| Title | bento4 mp4decrypt the newest master SIGABRT, Assertion Failure |
|---|---|

**Description**

**Summary**
Opening a specifically malformed MP4 file causes the Bento4 library to request approximately 4 GB of heap memory, leading to an unhandled std::bad_alloc exception and immediate process termination via SIGABRT.
**Observation**
When the attached PoC file is parsed by mp4decrypt, the following occurs:
1. The parser encounters an “sgpd” atom whose declared size is 0xFFFFFFFC (4 294 967 292 bytes).
2. This value is passed unchecked to `AP4_DataBuffer::SetDataSize(4294967292)` → `AP4_DataBuffer::ReallocateBuffer(4294967292)`.
3. Allocation fails, throwing `std::bad_alloc`.
4. The exception propagates to the top level, invoking `std::terminate()` and `abort()`.
**Exact Stack Trace (GDB, unstripped)**
```
#0  __pthread_kill_implementation (no_tid=0, signo=6, threadid=140737348183104) at ./nptl/pthread_kill.c:44
#1  __pthread_kill_internal (signo=6, threadid=140737348183104) at ./nptl/pthread_kill.c:78
#2  __GI___pthread_kill (threadid=140737348183104, signo=6) at ./nptl/pthread_kill.c:89
#3  0x00007ffff7a95476 in __GI_raise (sig=6) at ../sysdeps/posix/raise.c:26
#4  0x00007ffff7a7b7f3 in __GI_abort () at ./stdlib/abort.c:79
#5  0x00007ffff7e25b9e in ?? () from /lib/x86_64-linux-gnu/libstdc++.so.6
#6  0x00007ffff7e3120c in ?? () from /lib/x86_64-linux-gnu/libstdc++.so.6
#7  0x00007ffff7e31277 in std::terminate() () from /lib/x86_64-linux-gnu/libstdc++.so.6
#8  0x00007ffff7e314d8 in __cxa_throw () from /lib/x86_64-linux-gnu/libstdc++.so.6
#9  0x00007ffff7e257ac in ?? () from /lib/x86_64-linux-gnu/libstdc++.so.6
#10 0x0000555555606fbd in AP4_DataBuffer::ReallocateBuffer (this=0x555555acf8a0, size=4294967292)
    at …/Source/C++/Core/Ap4DataBuffer.cpp:210
#11 AP4_DataBuffer::SetDataSize (this=0x555555acf8a0, size=4294967292)
    at …/Source/C++/Core/Ap4DataBuffer.cpp:151
#12 AP4_SgpdAtom::AP4_SgpdAtom (this=0x55555584f890, size=..., flags=..., stream=..., version=...)
    at …/Source/C++/Core/Ap4SgpdAtom.cpp:108
#13 AP4_SgpdAtom::Create (size=..., stream=...)
    at …/Source/C++/Core/Ap4SgpdAtom.cpp:54
#14 0x0000555555591a23 in AP4_AtomFactory::CreateAtomFromStream (...)
    at …/Source/C++/Core/Ap4AtomFactory.cpp:749
#15 0x00005555555943e9 in AP4_AtomFactory::CreateAtomFromStream (...)
    at …/Source/C++/Core/Ap4AtomFactory.cpp:234
#16 0x000055555558cb9e in AP4_AtomFactory::CreateAtomFromStream (...)
    at …/Source/C++/Core/Ap4AtomFactory.cpp:154
#17 AP4_File::ParseStream (...)
    at …/Source/C++/Core/Ap4File.cpp:104
#18 AP4_File::AP4_File (...)
    at …/Source/C++/Core/Ap4File.cpp:78
#19 main (argc=..., argv=...)
    at …/Source/C++/Apps/Mp4Decrypt/Mp4Decrypt.cpp:202
```
**Proof-of-Concept**
[The original fuzz-generated sample](https://drive.google.com/file/d/1AkRpx3wcMy3Ic9tQeQyRJybBipK72aQO/view?usp=drive_link) is available.
**Reproduction Steps**
1. Build mp4decrypt from commit 0d86d53 (default configuration).
2. Execute:
   ```sh
   ./mp4decrypt --show-progress poc-crash.mp4 /dev/null
   ```
3. Observe immediate crash with:
   ```
   terminate called after throwing an instance of 'std::bad_alloc'
   ```
**Credit**
Xudong Cao (UCAS)
Yuqing Zhang (UCAS, Zhongguancun Laboratory)
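The defect above is a declared atom size flowing into a buffer allocation without being checked against the stream. The following is an added example, not Bento4's own code, of the kind of bounds check a parser should apply before sizing the payload buffer; the names `ReadAtomPayload` and `kMaxAtomPayload` and the 64 MiB cap are this example's assumptions, and the two byte strings are constructed samples.

```cpp
// Added example, not Bento4's own code. Names (ReadAtomPayload, kMaxAtomPayload)
// and the 64 MiB cap are this example's assumptions.
#include <cstdint>
#include <optional>
#include <vector>

constexpr size_t kAtomHeaderSize = 8;              // 32-bit size + 4-char type
constexpr uint64_t kMaxAtomPayload = 64ull << 20;  // assumed policy cap

static uint32_t ReadBE32(const uint8_t* p) {       // big-endian 32-bit read
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) |
           (uint32_t(p[2]) << 8) | uint32_t(p[3]);
}

// Returns the payload of the atom at `offset`, or nullopt when the header is
// truncated, the declared size is below the header length, exceeds the bytes
// remaining in the stream, or exceeds the cap. Only the plain 32-bit size form
// is handled; sizes 0 and 1 (to-end-of-file / 64-bit extended) are rejected.
std::optional<std::vector<uint8_t>>
ReadAtomPayload(const std::vector<uint8_t>& stream, size_t offset) {
    if (offset > stream.size() || stream.size() - offset < kAtomHeaderSize)
        return std::nullopt;
    const uint8_t* hdr = stream.data() + offset;
    uint32_t declared = ReadBE32(hdr);
    if (declared < kAtomHeaderSize) return std::nullopt;
    uint64_t payloadSize = uint64_t(declared) - kAtomHeaderSize;
    uint64_t remaining = stream.size() - offset - kAtomHeaderSize;
    if (payloadSize > remaining || payloadSize > kMaxAtomPayload)
        return std::nullopt;                       // reject before allocating
    return std::vector<uint8_t>(hdr + kAtomHeaderSize,
                                hdr + kAtomHeaderSize + payloadSize);
}

// Constructed sample: an "sgpd" header declaring 0xFFFFFFFC bytes, as in the
// report, followed by only four bytes of data.
static const std::vector<uint8_t> kMalformedSgpd = {
    0xFF, 0xFF, 0xFF, 0xFC, 's', 'g', 'p', 'd', 0, 0, 0, 0};

// Constructed sample: a well-formed 16-byte "free" atom with 8 payload bytes.
static const std::vector<uint8_t> kValidFree = {
    0x00, 0x00, 0x00, 0x10, 'f', 'r', 'e', 'e', 1, 2, 3, 4, 5, 6, 7, 8};
```

With the malformed sample the check fails on the remaining-bytes comparison, so no allocation of 0xFFFFFFF4 bytes is ever attempted and the parser can report a malformed atom instead of aborting.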
| Field | Value |
|---|---|
| Source | https://github.com/axiomatic-systems/Bento4/issues/1037 |
| User | Anonymous User |
| Submission | 21/07/2025 08:52 AM (11 months ago) |
| Moderation | 04/08/2025 02:15 PM (14 days later) |
| Status | Approved |
| VulDB Entry | 318666 [Axiomatic Bento4 up to 1.6.0-641 mp4decrypt Mp4Decrypt.cpp SetDataSize denial of service] |
| Points | 20 |