src/mp4property.h:414 Out-of-Bounds Read in mp4v2::impl::MP4BytesProperty::GetValue #88

@sigdevel

Description:

When processing a specially crafted MP4 file with malformed ITMF/iTunes metadata atoms, mp4info crashes while fetching metadata tags. The crash occurs in mp4v2::impl::MP4BytesProperty::GetValue() when the code passes an invalid source pointer and an extremely large size value to memcpy(). ASan reports a read of size 4294967293 (0xFFFFFFFD), which indicates an integer underflow / incorrect metadata size calculation. As a result, the application attempts to read from an invalid memory address located in the shadow gap area, leading to process termination.

To Reproduce

Steps to reproduce the behavior:

./mp4info src_mp4property_h_414

Output:

asan-build:

=================================================================
==86093==ERROR: AddressSanitizer: unknown-crash on address 0x0000fffffffd at pc 0x7fe025122094 bp 0x7ffe0b73d4c0 sp 0x7ffe0b73cc80
READ of size 4294967293 at 0x0000fffffffd thread T0                                                                                                        
    #0 0x7fe025122093 in memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors_memintrinsics.inc:117
    #1 0x5632709838e1 in mp4v2::impl::MP4BytesProperty::GetValue(unsigned char**, unsigned int*, unsigned int) src/mp4property.h:414
    #2 0x5632709838e1 in __itemAtomToModel src/itmf/generic.cpp:206
    #3 0x563270983b43 in mp4v2::impl::itmf::genericGetItems(mp4v2::impl::MP4File&) src/itmf/generic.cpp:308
    #4 0x56327097ced4 in mp4v2::impl::itmf::Tags::c_fetch(MP4Tags_s*&, void*) src/itmf/Tags.cpp:72
    #5 0x56327096e1f0 in MP4TagsFetch src/cmeta.cpp:133
    #6 0x563270965be7 in main util/mp4info.cpp:90
    #7 0x7fe024a33f74 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #8 0x7fe024a34026 in __libc_start_main_impl ../csu/libc-start.c:360
    #9 0x5632709638e0 in _start (/run/media/user/81c71df6-ca99-4d27-a7b6-55107e347080/mp4v2/runtime/sub/mp4v2/mp4info_asan+0x638e0) (BuildId: b2233bfe65c7ff1709d4cbbd7012f55656916e28)

Address 0x0000fffffffd is located in the shadow gap area.
SUMMARY: AddressSanitizer: unknown-crash src/mp4property.h:414 in mp4v2::impl::MP4BytesProperty::GetValue(unsigned char**, unsigned int*, unsigned int)
==86093==ABORTING

Environment

OS: tested at 6.12.25-1kali1 (2025-04-30) x86_64 GNU/Linux
Compiler version: Clang 21.1.8
Build-opts: -fsanitize=address,undefined -g -O1
CPU type: x86_64
mp4v2 - commit hash b7cdf09167124136d7b6bc9f7aa5ebdc95ed5d61
MP4v2 version - 2.0.0

Additional context

link to the sample (github-url):

src_mp4property_h_414
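The size ASan prints, 4294967293 (0xFFFFFFFD), is (uint32_t)-3: a 32-bit unsigned length that went three below zero. The C program below is an added illustration of that failure mode and of the check that prevents it; it is not mp4v2's code and does not reproduce its classes. It assumes, purely for illustration, a 'data' box consisting of a 4-byte big-endian size, a 4-byte type, 4 bytes of version/flags and a 4-byte locale (16 bytes of fixed header) before the payload, so a box that declares a size of 13 yields a payload length of 13 - 16 = 0xFFFFFFFD when the subtraction is done in unsigned 32-bit arithmetic. The names `payload_len_unchecked`, `get_value_checked`, `kGoodBox` and `kBadBox` are hypothetical, and both sample boxes are constructed here, not taken from the reporter's file.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout for illustration (not taken from mp4v2): a 'data' box is
 * a 4-byte big-endian size, 4-byte type, 4-byte version/flags and 4-byte
 * locale, followed by the payload.  16 bytes of fixed header. */
#define DATA_BOX_HEADER_LEN 16u

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The unsafe pattern the ASan trace is consistent with: the payload length
 * is derived from the declared box size by unsigned 32-bit subtraction and
 * never compared with what is actually in the file.  A declared size below
 * 16 wraps to a value just under 4 GiB, which is what memcpy then receives. */
uint32_t payload_len_unchecked(const uint8_t *box)
{
    uint32_t box_size = be32(box);
    return box_size - DATA_BOX_HEADER_LEN;   /* wraps when box_size < 16 */
}

/* Hardened getter: validates the declared size against the fixed header
 * length and against the bytes remaining in the buffer before copying.
 * Returns 0 and a malloc'd copy on success, -1 on any inconsistency
 * (the caller frees *out). */
int get_value_checked(const uint8_t *buf, size_t buf_len, size_t box_off,
                      uint8_t **out, uint32_t *out_len)
{
    if (box_off > buf_len || buf_len - box_off < DATA_BOX_HEADER_LEN)
        return -1;                               /* header itself is truncated */
    const uint8_t *box = buf + box_off;
    uint32_t box_size = be32(box);
    if (box_size < DATA_BOX_HEADER_LEN)
        return -1;                               /* subtraction would underflow */
    uint32_t payload = box_size - DATA_BOX_HEADER_LEN;
    if (payload > buf_len - box_off - DATA_BOX_HEADER_LEN)
        return -1;                               /* payload runs past the buffer */
    uint8_t *copy = malloc(payload ? payload : 1);
    if (!copy)
        return -1;
    memcpy(copy, box + DATA_BOX_HEADER_LEN, payload);
    *out = copy;
    *out_len = payload;
    return 0;
}

/* Constructed samples (not the reporter's file). */
const uint8_t kGoodBox[21] = {
    0x00, 0x00, 0x00, 0x15, 'd', 'a', 't', 'a',      /* size 21, type 'data' */
    0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,  /* version/flags, locale */
    'h', 'e', 'l', 'l', 'o'                          /* 5-byte payload */
};
const uint8_t kBadBox[16] = {
    0x00, 0x00, 0x00, 0x0D, 'd', 'a', 't', 'a',      /* size 13 < 16-byte header */
    0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00
};

int main(void)
{
    printf("unchecked length for size-13 box: 0x%08X\n",
           payload_len_unchecked(kBadBox));          /* 0xFFFFFFFD, as in the report */
    uint8_t *v = NULL;
    uint32_t n = 0;
    printf("checked getter on bad box: %d\n",
           get_value_checked(kBadBox, sizeof kBadBox, 0, &v, &n));
    if (get_value_checked(kGoodBox, sizeof kGoodBox, 0, &v, &n) == 0) {
        printf("checked getter on good box: %u bytes \"%.*s\"\n",
               n, (int)n, (const char *)v);
        free(v);
    }
    return 0;
}
```

The two checks in `get_value_checked` are independent: the first rejects a declared size smaller than the fixed header (the underflow), the second rejects a declared size larger than the bytes that remain in the buffer (a truncated file). Either on its own leaves a path to a bad memcpy, so a fix for this class of bug needs both.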
