LAME (Lame Aint an MP3 Encoder) / Bugs / #465 global-buffer-overflow /home/afl/temp/lame/lame/lame/mpglib/layer2.c:144 II_step

A high quality MP3 encoder

#465 global-buffer-overflow /home/afl/temp/lame/lame/lame/mpglib/layer2.c:144 II_step_one

Milestone: Usability

Status: closed

Owner: Robert Hegemann

Labels: security (12)

Priority: 9

Updated: 2017-08-19

Created: 2017-08-18

Creator: Henri Salo

Private: No

Credit: Henri Salo from Nixu Corporation

/home/afl/builds/lame/2017-08-18/bin/lame ~/lame-global-buffer-overflow-II_step_one.riff       Input file is freeformat.
LAME 3.100 (beta 0, Aug 18 2017) 64bits (http://lame.sf.net)
Using polyphase lowpass filter, transition band:  5379 Hz -  5512 Hz
Encoding /home/afl/lame-global-buffer-overflow-II_step_one.riff
      to /home/afl/lame-global-buffer-overflow-II_step_one.riff.mp3
Encoding as 11.025 kHz j-stereo MPEG-2.5 Layer III (11x)  32 kbps qval=3
    Frame          |  CPU time/estim | REAL time/estim | play/CPU |    ETA
     0/       ( 0%)|    0:00/     :  |    0:00/     :  |         x|     :
108:12:46--------------------------------------------------------------------------------------------------------------------------------------------
   kbps      %     %
    0.0           =================================================================
==8763==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000005eda00 at pc 0x54d32c bp 0x7ffc7e9497e0 sp 0x7ffc7e9497d8
READ of size 2 at 0x0000005eda00 thread T0
    #0 0x54d32b in II_step_one /home/afl/temp/lame/lame/lame/mpglib/layer2.c:144
    #1 0x54d32b in decode_layer2_frame /home/afl/temp/lame/lame/lame/mpglib/layer2.c:375
    #2 0x540909 in decodeMP3_clipchoice /home/afl/temp/lame/lame/lame/mpglib/interface.c:614
    #3 0x542300 in decodeMP3 /home/afl/temp/lame/lame/lame/mpglib/interface.c:699
    #4 0x53132f in decode1_headersB_clipchoice /home/afl/temp/lame/lame/lame/libmp3lame/mpglib_interface.c:150
    #5 0x53132f in hip_decode1_headersB /home/afl/temp/lame/lame/lame/libmp3lame/mpglib_interface.c:437
    #6 0x53132f in hip_decode1_headers /home/afl/temp/lame/lame/lame/libmp3lame/mpglib_interface.c:380
    #7 0x412060 in lame_decode_fromfile /home/afl/temp/lame/lame/lame/frontend/get_audio.c:2160
    #8 0x412060 in read_samples_mp3 /home/afl/temp/lame/lame/lame/frontend/get_audio.c:891
    #9 0x412060 in get_audio_common /home/afl/temp/lame/lame/lame/frontend/get_audio.c:797
    #10 0x4164d4 in get_audio /home/afl/temp/lame/lame/lame/frontend/get_audio.c:694
    #11 0x406562 in lame_encoder_loop /home/afl/temp/lame/lame/lame/frontend/lame_main.c:431
    #12 0x4081c2 in lame_encoder /home/afl/temp/lame/lame/lame/frontend/lame_main.c:506
    #13 0x4081c2 in lame_main /home/afl/temp/lame/lame/lame/frontend/lame_main.c:681
    #14 0x403c48 in c_main /home/afl/temp/lame/lame/lame/frontend/main.c:490
    #15 0x403c48 in main /home/afl/temp/lame/lame/lame/frontend/main.c:458
    #16 0x7f1a1d729b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #17 0x404a15 (/home/afl/builds/lame/2017-08-18/bin/lame+0x404a15)

0x0000005eda00 is located 0 bytes to the right of global variable 'alloc_2' from 'layer2.c' (0x5ed8c0) of size 320
SUMMARY: AddressSanitizer: global-buffer-overflow /home/afl/temp/lame/lame/lame/mpglib/layer2.c:144 II_step_one
Shadow bytes around the buggy address:
  0x0000800b5af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800b5b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800b5b10: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800b5b20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800b5b30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0000800b5b40:[f9]f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800b5b50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800b5b60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800b5b70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800b5b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800b5b90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==8763==ABORTING

Feel free to ask if you need any more information and I can try to provide.

1 Attachments

lame-global-buffer-overflow-II_step_one.riff

Discussion

Robert Hegemann - 2017-08-18

assigned_to: Robert Hegemann
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Robert Hegemann - 2017-08-18

Actually, I've trouble to reproduce the issue with this one. Here LAME does resync on the very first frame, then encodes 10 frames and quits after it detects a sample frequency change.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Henri Salo - 2017-08-19

I'll recheck this with the latest CVS after the previous fixes and continue fuzzing.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

With latest CVS build with ASan I can see following:

~/builds/lame/2017-08-19/bin/lame ~/lame-global-buffer-overflow-II_step_one.riff test
Input file is freeformat.
LAME 3.100 (beta 0, Aug 19 2017) 64bits (http://lame.sf.net)
Using polyphase lowpass filter, transition band:  5379 Hz -  5512 Hz
Encoding /home/hsalo/lame-global-buffer-overflow-II_step_one.riff to test
Encoding as 11.025 kHz j-stereo MPEG-2.5 Layer III (11x)  32 kbps qval=3
    Frame          |  CPU time/estim | REAL time/estim | play/CPU |    ETA
     0/       ( 0%)|    0:00/     :  |    0:00/     :  |         x|     :
108:12:46--------------------------------------------------------------------------------------------------------------------------------------------
   kbps      %     %
    0.0           =================================================================
==8947==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000005ed3c0 at pc 0x54c7a0 bp 0x7fff20f3e6c0 sp 0x7fff20f3e6b8
READ of size 2 at 0x0000005ed3c0 thread T0
    #0 0x54c79f in II_step_one /home/hsalo/temp/lame/lame/lame/mpglib/layer2.c:144
    #1 0x54c79f in decode_layer2_frame /home/hsalo/temp/lame/lame/lame/mpglib/layer2.c:375
    #2 0x5401b1 in decodeMP3_clipchoice /home/hsalo/temp/lame/lame/lame/mpglib/interface.c:614
    #3 0x541bc0 in decodeMP3 /home/hsalo/temp/lame/lame/lame/mpglib/interface.c:699
    #4 0x530bf8 in decode1_headersB_clipchoice /home/hsalo/temp/lame/lame/lame/libmp3lame/mpglib_interface.c:150
    #5 0x530bf8 in hip_decode1_headersB /home/hsalo/temp/lame/lame/lame/libmp3lame/mpglib_interface.c:437
    #6 0x530bf8 in hip_decode1_headers /home/hsalo/temp/lame/lame/lame/libmp3lame/mpglib_interface.c:380
    #7 0x413988 in lame_decode_fromfile /home/hsalo/temp/lame/lame/lame/frontend/get_audio.c:2158
    #8 0x413988 in read_samples_mp3 /home/hsalo/temp/lame/lame/lame/frontend/get_audio.c:891
    #9 0x413988 in get_audio_common /home/hsalo/temp/lame/lame/lame/frontend/get_audio.c:797
    #10 0x416934 in get_audio /home/hsalo/temp/lame/lame/lame/frontend/get_audio.c:694
    #11 0x4063e2 in lame_encoder_loop /home/hsalo/temp/lame/lame/lame/frontend/lame_main.c:431
    #12 0x40826a in lame_encoder /home/hsalo/temp/lame/lame/lame/frontend/lame_main.c:506
    #13 0x40826a in lame_main /home/hsalo/temp/lame/lame/lame/frontend/lame_main.c:682
    #14 0x403aaf in c_main /home/hsalo/temp/lame/lame/lame/frontend/main.c:490
    #15 0x403aaf in main /home/hsalo/temp/lame/lame/lame/frontend/main.c:458
    #16 0x7fc838cbcb44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #17 0x4048b5 (/home/hsalo/builds/lame/2017-08-19/bin/lame+0x4048b5)

0x0000005ed3c0 is located 0 bytes to the right of global variable 'alloc_2' from 'layer2.c' (0x5ed280) of size 320
SUMMARY: AddressSanitizer: global-buffer-overflow /home/hsalo/temp/lame/lame/lame/mpglib/layer2.c:144 II_step_one
Shadow bytes around the buggy address:
  0x0000800b5a20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800b5a30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800b5a40: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00
  0x0000800b5a50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800b5a60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0000800b5a70: 00 00 00 00 00 00 00 00[f9]f9 f9 f9 00 00 00 00
  0x0000800b5a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800b5a90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800b5aa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800b5ab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800b5ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==8947==ABORTING
hip: bitstream problem, resyncing skipping 258 bytes...
hip: bitstream problem, resyncing skipping 108 bytes...
hip: bitstream problem, resyncing skipping 105 bytes...
hip: bitstream problem, resyncing skipping 191 bytes...
Aborted

Without ASan

~/builds/lame/2017-08-19-nonasan/bin/lame ~/lame-global-buffer-overflow-II_step_one.riff test
Input file is freeformat.
LAME 3.100 (beta 0, Aug 19 2017) 64bits (http://lame.sf.net)
Using polyphase lowpass filter, transition band:  5379 Hz -  5512 Hz
Encoding /home/hsalo/lame-global-buffer-overflow-II_step_one.riff to test
Encoding as 11.025 kHz j-stereo MPEG-2.5 Layer III (11x)  32 kbps qval=3
    Frame          |  CPU time/estim | REAL time/estim | play/CPU |    ETA 
     0/       ( 0%)|    0:00/     :  |    0:00/     :  |         x|     :  
108:12:46---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
   kbps      %     %
    0.0           hip: bitstream problem, resyncing skipping 258 bytes...
hip: bitstream problem, resyncing skipping 108 bytes...
    10/7456543 ( 0%)|    0:00/ 3:27:55|    0:00/ 3:28:25|   31.226x| 3:28:25 
-108:12:45--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
   kbps        LR    MS  %     long switch short %
   32.0       20.0  80.0        40.0  40.0  20.0
Writing LAME Tag...done
ReplayGain: -20.6dB

Robert Hegemann - 2017-08-19

status: open --> closed

private: Yes --> No
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Robert Hegemann - 2017-08-19

Thanks!
A fix is now in CVS, Layer 1 and 2 do not support MPEG-2.5.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

global-buffer-overflow /home/afl/temp/lame/lame/lame/mpglib/layer2.c:144...

A high quality MP3 encoder

Group

Searches

Help

#465 global-buffer-overflow /home/afl/temp/lame/lame/lame/mpglib/layer2.c:144 II_step_one

Discussion