techsmith / mp4v2
Fork of mp4v2: https://code.google.com/archive/p/mp4v2/
License: Other
When opening a crafted mp4 file, the program could trigger a heap overflow, which could overwrite a vtable ptr. It then enters mp4v2::impl::MP4TableProperty::ReadEntry and uses the vtable, and then the program crashes.
The gdb output is below:
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x714f38 --> 0x714eb0 --> 0xdeadbeef
RBX: 0x2
RCX: 0xdeadbeef
RDX: 0x9 ('\t')
RSI: 0x707130 --> 0x706c70 --> 0x49bf10 --> 0x453a80 (<mp4v2::platform::io::File::~File()>: push rbp)
RDI: 0x714eb0 --> 0xdeadbeef
RBP: 0x714e10 --> 0x497010 --> 0x4354a0 (<mp4v2::impl::MP4TableProperty::~MP4TableProperty()>: push r12)
RSP: 0x7fffffffd3e0 --> 0xa ('\n')
RIP: 0x435569 (<mp4v2::impl::MP4TableProperty::ReadEntry(mp4v2::impl::MP4File&, unsigned int)+57>: call QWORD PTR [rcx+0x30])
R8 : 0x0
R9 : 0x0
R10: 0x22 ('"')
R11: 0xf736c301
R12: 0x714e38 --> 0x400000004
R13: 0x9 ('\t')
R14: 0x707130 --> 0x706c70 --> 0x49bf10 --> 0x453a80 (<mp4v2::platform::io::File::~File()>: push rbp)
R15: 0x714e38 --> 0x400000004
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x435560 <mp4v2::impl::MP4TableProperty::ReadEntry(mp4v2::impl::MP4File&, unsigned int)+48>: mov edx,r13d
0x435563 <mp4v2::impl::MP4TableProperty::ReadEntry(mp4v2::impl::MP4File&, unsigned int)+51>: mov rsi,r14
0x435566 <mp4v2::impl::MP4TableProperty::ReadEntry(mp4v2::impl::MP4File&, unsigned int)+54>: mov rcx,QWORD PTR [rdi]
=> 0x435569 <mp4v2::impl::MP4TableProperty::ReadEntry(mp4v2::impl::MP4File&, unsigned int)+57>: call QWORD PTR [rcx+0x30]
0x43556c <mp4v2::impl::MP4TableProperty::ReadEntry(mp4v2::impl::MP4File&, unsigned int)+60>: cmp DWORD PTR [rbp+0x28],ebx
0x43556f <mp4v2::impl::MP4TableProperty::ReadEntry(mp4v2::impl::MP4File&, unsigned int)+63>: ja 0x435550 <mp4v2::impl::MP4TableProperty::ReadEntry(mp4v2::impl::MP4File&, unsigned int)+32>
0x435571 <mp4v2::impl::MP4TableProperty::ReadEntry(mp4v2::impl::MP4File&, unsigned int)+65>: pop rbx
0x435572 <mp4v2::impl::MP4TableProperty::ReadEntry(mp4v2::impl::MP4File&, unsigned int)+66>: pop rbp
As you can see, the program crashes in
call QWORD PTR [rcx+0x30]
Now $rcx = 0xdeadbeef, which is under our control.
fuzz log
{"type":"crash","sub_type":"heapoverflow","pc":"0x000000000043c38f","func_of_pc":"_ZN5mp4v24impl20MP4Integer32Property4ReadERNS0_7MP4FileEj","module_of_pc":"mp4file","module_base_of_pc":"0x0000000000400000","exception_code":"0xB","access_memory":"0x00007f1066e24000","backtrace":"0.mp4file.0x3c38f _ZN5mp4v24impl20MP4Integer32Property4ReadERNS0_7MP4FileEj
","extra_info":"[returnaddr=mp4file.0x3BD0C, addr=0x00007f1066e23ffc,0x4]"}
While there is code that should read the chpl atom in moov.udata.chpl, it doesn't seem to work. Also the MP4GetChapters function doesn't seem to look for this. It would be great if MP4GetChapters would use the chpl data if the text track wasn't found.
Hello,
First, I would like to thank you for this useful mp4 toolset. Great work!
When exporting, modifying and re-importing chapters, I came across an issue that I would like to discuss before taking the time for a pull request. Since I did not find a specification of the chapters.txt format, let me point out what I know
*.chapters.txt contains the following format:
00:00:00.000
# or whitespace followed by # (e.g. # ) are ignored
Problems:
a 00:22:34.721 testing
lead to crash / freeze of mp4chaps
This sample can be successfully imported to a file longer than 5:53.382:
# comment line 1 is ignored
00:00:00.000 Intro
# comment line 2 is ignored
00:02:34.711 Chapter 1
00:03:31.640 Chapter 2
00:04:22.724 Chapter 3
00:05:53.382 Chapter 4
Unfortunately, the format does not allow one to determine or calculate the total length of the file only with the *.chapters.txt file, without re-analysing the original mp4 file.
My use case:
*.chapters.txt
with a shell script
*.chapters.txt
mp4info can get the total duration, but since the output format is different AND the chapter files should be parsed on another system than the original files are, it would be great if the *.chapters.txt format could be extended to contain the total length of the file. It would make things a lot easier for my use case.
I would suggest the following extension, where a comment starting with a specific keyword, e.g. total-length, followed by whitespace and then the value of the keyword would contain the required information:
# total-length 00:05:59.533
00:00:00.000 Intro
00:02:34.711 Chapter 1
00:03:31.640 Chapter 2
00:04:22.724 Chapter 3
00:05:53.382 Chapter 4
This extension would also allow to add other keywords, if required (e.g. codec, filesize or other meta tags of the file) but for now the missing information of total length would be great to have.
What do you think? If you are satisfied with the extended specification I could try to implement this feature and submit a pull request...
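A strict reader for the chapters.txt layout shown in the post above, including the proposed `# total-length` comment, as an added example that is not part of the original post or of mp4v2. `parseChapters`, `ChapterFile` and the fixed two-digit hour field are assumptions of this example; a line that does not start with a timestamp, such as the one reported to freeze mp4chaps, is recorded and skipped.

```cpp
#include <cctype>
#include <cstdint>
#include <sstream>
#include <string>
#include <vector>
struct Chapter { uint64_t startMs, durationMs; std::string title; };
struct ChapterFile {
    std::vector<Chapter> chapters;
    std::vector<int> badLines;   // 1-based numbers of rejected lines
    uint64_t totalMs;            // 0 = no usable "# total-length" comment seen
};
// Strict HH:MM:SS.mmm, exactly 12 characters; anything else is rejected.
static bool parseStamp(const std::string& s, uint64_t& ms) {
    if (s.size() != 12 || s[2] != ':' || s[5] != ':' || s[8] != '.') return false;
    uint64_t f[4] = {0, 0, 0, 0};
    for (size_t i = 0, k = 0; i < 12; ++i) {
        if (i == 2 || i == 5 || i == 8) { ++k; continue; }
        if (!std::isdigit(static_cast<unsigned char>(s[i]))) return false;
        f[k] = f[k] * 10 + static_cast<uint64_t>(s[i] - '0');
    }
    ms = ((f[0] * 60 + f[1]) * 60 + f[2]) * 1000 + f[3];
    return f[1] <= 59 && f[2] <= 59;
}

// Hypothetical parser: malformed lines are recorded and skipped, never guessed at.
ChapterFile parseChapters(const std::string& text) {
    const std::string ws = " \t\r", key = "total-length";
    ChapterFile out{};
    std::istringstream in(text);
    std::string line; uint64_t t = 0;
    for (int n = 1; std::getline(in, line); ++n) {
        size_t p = line.find_first_not_of(ws);
        if (p == std::string::npos) continue;                 // blank line
        if (line[p] == '#') {                                 // comment or directive
            size_t k = line.find_first_not_of(ws, p + 1);
            if (k == std::string::npos || line.compare(k, key.size(), key) != 0) continue;
            size_t v = line.find_first_not_of(ws, k + key.size());
            if (v != std::string::npos && parseStamp(line.substr(v, 12), t)) out.totalMs = t;
            else out.badLines.push_back(n);
            continue;
        }
        bool ok = parseStamp(line.substr(p, 12), t)           // timestamp must lead the line
            && (line.size() == p + 12 || ws.find(line[p + 12]) != std::string::npos)
            && (out.chapters.empty() || t > out.chapters.back().startMs);
        if (!ok) { out.badLines.push_back(n); continue; }
        size_t b = line.find_first_not_of(ws, p + 12), e = line.find_last_not_of(ws);
        out.chapters.push_back({t, 0, b == std::string::npos ? "" : line.substr(b, e - b + 1)});
    }
    for (size_t i = 0; i + 1 < out.chapters.size(); ++i)
        out.chapters[i].durationMs = out.chapters[i + 1].startMs - out.chapters[i].startMs;
    if (!out.chapters.empty() && out.totalMs > out.chapters.back().startMs)
        out.chapters.back().durationMs = out.totalMs - out.chapters.back().startMs;
    return out;
}

// Constructed sample: proposed header, an indented comment, one malformed line.
static const char kSample[] = "# total-length 00:05:59.533\n00:00:00.000 Intro\n  # note\n"
    "00:02:34.711 Chapter 1\na 00:22:34.721 testing\n00:05:53.382 Chapter 4\n";
int main() { return parseChapters(kSample).badLines.size() == 1 ? 0 : 1; }
```

Without a usable `# total-length` line the last chapter's duration stays 0, which is the gap the post describes.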
Hi. I want to thank you for continuing this project, and to ask if I could pick your brains about how and where chapter information is stored using Mp4v2.
Here's the situation: I just started learning Swift less than a year ago. I don't know any of the C-related languages. With the help of my very generous mentor, I've got a version of MP4v2 as a Swift Package Manager package to import into my project, but the API is in raw C, and I'm struggling with it.
For example: I've created a structure that holds my chapters, and within it I have a property that converts them to an array of MP4Chapter_t objects.
// convert chapters to mp4Chapter type
var mp4Chapters: [MP4Chapter_t] {
    var mp4Chapters: [MP4Chapter_t] = []
    var defaultChapterTitle: String = ""
    // for each index in the chapters array...
    for index in sortedChapters().indices {
        defaultChapterTitle = "Chapter \(Int(index))"
        // get the current chapter
        let chapter = sortedChapters()[index]
        // get the endTime for the current chapter from the startTime of the next chapter
        let endTime: Int
        // get the index of the next chapter
        let nextIndex = sortedChapters().index(after: index)
        if nextIndex < sortedChapters().endIndex {
            let nextChapter = sortedChapters()[nextIndex]
            // get the end time of the current chapter from the start time of the next chapter
            endTime = nextChapter.startTime
        } else {
            // unless it's the last chapter, in which case the end time is the end of the file
            endTime = self.fileDuration
        }
        // convert the duration to MP4Duration
        let chapterDuration = endTime - chapter.startTime
        let mp4Duration = MP4Duration(chapterDuration)
        // use the duration and chapter title to initialize an MP4Chapter_t object
        let title = chapter.chapter.chapterTitle
        var mp4Chapter = MP4Chapter_t()
        mp4Chapter.duration = mp4Duration
        withUnsafeMutableBytes(of: &mp4Chapter.title) { buffer in
            buffer.copyBytes(from: title?.utf8 ?? defaultChapterTitle.utf8)
        }
        mp4Chapters.append(mp4Chapter)
    }
    return mp4Chapters
}
But I sort of struggle to figure out what to do with it from there. I think maybe I use MP4SetChapters, but I'm not sure. But even if I'm right, I can't figure out what it needs for the chapterList parameter of MP4SetChapters:
let mp4Chapters = toc.mp4Chapters
let chapterCountInt = mp4Chapters.count
let chapterCountUInt32 = chapterCountInt.truncatedUInt32
MP4SetChapters(fileHandle,
               <#T##chapterList: UnsafeMutablePointer<MP4Chapter_t>!##UnsafeMutablePointer<MP4Chapter_t>!#>,
               chapterCountUInt32,
               MP4ChapterTypeAny)
I'm just not sure what <#T##chapterList: UnsafeMutablePointer<MP4Chapter_t>!##UnsafeMutablePointer<MP4Chapter_t>!#> is supposed to be.
Failing that, since all I require is a very simple and straightforward library that manages metadata and chapters for mp4 files (specifically, the audio files, such as podcasts and audiobooks), I thought perhaps I could create it myself from scratch. I know how to read the atoms and identify the various atoms from the file data, but what I don't understand is where the chapter data actually lives.
Looking at the MP4v2 code, it seems like if the chapter is a Quicktime chapter, it is stored in the gmhd atom:
(void)InsertChildAtom(MakeTrackName(trackId, "mdia.minf"), "gmhd", 0);
or if it's a Nero chapter, it creates a chpl atom, but examining a file that was created using Mp4v2, neither of those atoms are in the file. In the stbl subAtoms I can see a lot of stuff that creates samples in the same number of chapters in the file I'm dissecting, so I'm pretty sure that's related, but as far as where the chapter title and duration data, etc, exist, I can't find it.
Do you have any insight into this you could share with me?
Can this be built for Windows using the command line? I have tried make and msbuild with no luck.
Ubuntu 22.04, make
util/mp4art.cpp: In member function ‘virtual bool mp4v2::util::ArtUtility::utility_option(int, bool&)’:
util/mp4art.cpp:380:14: error: narrowing conversion of ‘mp4v2::util::ArtUtility::LC_ART_ANY’ from ‘unsigned int’ to ‘int’ [-Wnarrowing]
380 | case LC_ART_ANY:
| ^~~~~~~~~~
util/mp4art.cpp:384:14: error: narrowing conversion of ‘mp4v2::util::ArtUtility::LC_ART_INDEX’ from ‘unsigned int’ to ‘int’ [-Wnarrowing]
384 | case LC_ART_INDEX:
| ^~~~~~~~~~~~
util/mp4art.cpp:393:14: error: narrowing conversion of ‘mp4v2::util::ArtUtility::LC_LIST’ from ‘unsigned int’ to ‘int’ [-Wnarrowing]
393 | case LC_LIST:
| ^~~~~~~
util/mp4art.cpp:397:14: error: narrowing conversion of ‘mp4v2::util::ArtUtility::LC_ADD’ from ‘unsigned int’ to ‘int’ [-Wnarrowing]
397 | case LC_ADD:
| ^~~~~~
util/mp4art.cpp:404:14: error: narrowing conversion of ‘mp4v2::util::ArtUtility::LC_REMOVE’ from ‘unsigned int’ to ‘int’ [-Wnarrowing]
404 | case LC_REMOVE:
| ^~~~~~~~~
util/mp4art.cpp:408:14: error: narrowing conversion of ‘mp4v2::util::ArtUtility::LC_REPLACE’ from ‘unsigned int’ to ‘int’ [-Wnarrowing]
408 | case LC_REPLACE:
| ^~~~~~~~~~
util/mp4art.cpp:415:14: error: narrowing conversion of ‘mp4v2::util::ArtUtility::LC_EXTRACT’ from ‘unsigned int’ to ‘int’ [-Wnarrowing]
415 | case LC_EXTRACT:
| ^~~~~~~~~~
make: *** [GNUmakefile:1348: util/mp4art.o] Error 1
Hi, everyone. A bug happened, as in the title, when I use the MP4Read interface in the Mp4ToH264 function.
Here is my code.
MP4FileHandle oMp4File;
oMp4File = MP4Read(sMp4file);
if (!oMp4File)
{
    printf("Read error....%s\r\n",sMp4file);
    return -1;
}
And this is my mp4 file:
https://user-images.githubusercontent.com/29395068/145324955-0a748f4a-1a19-4357-a70f-59886802be5c.mp4
I use the mp4v2 lib version 2.0.0 and run it on qnx.
ffmpeg can convert this mp4 to H264 successfully with the command
ffmpeg -i test.mp4 -c:v libx264 test.h264
so I think the mp4 file is normal.
Latest version used in FileOptimizer destroys .mpa files. Please refer to this thread for full info.
https://sourceforge.net/p/nikkhokkho/discussion/fileoptimizer/thread/129ddbb5/
So I want to be able to delete the tvsn atom, but calling MP4TagsSetTVSeason with season set to null, doesn't delete it, just sets the value to null. I've got all the sources, so if there's no way to do this currently, if you could point me in the right direction I could modify MP4TagsSetTVSeason myself.
Also, there used to be a document that documented all the API that seemed to get lost after the move from google code. Any idea where it might be?
Thanks,
Dan
The file file_prop.h provides a function MP4SetTimeScale() but its counterpart MP4SetDuration() is missing.
Can we get a function to set the file's duration?
hi
Can h265 be encapsulated?
src/mp4file.cpp
MP4ChapterType MP4File::GetChapters(MP4Chapter_t ** chapterList, uint32_t * chapterCount, MP4ChapterType fromChapterType)
{
    ...
    const char * title = (const char *)&(sample[2]);
    // collection of characters can be encoded in UTF-16
    int titleLen = min((uint32_t)((sample[0] << 8) | sample[1]), (uint32_t)MP4V2_CHAPTER_TITLE_MAX);
    // either byte in title may be zero
    strncpy(chapters[i].title, title, titleLen);
    chapters[i].title[titleLen] = 0;
    ...
}
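A bounded form of the length-prefixed title copy quoted above, next to the copy as quoted, added here as an example and not taken from mp4v2. It keeps the length with the bytes so zero bytes in a UTF-16 title survive, and it goes beyond the excerpt by also clamping to the sample size; `Title`, `copyBounded`, `kTitleMax` and the byte-order-mark check are assumptions of this example.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstring>

// Assumed capacity for this example; the excerpt uses MP4V2_CHAPTER_TITLE_MAX.
static const size_t kTitleMax = 1023;
struct Title { char bytes[kTitleMax + 1]; size_t len; bool utf16; };

// The copy as quoted in the excerpt, for comparison (pass a well-formed sample only).
void copyAsQuoted(const uint8_t* sample, Title& out) {
    const char* title = reinterpret_cast<const char*>(&sample[2]);
    size_t titleLen = std::min<size_t>((sample[0] << 8) | sample[1], kTitleMax);
    std::memset(out.bytes, 0, sizeof out.bytes);
    std::strncpy(out.bytes, title, titleLen);   // stops at the first zero byte
    out.bytes[titleLen] = 0;
    out.len = std::strlen(out.bytes);
    out.utf16 = false;
}

// Bounded copy: the declared length is clamped to the destination capacity AND to
// the bytes actually present in the sample, and zero bytes are copied as data.
bool copyBounded(const uint8_t* sample, size_t sampleSize, Title& out) {
    std::memset(&out, 0, sizeof out);
    if (sample == nullptr || sampleSize < 2) return false;   // no room for the prefix
    size_t declared = (static_cast<size_t>(sample[0]) << 8) | sample[1];
    size_t n = std::min(declared, std::min(sampleSize - 2, kTitleMax));
    std::memcpy(out.bytes, sample + 2, n);
    out.len = n;                                             // length travels with the bytes
    // Assumption: a leading byte-order mark (FE FF or FF FE) marks UTF-16 text.
    out.utf16 = n >= 2 && ((sample[2] == 0xFE && sample[3] == 0xFF) ||
                           (sample[2] == 0xFF && sample[3] == 0xFE));
    return true;
}

// Constructed samples: UTF-16BE "Hi" with a BOM, and a prefix that claims 0xFFFF bytes.
static const uint8_t kUtf16Title[] = {0x00, 0x06, 0xFE, 0xFF, 0x00, 'H', 0x00, 'i'};
static const uint8_t kLyingPrefix[] = {0xFF, 0xFF, 'a', 'b', 'c'};

int main() {
    Title a, b;
    copyAsQuoted(kUtf16Title, a);                     // keeps only the 2 BOM bytes
    copyBounded(kUtf16Title, sizeof kUtf16Title, b);  // keeps all 6 title bytes
    return (a.len == 2 && b.len == 6) ? 0 : 1;
}
```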
https://github.com/TechSmith/mp4v2
OS: Ubuntu 20.04 LTS
Build: mkdir build && cd build && cmake .. && make
https://github.com/z1r00/fuzz_vuln/blob/main/mp4v2/heap-buffer-overflow/mp4property.cpp/poc1.mp4
./mp4info poc1.mp4
./mp4info version 2.0.0
/home/ubuntu/fuzzing/mp4v2/poc1.mp4:
=================================================================
==2321319==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000158 at pc 0x7f0be169f82a bp 0x7ffe0644aba0 sp 0x7ffe0644ab98
READ of size 8 at 0x602000000158 thread T0
#0 0x7f0be169f829 in mp4v2::impl::MP4StringProperty::~MP4StringProperty() /home/ubuntu/mprv2_fuzz/mp4v2/src/mp4property.cpp:338:17
#1 0x7f0be169f919 in mp4v2::impl::MP4StringProperty::~MP4StringProperty() /home/ubuntu/mprv2_fuzz/mp4v2/src/mp4property.cpp:335:1
#2 0x7f0be161a7d4 in mp4v2::impl::MP4Atom::~MP4Atom() /home/ubuntu/mprv2_fuzz/mp4v2/src/mp4atom.cpp:66:9
#3 0x7f0be1587419 in mp4v2::impl::MP4FtypAtom::~MP4FtypAtom() /home/ubuntu/mprv2_fuzz/mp4v2/src/atoms.h:344:7
#4 0x7f0be1624cd6 in mp4v2::impl::MP4Atom::ReadAtom(mp4v2::impl::MP4File&, mp4v2::impl::MP4Atom*) /home/ubuntu/mprv2_fuzz/mp4v2/src/mp4atom.cpp:206:3
#5 0x7f0be1626ffb in mp4v2::impl::MP4Atom::ReadChildAtoms() /home/ubuntu/mprv2_fuzz/mp4v2/src/mp4atom.cpp:442:31
#6 0x7f0be1625990 in mp4v2::impl::MP4Atom::Read() /home/ubuntu/mprv2_fuzz/mp4v2/src/mp4atom.cpp:247:11
#7 0x7f0be163960d in mp4v2::impl::MP4File::ReadFromFile() /home/ubuntu/mprv2_fuzz/mp4v2/src/mp4file.cpp:431:18
#8 0x7f0be1637f1f in mp4v2::impl::MP4File::Read(char const*, MP4FileProvider_s const*) /home/ubuntu/mprv2_fuzz/mp4v2/src/mp4file.cpp:98:5
#9 0x7f0be15e60e2 in MP4Read /home/ubuntu/mprv2_fuzz/mp4v2/src/mp4.cpp:106:16
#10 0x7f0be169ae58 in MP4FileInfo /home/ubuntu/mprv2_fuzz/mp4v2/src/mp4info.cpp:614:29
#11 0x4c8141 in main /home/ubuntu/mprv2_fuzz/mp4v2/util/mp4info.cpp:77:22
#12 0x7f0be0e3f082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
#13 0x41d52d in _start (/home/ubuntu/mprv2_fuzz/mp4v2/build/mp4info+0x41d52d)
0x602000000158 is located 0 bytes to the right of 8-byte region [0x602000000150,0x602000000158)
allocated by thread T0 here:
#0 0x495f89 in realloc (/home/ubuntu/mprv2_fuzz/mp4v2/build/mp4info+0x495f89)
#1 0x7f0be1534c3d in mp4v2::impl::MP4Realloc(void*, unsigned int) /home/ubuntu/mprv2_fuzz/mp4v2/src/mp4util.h:80:18
#2 0x7f0be16b428f in mp4v2::impl::MP4StringArray::Resize(unsigned int) /home/ubuntu/mprv2_fuzz/mp4v2/src/mp4array.h:138:1
#3 0x7f0be169f9a3 in mp4v2::impl::MP4StringProperty::SetCount(unsigned int) /home/ubuntu/mprv2_fuzz/mp4v2/src/mp4property.cpp:346:14
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/mprv2_fuzz/mp4v2/src/mp4property.cpp:338:17 in mp4v2::impl::MP4StringProperty::~MP4StringProperty()
Shadow bytes around the buggy address:
==2321319==ABORTING
https://github.com/z1r00/fuzz_vuln/blob/main/mp4v2/heap-buffer-overflow/mp4property.cpp/readme.md
Hi, guys
Can mp4v2 be used to edit audio files in m4a format?
If the power goes off or the TF card is removed while recording, files are lost or their size is 0KB. Have you met this issue?
For anyone looking to build the fat library for use on Intel and Apple Silicon, here's a version of the macBuildReleaseLibs.sh that worked for me (basically unchanged for first pass, then rebuild for Apple Silicon, and use lipo to merge the two libraries into one file).
README.md says in part:
All docs are located in doc/ subdirectory. Useful starting points:
Release Notes -- doc/ReleaseNotes.txt
Building the Source -- doc/BuildSource.txt
Building the Repository -- doc/BuildRepository.txt
These files do not exist. They were deleted in a52db03.
libutil/Utility.cpp: In member function ‘bool mp4v2::util::Utility::process_impl()’:
libutil/Utility.cpp:534:18: error: narrowing conversion of ‘mp4v2::util::Utility::LC_DEBUG’ from ‘unsigned int’ to ‘int’ [-Wnarrowing]
534 | case LC_DEBUG:
| ^~~~~~~~
libutil/Utility.cpp:538:18: error: narrowing conversion of ‘mp4v2::util::Utility::LC_VERBOSE’ from ‘unsigned int’ to ‘int’ [-Wnarrowing]
538 | case LC_VERBOSE:
| ^~~~~~~~~~
libutil/Utility.cpp:545:18: error: narrowing conversion of ‘mp4v2::util::Utility::LC_HELP’ from ‘unsigned int’ to ‘int’ [-Wnarrowing]
545 | case LC_HELP:
| ^~~~~~~
libutil/Utility.cpp:549:18: error: narrowing conversion of ‘mp4v2::util::Utility::LC_VERSION’ from ‘unsigned int’ to ‘int’ [-Wnarrowing]
549 | case LC_VERSION:
| ^~~~~~~~~~
libutil/Utility.cpp:553:18: error: narrowing conversion of ‘mp4v2::util::Utility::LC_VERSIONX’ from ‘unsigned int’ to ‘int’ [-Wnarrowing]
553 | case LC_VERSIONX:
| ^~~~~~~~~~~
Hi, I have a few questions regarding version numbers.
The project version number is set to 3.0.1.1 in mp4v2-Win/include/mp4v2/project.h but 2.0.0 in include/mp4v2/project.h.
Which should be trusted, and is it intentional that the version numbers don't match, or should they be changed to be identical?
Thanks
We use the standard MP4v2 library combined with custom functions to generate MP4 files from video. However, in the case of abnormal power failure, MP4 files will be damaged and cannot be played. We want to save data to files in real time or every few seconds, including moov format information, so that MP4 files can be used normally when power failure occurs. Is there any good way? Thank you