Panic when using read_box #5

frewsxcv · 2015-10-29T14:11:17Z

extern crate mp4parse;

use std::io::Cursor;

fn main() {
    let mut c = Cursor::new(b"\x30\x30\x30\x30\x66\x74\x79\x70\x30\x30\x30\x30\x30\x30\x30\x30".to_vec());
    let mut context = mp4parse::MediaContext::new();
    let _ = mp4parse::read_box(&mut c, &mut context);
}

panic discovered using afl.rs

This is the test case from frewsxcv's fuzzing work, generated by American Fuzzy Lop's rust support. It found a loop where we don't check the return value of read(). #5

rillian · 2015-10-29T18:24:05Z

Nice one! This declares a very large number of compatible brands in an ftyp box but doesn't supply them. Since be_fourcc didn't check for short reads, we would hit EOF but return a fourcc value each time. The programme only halts (after creating all 808M?) on the assert at the end of read_box which checks that we've read all the data.

I've added the testcase as 6899348 and a return value check as b154acc which fixes the slow crash.

rillian · 2015-10-29T18:43:06Z

Sorry, only 202116105 compatible brands. Forgot to divide by 4 for the fourcc width.

rillian added a commit that referenced this issue Oct 29, 2015

Add regression test from fuzzing.

6899348

This is the test case from frewsxcv's fuzzing work, generated by American Fuzzy Lop's rust support. It found a loop where we don't check the return value of read(). #5

rillian closed this as completed Oct 29, 2015

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Panic when using read_box #5

Panic when using read_box #5

frewsxcv commented Oct 29, 2015

rillian commented Oct 29, 2015

rillian commented Oct 29, 2015

Panic when using read_box #5

Panic when using read_box #5

Comments

frewsxcv commented Oct 29, 2015

rillian commented Oct 29, 2015

rillian commented Oct 29, 2015