There's a Heap-based Buffer Overflow vulnerability getting triggered when providing a malformed input file to the LAME command line.
~/lame-3.99.5/frontend$ ./an -f -V 9 crashes/n\:000000 /dev/null
=================================================================
==7595==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c00000bf78 at pc 0x0000005d4cb4 bp 0x7ffc262397b0 sp 0x7ffc262397a8
READ of size 4 at 0x60c00000bf78 thread T0
#0 0x5d4cb3 (/home/kirit/lame-3.99.5/frontend/an+0x5d4cb3)
#1 0x57207d (/home/kirit/lame-3.99.5/frontend/an+0x57207d)
#2 0x5757fc (/home/kirit/lame-3.99.5/frontend/an+0x5757fc)
#3 0x506ae8 (/home/kirit/lame-3.99.5/frontend/an+0x506ae8)
#4 0x504c30 (/home/kirit/lame-3.99.5/frontend/an+0x504c30)
#5 0x5076d9 (/home/kirit/lame-3.99.5/frontend/an+0x5076d9)
#6 0x7f24dd6f83f0 (/lib/x86_64-linux-gnu/libc.so.6+0x203f0)
#7 0x41c859 (/home/kirit/lame-3.99.5/frontend/an+0x41c859)
0x60c00000bf78 is located 8 bytes to the left of 128-byte region [0x60c00000bf80,0x60c00000c000)
allocated by thread T0 here:
#0 0x4cc360 (/home/kirit/lame-3.99.5/frontend/an+0x4cc360)
#1 0x5d1e6f (/home/kirit/lame-3.99.5/frontend/an+0x5d1e6f)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/kirit/lame-3.99.5/frontend/an+0x5d4cb3)
Shadow bytes around the buggy address:
==7595==ABORTING
Running the input with gdb hooked gives the following output:
Starting program: /home/kirit/lame-3.99.5/frontend/lame -f -V 9 crashes/n:000000 /dev/null
*** Error in `/home/kirit/lame-3.99.5/frontend/lame': munmap_chunk(): invalid pointer: 0x00000000007067d0 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x7908b)[0x7ffff733508b]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x1f8)[0x7ffff7342ed8]
/home/kirit/lame-3.99.5/frontend/lame[0x467596]
/home/kirit/lame-3.99.5/frontend/lame[0x43a074]
/home/kirit/lame-3.99.5/frontend/lame[0x404861]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7ffff72dc3f1]
/home/kirit/lame-3.99.5/frontend/lame[0x40204a]
======= Memory map: ========
LAME 3.99.5 64bits (http://lame.sf.net)
Resampling: input -21.692 kHz output 8 kHz
polyphase lowpass filter disabled
Encoding crashes/n:000000 to /dev/null
Encoding as 8 kHz j-stereo MPEG-2.5 Layer III VBR(q=9)
Error reading input file
mp3 buffer is not big enough...
This is already fixed in CVS.
Thanks Robert. Is there a CVE associated with this already for <3.99.5?
Hi Kirit. I discovered some issues in lame which are documented on my blog. Recently Henri Salo also helped to discover some issues. If you can obtain a symbolized stack trace, it is easier to see whether it is a duplicate or not.
Symbolized stack trace attached.
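The symbolized trace requested above can also be recovered after the fact from the unsymbolized ASan frames: each frame carries a module path and a file offset that addr2line can resolve. The helper below is an added example, not part of this thread or of LAME; it assumes the binary that produced the report (here `frontend/an`) is still available unstripped and that binutils addr2line is installed, and the sample frames are copied from the report above.

```shell
#!/bin/sh
# Extract "module offset" pairs from unsymbolized ASan frame lines such as
#   #0 0x5d4cb3 (/home/kirit/lame-3.99.5/frontend/an+0x5d4cb3)
# Reads the report on stdin, prints one "module offset" pair per frame.
asan_frames() {
    sed -n 's/^[[:space:]]*#[0-9][0-9]* 0x[0-9a-f]* (\([^+)]*\)+\(0x[0-9a-f]*\)).*$/\1 \2/p'
}

# Resolve each pair to "function file:line" with addr2line when the module
# is readable on this machine; otherwise the raw pair is echoed unchanged
# (for example the libc frame on a host without libc debug symbols).
asan_symbolize() {
    asan_frames | while read -r module offset; do
        if [ -r "$module" ] && command -v addr2line >/dev/null 2>&1; then
            printf '%s+%s ' "$module" "$offset"
            addr2line -f -C -e "$module" "$offset" | tr '\n' ' '
            echo
        else
            printf '%s+%s (module not readable here)\n' "$module" "$offset"
        fi
    done
}

# Constructed sample: the "READ" line and three frames from the report above.
SAMPLE_REPORT='READ of size 4 at 0x60c00000bf78 thread T0
    #0 0x5d4cb3 (/home/kirit/lame-3.99.5/frontend/an+0x5d4cb3)
    #1 0x57207d (/home/kirit/lame-3.99.5/frontend/an+0x57207d)
    #6 0x7f24dd6f83f0 (/lib/x86_64-linux-gnu/libc.so.6+0x203f0)'

# Innermost frame of the sample, as "module offset".
first_frame() {
    printf '%s\n' "$SAMPLE_REPORT" | asan_frames | head -n 1
}

# Number of frames the parser recognises in the sample.
frame_count() {
    printf '%s\n' "$SAMPLE_REPORT" | asan_frames | wc -l | tr -d ' '
}

# Typical use on a saved report: asan_symbolize < asan-report.txt
```

When the build keeps debug info (`-g` alongside `-fsanitize=address`), setting `ASAN_OPTIONS=symbolize=1` and pointing `ASAN_SYMBOLIZER_PATH` at llvm-symbolizer makes ASan print the symbolized form directly, which is the easier route when the crash can be reproduced.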