Hi team!
Thanks for your great work! I identified some memory errors and runtime errors in Bento4. Here are more details and some of the possible root causes. I'll come back to add more root causes.
1. Ap4HevcParser.cpp
1.1 poc
./mp4mux --track crash_1.hevc out.mp4
/srv/scratch/z5500277/target/Bento4/Source/C++/Codecs/Ap4HevcParser.cpp:154:34: runtime error: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int'
#0 0x55723c72b47e in ReadGolomb(AP4_BitReader&) /srv/scratch/z5500277/target/Bento4/Source/C++/Codecs/Ap4HevcParser.cpp:154:34
#1 0x55723c73104a in AP4_HevcVideoParameterSet::Parse(unsigned char const*, unsigned int) /srv/scratch/z5500277/target/Bento4/Source/C++/Codecs/Ap4HevcParser.cpp:1072:47
#2 0x55723c7347e3 in AP4_HevcFrameParser::Feed(unsigned char const*, unsigned int, AP4_HevcFrameParser::AccessUnitInfo&, bool) /srv/scratch/z5500277/target/Bento4/Source/C++/Codecs/Ap4HevcParser.cpp:1380:27
#3 0x55723c733394 in AP4_HevcFrameParser::Feed(void const*, unsigned int, unsigned int&, AP4_HevcFrameParser::AccessUnitInfo&, bool) /srv/scratch/z5500277/target/Bento4/Source/C++/Codecs/Ap4HevcParser.cpp:1245:12
#4 0x55723c6e9e19 in AddH265Track(AP4_Movie&, char const*, AP4_Array<Parameter>&, AP4_Array<unsigned int>&, SampleFileStorage&) /srv/scratch/z5500277/target/Bento4/Source/C++/Apps/Mp4Mux/Mp4Mux.cpp:1569:29
#5 0x55723c6d3f6e in main /srv/scratch/z5500277/target/Bento4/Source/C++/Apps/Mp4Mux/Mp4Mux.cpp:2359:17
#6 0x7f7e6f9767e4 in __libc_start_main (/lib64/libc.so.6+0x3a7e4) (BuildId: 9846edf82646848f2857c47c5a2eb71c288059ec)
#7 0x55723c6a983d in _start (/srv/scratch/z5500277/target/Bento4/build-asan/mp4mux+0x20b83d)
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /srv/scratch/z5500277/target/Bento4/Source/C++/Codecs/Ap4HevcParser.cpp:154:34 in
The parameter of ReadGolomb comes from user input. If the bit string has 31 zeros in it, it will make leading_zeros = 31 and bypass the safeguard. Then 1 << 31 = -2147483648, leading to integer overflow.
while (bits.ReadBit() == 0) {
leading_zeros++;
if (leading_zeros > 32) return 0; // safeguard
}
...
return (1<<leading_zeros)-1+bits.ReadBits(leading_zeros); // crash
1.2 It can also be triggered with poc
./mp4mux --track crash_3.hevc out.mp4
/srv/scratch/z5500277/target/Bento4/Source/C++/Codecs/Ap4HevcParser.cpp:154:18: runtime error: shift exponent 32 is too large for 32-bit type 'int'
1.3 Another similar problem occurs in AP4_HevcSliceSegmentHeader::Parse
poc
./mp4mux --track crash_4.hevc out.mp4
/srv/scratch/z5500277/target/Bento4/Source/C++/Codecs/Ap4HevcParser.cpp:358:39: runtime error: shift exponent 133 is too large for 32-bit type 'int'
#0 0x55a3fbefa60f in AP4_HevcSliceSegmentHeader::Parse(unsigned char const*, unsigned int, unsigned int, AP4_HevcPictureParameterSet**, AP4_HevcSequenceParameterSet**) /srv/scratch/z5500277/target/Bento4/Source/C++/Codecs/Ap4HevcParser.cpp:358:39
#1 0x55a3fbf058b6 in AP4_HevcFrameParser::Feed(unsigned char const*, unsigned int, AP4_HevcFrameParser::AccessUnitInfo&, bool) /srv/scratch/z5500277/target/Bento4/Source/C++/Codecs/Ap4HevcParser.cpp:1292:36
#2 0x55a3fbf05394 in AP4_HevcFrameParser::Feed(void const*, unsigned int, unsigned int&, AP4_HevcFrameParser::AccessUnitInfo&, bool) /srv/scratch/z5500277/target/Bento4/Source/C++/Codecs/Ap4HevcParser.cpp:1245:12
#3 0x55a3fbebbe19 in AddH265Track(AP4_Movie&, char const*, AP4_Array<Parameter>&, AP4_Array<unsigned int>&, SampleFileStorage&) /srv/scratch/z5500277/target/Bento4/Source/C++/Apps/Mp4Mux/Mp4Mux.cpp:1569:29
#4 0x55a3fbea5f6e in main /srv/scratch/z5500277/target/Bento4/Source/C++/Apps/Mp4Mux/Mp4Mux.cpp:2359:17
#5 0x7f059b2d87e4 in __libc_start_main (/lib64/libc.so.6+0x3a7e4) (BuildId: 9846edf82646848f2857c47c5a2eb71c288059ec)
#6 0x55a3fbe7b83d in _start (/srv/scratch/z5500277/target/Bento4/build-asan/mp4mux+0x20b83d)
If the user sets log2_min_luma_coding_block_size_minus3 in the input file to 29, it leads to a crash at line 358:
unsigned int MinCbLog2SizeY = sps->log2_min_luma_coding_block_size_minus3 + 3;
unsigned int CtbSizeY = 1 << CtbLog2SizeY; // 1<<32, crash
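Added example for 1.1, 1.2 and 1.3 (and the out-of-bounds read behind 2.1); this is not Bento4's code and not part of the original report. SafeBitReader, ReadUE, DecodeUE and ComputeCtbSizeY are names chosen here. It shows the hardened form of the two patterns above: an Exp-Golomb decoder that rejects prefixes longer than 31 zeros and does its arithmetic in 64 bits, over a bit reader that fails instead of reading past the buffer; and a CtbSizeY derivation that validates the SPS fields before shifting. The CtbLog2SizeY formula (MinCbLog2SizeY + log2_diff_max_min_luma_coding_block_size) and the 4..6 range for CtbLog2SizeY are taken from the H.265 SPS semantics, not from this page.

```cpp
#include <cstdint>
#include <cstddef>
#include <cstdio>

// Bounds-checked MSB-first bit reader (added example, not Bento4 code).
// Every read fails cleanly instead of reading past the buffer, which is
// what the SEGV in AP4_BitReader::ReadCache in 2.1 comes down to.
class SafeBitReader {
public:
    SafeBitReader(const uint8_t* data, size_t size)
        : data_(data), size_bits_(size * 8), pos_(0) {}

    // Read n (1..32) bits, most significant first; false if n is invalid
    // or the stream runs out.
    bool ReadBits(unsigned n, uint32_t& out) {
        if (n == 0 || n > 32 || pos_ + n > size_bits_) return false;
        uint32_t v = 0;
        for (unsigned i = 0; i < n; ++i) {
            size_t p = pos_ + i;
            v = (v << 1) | ((data_[p >> 3] >> (7 - (p & 7))) & 1u);
        }
        pos_ += n;
        out = v;
        return true;
    }
    bool ReadBit(unsigned& bit) {
        uint32_t v;
        if (!ReadBits(1, v)) return false;
        bit = v;
        return true;
    }
private:
    const uint8_t* data_;
    size_t size_bits_;
    size_t pos_;
};

// ue(v) Exp-Golomb decode. A valid 32-bit ue(v) value is at most 2^32 - 2,
// so the prefix has at most 31 zero bits; a longer prefix is rejected
// instead of shifted (1 << 31 overflows int, 1 << 32 is an invalid shift,
// the two failures in 1.1 and 1.2). Arithmetic is done in uint64_t so no
// intermediate value can wrap.
bool ReadUE(SafeBitReader& br, uint32_t& out) {
    unsigned leading_zeros = 0;
    for (;;) {
        unsigned bit;
        if (!br.ReadBit(bit)) return false;     // truncated stream
        if (bit) break;
        if (++leading_zeros > 31) return false; // codeword does not fit 32 bits
    }
    uint64_t value = (uint64_t(1) << leading_zeros) - 1;
    if (leading_zeros > 0) {
        uint32_t suffix;
        if (!br.ReadBits(leading_zeros, suffix)) return false;
        value += suffix;
    }
    out = static_cast<uint32_t>(value); // max (2^31-1) + (2^31-1) = 2^32-2, fits
    return true;
}

// Decode one ue(v) from a byte buffer; -1 means "rejected", which no valid
// value can collide with.
long long DecodeUE(const uint8_t* data, size_t size) {
    SafeBitReader br(data, size);
    uint32_t v;
    return ReadUE(br, v) ? static_cast<long long>(v) : -1LL;
}

// CtbSizeY from the SPS fields, as in the slice-segment-header computation
// of 1.3, but validated first. Per the H.265 SPS semantics (assumption taken
// from the spec, not from this report) CtbLog2SizeY = MinCbLog2SizeY +
// log2_diff_max_min_luma_coding_block_size and must lie in 4..6 (CTB of
// 16, 32 or 64 samples). Out-of-range input, such as minus3 = 29, yields 0
// instead of an undefined shift.
uint32_t ComputeCtbSizeY(uint32_t log2_min_luma_coding_block_size_minus3,
                         uint32_t log2_diff_max_min_luma_coding_block_size) {
    uint64_t min_cb_log2 = uint64_t(log2_min_luma_coding_block_size_minus3) + 3;
    uint64_t ctb_log2    = min_cb_log2 + log2_diff_max_min_luma_coding_block_size;
    if (ctb_log2 < 4 || ctb_log2 > 6) return 0;
    return uint32_t(1) << ctb_log2;
}

// Constructed inputs (not taken from any PoC file):
// 31 zero bits, a 1, then 31 one bits -> 2^32 - 2, the largest legal value.
static const uint8_t kPrefix31[] = {0x00, 0x00, 0x00, 0x01, 0xFF, 0xFF, 0xFF, 0xFE};
// 32 zero bits then a 1 -> rejected rather than shifted by 32.
static const uint8_t kPrefix32[] = {0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00};
static const uint8_t kZero[]     = {0x80}; // "1"   -> 0
static const uint8_t kTwo[]      = {0x60}; // "011" -> 2
static const uint8_t kTruncated[] = {0x00}; // eight zeros, then end of data

int main() {
    std::printf("31-zero prefix -> %lld\n", DecodeUE(kPrefix31, sizeof kPrefix31));
    std::printf("32-zero prefix -> %lld\n", DecodeUE(kPrefix32, sizeof kPrefix32));
    std::printf("truncated      -> %lld\n", DecodeUE(kTruncated, sizeof kTruncated));
    std::printf("CtbSizeY(0,2)=%u CtbSizeY(29,0)=%u\n",
                ComputeCtbSizeY(0, 2), ComputeCtbSizeY(29, 0));
    return 0;
}
```

The 31-zero input is the case from 1.1 (the one that gets past `leading_zeros > 32` and then evaluates `1 << 31`); here it decodes to 4294967294 with no overflow, while the 32-zero input from 1.2 and the truncated input are both reported as errors to the caller instead of reaching a shift or a read past the end.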
1.4 out of bounds index
poc
./mp4mux --track crash_7.hevc out.mp4
ERROR: Feed() failed (-10)
/srv/scratch/z5500277/target/Bento4/Source/C++/Codecs/Ap4HevcParser.cpp:1165:41: runtime error: index 41 out of bounds for type 'AP4_HevcSequenceParameterSet *[16]'
#0 0x559ffa20e461 in AP4_HevcFrameParser::CheckIfAccessUnitIsCompleted(AP4_HevcFrameParser::AccessUnitInfo&) /srv/scratch/z5500277/target/Bento4/Source/C++/Codecs/Ap4HevcParser.cpp:1165:41
#1 0x559ffa210f41 in AP4_HevcFrameParser::Feed(unsigned char const*, unsigned int, AP4_HevcFrameParser::AccessUnitInfo&, bool) /srv/scratch/z5500277/target/Bento4/Source/C++/Codecs/Ap4HevcParser.cpp:1413:9
#2 0x559ffa20f394 in AP4_HevcFrameParser::Feed(void const*, unsigned int, unsigned int&, AP4_HevcFrameParser::AccessUnitInfo&, bool) /srv/scratch/z5500277/target/Bento4/Source/C++/Codecs/Ap4HevcParser.cpp:1245:12
#3 0x559ffa1c5e19 in AddH265Track(AP4_Movie&, char const*, AP4_Array<Parameter>&, AP4_Array<unsigned int>&, SampleFileStorage&) /srv/scratch/z5500277/target/Bento4/Source/C++/Apps/Mp4Mux/Mp4Mux.cpp:1569:29
#4 0x559ffa1aff6e in main /srv/scratch/z5500277/target/Bento4/Source/C++/Apps/Mp4Mux/Mp4Mux.cpp:2359:17
#5 0x7f5f475b17e4 in __libc_start_main (/lib64/libc.so.6+0x3a7e4) (BuildId: 9846edf82646848f2857c47c5a2eb71c288059ec)
#6 0x559ffa18583d in _start (/srv/scratch/z5500277/target/Bento4/build-asan/mp4mux+0x20b83d)
2. Ap4Utils.cpp
2.1 poc
./mp4mux --track crash_2.hevc out.mp4
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==4089343==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x55771745e000 (pc 0x557715d051f2 bp 0x7ffd4b2dccd0 sp 0x7ffd4b2dcc20 T4089343)
==4089343==The signal is caused by a READ memory access.
#0 0x557715d051f2 in AP4_BitReader::ReadCache() const /srv/scratch/z5500277/target/Bento4/Source/C++/Core/Ap4Utils.cpp:447:40
#1 0x557715d05786 in AP4_BitReader::ReadBit() /srv/scratch/z5500277/target/Bento4/Source/C++/Core/Ap4Utils.cpp:492:19
#2 0x557715b0242e in AP4_HevcVideoParameterSet::Parse(unsigned char const*, unsigned int) /srv/scratch/z5500277/target/Bento4/Source/C++/Codecs/Ap4HevcParser.cpp:1080:18
#3 0x557715b057e3 in AP4_HevcFrameParser::Feed(unsigned char const*, unsigned int, AP4_HevcFrameParser::AccessUnitInfo&, bool) /srv/scratch/z5500277/target/Bento4/Source/C++/Codecs/Ap4HevcParser.cpp:1380:27
#4 0x557715b04394 in AP4_HevcFrameParser::Feed(void const*, unsigned int, unsigned int&, AP4_HevcFrameParser::AccessUnitInfo&, bool) /srv/scratch/z5500277/target/Bento4/Source/C++/Codecs/Ap4HevcParser.cpp:1245:12
#5 0x557715abae19 in AddH265Track(AP4_Movie&, char const*, AP4_Array<Parameter>&, AP4_Array<unsigned int>&, SampleFileStorage&) /srv/scratch/z5500277/target/Bento4/Source/C++/Apps/Mp4Mux/Mp4Mux.cpp:1569:29
#6 0x557715aa4f6e in main /srv/scratch/z5500277/target/Bento4/Source/C++/Apps/Mp4Mux/Mp4Mux.cpp:2359:17
#7 0x7fe5050fb7e4 in __libc_start_main (/lib64/libc.so.6+0x3a7e4) (BuildId: 9846edf82646848f2857c47c5a2eb71c288059ec)
#8 0x557715a7a83d in _start (/srv/scratch/z5500277/target/Bento4/build-asan/mp4mux+0x20b83d)
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /srv/scratch/z5500277/target/Bento4/Source/C++/Core/Ap4Utils.cpp:447:40 in AP4_BitReader::ReadCache() const
==4089343==ABORTING
2.2 Integer overflow
poc
./mp4mux --track crash_5.hevc out.mp4
/srv/scratch/z5500277/target/Bento4/Source/C++/Core/Ap4Utils.cpp:471:51: runtime error: signed integer overflow: -2147483648 - 1 cannot be represented in type 'int'
#0 0x55b9cad5764e in AP4_BitReader::ReadBits(unsigned int) /srv/scratch/z5500277/target/Bento4/Source/C++/Core/Ap4Utils.cpp:471:51
#1 0x55b9cab544a1 in AP4_HevcVideoParameterSet::Parse(unsigned char const*, unsigned int) /srv/scratch/z5500277/target/Bento4/Source/C++/Codecs/Ap4HevcParser.cpp:1085:52
#2 0x55b9cab577e3 in AP4_HevcFrameParser::Feed(unsigned char const*, unsigned int, AP4_HevcFrameParser::AccessUnitInfo&, bool) /srv/scratch/z5500277/target/Bento4/Source/C++/Codecs/Ap4HevcParser.cpp:1380:27
#3 0x55b9cab56394 in AP4_HevcFrameParser::Feed(void const*, unsigned int, unsigned int&, AP4_HevcFrameParser::AccessUnitInfo&, bool) /srv/scratch/z5500277/target/Bento4/Source/C++/Codecs/Ap4HevcParser.cpp:1245:12
#4 0x55b9cab0ce19 in AddH265Track(AP4_Movie&, char const*, AP4_Array<Parameter>&, AP4_Array<unsigned int>&, SampleFileStorage&) /srv/scratch/z5500277/target/Bento4/Source/C++/Apps/Mp4Mux/Mp4Mux.cpp:1569:29
#5 0x55b9caaf6f6e in main /srv/scratch/z5500277/target/Bento4/Source/C++/Apps/Mp4Mux/Mp4Mux.cpp:2359:17
#6 0x7f5acd6457e4 in __libc_start_main (/lib64/libc.so.6+0x3a7e4) (BuildId: 9846edf82646848f2857c47c5a2eb71c288059ec)
#7 0x55b9caacc83d in _start (/srv/scratch/z5500277/target/Bento4/build-asan/mp4mux+0x20b83d)
3. Ap4DataBuffer.cpp
3.1 poc
./mp4mux --track crash_5.hevc out.mp4
/srv/scratch/z5500277/target/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:175:5: runtime error: null pointer passed as argument 2, which is declared to never be null
/usr/include/string.h:44:28: note: nonnull attribute specified here
#0 0x563c0cbc3d88 in AP4_DataBuffer::SetData(unsigned char const*, unsigned int) /srv/scratch/z5500277/target/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:175:5
#1 0x563c0cd418b9 in AP4_BitReader::AP4_BitReader(unsigned char const*, unsigned int) /srv/scratch/z5500277/target/Bento4/Source/C++/Core/Ap4Utils.cpp:405:14
#2 0x563c0cb36138 in AP4_HevcSliceSegmentHeader::Parse(unsigned char const*, unsigned int, unsigned int, AP4_HevcPictureParameterSet**, AP4_HevcSequenceParameterSet**) /srv/scratch/z5500277/target/Bento4/Source/C++/Codecs/Ap4HevcParser.cpp:331:19
#3 0x563c0cb418b6 in AP4_HevcFrameParser::Feed(unsigned char const*, unsigned int, AP4_HevcFrameParser::AccessUnitInfo&, bool) /srv/scratch/z5500277/target/Bento4/Source/C++/Codecs/Ap4HevcParser.cpp:1292:36
#4 0x563c0cb41394 in AP4_HevcFrameParser::Feed(void const*, unsigned int, unsigned int&, AP4_HevcFrameParser::AccessUnitInfo&, bool) /srv/scratch/z5500277/target/Bento4/Source/C++/Codecs/Ap4HevcParser.cpp:1245:12
#5 0x563c0caf7e19 in AddH265Track(AP4_Movie&, char const*, AP4_Array<Parameter>&, AP4_Array<unsigned int>&, SampleFileStorage&) /srv/scratch/z5500277/target/Bento4/Source/C++/Apps/Mp4Mux/Mp4Mux.cpp:1569:29
#6 0x563c0cae1f6e in main /srv/scratch/z5500277/target/Bento4/Source/C++/Apps/Mp4Mux/Mp4Mux.cpp:2359:17
#7 0x7f34d74927e4 in __libc_start_main (/lib64/libc.so.6+0x3a7e4) (BuildId: 9846edf82646848f2857c47c5a2eb71c288059ec)
#8 0x563c0cab783d in _start (/srv/scratch/z5500277/target/Bento4/build-asan/mp4mux+0x20b83d)
3.2
poc
./mp42hevc crash_1.mp4 output.hevc
/srv/scratch/z5500277/target/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:175:5: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/string.h:44:28: note: nonnull attribute specified here
#0 0x55b8a539ed2e in AP4_DataBuffer::SetData(unsigned char const*, unsigned int) /srv/scratch/z5500277/target/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:175:5
#1 0x55b8a53adfb9 in AP4_HvccAtom::AP4_HvccAtom(unsigned int, unsigned char const*) /srv/scratch/z5500277/target/Bento4/Source/C++/Core/Ap4HvccAtom.cpp:304:28
4. Mp42Hevc.cpp
Here are five crashes:
https://github.com/ShangzhiXu/PoC/blob/main/crash_2.mp4
https://github.com/ShangzhiXu/PoC/blob/main/crash_3.mp4
https://github.com/ShangzhiXu/PoC/blob/main/crash_4.mp4
https://github.com/ShangzhiXu/PoC/blob/main/crash_5.mp4
https://github.com/ShangzhiXu/PoC/blob/main/crash_6.mp4
z5500277@katana2:.../Bento4/build-asan $ ./mp42hevc crash_2.mp4 output.hevc
Video Track:
duration: 0 ms
sample count: 1
/srv/scratch/z5500277/target/Bento4/Source/C++/Apps/Mp42Hevc/Mp42Hevc.cpp:221:17: runtime error: null pointer passed as argument 2, which is declared to never be null
/usr/include/string.h:44:28: note: nonnull attribute specified here
#0 0x5646d1f7f4be in MakeFramePrefix(AP4_SampleDescription*, AP4_DataBuffer&, unsigned int&) /srv/scratch/z5500277/target/Bento4/Source/C++/Apps/Mp42Hevc/Mp42Hevc.cpp:221:17
#1 0x5646d1f7d9d9 in WriteSamples(AP4_Track*, AP4_SampleDescription*, AP4_ByteStream*) /srv/scratch/z5500277/target/Bento4/Source/C++/Apps/Mp42Hevc/Mp42Hevc.cpp:318:9
#2 0x5646d1f7d534 in main /srv/scratch/z5500277/target/Bento4/Source/C++/Apps/Mp42Hevc/Mp42Hevc.cpp:406:13
#3 0x7fcc441187e4 in __libc_start_main (/lib64/libc.so.6+0x3a7e4) (BuildId: 9846edf82646848f2857c47c5a2eb71c288059ec)
#4 0x5646d1f542ed in _start (/srv/scratch/z5500277/target/Bento4/build-asan/mp42hevc+0x1ee2ed)
/srv/scratch/z5500277/target/Bento4/Source/C++/Apps/Mp42Hevc/Mp42Hevc.cpp:221:17 in
z5500277@katana2:.../Bento4/build-asan $ ./mp42hevc crash_3.mp4 output.hevc
Video Track:
duration: 0 ms
sample count: 1
/srv/scratch/z5500277/target/Bento4/Source/C++/Apps/Mp42Hevc/Mp42Hevc.cpp:255:17: runtime error: null pointer passed as argument 2, which is declared to never be null
/usr/include/string.h:44:28: note: nonnull attribute specified here
#0 0x557229e38413 in MakeFramePrefix(AP4_SampleDescription*, AP4_DataBuffer&, unsigned int&) /srv/scratch/z5500277/target/Bento4/Source/C++/Apps/Mp42Hevc/Mp42Hevc.cpp:255:17
#1 0x557229e349d9 in WriteSamples(AP4_Track*, AP4_SampleDescription*, AP4_ByteStream*) /srv/scratch/z5500277/target/Bento4/Source/C++/Apps/Mp42Hevc/Mp42Hevc.cpp:318:9
#2 0x557229e34534 in main /srv/scratch/z5500277/target/Bento4/Source/C++/Apps/Mp42Hevc/Mp42Hevc.cpp:406:13
#3 0x7fb97e4da7e4 in __libc_start_main (/lib64/libc.so.6+0x3a7e4) (BuildId: 9846edf82646848f2857c47c5a2eb71c288059ec)
#4 0x557229e0b2ed in _start (/srv/scratch/z5500277/target/Bento4/build-asan/mp42hevc+0x1ee2ed)
/srv/scratch/z5500277/target/Bento4/Source/C++/Apps/Mp42Hevc/Mp42Hevc.cpp:255:17 in
z5500277@katana2:.../Bento4/build-asan $ ./mp42hevc crash_4.mp4 output.hevc
Video Track:
duration: 0 ms
sample count: 1
/srv/scratch/z5500277/target/Bento4/Source/C++/Apps/Mp42Hevc/Mp42Hevc.cpp:238:17: runtime error: null pointer passed as argument 2, which is declared to never be null
/usr/include/string.h:44:28: note: nonnull attribute specified here
#0 0x560195cb144f in MakeFramePrefix(AP4_SampleDescription*, AP4_DataBuffer&, unsigned int&) /srv/scratch/z5500277/target/Bento4/Source/C++/Apps/Mp42Hevc/Mp42Hevc.cpp:238:17
#1 0x560195cae9d9 in WriteSamples(AP4_Track*, AP4_SampleDescription*, AP4_ByteStream*) /srv/scratch/z5500277/target/Bento4/Source/C++/Apps/Mp42Hevc/Mp42Hevc.cpp:318:9
#2 0x560195cae534 in main /srv/scratch/z5500277/target/Bento4/Source/C++/Apps/Mp42Hevc/Mp42Hevc.cpp:406:13
#3 0x7fd035bc87e4 in __libc_start_main (/lib64/libc.so.6+0x3a7e4) (BuildId: 9846edf82646848f2857c47c5a2eb71c288059ec)
#4 0x560195c852ed in _start (/srv/scratch/z5500277/target/Bento4/build-asan/mp42hevc+0x1ee2ed)
/srv/scratch/z5500277/target/Bento4/Source/C++/Apps/Mp42Hevc/Mp42Hevc.cpp:238:17 in
z5500277@katana2:.../Bento4/build-asan $ ./mp42hevc crash_5.mp4 output.hevc
Video Track:
duration: 0 ms
sample count: 1
/srv/scratch/z5500277/target/Bento4/Source/C++/Apps/Mp42Hevc/Mp42Hevc.cpp:163:13: runtime error: null pointer passed as argument 2, which is declared to never be null
/usr/include/string.h:44:28: note: nonnull attribute specified here
#0 0x556d9015e9d4 in WriteSample(AP4_DataBuffer const&, AP4_DataBuffer&, unsigned int, AP4_ByteStream*) /srv/scratch/z5500277/target/Bento4/Source/C++/Apps/Mp42Hevc/Mp42Hevc.cpp:163:13
#1 0x556d90159b73 in WriteSamples(AP4_Track*, AP4_SampleDescription*, AP4_ByteStream*) /srv/scratch/z5500277/target/Bento4/Source/C++/Apps/Mp42Hevc/Mp42Hevc.cpp:326:9
#2 0x556d90159534 in main /srv/scratch/z5500277/target/Bento4/Source/C++/Apps/Mp42Hevc/Mp42Hevc.cpp:406:13
#3 0x7f2421da67e4 in __libc_start_main (/lib64/libc.so.6+0x3a7e4) (BuildId: 9846edf82646848f2857c47c5a2eb71c288059ec)
#4 0x556d901302ed in _start (/srv/scratch/z5500277/target/Bento4/build-asan/mp42hevc+0x1ee2ed)
/srv/scratch/z5500277/target/Bento4/Source/C++/Apps/Mp42Hevc/Mp42Hevc.cpp:163:13 in
z5500277@katana2:.../Bento4/build-asan $ ./mp42hevc crash_6.mp4 output.hevc
Video Track:
duration: 0 ms
sample count: 1
/srv/scratch/z5500277/target/Bento4/Source/C++/Apps/Mp42Hevc/Mp42Hevc.cpp:181:13: runtime error: null pointer passed as argument 2, which is declared to never be null
/usr/include/string.h:44:28: note: nonnull attribute specified here
#0 0x55c0aab59451 in WriteSample(AP4_DataBuffer const&, AP4_DataBuffer&, unsigned int, AP4_ByteStream*) /srv/scratch/z5500277/target/Bento4/Source/C++/Apps/Mp42Hevc/Mp42Hevc.cpp:181:13
#1 0x55c0aab53b73 in WriteSamples(AP4_Track*, AP4_SampleDescription*, AP4_ByteStream*) /srv/scratch/z5500277/target/Bento4/Source/C++/Apps/Mp42Hevc/Mp42Hevc.cpp:326:9
#2 0x55c0aab53534 in main /srv/scratch/z5500277/target/Bento4/Source/C++/Apps/Mp42Hevc/Mp42Hevc.cpp:406:13
#3 0x7f9e007317e4 in __libc_start_main (/lib64/libc.so.6+0x3a7e4) (BuildId: 9846edf82646848f2857c47c5a2eb71c288059ec)
#4 0x55c0aab2a2ed in _start (/srv/scratch/z5500277/target/Bento4/build-asan/mp42hevc+0x1ee2ed)
5. Ap4Mpeg2Ts.cpp
Another three crashes in Ap4Mpeg2Ts.cpp; they seem to be caused by root causes similar to those in Mp42Hevc.cpp.
https://github.com/ShangzhiXu/PoC/blob/main/crash_7.mp4
https://github.com/ShangzhiXu/PoC/blob/main/crash_8.mp4
https://github.com/ShangzhiXu/PoC/blob/main/crash_9.mp4
z5500277@katana2:.../Bento4/build-asan $ ./mp42ts crash_9.mp4 output.hevc
/srv/scratch/z5500277/target/Bento4/Source/C++/Core/Ap4Mpeg2Ts.cpp:604:25: runtime error: null pointer passed as argument 2, which is declared to never be null
/usr/include/string.h:44:28: note: nonnull attribute specified here
#0 0x5577cee07903 in AP4_Mpeg2TsVideoSampleStream::WriteSample(AP4_Sample&, AP4_DataBuffer&, AP4_SampleDescription*, bool, AP4_ByteStream&) /srv/scratch/z5500277/target/Bento4/Source/C++/Core/Ap4Mpeg2Ts.cpp:604:25
#1 0x5577cedc6bdb in WriteSamples(AP4_Mpeg2TsWriter&, AP4_Track*, SampleReader*, AP4_Mpeg2TsWriter::SampleStream*, AP4_Track*, SampleReader*, AP4_Mpeg2TsWriter::SampleStream*, unsigned int) /srv/scratch/z5500277/target/Bento4/Source/C++/Apps/Mp42Ts/Mp42Ts.cpp:310:36
#2 0x5577cedc5533 in main /srv/scratch/z5500277/target/Bento4/Source/C++/Apps/Mp42Ts/Mp42Ts.cpp:640:14
#3 0x7f380e26e7e4 in __libc_start_main (/lib64/libc.so.6+0x3a7e4) (BuildId: 9846edf82646848f2857c47c5a2eb71c288059ec)
#4 0x5577ced9854d in _start (/srv/scratch/z5500277/target/Bento4/build-asan/mp42ts+0x20354d)
z5500277@katana2:.../Bento4/build-asan $ ./mp42ts crash_7.mp4 output.hevc
/srv/scratch/z5500277/target/Bento4/Source/C++/Core/Ap4Mpeg2Ts.cpp:638:25: runtime error: null pointer passed as argument 2, which is declared to never be null
/usr/include/string.h:44:28: note: nonnull attribute specified here
#0 0x55980afe6d05 in AP4_Mpeg2TsVideoSampleStream::WriteSample(AP4_Sample&, AP4_DataBuffer&, AP4_SampleDescription*, bool, AP4_ByteStream&) /srv/scratch/z5500277/target/Bento4/Source/C++/Core/Ap4Mpeg2Ts.cpp:638:25
#1 0x55980afa3bdb in WriteSamples(AP4_Mpeg2TsWriter&, AP4_Track*, SampleReader*, AP4_Mpeg2TsWriter::SampleStream*, AP4_Track*, SampleReader*, AP4_Mpeg2TsWriter::SampleStream*, unsigned int) /srv/scratch/z5500277/target/Bento4/Source/C++/Apps/Mp42Ts/Mp42Ts.cpp:310:36
#2 0x55980afa2533 in main /srv/scratch/z5500277/target/Bento4/Source/C++/Apps/Mp42Ts/Mp42Ts.cpp:640:14
#3 0x7f5053ecb7e4 in __libc_start_main (/lib64/libc.so.6+0x3a7e4) (BuildId: 9846edf82646848f2857c47c5a2eb71c288059ec)
#4 0x55980af7554d in _start (/srv/scratch/z5500277/target/Bento4/build-asan/mp42ts+0x20354d)
z5500277@katana2:.../Bento4/build-asan $ ./mp42ts crash_8.mp4 output.hevc
/srv/scratch/z5500277/target/Bento4/Source/C++/Core/Ap4Mpeg2Ts.cpp:621:25: runtime error: null pointer passed as argument 2, which is declared to never be null
/usr/include/string.h:44:28: note: nonnull attribute specified here
#0 0x557532b12b04 in AP4_Mpeg2TsVideoSampleStream::WriteSample(AP4_Sample&, AP4_DataBuffer&, AP4_SampleDescription*, bool, AP4_ByteStream&) /srv/scratch/z5500277/target/Bento4/Source/C++/Core/Ap4Mpeg2Ts.cpp:621:25
#1 0x557532ad0bdb in WriteSamples(AP4_Mpeg2TsWriter&, AP4_Track*, SampleReader*, AP4_Mpeg2TsWriter::SampleStream*, AP4_Track*, SampleReader*, AP4_Mpeg2TsWriter::SampleStream*, unsigned int) /srv/scratch/z5500277/target/Bento4/Source/C++/Apps/Mp42Ts/Mp42Ts.cpp:310:36
#2 0x557532acf533 in main /srv/scratch/z5500277/target/Bento4/Source/C++/Apps/Mp42Ts/Mp42Ts.cpp:640:14
#3 0x7efcd4c4f7e4 in __libc_start_main (/lib64/libc.so.6+0x3a7e4) (BuildId: 9846edf82646848f2857c47c5a2eb71c288059ec)
#4 0x557532aa254d in _start (/srv/scratch/z5500277/target/Bento4/build-asan/mp42ts+0x20354d)
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /srv/scratch/z5500277/target/Bento4/Source/C++/Core/Ap4Mpeg2Ts.cpp:621:25 in
z5500277@katana2:.../Bento4/build-asan $
6. Mp42Hls.cpp
https://github.com/ShangzhiXu/PoC/blob/main/crash_10.mp4
/srv/scratch/z5500277/target/Bento4/Source/C++/Apps/Mp42Hls/Mp42Hls.cpp:1349:27: runtime error: -nan is outside the range of representable values of type 'unsigned int'
#0 0x556606cf2181 in WriteSamples(AP4_Mpeg2TsWriter*, PackedAudioWriter*, AP4_Track*, SampleReader*, AP4_Mpeg2TsWriter::SampleStream*, AP4_Track*, SampleReader*, AP4_Mpeg2TsWriter::SampleStream*, unsigned int, unsigned char) /srv/scratch/z5500277/target/Bento4/Source/C++/Apps/Mp42Hls/Mp42Hls.cpp:1349:27
#1 0x556606cec7b8 in main /srv/scratch/z5500277/target/Bento4/Source/C++/Apps/Mp42Hls/Mp42Hls.cpp:2188:14
#2 0x7fe7c8e347e4 in __libc_start_main (/lib64/libc.so.6+0x3a7e4) (BuildId: 9846edf82646848f2857c47c5a2eb71c288059ec)
#3 0x556606cb24bd in _start (/srv/scratch/z5500277/target/Bento4/build-asan/mp42hls+0x2164bd)