
#466 stack-buffer-overflow /home/afl/temp/lame/lame/lame/mpglib/layer3.c:1264 III_i_stereo

Milestone: Usability
Status: closed
Labels: security (12)
Priority: 9
Updated: 2017-08-19
Created: 2017-08-18
Creator: Henri Salo
Private: No

Credit: Henri Salo from Nixu Corporation

/home/afl/builds/lame/2017-08-18/bin/lame ~/lame-stack-buffer-overflow-III_i_stereo.riff
=================================================================
==24280==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff406917c0 at pc 0x5761ec bp 0x7fff40690290 sp 0x7fff40690288
WRITE of size 4 at 0x7fff406917c0 thread T0
    #0 0x5761eb in III_i_stereo /home/afl/temp/lame/lame/lame/mpglib/layer3.c:1264
    #1 0x5761eb in decode_layer3_frame /home/afl/temp/lame/lame/lame/mpglib/layer3.c:1781
    #2 0x53ff6e in decodeMP3_clipchoice /home/afl/temp/lame/lame/lame/mpglib/interface.c:618
    #3 0x542300 in decodeMP3 /home/afl/temp/lame/lame/lame/mpglib/interface.c:699
    #4 0x53132f in decode1_headersB_clipchoice /home/afl/temp/lame/lame/lame/libmp3lame/mpglib_interface.c:150
    #5 0x53132f in hip_decode1_headersB /home/afl/temp/lame/lame/lame/libmp3lame/mpglib_interface.c:437
    #6 0x53132f in hip_decode1_headers /home/afl/temp/lame/lame/lame/libmp3lame/mpglib_interface.c:380
    #7 0x412188 in lame_decode_fromfile /home/afl/temp/lame/lame/lame/frontend/get_audio.c:2170
    #8 0x412188 in read_samples_mp3 /home/afl/temp/lame/lame/lame/frontend/get_audio.c:891
    #9 0x412188 in get_audio_common /home/afl/temp/lame/lame/lame/frontend/get_audio.c:797
    #10 0x4164d4 in get_audio /home/afl/temp/lame/lame/lame/frontend/get_audio.c:694
    #11 0x406562 in lame_encoder_loop /home/afl/temp/lame/lame/lame/frontend/lame_main.c:431
    #12 0x4081c2 in lame_encoder /home/afl/temp/lame/lame/lame/frontend/lame_main.c:506
    #13 0x4081c2 in lame_main /home/afl/temp/lame/lame/lame/frontend/lame_main.c:681
    #14 0x403c48 in c_main /home/afl/temp/lame/lame/lame/frontend/main.c:490
    #15 0x403c48 in main /home/afl/temp/lame/lame/lame/frontend/main.c:458
    #16 0x7f00fe166b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #17 0x404a15 (/home/afl/builds/lame/2017-08-18/bin/lame+0x404a15)

Address 0x7fff406917c0 is located in stack of thread T0 at offset 5056 in frame
    #0 0x56c6af in decode_layer3_frame /home/afl/temp/lame/lame/lame/mpglib/layer3.c:1687

  This frame has 4 object(s):
    [32, 36) 'p1'
    [96, 408) 'scalefacs'
    [448, 5056) 'hybridIn' <== Memory access at offset 5056 overflows this variable
    [5088, 9696) 'hybridOut'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/afl/temp/lame/lame/lame/mpglib/layer3.c:1264 III_i_stereo
Shadow bytes around the buggy address:
==24280==ABORTING

Feel free to ask if you need any more information and I can try to provide it.


Discussion

  • Robert Hegemann - 2017-08-18
    • status: open --> closed
    • assigned_to: Robert Hegemann

  • Robert Hegemann - 2017-08-18

    Thanks! A fix is now in CVS.

  • Henri Salo - 2017-08-19

    Can you make this issue public, thanks?

  • Robert Hegemann - 2017-08-19

    You can get my changes with the GNU tarball from CVS webview module lame.

    The official release version does reject this file, as it only accepts PCM data from RIFF files. If one forces 3.99.5 to interpret the data as mp3, then it crashes because of the earlier reported issue.

  • Robert Hegemann - 2017-08-19
    • private: Yes --> No
