This is an out-of-bounds read (heap-buffer-overflow) bug. It may cause denial of service. I found it with the help of AFL and AddressSanitizer.
## 0. Software & Environments
### 0.0 software
mpg123 snapshot-0811022201 (https://www.mpg123.de/snapshot)
### 0.1 operating system
~~~
lsb_release -a
Distributor ID: Ubuntu
Description:    Ubuntu 16.04.1 LTS
Release:        16.04
Codename:       xenial
uname -a
Linux ubuntu 4.4.0-83-generic #106-Ubuntu SMP Mon Jun 26 17:54:25 UTC 2017 i686 i686 i686 GNU/Linux
~~~
### 0.2 compiler
~~~
gcc --version
gcc (Ubuntu 5.4.0-6ubuntu1~16.04.4) 5.4.0 20160609
clang --version
clang version 3.8.0-2ubuntu4 (tags/RELEASE_380/final)
Target: i686-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/bin
~~~
## 1. reproduction
~~~
cd /path of mpg123 source code/
mkdir build-clang-asan
cd build-clang-asan
../configure CFLAGS="-fsanitize=address -g" CXXFLAGS="-fsanitize=address -g" --enable-static --enable-shared=no
cd src
./mpg123 -t PoC
~~~
## 2. exception
~~~
High Performance MPEG 1.0/2.0/2.5 Audio Player for Layers 1, 2 and 3
version 20170811022201; written and copyright by Michael Hipp and others
free software (LGPL) without any warranty but with best wishes
Directory: mpg123-0/outputs-mpg123-a/crashes/
Terminal control enabled, press 'h' for listing of keys and functions.
Playing MPEG stream 1 of 1: id:000023,sig:06,src:001101,op:flip4,pos:3942 ...
MPEG 1.0 L I cbr146 44100 stereo
Note: Illegal Audio-MPEG-Header 0x00000000 at offset 725.
Note: Trying to resync...
Note: Skipped 96 bytes in input.
Warning: Big change from first (MPEG version, layer, rate). Frankenstein stream?
MPEG 1.0 L I cbr159 48000 stereo
[../src/libmpg123/layer1.c:30] error: Illegal bit allocation value.
[../src/libmpg123/layer1.c:174] error: Aborting layer I decoding after step one.
Note: Illegal Audio-MPEG-Header 0x00000000 at offset 980.
Note: Trying to resync...
Note: Skipped 31 bytes in input.
MPEG 1.0 L I cbr146 44100 stereo
Note: Illegal Audio-MPEG-Header 0xffffffff at offset 1170.
Note: Trying to resync...
Note: Skipped 250 bytes in input.
[../src/libmpg123/layer1.c:30] error: Illegal bit allocation value.
[../src/libmpg123/layer1.c:174] error: Aborting layer I decoding after step one.
MPEG 1.0 L I cbr448 44100 j-s
Note: Illegal Audio-MPEG-Header 0xd35030a9 at offset 1908.
Note: Trying to resync...
Note: Skipped 25 bytes in input.
Warning: Big change from first (MPEG version, layer, rate). Frankenstein stream?
MPEG 1.0 L III cbr128 44100 stereo
Note: Illegal Audio-MPEG-Header 0x7d79a341 at offset 2351.
Note: Trying to resync...
Note: Skipped 63 bytes in input.
Warning: Big change from first (MPEG version, layer, rate). Frankenstein stream?
MPEG 2.5 L I cbr96 8000 stereo
[../src/libmpg123/layer1.c:30] error: Illegal bit allocation value.
[../src/libmpg123/layer1.c:174] error: Aborting layer I decoding after step one.
Note: Illegal Audio-MPEG-Header 0x1e0566e1 at offset 2990.
Note: Trying to resync...
Note: Skipped 89 bytes in input.
Warning: Big change from first (MPEG version, layer, rate). Frankenstein stream?
MPEG 1.0 L III cbr128 44100 stereo
Note: Illegal Audio-MPEG-Header 0xffffffff at offset 3915.
Note: Trying to resync...
Note: Skipped 26 bytes in input.
==16637==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5007248 at pc 0x080de3de bp 0xbfae6f98 sp 0xbfae6f88
READ of size 1 at 0xb5007248 thread T0
#0 0x80de3dd in INT123_getbits ../src/libmpg123/getbits.h:60
#1 0x80de3dd in II_step_two ../src/libmpg123/layer2.c:216
#2 0x80de3dd in INT123_do_layer2 ../src/libmpg123/layer2.c:358
#3 0x809c3b4 in decode_the_frame ../src/libmpg123/libmpg123.c:710
#4 0x80a40a8 in mpg123_decode_frame_64 ../src/libmpg123/libmpg123.c:849
#5 0x805fe98 in play_frame ../src/mpg123.c:739
#6 0x804c891 in main ../src/mpg123.c:1363
#7 0xb6ea3636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
#8 0x804dc7f (/home/fire/bing/afl/libraries/mpg123-20170811022201/build-clang-asan/src/mpg123+0x804dc7f)
0xb5007248 is located 0 bytes to the right of 28744-byte region [0xb5000200,0xb5007248)
allocated by thread T0 here:
#0 0xb726fdee in malloc (/usr/lib/i386-linux-gnu/libasan.so.2+0x96dee)
#1 0x809d3bf in mpg123_parnew ../src/libmpg123/libmpg123.c:66
#2 0x804c06c in main ../src/mpg123.c:1125
#3 0xb6ea3636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
SUMMARY: AddressSanitizer: heap-buffer-overflow ../src/libmpg123/getbits.h:60 INT123_getbits
Shadow bytes around the buggy address:
0x36a00df0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x36a00e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x36a00e10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x36a00e20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x36a00e30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x36a00e40: 00 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa
0x36a00e50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36a00e60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36a00e70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36a00e80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x36a00e90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==16637==ABORTING
~~~
## 3. author
Bingchang, Liu
I am short on time and should actually be far away from the computer by now … so I made a hotfix for this issue and am releasing version 1.25.6. I hope this works for you, please drop a note in case (not) so that we can close this report.
The fix is not nice (ideally, the code paths should ensure that they never request more data than there is), but should stop similar possible overflows where some code tries to get more frame data than there is.
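The kind of bounds check the maintainer describes, as an added example that is not mpg123's own code: a small bit reader modelled on the over-read in the ASan trace above (INT123_getbits walking past the end of the frame buffer), with a checked wrapper that refuses any request beyond the frame so decoding of that frame aborts instead of reading into the heap redzone. The reader layout, the function names and the 4-byte sample frame are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Constructed bit reader in the spirit of getbits.h: names, layout and the
 * sample frame are assumptions for this example, not mpg123's own code. */
typedef struct {
    const uint8_t *data;  /* frame payload */
    size_t len;           /* bytes actually present in the frame */
    size_t bitpos;        /* bits consumed so far */
} bitreader;

/* Core read: nbits (<= 32) MSB-first. It trusts the caller, which is the
 * failure mode in the ASan trace: a decoding step that believes the frame
 * holds more fields than bytes keeps calling it past the malloc'd buffer. */
static uint32_t getbits_raw(bitreader *br, unsigned nbits)
{
    uint32_t v = 0;
    while (nbits-- > 0) {
        size_t byte = br->bitpos >> 3;
        unsigned bit = (br->data[byte] >> (7 - (br->bitpos & 7))) & 1u;
        v = (v << 1) | bit;
        br->bitpos++;
    }
    return v;
}

/* Bounds-checked wrapper: refuses a request that would cross the end of the
 * frame and reports failure, so the decoder aborts the frame and resyncs. */
static bool getbits_checked(bitreader *br, unsigned nbits, uint32_t *out)
{
    if (nbits > 32 || br->bitpos + nbits > br->len * 8)
        return false;
    *out = getbits_raw(br, nbits);
    return true;
}

/* Reads up to nfields fixed-width values (e.g. bit allocation indices) into
 * out and returns how many were read before the frame ran out of data. */
static unsigned read_fields(const uint8_t *frame, size_t len,
                            unsigned nfields, unsigned width, uint32_t *out)
{
    bitreader br = { frame, len, 0 };
    unsigned n = 0;
    while (n < nfields && getbits_checked(&br, width, &out[n]))
        n++;
    return n;
}

/* Constructed 4-byte frame: 32 bits, room for exactly eight 4-bit fields. */
static const uint8_t sample_frame[4] = { 0x12, 0x34, 0x56, 0x78 };
```

Asking for nine 4-bit fields from the 32-bit sample frame returns 8 and stops, which is the behaviour the unchecked reader lacked.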
Hello,
This is not a serious bug. So you can fix it when you have free time.
Thanks for your work!
Hello,
I have seen the version 1.25.6. Thanks.
CVE-2017-12839 was assigned for this issue by Mitre.
======================================
Use CVE-2017-12839.
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html]
Last edit: twelveand0 2018-01-12