
#126 Global-buffer-overflow at `adpcms.c:58`

Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2025-07-21
Created: 2023-10-27
Creator: hkctkuy
Private: No

Hi, I've been fuzzing the torchaudio project with sydr-fuzz and found a crash at /libsox/src/adpcms.c:58.

sox version: 42b3557e13e0fe01a83465b672d89faddbe65f49

OS: Ubuntu 20.04

A global-buffer-overflow occurs because we pass v->size to lsx_adpcm_init() at /libsox/src/voc.c:357 without checking its lower limit, and so we access an element beyond the upper bound of setup_table.

How to reproduce:

  • Build the Docker image from here and run the container:
      sudo docker build -t oss-sydr-fuzz-torchaudio .
      sudo docker run --privileged --rm -v `pwd`:/fuzz -it oss-sydr-fuzz-torchaudio /bin/bash
  • Run the target on the attached input (second attachment):
      /load_audio_afl crash-gbo-voc
  • You will see the following output:
=================================================================
==37==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000020c69cc8 at pc 0x0000008b5ec7 bp 0x7ffd40b86bf0 sp 0x7ffd40b863c0
READ of size 40 at 0x000020c69cc8 thread T0
    #0 0x8b5ec6 in __asan_memcpy /llvm-project-llvmorg-14.0.6/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3
    #1 0xc7a7a7 in lsx_adpcm_init /libsox/src/adpcms.c:58:14
    #2 0xc2a385 in read_samples /libsox/src/voc.c:357:11
    #3 0x958dde in sox_read /libsox/src/formats.c:1033:30
    #4 0xa24929 in drain /libsox/src/input.c:40:12
    #5 0x993766 in drain_effect /libsox/src/effects.c:352:17
    #6 0x993766 in sox_flow_effects /libsox/src/effects.c:445:11
    #7 0x92d135 in torchaudio::sox::apply_effects_file(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::vector<std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::allocator<std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > > > const&, c10::optional<bool>, c10::optional<bool>, c10::optional<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > const&) /audio/torchaudio/csrc/sox/effects.cpp:118:9
    #8 0x8f88b3 in torchaudio::sox::load_audio_file(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, c10::optional<long> const&, c10::optional<long> const&, c10::optional<bool>, c10::optional<bool>, c10::optional<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > const&) /audio/torchaudio/csrc/sox/io.cpp:66:10
    #9 0x8f4407 in LLVMFuzzerTestOneInput /audio/load_audio.cc:35:9
    #10 0x1934251d in ExecuteFilesOnyByOne /AFLplusplus/utils/aflpp_driver/aflpp_driver.c:255:7
    #11 0x19342328 in LLVMFuzzerRunDriver /AFLplusplus/utils/aflpp_driver/aflpp_driver.c
    #12 0x19341ee8 in main /AFLplusplus/utils/aflpp_driver/aflpp_driver.c:300:10
    #13 0x7f59c1d87082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
    #14 0x833cbd in _start (/load_audio_afl+0x833cbd)

0x000020c69cc8 is located 0 bytes to the right of global variable 'setup_table' defined in 'adpcms.c:48:28' (0x20c69c00) of size 200
SUMMARY: AddressSanitizer: global-buffer-overflow /llvm-project-llvmorg-14.0.6/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cpp:22:3 in __asan_memcpy
Shadow bytes around the buggy address:
  0x000084185340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000084185350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000084185360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000084185370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000084185380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x000084185390: 00 00 00 00 00 00 00 00 00[f9]f9 f9 f9 f9 f9 f9
  0x0000841853a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000841853b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000841853c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000841853d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000841853e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==37==ABORTING

The first attachment is my patch with the fix.
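The unchecked table lookup the report describes, modelled as an added C example that is not sox's code: the table size and entry size are taken from the ASan output above (a 200-byte global, a 40-byte read), while the struct fields, the function names and the way the index reaches the lookup are assumptions, and the real derivation of the index from v->size in voc.c is not reproduced.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Model of the lookup in lsx_adpcm_init(): a global table of 5 entries of
 * 40 bytes each, matching the report ("size 200" global, "READ of size 40").
 * Field names and values are constructed; they are not sox's. */
typedef struct {
    int sign;
    int shift;
    int steps[8];
} adpcm_setup_t;
_Static_assert(sizeof(adpcm_setup_t) == 40, "one entry is 40 bytes");

#define SETUP_COUNT 5
static const adpcm_setup_t setup_table[SETUP_COUNT] = {
    {0, 1, {0}}, {0, 2, {0}}, {1, 3, {0}}, {1, 4, {0}}, {1, 5, {0}},
};

typedef struct { adpcm_setup_t setup; int first_sample; } adpcm_t;

/* Unchecked form, the pattern the report describes: `type` comes from an
 * untrusted header field (v->size in voc.c) and is never range-checked, so
 * a value >= SETUP_COUNT makes memcpy read past the end of the 200-byte
 * global, which is the global-buffer-overflow ASan flagged. */
void adpcm_init_unchecked(adpcm_t *p, int type, int first_sample) {
    memcpy(&p->setup, &setup_table[type], sizeof p->setup);
    p->first_sample = first_sample;
}

/* Hardened form: validate both ends of the range before the lookup and
 * return an error the caller can turn into a decode failure. Checking only
 * one bound is the mistake the report points at ("without checking its
 * lower limit"): whichever end is left open becomes the out-of-bounds index. */
int adpcm_init_checked(adpcm_t *p, int type, int first_sample) {
    if (type < 0 || type >= SETUP_COUNT)
        return -1;
    memcpy(&p->setup, &setup_table[type], sizeof p->setup);
    p->first_sample = first_sample;
    return 0;
}

int main(void) {
    adpcm_t p;
    /* Constructed inputs: index 4 is the last valid entry, 5 is one past it. */
    printf("type 4: %d\n", adpcm_init_checked(&p, 4, 0));   /* 0  */
    printf("type 5: %d\n", adpcm_init_checked(&p, 5, 0));   /* -1 */
    return 0;
}
```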

Discussion

  • hkctkuy - 2023-10-27

    Missing attachments: input and patch

    Last edit: hkctkuy 2023-10-27
  • Martin Guy - 2025-07-21

    https://codeberg.org/sox_ng/sox_ng/issues/262
    applied to sox_ng in January 2025
