Heap-buffer-overflow in AP4_Dac4Atom constructor via crafted MP4 (AP4_BitReader::ReadCache) #1058
Description
A heap-buffer-overflow vulnerability exists in the AP4_Dac4Atom constructor (Ap4Dac4Atom.cpp) when parsing a crafted MP4 file containing a dac4 atom with an insufficient payload size. The AP4_BitReader reads beyond the allocated heap buffer, resulting in an out-of-bounds read.
Affected Component
- File: Source/C++/Core/Ap4Dac4Atom.cpp
- Function: AP4_Dac4Atom::AP4_Dac4Atom(AP4_UI32 size, const AP4_UI08* payload) (line 147)
- Triggered at: AP4_BitReader::ReadCache() in Ap4Utils.cpp:447
Root Cause
In Ap4Dac4Atom.cpp, the constructor computes payload_size = size - AP4_ATOM_HEADER_SIZE (line 154) and passes the payload to AP4_BitReader (line 161). When the dac4 atom has a small size value (e.g., just enough to pass the atom factory's size check), the payload_size is very small. However, the subsequent DSI parsing logic (lines 162+) calls ReadBits() multiple times without checking whether the BitReader has enough data remaining. This causes AP4_BitReader::ReadCache() to read past the end of the heap-allocated buffer.
Steps to Reproduce
- Build Bento4 with AddressSanitizer (-fsanitize=address)
- Save the attached PoC file as poc1.mp4
- Run: ./mp4dump poc1.mp4
ASAN Output
```
==3550==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x50200000013c
at pc 0x62bdb9160c01 bp 0x7fffba563030 sp 0x7fffba563020
READ of size 1 at 0x50200000013c thread T0
#0 AP4_BitReader::ReadCache() const Ap4Utils.cpp:447
#1 AP4_BitReader::ReadBits() Ap4Utils.cpp:467
#2 AP4_Dac4Atom::AP4_Dac4Atom() Ap4Dac4Atom.cpp:201
#3 AP4_Dac4Atom::Create() Ap4Dac4Atom.cpp:58
0x50200000013c is located 0 bytes to the right of 12-byte region [0x502000000130,0x50200000013c)
```
(Full ASAN trace and PoC file attached below)
Impact
An attacker can craft a malicious MP4 file that, when parsed by any application using the Bento4 library (e.g., mp4dump, mp4info), triggers a heap out-of-bounds read. This may lead to information disclosure or denial of service (crash).
Suggested Fix
Add a bounds check before parsing the DSI fields. For example:
```cpp
// Ap4Dac4Atom.cpp, line 154
unsigned int payload_size = size - AP4_ATOM_HEADER_SIZE;
if (payload_size < 11) return; // move this sanity check BEFORE SetData
m_RawBytes.SetData(payload, payload_size);
```
Additionally, AP4_BitReader should validate remaining bits before each ReadBits()/ReadCache() call to prevent OOB access.
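To illustrate the second suggestion, here is an added example (not Bento4's code) of a bounds-checked bit reader that fails closed when a read asks for more bits than remain, exercised on a constructed 12-byte payload, the region size in the ASAN report, against a constructed field list that is not the real dac4 DSI layout:

```cpp
#include <cstddef>
#include <cstdint>

// Hypothetical bounds-checked bit reader; stands in for AP4_BitReader,
// which the report says reads without checking the remaining bits.
class CheckedBitReader {
public:
    CheckedBitReader(const uint8_t* data, size_t size)
        : m_Data(data), m_Size(size), m_BitPos(0) {}

    size_t BitsRemaining() const { return m_Size * 8 - m_BitPos; }

    // Reads n bits MSB-first. Returns false, leaving `out` and the read
    // position untouched, if fewer than n bits remain in the buffer.
    bool ReadBits(unsigned n, uint32_t& out) {
        if (n == 0 || n > 32 || n > BitsRemaining()) return false;
        uint32_t value = 0;
        for (unsigned i = 0; i < n; ++i, ++m_BitPos) {
            unsigned bit = (m_Data[m_BitPos / 8] >> (7 - m_BitPos % 8)) & 1;
            value = (value << 1) | bit;
        }
        out = value;
        return true;
    }

private:
    const uint8_t* m_Data;
    size_t m_Size;
    size_t m_BitPos;
};

// Walks a list of field widths the way a DSI parser would, but stops at the
// first field that does not fit. Returns how many fields were read.
int ParseFields(const uint8_t* payload, size_t payload_size,
                const unsigned* widths, size_t count) {
    CheckedBitReader bits(payload, payload_size);
    uint32_t v = 0;
    for (size_t i = 0; i < count; ++i) {
        if (!bits.ReadBits(widths[i], v)) return (int)i; // out of data: fail closed
    }
    return (int)count;
}

// Constructed sample: a 12-byte payload and a constructed field list that
// needs 120 bits. Only 6 of the 7 fields fit; the reader never runs past the end.
int DemoTruncatedPayload() {
    const uint8_t payload[12] = {0};
    const unsigned widths[] = {3, 7, 4, 10, 32, 32, 32};
    return ParseFields(payload, sizeof payload, widths, 7); // returns 6
}
```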
Environment
- Bento4 version: latest (commit HEAD)
- OS: Ubuntu (WSL2)
- Compiler: g++ with -fsanitize=address
Attachment: poc1_dac4_oob.mp4
