https://github.com/zjuchenyuan/fuzzpoc/raw/master/mp3gain_poc1
```
=================================================================
==51760==ERROR: AddressSanitizer: unknown-crash on address 0x60200000eeb5 at pc 0x000000423ec2 bp 0x7fffffff96a0 sp 0x7fffffff9690
READ of size 4 at 0x60200000eeb5 thread T0
    #0 0x423ec1 in ReadMP3APETag /d/prog/mp3gain-code/mp3gain/apetag.c:243
    #1 0x423ec1 in ReadMP3GainAPETag /d/prog/mp3gain-code/mp3gain/apetag.c:381
    #2 0x40282d in main /d/prog/mp3gain-code/mp3gain/mp3gain.c:1835
    #3 0x7ffff655a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #4 0x410428 in _start (/d/p/latest/mp3gain+0x410428)

0x60200000eeb8 is located 0 bytes to the right of 8-byte region [0x60200000eeb0,0x60200000eeb8)
allocated by thread T0 here:
    #0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x4221bf in ReadMP3APETag /d/prog/mp3gain-code/mp3gain/apetag.c:216
    #2 0x4221bf in ReadMP3GainAPETag /d/prog/mp3gain-code/mp3gain/apetag.c:381

SUMMARY: AddressSanitizer: unknown-crash /d/prog/mp3gain-code/mp3gain/apetag.c:243 ReadMP3APETag
Shadow bytes around the buggy address:
  0x0c047fff9d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9dd0: fa fa fa fa fa fa[00]fa fa fa 00 05 fa fa fd fa
  0x0c047fff9de0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c047fff9df0: fa fa fd fa fa fa fd fa fa fa fd fd fa fa 00 fa
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==51760==ABORTING
```
```
==50201== Memcheck, a memory error detector
==50201== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==50201== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==50201== Command: ./mp3gain /d/seed/choosepool/fuzzpoc/mp3gain_poc1
==50201==
==50201== Invalid read of size 4
==50201==    at 0x40AA48: ReadMP3APETag (apetag.c:243)
==50201==    by 0x40AFF4: ReadMP3GainAPETag (apetag.c:381)
==50201==    by 0x405524: main (mp3gain.c:1835)
==50201==  Address 0x576ba35 is 5 bytes inside a block of size 8 alloc'd
==50201==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==50201==    by 0x40A893: ReadMP3APETag (apetag.c:216)
==50201==    by 0x40AFF4: ReadMP3GainAPETag (apetag.c:381)
==50201==    by 0x405524: main (mp3gain.c:1835)
==50201==
==50201== Invalid read of size 1
==50201==    at 0x40AA72: ReadMP3APETag (apetag.c:247)
==50201==    by 0x40AFF4: ReadMP3GainAPETag (apetag.c:381)
==50201==    by 0x405524: main (mp3gain.c:1835)
==50201==  Address 0x576ba3a is 2 bytes after a block of size 8 alloc'd
==50201==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==50201==    by 0x40A893: ReadMP3APETag (apetag.c:216)
==50201==    by 0x40AFF4: ReadMP3GainAPETag (apetag.c:381)
==50201==    by 0x405524: main (mp3gain.c:1835)
==50201==
==50201== Invalid read of size 1
==50201==    at 0x40AA7D: ReadMP3APETag (apetag.c:247)
==50201==    by 0x40AFF4: ReadMP3GainAPETag (apetag.c:381)
==50201==    by 0x405524: main (mp3gain.c:1835)
==50201==  Address 0x576ba3a is 2 bytes after a block of size 8 alloc'd
==50201==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==50201==    by 0x40A893: ReadMP3APETag (apetag.c:216)
==50201==    by 0x40AFF4: ReadMP3GainAPETag (apetag.c:381)
==50201==    by 0x405524: main (mp3gain.c:1835)
==50201==
/d/seed/choosepool/fuzzpoc/mp3gain_poc1
Delaying a frame in decoding with old libmpg123.
[layer3.c:1978] error: dequantization failed!
Note: broken frame 1, filling up with 9216 zeroes, from 0
[layer3.c:1978] error: dequantization failed!
Note: broken frame 3, filling up with 9216 zeroes, from 0
[layer3.c:1978] error: dequantization failed!
Note: broken frame 4, filling up with 9216 zeroes, from 0
[layer3.c:1978] error: dequantization failed!
Note: broken frame 6, filling up with 9216 zeroes, from 0
[layer3.c:1978] error: dequantization failed!
Note: broken frame 7, filling up with 9216 zeroes, from 0
Recommended "Track" dB change: -0.670000
Recommended "Track" mp3 gain change: 0
Max PCM sample at current gain: 19635.845703
Max mp3 global gain field: 254
Min mp3 global gain field: 54
Recommended "Album" dB change for all files: -0.670000
Recommended "Album" mp3 gain change for all files: 0
==50201==
==50201== HEAP SUMMARY:
==50201==     in use at exit: 0 bytes in 0 blocks
==50201==   total heap usage: 42 allocs, 42 frees, 107,319 bytes allocated
==50201==
==50201== All heap blocks were freed -- no leaks are possible
==50201==
==50201== For counts of detected and suppressed errors, rerun with: -v
==50201== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 0 from 0)
```
https://github.com/zjuchenyuan/fuzzpoc/raw/master/mp3gain_poc2
```
=================================================================
==28247==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efb1 at pc 0x7ffff6ef6935 bp 0x7fffffff96a0 sp 0x7fffffff8e48
READ of size 3 at 0x60200000efb1 thread T0
    #0 0x7ffff6ef6934 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c934)
    #1 0x4237a6 in ReadMP3APETag /d/prog/mp3gain-code/mp3gain/apetag.c:256
    #2 0x4237a6 in ReadMP3GainAPETag /d/prog/mp3gain-code/mp3gain/apetag.c:381
    #3 0x40282d in main /d/prog/mp3gain-code/mp3gain/mp3gain.c:1835
    #4 0x7ffff655a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #5 0x410428 in _start (/d/p/latest/mp3gain+0x410428)

0x60200000efb1 is located 0 bytes to the right of 1-byte region [0x60200000efb0,0x60200000efb1)
allocated by thread T0 here:
    #0 0x7ffff6f02602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x4221bf in ReadMP3APETag /d/prog/mp3gain-code/mp3gain/apetag.c:216
    #2 0x4221bf in ReadMP3GainAPETag /d/prog/mp3gain-code/mp3gain/apetag.c:381

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
Shadow bytes around the buggy address:
  0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9df0: fa fa fa fa fa fa[01]fa fa fa 00 07 fa fa 00 fa
  0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==28247==ABORTING
```
```
==40566== Memcheck, a memory error detector
==40566== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==40566== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==40566== Command: ./mp3gain /d/seed/choosepool/fuzzpoc/mp3gain_poc2
==40566==
==40566== Invalid read of size 2
==40566==    at 0x4C32720: memcpy@@GLIBC_2.14 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==40566==    by 0x40AAF0: ReadMP3APETag (apetag.c:256)
==40566==    by 0x40AFF4: ReadMP3GainAPETag (apetag.c:381)
==40566==    by 0x405524: main (mp3gain.c:1835)
==40566==  Address 0x576b730 is 0 bytes inside a block of size 1 alloc'd
==40566==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==40566==    by 0x40A893: ReadMP3APETag (apetag.c:216)
==40566==    by 0x40AFF4: ReadMP3GainAPETag (apetag.c:381)
==40566==    by 0x405524: main (mp3gain.c:1835)
==40566==
==40566== Invalid read of size 1
==40566==    at 0x4C32758: memcpy@@GLIBC_2.14 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==40566==    by 0x40AAF0: ReadMP3APETag (apetag.c:256)
==40566==    by 0x40AFF4: ReadMP3GainAPETag (apetag.c:381)
==40566==    by 0x405524: main (mp3gain.c:1835)
==40566==  Address 0x576b732 is 1 bytes after a block of size 1 alloc'd
==40566==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==40566==    by 0x40A893: ReadMP3APETag (apetag.c:216)
==40566==    by 0x40AFF4: ReadMP3GainAPETag (apetag.c:381)
==40566==    by 0x405524: main (mp3gain.c:1835)
==40566==
==40566== Invalid read of size 2
==40566==    at 0x4C32720: memcpy@@GLIBC_2.14 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==40566==    by 0x40AB29: ReadMP3APETag (apetag.c:260)
==40566==    by 0x40AFF4: ReadMP3GainAPETag (apetag.c:381)
==40566==    by 0x405524: main (mp3gain.c:1835)
==40566==  Address 0x576b734 is 3 bytes after a block of size 1 alloc'd
==40566==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==40566==    by 0x40A893: ReadMP3APETag (apetag.c:216)
==40566==    by 0x40AFF4: ReadMP3GainAPETag (apetag.c:381)
==40566==    by 0x405524: main (mp3gain.c:1835)
==40566==
==40566== Invalid read of size 1
==40566==    at 0x4C32758: memcpy@@GLIBC_2.14 (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==40566==    by 0x40AB29: ReadMP3APETag (apetag.c:260)
==40566==    by 0x40AFF4: ReadMP3GainAPETag (apetag.c:381)
==40566==    by 0x405524: main (mp3gain.c:1835)
==40566==  Address 0x576b736 is 5 bytes after a block of size 1 alloc'd
==40566==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==40566==    by 0x40A893: ReadMP3APETag (apetag.c:216)
==40566==    by 0x40AFF4: ReadMP3GainAPETag (apetag.c:381)
==40566==    by 0x405524: main (mp3gain.c:1835)
==40566==
/d/seed/choosepool/fuzzpoc/mp3gain_poc2
Delaying a frame in decoding with old libmpg123.
Recommended "Track" dB change: -12.470000
Recommended "Track" mp3 gain change: -8
Max PCM sample at current gain: 86720.132812
Max mp3 global gain field: 183
Min mp3 global gain field: 170
Recommended "Album" dB change for all files: -12.470000
Recommended "Album" mp3 gain change for all files: -8
==40566==
==40566== HEAP SUMMARY:
==40566==     in use at exit: 0 bytes in 0 blocks
==40566==   total heap usage: 34 allocs, 34 frees, 107,054 bytes allocated
==40566==
==40566== All heap blocks were freed -- no leaks are possible
==40566==
==40566== For counts of detected and suppressed errors, rerun with: -v
==40566== ERROR SUMMARY: 4 errors from 4 contexts (suppressed: 0 from 0)
```
The Docker image has been pushed to zjuchenyuan/dockerized_poc:mp3gain.
You can verify these PoC files using:
About the image: Ubuntu 16.04, mp3gain commit fc72045.