Bugs in mp42hevc #990

Open
G2FUZZ opened this issue Dec 24, 2024 · 0 comments

Comments

G2FUZZ commented Dec 24, 2024

Describe the bug

I found two bugs when I tested mp42hevc.

To Reproduce

The related commit of Bento4 is 3bdc891

Environment

Ubuntu 22.04

Bug1

Input

bug1.zip

CMD

./mp42hevc Bug1 /dev/null

ASAN Output

=================================================================
==16385==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000000e9e at pc 0x555555647846 bp 0x7fffffffde40 sp 0x7fffffffd608
WRITE of size 4294967295 at 0x619000000e9e thread T0
    #0 0x555555647845 in __asan_memcpy (/experiments/programs_AFLplusplus/aflasan/mp42hevc+0xf3845) (BuildId: 1693de0022468d065b83dae980acd4a0bc13a7c2)
    #1 0x55555568faea in AP4_MemoryByteStream::WritePartial(void const*, unsigned int, unsigned int&) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4ByteStream.cpp:785:5
    #2 0x55555568942d in AP4_ByteStream::Write(void const*, unsigned int) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4ByteStream.cpp:77:29
    #3 0x555555756d08 in AP4_CencSampleEncryption::DoWriteFields(AP4_ByteStream&) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4CommonEncryption.cpp:3569:16
    #4 0x555555704b1b in AP4_Atom::Clone() /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4Atom.cpp:316:9
    #5 0x5555556af75d in AP4_SampleDescription::AP4_SampleDescription(AP4_SampleDescription::Type, unsigned int, AP4_AtomParent*) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4SampleDescription.cpp:138:41
    #6 0x5555556af75d in AP4_AvcSampleDescription::AP4_AvcSampleDescription(unsigned int, unsigned short, unsigned short, unsigned short, char const*, AP4_AtomParent*) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4SampleDescription.cpp:383:5
    #7 0x5555556c7223 in AP4_AvcSampleEntry::ToSampleDescription() /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4SampleEntry.cpp:1146:16
    #8 0x5555556d1ab4 in AP4_StsdAtom::GetSampleDescription(unsigned int) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4StsdAtom.cpp:182:53
    #9 0x555555685843 in main /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Apps/Mp42Hevc/Mp42Hevc.cpp:393:39
    #10 0x7ffff7a6ad8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: c289da5071a3399de893d2af81d6a30c62646e1e)
    #11 0x7ffff7a6ae3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: c289da5071a3399de893d2af81d6a30c62646e1e)
    #12 0x5555555ae734 in _start (/experiments/programs_AFLplusplus/aflasan/mp42hevc+0x5a734) (BuildId: 1693de0022468d065b83dae980acd4a0bc13a7c2)

0x619000000e9e is located 0 bytes after 1054-byte region [0x619000000a80,0x619000000e9e)
allocated by thread T0 here:
    #0 0x555555682fad in operator new[](unsigned long) (/experiments/programs_AFLplusplus/aflasan/mp42hevc+0x12efad) (BuildId: 1693de0022468d065b83dae980acd4a0bc13a7c2)
    #1 0x5555556924a7 in AP4_DataBuffer::ReallocateBuffer(unsigned int) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:210:28
    #2 0x5555556924a7 in AP4_DataBuffer::SetBufferSize(unsigned int) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:136:16
    #3 0x5555556924a7 in AP4_DataBuffer::Reserve(unsigned int) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4DataBuffer.cpp:107:12

SUMMARY: AddressSanitizer: heap-buffer-overflow (/experiments/programs_AFLplusplus/aflasan/mp42hevc+0xf3845) (BuildId: 1693de0022468d065b83dae980acd4a0bc13a7c2) in __asan_memcpy
Shadow bytes around the buggy address:
  0x619000000c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x619000000c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x619000000d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x619000000d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x619000000e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x619000000e80: 00 00 00[06]fa fa fa fa fa fa fa fa fa fa fa fa
  0x619000000f00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x619000000f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x619000001000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x619000001080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x619000001100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==16385==ABORTING

Bug2

Input

bug2.zip

CMD

./mp42hevc Bug1 /dev/null

ASAN Output

AddressSanitizer:DEADLYSIGNAL
=================================================================
==16402==ERROR: AddressSanitizer: FPE on unknown address 0x5555557fb476 (pc 0x5555557fb476 bp 0x7fffffffd4f0 sp 0x7fffffffd360 T0)
    #0 0x5555557fb476 in AP4_TfraAtom::AP4_TfraAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4TfraAtom.cpp:153:53
    #1 0x5555557fab14 in AP4_TfraAtom::Create(unsigned int, AP4_ByteStream&) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4TfraAtom.cpp:53:16
    #2 0x555555719543 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:443:20
    #3 0x555555715d34 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
    #4 0x55555575995d in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:196:12
    #5 0x555555759516 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:140:5
    #6 0x5555557589c4 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
    #7 0x5555557186f4 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816:20
    #8 0x555555715d34 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
    #9 0x55555575995d in AP4_ContainerAtom::ReadChildren(AP4_AtomFactory&, AP4_ByteStream&, unsigned long long) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:196:12
    #10 0x555555759516 in AP4_ContainerAtom::AP4_ContainerAtom(unsigned int, unsigned long long, bool, AP4_ByteStream&, AP4_AtomFactory&) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:140:5
    #11 0x5555557589c4 in AP4_ContainerAtom::Create(unsigned int, unsigned long long, bool, bool, AP4_ByteStream&, AP4_AtomFactory&) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4ContainerAtom.cpp:88:20
    #12 0x5555557186f4 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned int, unsigned int, unsigned long long, AP4_Atom*&) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:816:20
    #13 0x555555715d34 in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, unsigned long long&, AP4_Atom*&) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:234:14
    #14 0x5555557152da in AP4_AtomFactory::CreateAtomFromStream(AP4_ByteStream&, AP4_Atom*&) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4AtomFactory.cpp:154:12
    #15 0x555555693fde in AP4_File::ParseStream(AP4_ByteStream&, AP4_AtomFactory&, bool) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4File.cpp:104:12
    #16 0x55555569464d in AP4_File::AP4_File(AP4_ByteStream&, bool) /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4File.cpp:78:5
    #17 0x5555556857e7 in main /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Apps/Mp42Hevc/Mp42Hevc.cpp:374:32
    #18 0x7ffff7a6ad8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: c289da5071a3399de893d2af81d6a30c62646e1e)
    #19 0x7ffff7a6ae3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: c289da5071a3399de893d2af81d6a30c62646e1e)
    #20 0x5555555ae734 in _start (/experiments/programs_AFLplusplus/aflasan/mp42hevc+0x5a734) (BuildId: 1693de0022468d065b83dae980acd4a0bc13a7c2)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /experiments/programs_AFLplusplus/unibench/Bento4/Source/C++/Core/Ap4TfraAtom.cpp:153:53 in AP4_TfraAtom::AP4_TfraAtom(unsigned int, unsigned char, unsigned int, AP4_ByteStream&)
==16402==ABORTING
