Credit: Henri Salo from Nixu Corporation
Fuzzer: afl 2.49b
/home/hsalo/builds/lame/2017-08-19/bin/lame ~/lame-stack-buffer-overflow-III_dequantize_sample.riff /dev/null
=================================================================
==23178==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff4fcefc44 at pc 0x55c0dd bp 0x7fff4fcee570 sp 0x7fff4fcee568
WRITE of size 4 at 0x7fff4fcefc44 thread T0
#0 0x55c0dc in III_dequantize_sample /home/hsalo/lame/mpglib/layer3.c:945
#1 0x573344 in decode_layer3_frame /home/hsalo/lame/mpglib/layer3.c:1767
#2 0x53f8be in decodeMP3_clipchoice /home/hsalo/lame/mpglib/interface.c:618
#3 0x541bc0 in decodeMP3 /home/hsalo/lame/mpglib/interface.c:699
#4 0x530bf8 in decode1_headersB_clipchoice /home/hsalo/lame/libmp3lame/mpglib_interface.c:150
#5 0x530bf8 in hip_decode1_headersB /home/hsalo/lame/libmp3lame/mpglib_interface.c:437
#6 0x530bf8 in hip_decode1_headers /home/hsalo/lame/libmp3lame/mpglib_interface.c:380
#7 0x4139dd in lame_decode_fromfile /home/hsalo/lame/frontend/get_audio.c:2175
#8 0x4139dd in read_samples_mp3 /home/hsalo/lame/frontend/get_audio.c:891
#9 0x4139dd in get_audio_common /home/hsalo/lame/frontend/get_audio.c:797
#10 0x416934 in get_audio /home/hsalo/lame/frontend/get_audio.c:694
#11 0x4063e2 in lame_encoder_loop /home/hsalo/lame/frontend/lame_main.c:431
#12 0x40826a in lame_encoder /home/hsalo/lame/frontend/lame_main.c:506
#13 0x40826a in lame_main /home/hsalo/lame/frontend/lame_main.c:682
#14 0x403aaf in c_main /home/hsalo/lame/frontend/main.c:490
#15 0x403aaf in main /home/hsalo/lame/frontend/main.c:458
#16 0x7f8d2b8d2b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
#17 0x4048b5 (/home/hsalo/builds/lame/2017-08-19/bin/lame+0x4048b5)
Address 0x7fff4fcefc44 is located in stack of thread T0 at offset 5060 in frame
#0 0x56b69f in decode_layer3_frame /home/hsalo/lame/mpglib/layer3.c:1688
This frame has 4 object(s):
[32, 36) 'p1'
[96, 408) 'scalefacs'
[448, 5056) 'hybridIn' <== Memory access at offset 5060 overflows this variable
[5088, 9696) 'hybridOut'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/hsalo/lame/mpglib/layer3.c:945 III_dequantize_sample
Shadow bytes around the buggy address:
0x100069f95f30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100069f95f40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100069f95f50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100069f95f60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100069f95f70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100069f95f80: 00 00 00 00 00 00 00 00[f2]f2 f2 f2 00 00 00 00
0x100069f95f90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100069f95fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100069f95fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100069f95fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100069f95fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Contiguous container OOB:fc
ASan internal: fe
==23178==ABORTING
Feel free to ask if you need any more information and I can try to provide it.
This is in a different code path, but possibly the same root cause. You might want to add these samples to some test suite while making fixes.
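The frame description in the report above already tells you what to check: the 4-byte write lands at frame offset 5060, while hybridIn occupies [448, 5056), so the store is past the end of that array and into the mid-redzone (shadow byte f2). The following C is an added example written for this page, not LAME code: it encodes the four objects exactly as the report prints them, maps a reported offset onto the object table so you can tell an off-by-one element from a wild write, and shows the bounds-checked store that turns a silent stack overwrite into a returned error, which is the shape of fix described later in this thread. It assumes hybridIn holds 4-byte floats (consistent with the 4-byte write and the 4608-byte object size); the function names are mine.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Frame layout of decode_layer3_frame, copied from the report's
 * "This frame has 4 object(s)" lines: [begin, end) byte offsets. */
typedef struct {
    const char *name;
    size_t begin;
    size_t end;
} frame_obj;

static const frame_obj frame[] = {
    { "p1",          32,   36 },
    { "scalefacs",   96,  408 },
    { "hybridIn",   448, 5056 },
    { "hybridOut", 5088, 9696 },
};
#define NOBJ (sizeof frame / sizeof frame[0])

/* Result of triaging one reported access. */
typedef struct {
    const char *object;   /* nearest object at or below the address, NULL if none */
    long overflow_bytes;  /* bytes of the access beyond that object's end, 0 if in bounds */
    long elem_index;      /* offset expressed as an element index into that object */
    int past_end;         /* 1 if the access starts at or after the object's end */
} triage;

/* Map an ASan "offset N in frame" report onto the object table (sorted by begin). */
static triage classify_access(size_t offset, size_t size, size_t elem_size)
{
    triage t = { NULL, 0, 0, 0 };
    for (size_t i = 0; i < NOBJ; i++) {
        if (offset < frame[i].begin)
            break;
        t.object = frame[i].name;
        t.elem_index = (long)((offset - frame[i].begin) / elem_size);
        long past = (long)(offset + size) - (long)frame[i].end;
        t.overflow_bytes = past > 0 ? past : 0;
        t.past_end = offset >= frame[i].end;
    }
    return t;
}

/* Assumption: hybridIn is an array of floats; its element count follows from the report. */
#define HYBRID_IN_FLOATS ((5056 - 448) / sizeof(float))

/* Bounds-checked sample store: refuses an index derived from bitstream data
 * that would leave the buffer, reporting an error instead of writing. */
static int store_sample(float *buf, size_t len, size_t idx, float v)
{
    if (idx >= len) {
        fprintf(stderr, "dequantize: sample index %zu out of range (buffer holds %zu)\n",
                idx, len);
        return -1;
    }
    buf[idx] = v;
    return 0;
}

/* Exercise the checked store on a stack buffer sized like hybridIn. */
static int checked_write_demo(size_t idx)
{
    float hybrid_in[HYBRID_IN_FLOATS] = { 0 };
    return store_sample(hybrid_in, HYBRID_IN_FLOATS, idx, 1.0f);
}

int main(void)
{
    triage t = classify_access(5060, 4, sizeof(float));
    printf("write hits %s at element %ld, %ld bytes beyond its end (past_end=%d)\n",
           t.object, t.elem_index, t.overflow_bytes, t.past_end);
    printf("checked write at 1151 -> %d, at 1153 -> %d\n",
           checked_write_demo(1151), checked_write_demo(1153));
    return 0;
}
```

For the reported access this classifies the write as element 1153 of a 1152-element hybridIn, 8 bytes beyond its end: a small overrun that still reaches the redzone rather than the next object, which is why ASan flags hybridIn and not hybridOut. A fuzz-driven regression test can use the same triage on every new ASan frame dump to decide quickly whether two crashes share an object and index pattern.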
Thanks! Not sure, but hope that function is now fixed.
The second file still causes a crash when compiled with ASan.
Can you please post the ASan output from the second sample?
Ok, that's a different problem.
Roger. I won't submit a new issue about it. I continue fuzzing at the same time and I'll re-execute the samples after fixes so we get as many results as possible. We can also communicate in IRC or other chat software if that makes it easier/faster for you. I can also fuzz with different parameters after we have fixed all of the outstanding issues with the basic lame frontend command.
Well, I've made some changes so that this buffer overflow should not happen, but gives some error message. I suspect intensity stereo decoding to be broken, still.
I can confirm that the ~/lame-global-buffer-overflow-layer3.c-902-III_dequantize_sample.riff file does not crash anymore with the 2017-08-23 build.