Description
Hi folks,
An interesting crash was found while fuzz testing the minimp4_x86 binary, which can be triggered via a malformed 264 file. Although this malformed file only crashes the program as-is, it could potentially be crafted further and create a security issue where these kinds of files would be able to compromise the process's memory by taking advantage of affordances given by memory corruption. It's recommended to harden the code to prevent these kinds of bugs, as it could greatly mitigate this issue and even future bugs.
Repro
crash.264.txt
$ minimp4_x86 crash.264 test.mp4
Segmentation fault (core dumped)
$ gdb -q minimp4_x86
Reading symbols from minimp4_x86...
(No debugging symbols found in minimp4_x86)
(gdb) r crash.264 test.mp4
Starting program: minimp4_x86 crash.264 test.mp4
Program received signal SIGBUS, Bus error.
0x0000555555558cac in patch_pps ()
(gdb) bt
#0 0x0000555555558cac in patch_pps ()
#1 0x0000555555555dd1 in main ()
(gdb) i r
rax 0x6510 25872
rbx 0x7fffffffcf70 140737488342896
rcx 0xfffffff8 4294967288
rdx 0xc204e00 203443712
rsi 0x1 1
rdi 0x7fffffffcfb0 140737488342960
rbp 0x7fffffffd040 0x7fffffffd040
rsp 0x7fffffffcec8 0x7fffffffcec8
r8 0x2511 9489
r9 0x555555563679 93824992294521
r10 0x1 1
r11 0x0 0
r12 0x7fffffffcf6c 140737488342892
r13 0x37 55
r14 0x1926 6438
r15 0x555555563670 93824992294512
rip 0x555555558cac 0x555555558cac <patch_pps+44>
eflags 0x10206 [ PF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb) x/i $rip
=> 0x555555558cac <patch_pps+44>: mov 0xd80(%rbp,%rax,4),%r8d
(gdb) exploitable
Description: Access violation
Short description: AccessViolation (21/22)
Hash: 7bfba3fa9abe7b60a7e8004b251c9358.7bfba3fa9abe7b60a7e8004b251c9358
Exploitability Classification: UNKNOWN
Explanation: The target crashed due to an access violation but there is not enough additional information available to determine exploitability.
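The faulting instruction, `mov 0xd80(%rbp,%rax,4),%r8d` with rax = 0x6510 (25872), is a 4-byte load from a frame-relative table indexed by rax, which is consistent with a value decoded from the input being used as an index into a fixed-size stack array without a range check. The C program below is an added illustration and is not minimp4's code nor a reconstruction of patch_pps: it parses the two leading ue(v) fields of an H.264 PPS RBSP (pic_parameter_set_id, range 0..255, and seq_parameter_set_id, range 0..31, per H.264 7.4.2.2) and rejects out-of-range ids before they can reach a table lookup. The bit reader, the per-PPS table, the error codes and all sample byte strings are assumptions made for this example; the samples are constructed here and are not the contents of crash.264 (the third one is simply chosen to decode to 25872, the value seen in rax).

```c
/* Added example (not minimp4 code): validate ids decoded from an untrusted
 * H.264 PPS before using them as table indices. Assumes the ids are the two
 * leading ue(v) fields of the PPS RBSP; the table layout is hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* MSB-first bit reader over an RBSP (emulation-prevention bytes assumed removed). */
typedef struct {
    const uint8_t *buf;
    size_t len;   /* length in bytes */
    size_t pos;   /* current bit position */
} bitreader_t;

/* Returns the next bit, or -1 at end of data. */
static int read_bit(bitreader_t *br)
{
    if (br->pos >= br->len * 8)
        return -1;
    int bit = (br->buf[br->pos >> 3] >> (7 - (br->pos & 7))) & 1;
    br->pos++;
    return bit;
}

/* Unsigned Exp-Golomb ue(v) (H.264 9.1). Returns -1 if the data is truncated
 * or the code has more than 31 leading zeros (a conservative cap chosen here). */
static int64_t read_ue(bitreader_t *br)
{
    int zeros = 0, bit;
    while ((bit = read_bit(br)) == 0) {
        if (++zeros > 31)
            return -1;
    }
    if (bit < 0)
        return -1;
    uint64_t suffix = 0;
    for (int i = 0; i < zeros; i++) {
        bit = read_bit(br);
        if (bit < 0)
            return -1;
        suffix = (suffix << 1) | (uint64_t)bit;
    }
    return (int64_t)(((uint64_t)1 << zeros) - 1 + suffix);
}

#define MAX_PPS 256  /* pic_parameter_set_id is 0..255 (H.264 7.4.2.2) */
#define MAX_SPS 32   /* seq_parameter_set_id is 0..31 (H.264 7.4.2.2) */

/* Error codes for this example's parser. */
enum { PPS_OK = 0, PPS_ERR_TRUNCATED = -1, PPS_ERR_PPS_ID = -2, PPS_ERR_SPS_ID = -3 };

typedef struct { int64_t pps_id, sps_id; } pps_hdr_t;

/* Parse and validate the leading ids of a PPS. Nothing is stored until both
 * ids are known to be in range, so a bad id can never become an index. */
static int parse_pps_header(const uint8_t *rbsp, size_t len, pps_hdr_t *hdr)
{
    bitreader_t br = { rbsp, len, 0 };
    int64_t pps_id = read_ue(&br);
    if (pps_id < 0)        return PPS_ERR_TRUNCATED;
    if (pps_id >= MAX_PPS) return PPS_ERR_PPS_ID;
    int64_t sps_id = read_ue(&br);
    if (sps_id < 0)        return PPS_ERR_TRUNCATED;
    if (sps_id >= MAX_SPS) return PPS_ERR_SPS_ID;
    hdr->pps_id = pps_id;
    hdr->sps_id = sps_id;
    return PPS_OK;
}

/* Hypothetical per-PPS table of the kind a patcher might keep on the stack.
 * The unsafe pattern is `table[read_ue(&br)]` with no check in between; here
 * the only path to the table goes through parse_pps_header(). */
static int64_t pps_table_entry(const int32_t table[MAX_PPS],
                               const uint8_t *rbsp, size_t len)
{
    pps_hdr_t hdr;
    int rc = parse_pps_header(rbsp, len, &hdr);
    if (rc != PPS_OK)
        return rc;                 /* reject the PPS, never index */
    return table[hdr.pps_id];      /* hdr.pps_id < MAX_PPS is guaranteed */
}

/* Demo wrapper: fills a table with entry i = i*10, then looks up the PPS. */
static int64_t demo_lookup(const uint8_t *rbsp, size_t len)
{
    int32_t table[MAX_PPS];
    for (int i = 0; i < MAX_PPS; i++)
        table[i] = i * 10;
    return pps_table_entry(table, rbsp, len);
}

/* Constructed sample RBSPs (not the contents of crash.264). */
static const uint8_t SAMPLE_OK[]      = { 0x22 };                    /* pps_id=3, sps_id=1 */
static const uint8_t SAMPLE_TRUNC[]   = { 0x00 };                    /* zeros only: no stop bit */
static const uint8_t SAMPLE_HUGE_ID[] = { 0x00, 0x03, 0x28, 0x8C };  /* pps_id=25872 (0x6510), sps_id=0 */
static const uint8_t SAMPLE_BAD_SPS[] = { 0x82, 0x10 };              /* pps_id=0, sps_id=32 */

int main(void)
{
    printf("ok:      %lld\n", (long long)demo_lookup(SAMPLE_OK, sizeof SAMPLE_OK));
    printf("trunc:   %lld\n", (long long)demo_lookup(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC));
    printf("huge id: %lld\n", (long long)demo_lookup(SAMPLE_HUGE_ID, sizeof SAMPLE_HUGE_ID));
    printf("bad sps: %lld\n", (long long)demo_lookup(SAMPLE_BAD_SPS, sizeof SAMPLE_BAD_SPS));
    return 0;
}
```

The point of the structure is that the table index is only ever produced by a function that has already compared it against the table size, so a fuzzer-generated id such as 25872 is turned into an error return instead of a load from 0xd80 + 4 * 25872 bytes past the frame base. Running the binary under AddressSanitizer (`-fsanitize=address`) while fuzzing would also turn the silent out-of-bounds stack reads that precede a SIGBUS into immediate, attributable reports.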