Menu

#52 AddressSanitizer: heap-buffer-overflow in mp3gain

v1.0 (example)
open
nobody
None
5
2024-05-28
2024-05-28
Giacomo P.
No

Describe the bug

AddressSanitizer: heap-buffer-overflow in mp3gain.

To Reproduce

Built mp3gain version 1.6.2 using the provided Makefile file.

ASAN Output

./mp3gain <testcase>

=================================================================
==2151146==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000051 at pc 0x0000004964a7 bp 0x7fffffff7410 sp 0x7fffffff6bd8
READ of size 3 at 0x602000000051 thread T0
    #0 0x4964a6 in __asan_memcpy /tmp/llvm/utils/release/final/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22
    #1 0x4dcfcd in ReadMP3APETag mp3gain/apetag.c:256
    #2 0x4de064 in ReadMP3GainAPETag mp3gain/apetag.c:381
    #3 0x4cead4 in main_impl mp3gain/mp3gain.c:1834
    #4 0x4ccbd1 in main mp3gain/mp3gain.c:2830
/usr/bin/addr2line: DWARF error: section .debug_info is larger than its filesize! (0x93f189 vs 0x531198)
    #5 0x7ffff7bdd082 in __libc_start_main ??:?
    #6 0x41c45d in _start ??:?

0x602000000051 is located 0 bytes to the right of 1-byte region [0x602000000050,0x602000000051)
allocated by thread T0 here:
    #0 0x4970fd in malloc /tmp/llvm/utils/release/final/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:145
    #1 0x4dc731 in ReadMP3APETag mp3gain/apetag.c:216
    #2 0x4de064 in ReadMP3GainAPETag mp3gain/apetag.c:381
    #3 0x4cead4 in main_impl mp3gain/mp3gain.c:1834
    #4 0x4ccbd1 in main mp3gain/mp3gain.c:2830
    #5 0x7ffff7bdd082 in __libc_start_main ??:?

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/llvm/utils/release/final/llvm-project/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22 in __asan_memcpy
Shadow bytes around the buggy address:
  0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa fa 00 fa fa fa 00 07 fa fa[01]fa fa fa fa fa
  0x0c047fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2151146==ABORTING

Environment info

OS: Ubuntu 20.04.6
1 Attachments
testcase.zip

Discussion

Log in to post a comment.

MongoDB Logo MongoDB