
Heap-buffer-overflow in AP4_Ac4Parser during Raw AC-4 bitstream parsing in mp4mux #1060

@Captainjack-kor

Description:
A heap-buffer-overflow (Out-of-bounds Read) was discovered in the mp4mux tool when processing a specially crafted Raw AC-4 (.ac4) file.

Technical Details:

  • Affected File: Source/C++/Codecs/Ap4Ac4Parser.cpp
  • Affected Function: AP4_Ac4Header::AP4_Ac4Header (Constructor)
  • Root Cause:
    The parser reads the m_NPresentations value using AP4_Ac4VariableBits and enters a loop to parse each presentation (Line 130). Inside the loop, it calls presentation.ParsePresentationV1Info, which utilizes AP4_BitReader to read bits. However, the parser does not validate if the remaining bitstream data is sufficient for the claimed number of presentations. When a malformed AC-4 file with a large m_NPresentations value but truncated payload is provided, the AP4_BitReader reads past the allocated heap buffer, triggering a heap-buffer-overflow.

Reproduction Steps:

  1. Build Bento4 with AddressSanitizer (ASAN) enabled.
  2. Generate a malformed AC-4 file with a high m_NPresentations count (e.g., 511) and truncated data.
  3. Run the following command: ./mp4mux --track ac4:poc.ac4 output.mp4

PoC File

poc.zip
ASAN Summary

=================================================================
==62988==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x11d2ca3a01b8 at pc 0x7ff608adebd0 bp 0x00b72b2ee620 sp 0x00b72b2ee628
READ of size 1 at 0x11d2ca3a01b8 thread T0
==62988==WARNING: Failed to use and restart external symbolizer!
    #0 0x7ff608adebcf in AP4_BitReader::ReadCache C:\Users\qhflt\Downloads\Bento4-1.6.0-641\Bento4-1.6.0-641\Source\C++\Core\Ap4Utils.cpp:447
    #1 0x7ff608ade67b in AP4_BitReader::ReadBits C:\Users\qhflt\Downloads\Bento4-1.6.0-641\Bento4-1.6.0-641\Source\C++\Core\Ap4Utils.cpp:467
    #2 0x7ff608b87f13 in AP4_Dac4Atom::Ac4Dsi::PresentationV1::ParsePresentationV1Info C:\Users\qhflt\Downloads\Bento4-1.6.0-641\Bento4-1.6.0-641\Source\C++\Core\Ap4Dac4Atom.cpp:1329
    #3 0x7ff608b17457 in AP4_Ac4Header::AP4_Ac4Header C:\Users\qhflt\Downloads\Bento4-1.6.0-641\Bento4-1.6.0-641\Source\C++\Codecs\Ap4Ac4Parser.cpp:130
    #4 0x7ff608b1916b in AP4_Ac4Parser::FindFrame C:\Users\qhflt\Downloads\Bento4-1.6.0-641\Bento4-1.6.0-641\Source\C++\Codecs\Ap4Ac4Parser.cpp:405
    #5 0x7ff608ac5216 in AddAc4Track C:\Users\qhflt\Downloads\Bento4-1.6.0-641\Bento4-1.6.0-641\Source\C++\Apps\Mp4Mux\Mp4Mux.cpp:868
    #6 0x7ff608ad65b9 in main C:\Users\qhflt\Downloads\Bento4-1.6.0-641\Bento4-1.6.0-641\Source\C++\Apps\Mp4Mux\Mp4Mux.cpp:2368
    #7 0x7ff608cb3158 in invoke_main D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:78
    #8 0x7ff608cb30a1 in __scrt_common_main_seh D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #9 0x7ff608cb2f5d in __scrt_common_main D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:330
    #10 0x7ff608cb31cd in mainCRTStartup D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_main.cpp:16
    #11 0x7ffe19bbe8d6 in BaseThreadInitThunk+0x16 (C:\WINDOWS\System32\KERNEL32.DLL+0x18002e8d6)
    #12 0x7ffe1abec48b in RtlUserThreadStart+0x2b (C:\WINDOWS\SYSTEM32\ntdll.dll+0x18008c48b)

0x11d2ca3a01b8 is located 0 bytes after 8-byte region [0x11d2ca3a01b0,0x11d2ca3a01b8)
allocated by thread T0 here:
    #0 0x7ff608cb210e in operator new[] D:\a\_work\1\s\src\vctools\asan\llvm\compiler-rt\lib\asan\asan_win_new_array_thunk.cpp:41
    #1 0x7ff608ada435 in AP4_DataBuffer::ReallocateBuffer C:\Users\qhflt\Downloads\Bento4-1.6.0-641\Bento4-1.6.0-641\Source\C++\Core\Ap4DataBuffer.cpp:210
    #2 0x7ff608adaaff in AP4_DataBuffer::SetBufferSize C:\Users\qhflt\Downloads\Bento4-1.6.0-641\Bento4-1.6.0-641\Source\C++\Core\Ap4DataBuffer.cpp:136
    #3 0x7ff608adb16d in AP4_BitReader::AP4_BitReader C:\Users\qhflt\Downloads\Bento4-1.6.0-641\Bento4-1.6.0-641\Source\C++\Core\Ap4Utils.cpp:404
    #4 0x7ff608b16694 in AP4_Ac4Header::AP4_Ac4Header C:\Users\qhflt\Downloads\Bento4-1.6.0-641\Bento4-1.6.0-641\Source\C++\Codecs\Ap4Ac4Parser.cpp:42
    #5 0x7ff608b1916b in AP4_Ac4Parser::FindFrame C:\Users\qhflt\Downloads\Bento4-1.6.0-641\Bento4-1.6.0-641\Source\C++\Codecs\Ap4Ac4Parser.cpp:405
    #6 0x7ff608ac5216 in AddAc4Track C:\Users\qhflt\Downloads\Bento4-1.6.0-641\Bento4-1.6.0-641\Source\C++\Apps\Mp4Mux\Mp4Mux.cpp:868
    #7 0x7ff608ad65b9 in main C:\Users\qhflt\Downloads\Bento4-1.6.0-641\Bento4-1.6.0-641\Source\C++\Apps\Mp4Mux\Mp4Mux.cpp:2368
    #8 0x7ff608cb3158 in invoke_main D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:78
    #9 0x7ff608cb30a1 in __scrt_common_main_seh D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #10 0x7ff608cb2f5d in __scrt_common_main D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:330
    #11 0x7ff608cb31cd in mainCRTStartup D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_main.cpp:16
    #12 0x7ffe19bbe8d6 in BaseThreadInitThunk+0x16 (C:\WINDOWS\System32\KERNEL32.DLL+0x18002e8d6)
    #13 0x7ffe1abec48b in RtlUserThreadStart+0x2b (C:\WINDOWS\SYSTEM32\ntdll.dll+0x18008c48b)

SUMMARY: AddressSanitizer: heap-buffer-overflow C:\Users\qhflt\Downloads\Bento4-1.6.0-641\Bento4-1.6.0-641\Source\C++\Core\Ap4Utils.cpp:447 in AP4_BitReader::ReadCache
Shadow bytes around the buggy address:
  0x11d2ca39ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x11d2ca39ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x11d2ca3a0000: fa fa 00 05 fa fa 00 06 fa fa 00 07 fa fa 00 00
  0x11d2ca3a0080: fa fa 00 07 fa fa 00 04 fa fa 00 00 fa fa 00 00
  0x11d2ca3a0100: fa fa 00 00 fa fa fd fd fa fa 00 04 fa fa 00 fa
=>0x11d2ca3a0180: fa fa 00 fa fa fa 00[fa]fa fa 00 04 fa fa fd fd
  0x11d2ca3a0200: fa fa fd fa fa fa fd fa fa fa 00 00 fa fa 04 fa
  0x11d2ca3a0280: fa fa 00 fa fa fa fd fa fa fa 04 fa fa fa 01 fa
  0x11d2ca3a0300: fa fa 01 fa fa fa 01 fa fa fa 00 04 fa fa 04 fa
  0x11d2ca3a0380: fa fa 04 fa fa fa 04 fa fa fa 04 fa fa fa 04 fa
  0x11d2ca3a0400: fa fa 04 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
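The unchecked-count pattern described in the report, as an added example that is not Bento4's code: a hypothetical bounds-checked bit reader (CheckedBitReader, not AP4_BitReader) and a toy presentation parser (ParsePresentations, with an assumed layout rather than the real AC-4 syntax) that validate the payload up front and again on every read, so a header claiming 511 presentations over a few bytes fails cleanly instead of reading past the heap buffer.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>
// Hypothetical bounds-checked bit reader (not Bento4's AP4_BitReader): every read
// first checks that enough bits remain, so truncated input yields an error, not an OOB read.
class CheckedBitReader {
public:
    CheckedBitReader(const uint8_t* data, size_t size)
        : m_Data(data), m_TotalBits(size * 8), m_Pos(0) {}
    size_t BitsLeft() const { return m_TotalBits - m_Pos; }
    // Reads n (<= 32) bits MSB-first into out; returns false if fewer than n bits remain.
    bool ReadBits(unsigned n, uint32_t& out) {
        if (n > 32 || n > BitsLeft()) return false;
        uint32_t v = 0;
        for (unsigned i = 0; i < n; ++i, ++m_Pos)
            v = (v << 1) | ((m_Data[m_Pos >> 3] >> (7 - (m_Pos & 7))) & 1);
        out = v;
        return true;
    }
private:
    const uint8_t* m_Data; size_t m_TotalBits; size_t m_Pos;
};

struct ParseResult {
    bool ok;                       // false: payload too short for what the header claims
    uint32_t n_presentations;      // count as read from the header
    std::vector<uint32_t> values;  // one entry per successfully parsed presentation
};
// Toy layout (assumed, not the AC-4 syntax): a 9-bit presentation count, then per
// presentation a 1-bit flag and, if set, an 8-bit value: an input-controlled count driving a loop.
ParseResult ParsePresentations(const uint8_t* data, size_t size) {
    CheckedBitReader r(data, size);
    ParseResult res{false, 0, {}};
    if (!r.ReadBits(9, res.n_presentations)) return res;
    // Up-front check: each presentation needs at least 1 bit, so a count larger than
    // the remaining bits (511 claimed, 7 present) is rejected before the loop runs.
    if (res.n_presentations > r.BitsLeft()) return res;
    for (uint32_t i = 0; i < res.n_presentations; ++i) {
        uint32_t flag = 0, value = 0;
        if (!r.ReadBits(1, flag)) return res;           // per-read checks catch an
        if (flag && !r.ReadBits(8, value)) return res;  // extension that runs past the end
        res.values.push_back(value);
    }
    res.ok = true;
    return res;
}
// Constructed sample inputs (not the poc.ac4 from the report).
const uint8_t kTruncatedPoc[] = {0xFF, 0x80};        // claims 511 presentations, 7 bits follow
const uint8_t kWellFormed[]   = {0x01, 0x35, 0x60};  // 2 presentations: {flag 0}, {flag 1, 0xAB}
const uint8_t kTruncatedExt[] = {0x00, 0xC0};        // 1 presentation whose 8-bit value is cut off
```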
