Credit: Henri Salo from Nixu Corporation
Fuzzer: afl 2.49b + afl-utils
~/builds/lame/2017-08-22/bin/lame lame-global-buffer-overflow-layer2-144-II_step_one.riff /dev/null
=================================================================
==945==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000005f1ac0 at pc 0x5529f5 bp 0x7ffe93ec44c0 sp 0x7ffe93ec44b8
READ of size 2 at 0x0000005f1ac0 thread T0
#0 0x5529f4 in II_step_one /home/hsalo/src/lame/mpglib/layer2.c:144
#1 0x5529f4 in decode_layer2_frame /home/hsalo/src/lame/mpglib/layer2.c:375
#2 0x5438d6 in decodeMP3_clipchoice /home/hsalo/src/lame/mpglib/interface.c:614
#3 0x5476ae in decodeMP3 /home/hsalo/src/lame/mpglib/interface.c:699
#4 0x5335f8 in decode1_headersB_clipchoice /home/hsalo/src/lame/libmp3lame/mpglib_interface.c:150
#5 0x5335f8 in hip_decode1_headersB /home/hsalo/src/lame/libmp3lame/mpglib_interface.c:437
#6 0x5335f8 in hip_decode1_headers /home/hsalo/src/lame/libmp3lame/mpglib_interface.c:380
#7 0x41378d in lame_decode_fromfile /home/hsalo/src/lame/frontend/get_audio.c:2179
#8 0x41378d in read_samples_mp3 /home/hsalo/src/lame/frontend/get_audio.c:893
#9 0x41378d in get_audio_common /home/hsalo/src/lame/frontend/get_audio.c:799
#10 0x416a74 in get_audio /home/hsalo/src/lame/frontend/get_audio.c:696
#11 0x4062fa in lame_encoder_loop /home/hsalo/src/lame/frontend/lame_main.c:431
#12 0x4080ca in lame_encoder /home/hsalo/src/lame/frontend/lame_main.c:506
#13 0x4080ca in lame_main /home/hsalo/src/lame/frontend/lame_main.c:682
#14 0x403a6f in c_main /home/hsalo/src/lame/frontend/main.c:490
#15 0x403a6f in main /home/hsalo/src/lame/frontend/main.c:458
#16 0x7f34b06f4b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
#17 0x404805 (/home/hsalo/builds/lame/2017-08-22/bin/lame+0x404805)
0x0000005f1ac0 is located 0 bytes to the right of global variable 'alloc_2' from 'layer2.c' (0x5f1980) of size 320
SUMMARY: AddressSanitizer: global-buffer-overflow /home/hsalo/src/lame/mpglib/layer2.c:144 II_step_one
Shadow bytes around the buggy address:
==945==ABORTING
LAME 3.100 (beta 0, Aug 22 2017) 64bits (http://lame.sf.net)
Using polyphase lowpass filter, transition band: 16538 Hz - 17071 Hz
Encoding id:000011,sig:06,src:000176,op:ext_AO,pos:43 to /dev/null
Encoding as 44.1 kHz j-stereo MPEG-1 Layer III (11x) 128 kbps qval=3
Aborted
Feel free to ask if you need any more information and I will try to provide it.
A big thank you goes to Kapsi internet-käyttäjät ry for providing valuable fuzzing resources.
Thanks, fixed it.