in Bento4 v1.6.0-641 allows an attacker to trigger a segmentation fault in AP4_AtomParent::RemoveChild (Ap4Atom.cpp) during the execution of mp4encrypt with a specially crafted MP4 input file. The AddressSanitizer report below shows the fault is a READ of address 0x0 (the zero page), i.e. a NULL pointer dereference reached from AP4_Processor::Process.
Crash
$ ./mp4encrypt --method MARLIN-IPMP-ACBC ./encrypt-1 /dev/null
WARNING: track ID 1 will not be encrypted
AddressSanitizer:DEADLYSIGNAL
=================================================================
==1960780==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5555559454d5 bp 0x7fffffffc5d0 sp 0x7fffffffc140 T0)
==1960780==The signal is caused by a READ memory access.
==1960780==Hint: address points to the zero page.
#0 0x5555559454d5 in AP4_AtomParent::RemoveChild(AP4_Atom*) /home/xk/Documents/Bento4/Source/C++/Core/Ap4Atom.cpp:567:16
#1 0x5555557de48f in AP4_Processor::Process(AP4_ByteStream&, AP4_ByteStream&, AP4_ByteStream*, AP4_Processor::ProgressListener*, AP4_AtomFactory&) /home/xk/Documents/Bento4/Source/C++/Core/Ap4Processor.cpp:485:19
#2 0x55555567c1bd in main /home/xk/Documents/Bento4/Source/C++/Apps/Mp4Encrypt/Mp4Encrypt.cpp:772:29
#3 0x7ffff7829d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#4 0x7ffff7829e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#5 0x5555555b8114 in _start (/home/xk/Documents/Bento4/check_build/mp4encrypt+0x64114) (BuildId: 555ee0c089d25eeeb4eafa43689adcbae85a787d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/xk/Documents/Bento4/Source/C++/Core/Ap4Atom.cpp:567:16 in AP4_AtomParent::RemoveChild(AP4_Atom*)
==1960780==ABORTING
PoC
BUG2
a memory leak in mp4encrypt
Description
An issue in Bento4 v1.6.0-641 allows an attacker to cause a memory leak in AP4_MarlinIpmpEncryptingProcessor::Initialize (Ap4Marlin.cpp) and AP4_Processor::Process (Ap4Processor.cpp) during the execution of mp4encrypt with a specially crafted MP4 input file. LeakSanitizer reports two direct leaks (allocations at Ap4Marlin.cpp:704 and Ap4Processor.cpp:477 that are never freed) plus the atoms reachable only from them as indirect leaks.
Crash
$ ./mp4encrypt --method MARLIN-IPMP-ACBC ./encrypt-2 /dev/null
=================================================================
==3712707==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 64 byte(s) in 1 object(s) allocated from:
#0 0x555555675d2d in operator new(unsigned long) (/home/xk/Documents/Bento4/check_build/mp4encrypt+0x121d2d) (BuildId: 555ee0c089d25eeeb4eafa43689adcbae85a787d)
#1 0x5555557888a2 in AP4_MarlinIpmpEncryptingProcessor::Initialize(AP4_AtomParent&, AP4_ByteStream&, AP4_Processor::ProgressListener*) /home/xk/Documents/Bento4/Source/C++/Core/Ap4Marlin.cpp:704:30
#2 0x5555557deaac in AP4_Processor::Process(AP4_ByteStream&, AP4_ByteStream&, AP4_ByteStream*, AP4_Processor::ProgressListener*, AP4_AtomFactory&) /home/xk/Documents/Bento4/Source/C++/Core/Ap4Processor.cpp:505:25
#3 0x55555567c1bd in main /home/xk/Documents/Bento4/Source/C++/Apps/Mp4Encrypt/Mp4Encrypt.cpp:772:29
#4 0x7ffff7829d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
Direct leak of 32 byte(s) in 2 object(s) allocated from:
#0 0x555555675d2d in operator new(unsigned long) (/home/xk/Documents/Bento4/check_build/mp4encrypt+0x121d2d) (BuildId: 555ee0c089d25eeeb4eafa43689adcbae85a787d)
#1 0x5555557de175 in AP4_Processor::Process(AP4_ByteStream&, AP4_ByteStream&, AP4_ByteStream*, AP4_Processor::ProgressListener*, AP4_AtomFactory&) /home/xk/Documents/Bento4/Source/C++/Core/Ap4Processor.cpp:477:23
#2 0x55555567c1bd in main /home/xk/Documents/Bento4/Source/C++/Apps/Mp4Encrypt/Mp4Encrypt.cpp:772:29
#3 0x7ffff7829d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
Indirect leak of 256 byte(s) in 1 object(s) allocated from:
#0 0x555555675d2d in operator new(unsigned long) (/home/xk/Documents/Bento4/check_build/mp4encrypt+0x121d2d) (BuildId: 555ee0c089d25eeeb4eafa43689adcbae85a787d)
#1 0x5555557556e4 in AP4_Array<unsigned int>::EnsureCapacity(unsigned int) /home/xk/Documents/Bento4/Source/C++/Core/Ap4Array.h:172:25
#2 0x5555557556e4 in AP4_Array<unsigned int>::Append(unsigned int const&) /home/xk/Documents/Bento4/Source/C++/Core/Ap4Array.h:252:29
#3 0x5555557556e4 in AP4_FtypAtom::AP4_FtypAtom(unsigned int, AP4_ByteStream&) /home/xk/Documents/Bento4/Source/C++/Core/Ap4FtypAtom.cpp:57:28
#4 0x55555568fc9a in AP4_FtypAtom::Create(unsigned int, AP4_ByteStream&) /home/xk/Documents/Bento4/Source/C++/Core/Ap4FtypAtom.h:66:20
Indirect leak of 88 byte(s) in 1 object(s) allocated from:
#0 0x555555675d2d in operator new(unsigned long) (/home/xk/Documents/Bento4/check_build/mp4encrypt+0x121d2d) (BuildId: 555ee0c089d25eeeb4eafa43689adcbae85a787d)
#1 0x555555686297 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/xk/Documents/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:242:16
#2 0x555555685039 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) /home/xk/Documents/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:154:12
#3 0x5555557dddc7 in AP4_Processor::Process(AP4_ByteStream&, AP4_ByteStream&, AP4_ByteStream*, AP4_Processor::ProgressListener*, AP4_AtomFactory&) /home/xk/Documents/Bento4/Source/C++/Core/Ap4Processor.cpp:451:9
#4 0x55555567c1bd in main /home/xk/Documents/Bento4/Source/C++/Apps/Mp4Encrypt/Mp4Encrypt.cpp:772:29
#5 0x7ffff7829d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
Indirect leak of 80 byte(s) in 1 object(s) allocated from:
#0 0x555555675d2d in operator new(unsigned long) (/home/xk/Documents/Bento4/check_build/mp4encrypt+0x121d2d) (BuildId: 555ee0c089d25eeeb4eafa43689adcbae85a787d)
#1 0x55555570946b in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/xk/Documents/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88:16
#2 0x555555689a1b in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/xk/Documents/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816:20
#3 0x5555556861cb in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/xk/Documents/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
#4 0x555555685039 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) /home/xk/Documents/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:154:12
#5 0x5555557dddc7 in AP4_Processor::Process(AP4_ByteStream&, AP4_ByteStream&, AP4_ByteStream*, AP4_Processor::ProgressListener*, AP4_AtomFactory&) /home/xk/Documents/Bento4/Source/C++/Core/Ap4Processor.cpp:451:9
#6 0x55555567c1bd in main /home/xk/Documents/Bento4/Source/C++/Apps/Mp4Encrypt/Mp4Encrypt.cpp:772:29
#7 0x7ffff7829d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
Indirect leak of 80 byte(s) in 1 object(s) allocated from:
#0 0x555555675d2d in operator new(unsigned long) (/home/xk/Documents/Bento4/check_build/mp4encrypt+0x121d2d) (BuildId: 555ee0c089d25eeeb4eafa43689adcbae85a787d)
#1 0x55555570946b in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/xk/Documents/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88:16
#2 0x555555689a1b in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/xk/Documents/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816:20
#3 0x5555556861cb in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/xk/Documents/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
#4 0x55555570b04b in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/xk/Documents/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
#5 0x5555557095ee in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/xk/Documents/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139:5
#6 0x5555557095ee in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/xk/Documents/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
#7 0x555555689a1b in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/xk/Documents/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816:20
#8 0x5555556861cb in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/xk/Documents/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
#9 0x555555685039 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) /home/xk/Documents/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:154:12
#10 0x5555557dddc7 in AP4_Processor::Process(AP4_ByteStream&, AP4_ByteStream&, AP4_ByteStream*, AP4_Processor::ProgressListener*, AP4_AtomFactory&) /home/xk/Documents/Bento4/Source/C++/Core/Ap4Processor.cpp:451:9
#11 0x55555567c1bd in main /home/xk/Documents/Bento4/Source/C++/Apps/Mp4Encrypt/Mp4Encrypt.cpp:772:29
#12 0x7ffff7829d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
Indirect leak of 72 byte(s) in 1 object(s) allocated from:
#0 0x555555675d2d in operator new(unsigned long) (/home/xk/Documents/Bento4/check_build/mp4encrypt+0x121d2d) (BuildId: 555ee0c089d25eeeb4eafa43689adcbae85a787d)
#1 0x55555568fc8a in AP4_FtypAtom::Create(unsigned int, AP4_ByteStream&) /home/xk/Documents/Bento4/Source/C++/Core/Ap4FtypAtom.h:66:16
Indirect leak of 48 byte(s) in 2 object(s) allocated from:
#0 0x555555675d2d in operator new(unsigned long) (/home/xk/Documents/Bento4/check_build/mp4encrypt+0x121d2d) (BuildId: 555ee0c089d25eeeb4eafa43689adcbae85a787d)
#1 0x55555570af14 in AP4_List<AP4_Atom>::Add(AP4_Atom*) /home/xk/Documents/Bento4/Source/C++/Core/Ap4List.h:160:16
#2 0x55555570af14 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/xk/Documents/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:197:20
#3 0x5555557095ee in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/xk/Documents/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139:5
#4 0x5555557095ee in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/xk/Documents/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
#5 0x555555689a1b in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/xk/Documents/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816:20
#6 0x5555556861cb in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/xk/Documents/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
#7 0x555555685039 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) /home/xk/Documents/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:154:12
#8 0x5555557dddc7 in AP4_Processor::Process(AP4_ByteStream&, AP4_ByteStream&, AP4_ByteStream*, AP4_Processor::ProgressListener*, AP4_AtomFactory&) /home/xk/Documents/Bento4/Source/C++/Core/Ap4Processor.cpp:451:9
#9 0x55555567c1bd in main /home/xk/Documents/Bento4/Source/C++/Apps/Mp4Encrypt/Mp4Encrypt.cpp:772:29
#10 0x7ffff7829d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
Indirect leak of 48 byte(s) in 1 object(s) allocated from:
#0 0x555555675d2d in operator new(unsigned long) (/home/xk/Documents/Bento4/check_build/mp4encrypt+0x121d2d) (BuildId: 555ee0c089d25eeeb4eafa43689adcbae85a787d)
#1 0x55555579a685 in AP4_MfhdAtom::Create(unsigned int, AP4_ByteStream&) /home/xk/Documents/Bento4/Source/C++/Core/Ap4MfhdAtom.cpp:52:12
#2 0x55555568b243 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/xk/Documents/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:408:20
#3 0x5555556861cb in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/xk/Documents/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
#4 0x55555570ad1a in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/xk/Documents/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
#5 0x5555557095ee in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/xk/Documents/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139:5
#6 0x5555557095ee in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/xk/Documents/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
#7 0x555555689a1b in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/xk/Documents/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816:20
#8 0x5555556861cb in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/xk/Documents/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
#9 0x555555685039 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) /home/xk/Documents/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:154:12
#10 0x5555557dddc7 in AP4_Processor::Process(AP4_ByteStream&, AP4_ByteStream&, AP4_ByteStream*, AP4_Processor::ProgressListener*, AP4_AtomFactory&) /home/xk/Documents/Bento4/Source/C++/Core/Ap4Processor.cpp:451:9
#11 0x55555567c1bd in main /home/xk/Documents/Bento4/Source/C++/Apps/Mp4Encrypt/Mp4Encrypt.cpp:772:29
#12 0x7ffff7829d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
Indirect leak of 24 byte(s) in 1 object(s) allocated from:
#0 0x555555675d2d in operator new(unsigned long) (/home/xk/Documents/Bento4/check_build/mp4encrypt+0x121d2d) (BuildId: 555ee0c089d25eeeb4eafa43689adcbae85a787d)
#1 0x55555570af14 in AP4_List<AP4_Atom>::Add(AP4_Atom*) /home/xk/Documents/Bento4/Source/C++/Core/Ap4List.h:160:16
#2 0x55555570af14 in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/xk/Documents/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:197:20
#3 0x5555557095ee in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/xk/Documents/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139:5
#4 0x5555557095ee in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/xk/Documents/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
#5 0x555555689a1b in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/xk/Documents/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816:20
#6 0x5555556861cb in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/xk/Documents/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
#7 0x55555570b04b in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /home/xk/Documents/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:194:12
#8 0x5555557095ee in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/xk/Documents/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:139:5
#9 0x5555557095ee in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /home/xk/Documents/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
#10 0x555555689a1b in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /home/xk/Documents/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816:20
#11 0x5555556861cb in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /home/xk/Documents/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
#12 0x555555685039 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) /home/xk/Documents/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:154:12
#13 0x5555557dddc7 in AP4_Processor::Process(AP4_ByteStream&, AP4_ByteStream&, AP4_ByteStream*, AP4_Processor::ProgressListener*, AP4_AtomFactory&) /home/xk/Documents/Bento4/Source/C++/Core/Ap4Processor.cpp:451:9
#14 0x55555567c1bd in main /home/xk/Documents/Bento4/Source/C++/Apps/Mp4Encrypt/Mp4Encrypt.cpp:772:29
#15 0x7ffff7829d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
Indirect leak of 1 byte(s) in 1 object(s) allocated from:
#0 0x555555675e3d in operator new[](unsigned long) (/home/xk/Documents/Bento4/check_build/mp4encrypt+0x121e3d) (BuildId: 555ee0c089d25eeeb4eafa43689adcbae85a787d)
#1 0x555555740e28 in AP4_DataBuffer::ReallocateBuffer(unsigned int) /home/xk/Documents/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:210:28
#2 0x555555740e28 in AP4_DataBuffer::SetDataSize(unsigned int) /home/xk/Documents/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:151:33
SUMMARY: AddressSanitizer: 793 byte(s) leaked in 13 allocation(s).
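Both reports above are raw sanitizer output, and when a fuzzing campaign produces hundreds of them the first triage step is to bucket them by bug class and by the first in-project frame rather than by raw text. The following script is an added example written for this issue, not part of Bento4 or of the reporter's PoC: it parses AddressSanitizer and LeakSanitizer reports into stacks and frames, picks the first frame whose source path contains "/Source/" (Bento4's tree layout), sums leaked bytes, and derives a deduplication signature. The sample inputs are constructed by condensing frames copied from the two reports in this issue; the "/Source/" marker and the three-frame signature depth are assumptions, and the same parser handles other ASan classes (heap-buffer-overflow, use-after-free) because the bug kind is taken from the ERROR line rather than hard-coded.

```python
"""Triage helper for AddressSanitizer / LeakSanitizer output (added example, not Bento4 code).

Splits a report into stacks and frames, picks the first frame inside the project
tree (assumed here to be any path containing "/Source/", matching Bento4's layout)
and derives a bucket signature so a fuzzing campaign can deduplicate findings.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# "#0 0x... in FUNC /path/file.cpp:LINE:COL"      (symbolized source frame)
FRAME_SRC_RE = re.compile(
    r"^\s*#\d+\s+0x[0-9a-f]+\s+in\s+(?P<func>.+?)\s+(?P<file>\S+?):(?P<line>\d+)(?::\d+)?\s*$")
# "#0 0x... in FUNC (/path/binary+0xOFFSET) ..."   (unsymbolized module+offset frame)
FRAME_MOD_RE = re.compile(
    r"^\s*#\d+\s+0x[0-9a-f]+\s+in\s+(?P<func>.+?)\s+\((?P<file>\S+)\+0x[0-9a-f]+\)")
ERROR_RE = re.compile(r"^==\d+==ERROR:\s+(?P<tool>\w+):\s+(?P<desc>.+)$")
LEAK_RE = re.compile(r"^\s*(?P<mode>Direct|Indirect) leak of (?P<bytes>\d+) byte\(s\)")


@dataclass
class Frame:
    func: str            # symbol as printed, e.g. "AP4_AtomParent::RemoveChild(AP4_Atom*)"
    file: str            # source path, or module path for unsymbolized frames
    line: Optional[int]  # None for module+offset frames

    def name(self) -> str:
        """Symbol without its parameter list; used for the bucket signature."""
        return self.func.split("(")[0].strip()


@dataclass
class Stack:
    header: str                          # the ERROR line, or a "Direct/Indirect leak ..." line
    frames: List[Frame] = field(default_factory=list)


@dataclass
class Report:
    tool: str = ""    # "AddressSanitizer" or "LeakSanitizer"
    kind: str = ""    # "SEGV", "heap-buffer-overflow", "memory-leak", ...
    stacks: List[Stack] = field(default_factory=list)

    def project_frames(self, marker: str) -> List[Frame]:
        """Symbolized frames of the first stack whose path contains `marker`."""
        if not self.stacks:
            return []
        return [f for f in self.stacks[0].frames if f.line is not None and marker in f.file]

    def top_project_frame(self, marker: str = "/Source/") -> Optional[Frame]:
        frames = self.project_frames(marker)
        return frames[0] if frames else None

    def signature(self, marker: str = "/Source/", depth: int = 3) -> str:
        """Bucket key: tool, bug class and the first `depth` in-project symbols."""
        names = [f.name() for f in self.project_frames(marker)[:depth]]
        return f"{self.tool}:{self.kind}:" + "|".join(names)

    def leaked_bytes(self) -> Tuple[int, int]:
        """(direct, indirect) bytes summed over all leak stacks; (0, 0) for non-leak reports."""
        direct = indirect = 0
        for s in self.stacks:
            m = LEAK_RE.match(s.header)
            if m is None:
                continue
            if m["mode"] == "Direct":
                direct += int(m["bytes"])
            else:
                indirect += int(m["bytes"])
        return direct, indirect


def parse_report(text: str) -> Report:
    report = Report()
    current: Optional[Stack] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = ERROR_RE.match(line)
        if m:
            report.tool = m["tool"]
            report.kind = "memory-leak" if "memory leaks" in m["desc"] else m["desc"].split()[0]
            if report.tool == "AddressSanitizer":  # ASan: one stack follows the ERROR line
                current = Stack(header=line)
                report.stacks.append(current)
            continue
        if LEAK_RE.match(line):                    # LSan: one stack per leak record
            current = Stack(header=line)
            report.stacks.append(current)
            continue
        m = FRAME_SRC_RE.match(line) or FRAME_MOD_RE.match(line)
        if m and current is not None:
            gd = m.groupdict()
            lineno = int(gd["line"]) if gd.get("line") else None
            current.frames.append(Frame(func=gd["func"], file=gd["file"], line=lineno))
    return report


# Constructed samples: frames copied from the two reports in this issue, condensed.
ASAN_SEGV = """\
==1960780==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5555559454d5 bp 0x7fffffffc5d0 sp 0x7fffffffc140 T0)
==1960780==The signal is caused by a READ memory access.
    #0 0x5555559454d5 in AP4_AtomParent::RemoveChild(AP4_Atom*) /home/xk/Documents/Bento4/Source/C++/Core/Ap4Atom.cpp:567:16
    #1 0x5555557de48f in AP4_Processor::Process(AP4_ByteStream&, AP4_ByteStream&, AP4_ByteStream*, AP4_Processor::ProgressListener*, AP4_AtomFactory&) /home/xk/Documents/Bento4/Source/C++/Core/Ap4Processor.cpp:485:19
    #2 0x55555567c1bd in main /home/xk/Documents/Bento4/Source/C++/Apps/Mp4Encrypt/Mp4Encrypt.cpp:772:29
    #3 0x7ffff7829d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #5 0x5555555b8114 in _start (/home/xk/Documents/Bento4/check_build/mp4encrypt+0x64114) (BuildId: 555ee0c089d25eeeb4eafa43689adcbae85a787d)
"""
LSAN_LEAKS = """\
==3712707==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x555555675d2d in operator new(unsigned long) (/home/xk/Documents/Bento4/check_build/mp4encrypt+0x121d2d) (BuildId: 555ee0c089d25eeeb4eafa43689adcbae85a787d)
    #1 0x5555557888a2 in AP4_MarlinIpmpEncryptingProcessor::Initialize(AP4_AtomParent&, AP4_ByteStream&, AP4_Processor::ProgressListener*) /home/xk/Documents/Bento4/Source/C++/Core/Ap4Marlin.cpp:704:30
    #2 0x5555557deaac in AP4_Processor::Process(AP4_ByteStream&, AP4_ByteStream&, AP4_ByteStream*, AP4_Processor::ProgressListener*, AP4_AtomFactory&) /home/xk/Documents/Bento4/Source/C++/Core/Ap4Processor.cpp:505:25
    #3 0x55555567c1bd in main /home/xk/Documents/Bento4/Source/C++/Apps/Mp4Encrypt/Mp4Encrypt.cpp:772:29
Direct leak of 32 byte(s) in 2 object(s) allocated from:
    #0 0x555555675d2d in operator new(unsigned long) (/home/xk/Documents/Bento4/check_build/mp4encrypt+0x121d2d) (BuildId: 555ee0c089d25eeeb4eafa43689adcbae85a787d)
    #1 0x5555557de175 in AP4_Processor::Process(AP4_ByteStream&, AP4_ByteStream&, AP4_ByteStream*, AP4_Processor::ProgressListener*, AP4_AtomFactory&) /home/xk/Documents/Bento4/Source/C++/Core/Ap4Processor.cpp:477:23
Indirect leak of 256 byte(s) in 1 object(s) allocated from:
    #0 0x555555675d2d in operator new(unsigned long) (/home/xk/Documents/Bento4/check_build/mp4encrypt+0x121d2d) (BuildId: 555ee0c089d25eeeb4eafa43689adcbae85a787d)
    #1 0x5555557556e4 in AP4_Array<unsigned int>::EnsureCapacity(unsigned int) /home/xk/Documents/Bento4/Source/C++/Core/Ap4Array.h:172:25
"""

if __name__ == "__main__":
    for sample in (ASAN_SEGV, LSAN_LEAKS):
        r = parse_report(sample)
        print(r.signature(), r.top_project_frame(), r.leaked_bytes())
```

Only direct leaks are worth a bucket of their own: the indirect records (the ftyp atom, the container atoms and their child lists) are reachable only through the two unfreed objects and disappear once those are released, which is why the signature is built from the first stack and the indirect bytes are reported separately.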
PoC
Environment
Ubuntu 22.04 LTS
Bento4 v1.6.0-641
Ubuntu clang version 14.0.0-1ubuntu1.1
Target: x86_64-pc-linux-gnu
Thread model: posix