
#464 Signed Integer Overflow

Milestone: 1.3.0
Status: closed-wont-fix
Owner: Erik
Labels: None
Priority: 5
Updated: 2018-10-25
Created: 2018-07-26
Private: No

Hello flac team,

As part of our fuzzing efforts at Google, we have identified an issue affecting
flac (tested on branch master at revision 452a44777892086892feb8ed7f1156e9b897b5c3).

To reproduce, we are attaching a Dockerfile which compiles the project with
LLVM, taking advantage of the sanitizers that it offers. More information about
how to use the attached Dockerfile can be found here:
https://docs.docker.com/engine/reference/builder/

Instructions:
unzip artifacts_65657835.zip
docker build --build-arg SANITIZER=undefined --tag=autofuzz-flac-65657835 autofuzz_65657835
docker run --entrypoint /fuzzing/repro.sh --cap-add=SYS_PTRACE -v $PWD/autofuzz_65657835/poc-9b6510ad8eb6366d42d25800bcfa76ad70cd08e274517cb9bf5d5b6bb034ea2d-180621211839833338_min:/tmp/poc autofuzz-flac-65657835 "" /tmp/poc
docker run --cap-add=SYS_PTRACE -v $PWD/autofuzz_65657835/poc-9b6510ad8eb6366d42d25800bcfa76ad70cd08e274517cb9bf5d5b6bb034ea2d-180621211839833338_min:/tmp/poc -it autofuzz-flac-65657835

Alternatively, and depending on the bug, you could use gcc, valgrind or other
instrumentation tools to aid in the investigation. The sanitizer error that we
encountered is here:

sample rate    : 44100 Hz
channels       : 2
bits per sample: 16
total samples  : 8943480
Got error callback: FLAC__STREAM_DECODER_ERROR_STATUS_LOST_SYNC
Got error callback: FLAC__STREAM_DECODER_ERROR_STATUS_LOST_SYNC
Got error callback: FLAC__STREAM_DECODER_ERROR_STATUS_LOST_SYNC
Got error callback: FLAC__STREAM_DECODER_ERROR_STATUS_LOST_SYNC
Got error callback: FLAC__STREAM_DECODER_ERROR_STATUS_LOST_SYNC
Got error callback: FLAC__STREAM_DECODER_ERROR_STATUS_LOST_SYNC
Got error callback: FLAC__STREAM_DECODER_ERROR_STATUS_LOST_SYNC
lpc.c:1124:29: runtime error: signed integer overflow: -194967200 + -2056258914 cannot be represented in type 'int'
    #0 0x7f0efb04c89d in FLAC__lpc_restore_signal_wide /fuzzing/flac/src/libFLAC/lpc.c:1124:29
    #1 0x7f0efb090429 in read_subframe_lpc_ /fuzzing/flac/src/libFLAC/stream_decoder.c:2716:4
    #2 0x7f0efb08e2d9 in read_subframe_ /fuzzing/flac/src/libFLAC/stream_decoder.c:2525:7
    #3 0x7f0efb085ed2 in read_frame_ /fuzzing/flac/src/libFLAC/stream_decoder.c:2064:7
    #4 0x7f0efb086a0f in FLAC__stream_decoder_process_until_end_of_stream /fuzzing/flac/src/libFLAC/stream_decoder.c:1087:9
    #5 0x426136 in main /fuzzing/flac/examples/c/decode/file/main.c:101:8
    #6 0x7f0efa0b72e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #7 0x402e39 in _start (/fuzzing/flac/examples/c/decode/file/.libs/example_c_decode_file+0x402e39)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior lpc.c:1124:29 in 

We will gladly work with you so you can successfully confirm and reproduce this
issue. Do let us know if you have any feedback surrounding the documentation.

Once you have reproduced the issue, we'd appreciate learning your expected
timeline for an update to be released. With any fix, please attribute the report
to "Google Autofuzz project".

We are also pleased to inform you that your project is eligible for inclusion in
the OSS-Fuzz project, which can provide additional continuous fuzzing, and
encourage you to investigate integration options.

Don't hesitate to let us know if you have any questions!

Google AutoFuzz Team
65657835
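The sanitizer message above is an int + int addition in the LPC restore path whose result does not fit in 32 bits. The following is an added illustration (not libFLAC code) of a hypothetical LPC restore loop of that shape, with the residual + prediction step checked through the GCC/Clang overflow builtin so that a crafted frame is rejected instead of invoking undefined behaviour; the sample frames are constructed, one of them reusing the two operands from the report.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Sketch of an LPC "restore signal" loop (illustration, not libFLAC code):
 * out[i] = residual[i] + ((sum_j qlp_coeff[j] * out[i-j-1]) >> lp_quantization).
 * Products accumulate in 64 bits, but the final residual + prediction is an
 * int32 addition, the shape of the step where UBSan reported
 * "-194967200 + -2056258914 cannot be represented in type 'int'". The overflow
 * builtin makes that a checked failure; `data` needs `order` warm-up samples before it. */
bool lpc_restore_checked(const int32_t *residual, int data_len,
                         const int32_t *qlp_coeff, int order,
                         int lp_quantization, int32_t *data)
{
    for (int i = 0; i < data_len; i++) {
        int64_t sum = 0;
        for (int j = 0; j < order; j++)
            sum += (int64_t)qlp_coeff[j] * data[i - j - 1];
        int32_t out;
        if (__builtin_add_overflow(residual[i], sum >> lp_quantization, &out))
            return false;               /* would overflow int32: reject frame */
        data[i] = out;
    }
    return true;
}
/* Constructed frame carrying the two operands from the sanitizer message:
 * order 1, coefficient -2056258914, warm-up sample 1, no shift, so the
 * prediction is -2056258914 and the residual is -194967200. */
bool demo_overflowing_frame(void)
{
    int32_t buf[2] = { 1, 0 };          /* buf[0] is the warm-up sample */
    int32_t residual[1] = { -194967200 };
    int32_t coeff[1] = { -2056258914 };
    return lpc_restore_checked(residual, 1, coeff, 1, 0, buf + 1);
}
/* Well-formed frame: coefficient 1, no shift, i.e. previous sample + residual.
 * Returns the last reconstructed sample (10+5-3+2 = 14). */
int32_t demo_valid_frame(void)
{
    int32_t buf[4] = { 10, 0, 0, 0 };
    int32_t residual[3] = { 5, -3, 2 };
    int32_t coeff[1] = { 1 };
    return lpc_restore_checked(residual, 3, coeff, 1, 0, buf + 1) ? buf[3] : INT32_MIN;
}
int main(void)
{
    printf("overflowing frame accepted: %d\n", demo_overflowing_frame());
    printf("valid frame, last sample: %d\n", demo_valid_frame());
}
```

Compiling the same sketch with an unchecked `int` addition under `-fsanitize=undefined` reproduces the class of diagnostic shown in the report.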

Discussion

  • Erik - 2018-10-25

    This one is like #466, undefined behavior in the audio path.

    I highly recommend only fuzzing FLAC with the address sanitizer enabled and the undefined behavior sanitizer disabled.

  • Erik - 2018-10-25
    • status: open --> closed-wont-fix
    • assigned_to: Erik