
#40 Two crash bugs on mp3gain

Milestone: v1.0 (example)
Status: closed-fixed
Owner: nobody
Labels: None
Priority: 5
Updated: 2018-05-30
Created: 2017-05-04
Creator: Yunho Kim
Private: No

I found two crash bugs which cause segmentation faults when mp3gain parses
header information of the attached files. These bugs were found by CONCERT,
an automated unit testing generation tool developed by my colleague and me.

*** Configuration and build option ***
$ CFLAGS="-g -O0 -fsanitize=address" LDFLAGS="-fsanitize=address" make clean all

I am using Debian 8.7 on x64 and gcc 4.9.2.

--- BUG1 ---

*** Command that causes a crash ***

$ ./mp3gain mp3gain_crash_layer3_905
mp3gain_crash_layer3_906
=================================================================
==18202==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000044d698 at pc 0x43a921 bp 0x7ffc9bb30340 sp 0x7ffc9bb30338
READ of size 4 at 0x00000044d698 thread T0
#0 0x43a920 in III_dequantize_sample mpglibDBL/layer3.c:905
#1 0x442f2f in do_layer3 mpglibDBL/layer3.c:1632
#2 0x433833 in decodeMP3 mpglibDBL/interface.c:643
#3 0x40e90c in main /home/yhkim/targets/mp3gain-ASAN/mp3gain.c:2262
#4 0x7fb6b6eb7b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
#5 0x401998 (/home/yhkim/targets/mp3gain-ASAN/mp3gain+0x401998)

0x00000044d698 is located 0 bytes to the right of global variable 'pretab1' from 'mpglibDBL/layer3.c' (0x44d640) of size 88
0x00000044d698 is located 40 bytes to the left of global variable 'pretab2' from 'mpglibDBL/layer3.c' (0x44d6c0) of size 88
SUMMARY: AddressSanitizer: global-buffer-overflow mpglibDBL/layer3.c:905 III_dequantize_sample
Shadow bytes around the buggy address:
==18202==ABORTING

--- BUG2 ---

*** Command that causes a crash ***

$ ./mp3gain ./mp3gain_crash_interface_204
./mp3gain_crash_interface_204
=================================================================
==18214==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff455f5310 at pc 0x4313e7 bp 0x7fff455f5220 sp 0x7fff455f5218
READ of size 1 at 0x7fff455f5310 thread T0
#0 0x4313e6 in ExtractI4 mpglibDBL/interface.c:204
#1 0x431a2e in GetVbrTag mpglibDBL/interface.c:278
#2 0x432079 in check_vbr_header mpglibDBL/interface.c:364
#3 0x4329db in decodeMP3 mpglibDBL/interface.c:482
#4 0x40e90c in main /home/yhkim/targets/mp3gain-ASAN/mp3gain.c:2262
#5 0x7f6c0c781b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
#6 0x401998 (/home/yhkim/targets/mp3gain-ASAN/mp3gain+0x401998)

Address 0x7fff455f5310 is located in stack of thread T0 at offset 80 in frame
#0 0x431ca8 in check_vbr_header mpglibDBL/interface.c:336

This frame has 2 object(s):
[32, 80) 'xing' <== Memory access at offset 80 overflows this variable
[128, 256) 'pTagData'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext (longjmp and C++ exceptions are supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow mpglibDBL/interface.c:204 ExtractI4
Shadow bytes around the buggy address:
==18214==ABORTING

If you need more details or any other information, please let me know.

Thanks.

2 Attachments
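The second report above shows a 4-byte read in ExtractI4 running past the 48-byte 'xing' stack buffer that check_vbr_header hands to GetVbrTag, because the field reads are not checked against the buffer length. As an added illustration (not mp3gain's or libmpg123's code), the C below is a length-checked parse of the same Xing/Info tag layout ("Xing" or "Info", 4-byte flags, then optional frames, bytes, 100-byte TOC and scale fields); the function names, the xing_info struct and the constructed sample buffer are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Bounds-checked 4-byte big-endian read: -1 if [off, off+4) lies outside buf[0..len). */
static int extract_i4_checked(const unsigned char *buf, size_t len,
                              size_t off, uint32_t *out)
{
    if (off > len || len - off < 4)      /* phrased so off + 4 cannot wrap */
        return -1;
    *out = ((uint32_t)buf[off] << 24) | ((uint32_t)buf[off + 1] << 16) |
           ((uint32_t)buf[off + 2] << 8) | (uint32_t)buf[off + 3];
    return 0;
}
enum { XING_FRAMES = 1, XING_BYTES = 2, XING_TOC = 4, XING_SCALE = 8 };
struct xing_info { uint32_t flags, frames, bytes, scale; unsigned char toc[100]; };

/* Parse a Xing/Info tag at buf[0]; each optional field is checked against len before it is read. */
static int parse_xing_checked(const unsigned char *buf, size_t len,
                              struct xing_info *xi)
{
    size_t off = 8;                      /* "Xing" or "Info" (4) + flags (4) */
    memset(xi, 0, sizeof *xi);
    if (len < 8 || (memcmp(buf, "Xing", 4) && memcmp(buf, "Info", 4)))
        return -1;
    if (extract_i4_checked(buf, len, 4, &xi->flags)) return -1;
    if (xi->flags & XING_FRAMES) {
        if (extract_i4_checked(buf, len, off, &xi->frames)) return -1;
        off += 4;
    }
    if (xi->flags & XING_BYTES) {
        if (extract_i4_checked(buf, len, off, &xi->bytes)) return -1;
        off += 4;
    }
    if (xi->flags & XING_TOC) {          /* the 100-byte read that overran 'xing' */
        if (len - off < sizeof xi->toc) return -1;
        memcpy(xi->toc, buf + off, sizeof xi->toc);
        off += sizeof xi->toc;
    }
    if ((xi->flags & XING_SCALE) && extract_i4_checked(buf, len, off, &xi->scale))
        return -1;
    return 0;
}

/* Constructed sample: 48 bytes (the size of 'xing' in the report) whose flags 0x0f announce a TOC that cannot fit. */
static int demo_truncated_tag(void)
{
    unsigned char buf[48] = { 'X', 'i', 'n', 'g', 0, 0, 0, 0x0f };
    struct xing_info xi;
    return parse_xing_checked(buf, sizeof buf, &xi);   /* -1, no out-of-bounds read */
}
```

A build with -fsanitize=address, as in the report, is still the quickest way to confirm that a checked parser of this shape no longer trips on the attached files.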

Discussion

  • Glen Sawyer - 2018-05-30

    Switching to libmpg123 (version 1.6.x) fixed these crashes.
    Released and updated on website.

  • Glen Sawyer - 2018-05-30

    status: open --> closed-fixed
