[Bug] Segmentation Fault in processmp4 #908

Closed
opened 2026-01-29 16:56:42 +00:00 by claunia · 0 comments
Owner

Originally created by @oneafter on GitHub (Jan 23, 2026).

Description

We discovered a Segmentation Fault in ccextractor. The crash occurs in the processmp4 function when attempting to log a message using mprint.

The ASAN report indicates a SEGV caused by a READ memory access on the address 0xbebebebebebebebe. This specific pattern (0xBE) typically indicates that the application is accessing memory that has been freed (Use-After-Free) or is uninitialized, passing a dangling pointer to strlen via printf.

Environment

  • OS: Linux x86_64
  • Compiler: Clang
  • Build Configuration: Release mode with ASan enabled.

Vulnerability Details

  • Target: CCExtractor
  • Vulnerability Type: CWE-416: Use After Free / CWE-457: Use of Uninitialized Memory
  • Function: processmp4 -> mprint
  • Location: src/lib_ccx/mp4.c:902
  • Root Cause Analysis: The crash happens at line 902 of src/lib_ccx/mp4.c inside a call to mprint. mprint acts as a wrapper for vfprintf. The crash trace ends in internal_strlen, implying mprint is parsing a format string (likely containing %s) and trying to calculate the length of the corresponding string argument.

The register rdi holds 0xbebebebebebebebe. In many debugging environments and sanitizers (like ASAN with specific flags or certain allocators), 0xBE is used to poison freed memory. This suggests that processmp4 is holding a pointer to an MP4 box name or data buffer that has already been freed, and it attempts to print this name for logging/debugging purposes.

Reproduce

  1. Build ccextractor with Release optimization and ASAN enabled.
  2. Run with the crashing file (https://github.com/oneafter/0123/blob/main/cc3/repro):
     ./build/ccextractor repro
ASAN report
AddressSanitizer:DEADLYSIGNAL
=================================================================
==68859==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x55919c919330 bp 0x7ffe82f56ff0 sp 0x7ffe82f56768 T0)
==68859==The signal is caused by a READ memory access.
==68859==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
    #0 0x55919c919330 in __sanitizer::internal_strlen(char const*) (/src/ccextractor/build_afl/ccextractor+0x1ab330) (BuildId: 144afa46e860f46ef2c26b7a110ecb6056d5f015)
    #1 0x55919c886646 in printf_common(void*, char const*, __va_list_tag*) asan_interceptors.cpp.o
    #2 0x55919c886c9f in vfprintf (/src/ccextractor/build_afl/ccextractor+0x118c9f) (BuildId: 144afa46e860f46ef2c26b7a110ecb6056d5f015)
    #3 0x55919ce41340 in mprint /src/ccextractor/src/lib_ccx/utility.c:194:2
    #4 0x55919cde315e in processmp4 /src/ccextractor/src/lib_ccx/mp4.c:902:2
    #5 0x55919caa0d2f in start_ccx /src/ccextractor/src/ccextractor.c:237:12
    #6 0x7f0e2771d1c9  (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #7 0x7f0e2771d28a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #8 0x55919c860404 in _start (/src/ccextractor/build_afl/ccextractor+0xf2404) (BuildId: 144afa46e860f46ef2c26b7a110ecb6056d5f015)

==68859==Register values:
rax = 0xffffffffffffffff  rbx = 0x00007ffe82f57000  rcx = 0x0000000000000010  rdx = 0x0000000000000073  
rdi = 0xbebebebebebebebe  rsi = 0x0000000000000000  rbp = 0x00007ffe82f56ff0  rsp = 0x00007ffe82f56768  
 r8 = 0x0000000000000007   r9 = 0xf9f90700f9f9f901  r10 = 0x3ffffffffffffff8  r11 = 0x0000000000000000  
r12 = 0x000055919d23d2c4  r13 = 0x0000000000000073  r14 = 0xbebebebebebebebe  r15 = 0x000055919d2fe1eb  
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/src/ccextractor/build_afl/ccextractor+0x1ab330) (BuildId: 144afa46e860f46ef2c26b7a110ecb6056d5f015) in __sanitizer::internal_strlen(char const*)
==68859==ABORTING
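As an added triage helper (not part of the report or of CCExtractor), this script parses the ASan output above: it lists the frames that carry source locations and flags registers holding a value that cannot be a valid x86-64 pointer, noting when the value is a repeated fill byte such as 0xbe, which ASan writes into newly allocated heap memory by default (malloc_fill_byte). The report excerpt is constructed from the text above and trimmed, and FILL_HINTS is a minimal table limited to that one documented default.

```python
import re
# Constructed, trimmed excerpt of the ASan report quoted in the issue above.
ASAN_REPORT = """\
==68859==ERROR: AddressSanitizer: SEGV on unknown address (pc 0x55919c919330 bp 0x7ffe82f56ff0 sp 0x7ffe82f56768 T0)
    #0 0x55919c919330 in __sanitizer::internal_strlen(char const*) (/src/ccextractor/build_afl/ccextractor+0x1ab330)
    #3 0x55919ce41340 in mprint /src/ccextractor/src/lib_ccx/utility.c:194:2
    #4 0x55919cde315e in processmp4 /src/ccextractor/src/lib_ccx/mp4.c:902:2
rax = 0xffffffffffffffff  rbx = 0x00007ffe82f57000  rcx = 0x0000000000000010  rdx = 0x0000000000000073
rdi = 0xbebebebebebebebe  rsi = 0x0000000000000000  rbp = 0x00007ffe82f56ff0  rsp = 0x00007ffe82f56768
r12 = 0x000055919d23d2c4  r13 = 0x0000000000000073  r14 = 0xbebebebebebebebe  r15 = 0x000055919d2fe1eb
"""

# 0xbe is ASan's default malloc_fill_byte: the contents of heap memory that was allocated but never written.
FILL_HINTS = {0xbe: "ASan malloc_fill_byte: allocated-but-uninitialized heap contents"}
FRAME_RE = re.compile(r"#(\d+) 0x[0-9a-f]+ in (\S+) .*?(\S+\.c):(\d+):\d+")
REG_RE = re.compile(r"\b([a-z][a-z0-9]{1,2}) = 0x([0-9a-f]{16})")

def source_frames(report):
    """(frame_no, function, file, line) for every frame that carries debug info, innermost first."""
    return [(int(n), fn, path, int(line)) for n, fn, path, line in FRAME_RE.findall(report)]

def registers(report):
    return {name: int(hexval, 16) for name, hexval in REG_RE.findall(report)}

def repeated_byte(value):
    """The byte if all eight bytes of a 64-bit value are identical, else None."""
    b = value & 0xff
    return b if all((value >> (8 * i)) & 0xff == b for i in range(8)) else None

def is_canonical(addr):
    """With 48-bit virtual addressing, bits 48..63 must equal bit 47; anything else faults on dereference."""
    top = addr >> 47
    return top == 0 or top == 0x1ffff

def triage(report):
    """Frames worth opening in the editor plus registers holding a value that cannot be a valid pointer."""
    suspects = {}
    for name, val in registers(report).items():
        if is_canonical(val):
            continue
        byte = repeated_byte(val)
        suspects[name] = {"value": val, "fill_byte": byte,
                          "hint": FILL_HINTS.get(byte, "non-canonical address, not a known fill pattern")}
    return {"frames": source_frames(report), "suspects": suspects}

if __name__ == "__main__":
    for reg, info in triage(ASAN_REPORT)["suspects"].items():
        print(f"{reg} = {info['value']:#018x} -> {info['hint']}")
```

On the report above it singles out rdi and r14 as 0xbe-filled non-canonical values and points at mprint (utility.c:194) and processmp4 (mp4.c:902) as the frames with source information.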
Reference: starred/ccextractor#908