Bug#903099: libmp4v2-2: Just found a NULL ptr reference which could result in `mp4info` crashes on corrupted MP4 file.
Ruikai Liu
lrk700 at gmail.com
Fri Jul 6 08:14:56 BST 2018
Package: libmp4v2-2
Version: 2.0.0~dfsg0-5+b1
Severity: normal
Tags: upstream
Dear Maintainer,
A corrupted MP4 file could result in a NULL pointer reference when
`mp4info` parses it.
By running `mp4info c1`, the output is as follows:
root at debian:~# mp4info c1
mp4info version -r
c1:
ReadAtom: "c1": invalid atom size, extends outside parent atom - skipping to end of "" "moov" 1837 vs 1816
ReadChildAtoms: "c1": In atom stbl missing child atom stsd
ReadAtom: "c1": invalid atom size, extends outside parent atom - skipping to end of "moov" "udta" 1837 vs 1816
ReadAtom: "c1": invalid atom size, extends outside parent atom - skipping to end of "udta" "meta" 1837 vs 1816
ReadAtom: "c1": invalid atom size, extends outside parent atom - skipping to end of "meta" "ilst" 1837 vs 1816
ReadAtom: "c1": atom type da is suspect
ReadChildAtoms: "c1": In atom tvsh missing child atom data
ReadAtom: "c1": invalid atom size, extends outside parent atom - skipping to end of "ilst" "" 16844570 vs 1816
ReadAtom: "c1": invalid atom size, extends outside parent atom - skipping to end of "" "data" 16844338 vs 1816
Segmentation fault
The bug could be mitigated in the following way:
--- ../mp4v2-2.0.0/src/mp4file.cpp 2012-05-21 06:11:53.000000000 +0800
+++ src/mp4file.cpp 2018-07-06 15:07:32.787600190 +0800
@@ -3415,6 +3415,9 @@
MP4Atom *pAtom =
FindAtom(MakeTrackName(trackId,
"mdia.minf.stbl.stsd"));
+ if(pAtom == NULL) {
+ return NULL;
+ }
if (pAtom->GetNumberOfChildAtoms() != 1) {
log.errorf("%s: \"%s\": track %d has more than 1 child atoms in stsd",
__FUNCTION__, GetFilename().c_str(), trackId);
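Review bot: the new early return right after the FindAtom call fails silently, while the check immediately below it reports its failure through log.errorf. Logging that the track has no stsd atom, in the same style, would make the condition diagnosable, and `if (pAtom == NULL)` with a space would match the surrounding code. Because this path now returns NULL for a missing stsd, every caller of this function has to tolerate a NULL result, not only the one patched in mp4info.cpp.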
--- ../mp4v2-2.0.0/src/mp4info.cpp 2018-07-06 14:47:06.599645300 +0800
+++ src/mp4info.cpp 2018-07-06 14:47:36.111644422 +0800
@@ -315,7 +315,7 @@
media_data_name = MP4GetTrackMediaDataName(mp4File, trackId);
// encv 264b
- if (strcasecmp(media_data_name, "encv") == 0) {
+ if (media_data_name != NULL && strcasecmp(media_data_name, "encv") == 0) {
if (MP4GetTrackMediaDataOriginalFormat(mp4File,
trackId,
originalFormat,
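Review bot: the NULL guard is attached only to the `encv` comparison, so any other use of media_data_name in this function that falls outside the hunk would still receive a NULL pointer. Checking the result once, directly after the MP4GetTrackMediaDataName call, and handling the missing-name case there would cover all later uses instead of relying on a per-comparison guard.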
However, it seems that the code is no longer maintained by upstream, and there is nowhere I could file an issue.
-- System Information:
Debian Release: 9.4
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.9.0-6-amd64 (SMP w/16 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.utf8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.utf8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages libmp4v2-2 depends on:
ii libc6 2.24-11+deb9u3
ii libgcc1 1:6.3.0-18+deb9u1
ii libstdc++6 6.3.0-18+deb9u1
libmp4v2-2 recommends no packages.
libmp4v2-2 suggests no packages.
-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: c1
Type: video/mp4
Size: 1816 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-multimedia-maintainers/attachments/20180706/8d031828/attachment.mp4>
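
The failure mode in the report above, shown as an added example that is not part of the original message and is not libmp4v2 code: an atom lookup that returns NULL when "stsd" is missing or a size field runs past its parent, and a caller that checks the result before using it. The function names and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed samples: moov>trak>mdia>minf>stbl, with and without an stsd child. */
static const uint8_t SAMPLE_OK[] =
    "\0\0\0\x40moov" "\0\0\0\x38trak" "\0\0\0\x30mdia" "\0\0\0\x28minf"
    "\0\0\0\x20stbl" "\0\0\0\x18stsd" "\0\0\0\0" "\0\0\0\1" "\0\0\0\x08" "encv";
static const uint8_t SAMPLE_NO_STSD[] =
    "\0\0\0\x28moov" "\0\0\0\x20trak" "\0\0\0\x18mdia" "\0\0\0\x10minf" "\0\0\0\x08stbl";
static uint32_t be32(const uint8_t *p) {   /* big-endian 32-bit read */
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
/* First child of `type` in buf[0..len). NULL if absent, or if a size is below the
 * 8-byte header or runs past the parent (special sizes 0 and 1 are rejected). */
static const uint8_t *find_child(const uint8_t *buf, size_t len, const char *type, size_t *size) {
    for (size_t off = 0, sz; len - off >= 8; off += sz) {
        sz = be32(buf + off);
        if (sz < 8 || sz > len - off) return NULL;
        if (memcmp(buf + off + 4, type, 4) == 0) { *size = sz; return buf + off; }
    }
    return NULL;
}
/* Resolve a dotted path of 4-character atom types; NULL when any level is missing. */
static const uint8_t *find_atom(const uint8_t *buf, size_t len, const char *path, size_t *size) {
    const uint8_t *atom = NULL;
    while (strlen(path) >= 4) {
        atom = find_child(buf, len, path, size);
        if (atom == NULL) return NULL;
        buf = atom + 8; len = *size - 8; path += 4;   /* descend into the payload */
        if (*path == '.') path++;
    }
    return atom;
}
/* 0 and the first sample entry type (e.g. "encv"), or -1 if stsd is missing or malformed. */
int media_data_name(const uint8_t *file, size_t len, char name[5]) {
    size_t size = 0;
    const uint8_t *stsd = find_atom(file, len, "moov.trak.mdia.minf.stbl.stsd", &size);
    if (stsd == NULL || size < 24) return -1;   /* 8 header + 4 flags + 4 count + 8 entry */
    uint32_t esz = be32(stsd + 16);
    if (esz < 8 || esz > size - 16) return -1;
    memcpy(name, stsd + 20, 4); name[4] = '\0';
    return 0;
}
int main(void) {
    char name[5] = "";
    int rc = media_data_name(SAMPLE_OK, sizeof SAMPLE_OK - 1, name);
    printf("with stsd: rc=%d name=%s\n", rc, name);
    printf("no stsd:   rc=%d\n", media_data_name(SAMPLE_NO_STSD, sizeof SAMPLE_NO_STSD - 1, name));
    return 0;
}
```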