Invalid read in function ReadMP3APETag
https://github.com/zjuchenyuan/fuzzpoc/raw/master/mp3gain_poc1
=================================================================
==51760==ERROR: AddressSanitizer: unknown-crash on address 0x60200000eeb5 at pc 0x000000423ec2 bp 0x7fffffff96a0 sp 0x7fffffff9690
READ of size 4 at 0x60200000eeb5 thread T0
#0 0x423ec1 in ReadMP3APETag /d/prog/mp3gain-code/mp3gain/apetag.c:243
#1 0x423ec1 in ReadMP3GainAPETag /d/prog/mp3gain-code/mp3gain/apetag.c:381
#2 0x40282d in main /d/prog/mp3gain-code/mp3gain/mp3gain.c:1835
#3 0x7ffff655a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#4 0x410428 in _start (/d/p/latest/mp3gain+0x410428)
0x60200000eeb8 is located 0 bytes to the right of 8-byte region [0x60200000eeb0,0x60200000eeb8)
allocated by thread T0 here:
#0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x4221bf in ReadMP3APETag /d/prog/mp3gain-code/mp3gain/apetag.c:216
#2 0x4221bf in ReadMP3GainAPETag /d/prog/mp3gain-code/mp3gain/apetag.c:381
SUMMARY: AddressSanitizer: unknown-crash /d/prog/mp3gain-code/mp3gain/apetag.c:243 ReadMP3APETag
Shadow bytes around the buggy address:
0x0c047fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9dd0: fa fa fa fa fa fa[00]fa fa fa 00 05 fa fa fd fa
0x0c047fff9de0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x0c047fff9df0: fa fa fd fa fa fa fd fa fa fa fd fd fa fa 00 fa
0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==51760==ABORTING
==50201== Memcheck, a memory error detector
==50201== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==50201== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==50201== Command: ./mp3gain /d/seed/choosepool/fuzzpoc/mp3gain_poc1
==50201==
==50201== Invalid read of size 4
==50201== at 0x40AA48: ReadMP3APETag (apetag.c:243)
==50201== by 0x40AFF4: ReadMP3GainAPETag (apetag.c:381)
==50201== by 0x405524: main (mp3gain.c:1835)
==50201== Address 0x576ba35 is 5 bytes inside a block of size 8 alloc'd
==50201== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==50201== by 0x40A893: ReadMP3APETag (apetag.c:216)
==50201== by 0x40AFF4: ReadMP3GainAPETag (apetag.c:381)
==50201== by 0x405524: main (mp3gain.c:1835)
==50201==
==50201== Invalid read of size 1
==50201== at 0x40AA72: ReadMP3APETag (apetag.c:247)
==50201== by 0x40AFF4: ReadMP3GainAPETag (apetag.c:381)
==50201== by 0x405524: main (mp3gain.c:1835)
==50201== Address 0x576ba3a is 2 bytes after a block of size 8 alloc'd
==50201== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==50201== by 0x40A893: ReadMP3APETag (apetag.c:216)
==50201== by 0x40AFF4: ReadMP3GainAPETag (apetag.c:381)
==50201== by 0x405524: main (mp3gain.c:1835)
==50201==
==50201== Invalid read of size 1
==50201== at 0x40AA7D: ReadMP3APETag (apetag.c:247)
==50201== by 0x40AFF4: ReadMP3GainAPETag (apetag.c:381)
==50201== by 0x405524: main (mp3gain.c:1835)
==50201== Address 0x576ba3a is 2 bytes after a block of size 8 alloc'd
==50201== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==50201== by 0x40A893: ReadMP3APETag (apetag.c:216)
==50201== by 0x40AFF4: ReadMP3GainAPETag (apetag.c:381)
==50201== by 0x405524: main (mp3gain.c:1835)
==50201==
/d/seed/choosepool/fuzzpoc/mp3gain_poc1
Delaying a frame in decoding with old libmpg123.
[layer3.c:1978] error: dequantization failed!
Note: broken frame 1, filling up with 9216 zeroes, from 0
[layer3.c:1978] error: dequantization failed!
Note: broken frame 3, filling up with 9216 zeroes, from 0
[layer3.c:1978] error: dequantization failed!
Note: broken frame 4, filling up with 9216 zeroes, from 0
[layer3.c:1978] error: dequantization failed!
Note: broken frame 6, filling up with 9216 zeroes, from 0
[layer3.c:1978] error: dequantization failed!
Note: broken frame 7, filling up with 9216 zeroes, from 0
Recommended "Track" dB change: -0.670000
Recommended "Track" mp3 gain change: 0
Max PCM sample at current gain: 19635.845703
Max mp3 global gain field: 254
Min mp3 global gain field: 54
Recommended "Album" dB change for all files: -0.670000
Recommended "Album" mp3 gain change for all files: 0
==50201==
==50201== HEAP SUMMARY:
==50201== in use at exit: 0 bytes in 0 blocks
==50201== total heap usage: 42 allocs, 42 frees, 107,319 bytes allocated
==50201==
==50201== All heap blocks were freed -- no leaks are possible
==50201==
==50201== For counts of detected and suppressed errors, rerun with: -v
==50201== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 0 from 0)
https://github.com/zjuchenyuan/fuzzpoc/raw/master/mp3gain_poc2
=================================================================
==28247==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efb1 at pc 0x7ffff6ef6935 bp 0x7fffffff96a0 sp 0x7fffffff8e48
READ of size 3 at 0x60200000efb1 thread T0
#0 0x7ffff6ef6934 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c934)
#1 0x4237a6 in ReadMP3APETag /d/prog/mp3gain-code/mp3gain/apetag.c:256
#2 0x4237a6 in ReadMP3GainAPETag /d/prog/mp3gain-code/mp3gain/apetag.c:381
#3 0x40282d in main /d/prog/mp3gain-code/mp3gain/mp3gain.c:1835
#4 0x7ffff655a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#5 0x410428 in _start (/d/p/latest/mp3gain+0x410428)
0x60200000efb1 is located 0 bytes to the right of 1-byte region [0x60200000efb0,0x60200000efb1)
allocated by thread T0 here:
#0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x4221bf in ReadMP3APETag /d/prog/mp3gain-code/mp3gain/apetag.c:216
#2 0x4221bf in ReadMP3GainAPETag /d/prog/mp3gain-code/mp3gain/apetag.c:381
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
Shadow bytes around the buggy address:
0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9df0: fa fa fa fa fa fa[01]fa fa fa 00 07 fa fa 00 fa
0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==28247==ABORTING
==40566== Memcheck, a memory error detector
==40566== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==40566== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==40566== Command: ./mp3gain /d/seed/choosepool/fuzzpoc/mp3gain_poc2
==40566==
==40566== Invalid read of size 2
==40566== at 0x4C32720: memcpy@@GLIBC_2.14 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==40566== by 0x40AAF0: ReadMP3APETag (apetag.c:256)
==40566== by 0x40AFF4: ReadMP3GainAPETag (apetag.c:381)
==40566== by 0x405524: main (mp3gain.c:1835)
==40566== Address 0x576b730 is 0 bytes inside a block of size 1 alloc'd
==40566== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==40566== by 0x40A893: ReadMP3APETag (apetag.c:216)
==40566== by 0x40AFF4: ReadMP3GainAPETag (apetag.c:381)
==40566== by 0x405524: main (mp3gain.c:1835)
==40566==
==40566== Invalid read of size 1
==40566== at 0x4C32758: memcpy@@GLIBC_2.14 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==40566== by 0x40AAF0: ReadMP3APETag (apetag.c:256)
==40566== by 0x40AFF4: ReadMP3GainAPETag (apetag.c:381)
==40566== by 0x405524: main (mp3gain.c:1835)
==40566== Address 0x576b732 is 1 bytes after a block of size 1 alloc'd
==40566== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==40566== by 0x40A893: ReadMP3APETag (apetag.c:216)
==40566== by 0x40AFF4: ReadMP3GainAPETag (apetag.c:381)
==40566== by 0x405524: main (mp3gain.c:1835)
==40566==
==40566== Invalid read of size 2
==40566== at 0x4C32720: memcpy@@GLIBC_2.14 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==40566== by 0x40AB29: ReadMP3APETag (apetag.c:260)
==40566== by 0x40AFF4: ReadMP3GainAPETag (apetag.c:381)
==40566== by 0x405524: main (mp3gain.c:1835)
==40566== Address 0x576b734 is 3 bytes after a block of size 1 alloc'd
==40566== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==40566== by 0x40A893: ReadMP3APETag (apetag.c:216)
==40566== by 0x40AFF4: ReadMP3GainAPETag (apetag.c:381)
==40566== by 0x405524: main (mp3gain.c:1835)
==40566==
==40566== Invalid read of size 1
==40566== at 0x4C32758: memcpy@@GLIBC_2.14 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==40566== by 0x40AB29: ReadMP3APETag (apetag.c:260)
==40566== by 0x40AFF4: ReadMP3GainAPETag (apetag.c:381)
==40566== by 0x405524: main (mp3gain.c:1835)
==40566== Address 0x576b736 is 5 bytes after a block of size 1 alloc'd
==40566== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==40566== by 0x40A893: ReadMP3APETag (apetag.c:216)
==40566== by 0x40AFF4: ReadMP3GainAPETag (apetag.c:381)
==40566== by 0x405524: main (mp3gain.c:1835)
==40566==
/d/seed/choosepool/fuzzpoc/mp3gain_poc2
Delaying a frame in decoding with old libmpg123.
Recommended "Track" dB change: -12.470000
Recommended "Track" mp3 gain change: -8
Max PCM sample at current gain: 86720.132812
Max mp3 global gain field: 183
Min mp3 global gain field: 170
Recommended "Album" dB change for all files: -12.470000
Recommended "Album" mp3 gain change for all files: -8
==40566==
==40566== HEAP SUMMARY:
==40566== in use at exit: 0 bytes in 0 blocks
==40566== total heap usage: 34 allocs, 34 frees, 107,054 bytes allocated
==40566==
==40566== All heap blocks were freed -- no leaks are possible
==40566==
==40566== For counts of detected and suppressed errors, rerun with: -v
==40566== ERROR SUMMARY: 4 errors from 4 contexts (suppressed: 0 from 0)
docker image has been pushed to zjuchenyuan/dockerized_poc:mp3gain
You can verify these poc files using:
About the image: ubuntu 16.04, mp3gain commit fc72045
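Both reports point at the same spot: the tag body is allocated at apetag.c:216 with a size taken from the file (8 bytes for poc1, 1 byte for poc2), and the item fields are then read at apetag.c:243 and 247 and copied at apetag.c:256 and 260 past the end of that allocation. Below is an added example of a bounds-checked APEv2 item walk, written for this report; it is not mp3gain's code and does not reproduce apetag.c. It assumes the public APEv2 item layout (u32 LE value size, u32 LE flags, NUL-terminated key, then the value bytes). The tag bodies it parses are constructed inline; they only mirror the 8-byte and 1-byte allocation sizes from the reports and are not the PoC files.

```c
/* ape_items.c: bounds-checked walk over APEv2 tag items.
 * Added example for this report; it is not mp3gain's apetag.c. The item layout
 * (u32 LE value size, u32 LE flags, NUL-terminated key, value bytes) is the
 * public APEv2 layout; the test bodies below are constructed, not the PoC files. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define APE_OK         0
#define APE_TRUNCATED -1

typedef struct {
    const char    *key;       /* points into the tag body, NUL-terminated */
    size_t         key_len;
    const uint8_t *value;     /* points into the tag body, not NUL-terminated */
    uint32_t       value_len;
    uint32_t       flags;
} ape_item;

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse one item at body[*off]. Every read is preceded by a check of the bytes
 * still available, so a value size or key length taken from the file can
 * never move the cursor past body_len. Requires *off <= body_len. */
static int ape_next_item(const uint8_t *body, size_t body_len,
                         size_t *off, ape_item *out)
{
    size_t pos = *off;
    if (body_len - pos < 8)                     /* value size + flags */
        return APE_TRUNCATED;
    uint32_t vlen  = rd_le32(body + pos);
    uint32_t flags = rd_le32(body + pos + 4);
    pos += 8;

    /* The key is NUL-terminated; the NUL must lie inside the buffer. */
    const uint8_t *nul = memchr(body + pos, 0, body_len - pos);
    if (nul == NULL)
        return APE_TRUNCATED;
    size_t klen   = (size_t)(nul - (body + pos));
    size_t vstart = pos + klen + 1;

    if (vlen > body_len - vstart)               /* value would overrun */
        return APE_TRUNCATED;

    out->key       = (const char *)(body + pos);
    out->key_len   = klen;
    out->value     = body + vstart;
    out->value_len = vlen;
    out->flags     = flags;
    *off = vstart + vlen;
    return APE_OK;
}

/* Walk `count` items (the count comes from the tag footer). Returns the number
 * of items parsed, or APE_TRUNCATED as soon as one does not fit. */
int ape_walk(const uint8_t *body, size_t body_len, uint32_t count,
             ape_item *items, size_t max_items)
{
    size_t off = 0, n = 0;
    for (uint32_t i = 0; i < count && n < max_items; i++) {
        if (ape_next_item(body, body_len, &off, &items[n]) != APE_OK)
            return APE_TRUNCATED;
        n++;
    }
    return (int)n;
}

/* Constructed tag bodies (not taken from the PoC files). */
static const uint8_t good_body[] = {      /* REPLAYGAIN_TRACK_GAIN = "-0.67 dB" */
    0x08, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,
    'R','E','P','L','A','Y','G','A','I','N','_','T','R','A','C','K','_','G','A','I','N', 0x00,
    '-','0','.','6','7',' ','d','B'
};
static const uint8_t short8_body[] = {    /* 8 bytes: size+flags only, key missing */
    0xff, 0xff, 0xff, 0x7f,  0x00, 0x00, 0x00, 0x00
};
static const uint8_t short1_body[] = { 0x00 };   /* 1 byte: not even a size field */
static const uint8_t overlong_body[] = {  /* key "AB", value size 32, 3 bytes left */
    0x20, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,  'A', 'B', 0x00,  'x', 'y', 'z'
};

ape_item parsed[4];

int case_good(void)     { return ape_walk(good_body,     sizeof good_body,     1, parsed, 4); }
int case_short8(void)   { return ape_walk(short8_body,   sizeof short8_body,   1, parsed, 4); }
int case_short1(void)   { return ape_walk(short1_body,   sizeof short1_body,   1, parsed, 4); }
int case_overlong(void) { return ape_walk(overlong_body, sizeof overlong_body, 1, parsed, 4); }

int main(void)
{
    if (case_good() == 1)
        printf("good: key=%s value=%.*s\n", parsed[0].key,
               (int)parsed[0].value_len, (const char *)parsed[0].value);
    printf("short8=%d short1=%d overlong=%d\n",
           case_short8(), case_short1(), case_overlong());
    return 0;
}
```

The three rejected bodies correspond to the three shapes in the reports: an 8-byte body that ends before the key (the size-4 and size-1 reads at apetag.c:243 and 247 in poc1), a 1-byte body that cannot hold a size field, and a declared value size larger than what is left (the memcpy overruns at apetag.c:256 and 260 in poc2). Built with -fsanitize=address, all four cases run clean because no read happens before the remaining length has been checked.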