#468 global-buffer-overflow mpglib/layer3.c:1244 III_i_stereo

Usability
closed
security (12)
9
2017-08-19
2017-08-19
Henri Salo
No

Credit: Henri Salo from Nixu Corporation
Fuzzer: afl 2.49b

/home/hsalo/builds/lame/2017-08-19/bin/lame ~/lame-global-buffer-overflow-layer3.c-1244-III_i_stereo.riff /dev/null
Input file is freeformat.
LAME 3.100 (beta 0, Aug 19 2017) 64bits (http://lame.sf.net)
Using polyphase lowpass filter, transition band:  5468 Hz -  5613 Hz
Encoding /home/hsalo/lame-global-buffer-overflow-layer3.c-1244-III_i_stereo.riff
      to /dev/null
Encoding as 12 kHz j-stereo MPEG-2.5 Layer III (12x)  32 kbps qval=3
big_values too large! 465
hip: Can't step back 97 bytes!
big_values too large! 403
big_values too large! 457
Blocktype == 0 and window-switching == 1 not allowed.
hip: error audio data exceeds framesize by 261 bytes
    Frame          |  CPU time/estim | REAL time/estim | play/CPU |    ETA
     0/       ( 0%)|    0:00/     :  |    0:00/     :  |         x|     :
99:25:14----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
     0/7456543 ( 0%)|    0:00/    0:00|    0:00/    0:00|   0.0000x|    0:00
99:25:14----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
   kbps      %     %
    0.0           big_values too large! 403
     0/7456543 ( 0%)|    0:00/    0:00|    0:00/    0:00|   0.0000x|    0:00
99:25:14----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
   kbps      %     %
    0.0           =================================================================
==11316==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000008179c0 at pc 0x573c05 bp 0x7ffd9b724210 sp 0x7ffd9b724208
READ of size 4 at 0x0000008179c0 thread T0
    #0 0x573c04 in III_i_stereo /home/hsalo/src/lame/mpglib/layer3.c:1244
    #1 0x573c04 in decode_layer3_frame /home/hsalo/src/lame/mpglib/layer3.c:1782
    #2 0x53e05e in decodeMP3_clipchoice /home/hsalo/src/lame/mpglib/interface.c:618
    #3 0x540230 in decodeMP3 /home/hsalo/src/lame/mpglib/interface.c:699
    #4 0x52e394 in decode1_headersB_clipchoice /home/hsalo/src/lame/libmp3lame/mpglib_interface.c:150
    #5 0x52e394 in hip_decode1_headersB /home/hsalo/src/lame/libmp3lame/mpglib_interface.c:437
    #6 0x52e394 in hip_decode1_headers /home/hsalo/src/lame/libmp3lame/mpglib_interface.c:380
    #7 0x413680 in lame_decode_fromfile /home/hsalo/src/lame/frontend/get_audio.c:2158
    #8 0x413680 in read_samples_mp3 /home/hsalo/src/lame/frontend/get_audio.c:891
    #9 0x413680 in get_audio_common /home/hsalo/src/lame/frontend/get_audio.c:797
    #10 0x4168e4 in get_audio /home/hsalo/src/lame/frontend/get_audio.c:694
    #11 0x40628a in lame_encoder_loop /home/hsalo/src/lame/frontend/lame_main.c:431
    #12 0x4084f2 in lame_encoder /home/hsalo/src/lame/frontend/lame_main.c:506
    #13 0x4084f2 in lame_main /home/hsalo/src/lame/frontend/lame_main.c:682
    #14 0x403b8f in c_main /home/hsalo/src/lame/frontend/main.c:490
    #15 0x403b8f in main /home/hsalo/src/lame/frontend/main.c:458
    #16 0x7f0aa89ffb44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #17 0x404925 (/home/hsalo/builds/lame/2017-08-19/bin/lame+0x404925)

0x0000008179c0 is located 0 bytes to the right of global variable 'pow1_2' from 'layer3.c' (0x817940) of size 128
SUMMARY: AddressSanitizer: global-buffer-overflow /home/hsalo/src/lame/mpglib/layer3.c:1244 III_i_stereo
Shadow bytes around the buggy address:
  0x0000800faee0: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00
  0x0000800faef0: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
  0x0000800faf00: 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0000800faf10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800faf20: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0000800faf30: 00 00 00 00 00 00 00 00[f9]f9 f9 f9 00 00 00 00
  0x0000800faf40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800faf50: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800faf60: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00
  0x0000800faf70: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00
  0x0000800faf80: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==11316==ABORTING

Feel free to ask if you need any more information and I can try to provide.

1 Attachments

Discussion

  • Robert Hegemann

    Robert Hegemann - 2017-08-19
    • status: open --> closed
    • assigned_to: Robert Hegemann
    • private: Yes --> No
  • Robert Hegemann

    Robert Hegemann - 2017-08-19

    Thanks! A fix is in CVS now.

