
#128 Division by zero at `wav.c:967`

Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2023-10-27
Created: 2023-10-27
Creator: hkctkuy
Private: No

Hi, I've been fuzzing the torchaudio project with sydr-fuzz and found a crash at /libsox/src/wav.c:967.

sox version: 42b3557e13e0fe01a83465b672d89faddbe65f49

OS: Ubuntu 20.04

Division by zero occurs because we divide by ft->encoding.bits_per_sample at /libsox/src/wav.c:967 without the necessary check.

How to reproduce:

  • Build docker from here and run the container:

```shell
sudo docker build -t oss-sydr-fuzz-torchaudio .
sudo docker run --privileged --rm -v `pwd`:/fuzz -it oss-sydr-fuzz-torchaudio /bin/bash
```

  • Run the target on the attached input (first attachment):

```shell
UBSAN_OPTIONS=print_stacktrace=1,report_error_type=1 /load_audio_afl crash-fpe-wav
```

  • You will see the following output:

```
wav.c:967:27: runtime error: division by zero
    #0 0xc3be85 in startread /libsox/src/wav.c:967:27
    #1 0x94cc2b in open_read /libsox/src/formats.c:600:32
    #2 0x92ce64 in torchaudio::sox::apply_effects_file(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::vector<std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::allocator<std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > > > const&, c10::optional<bool>, c10::optional<bool>, c10::optional<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > const&) /audio/torchaudio/csrc/sox/effects.cpp:94:16
    #3 0x8f88b3 in torchaudio::sox::load_audio_file(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, c10::optional<long> const&, c10::optional<long> const&, c10::optional<bool>, c10::optional<bool>, c10::optional<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > const&) /audio/torchaudio/csrc/sox/io.cpp:66:10
    #4 0x8f4407 in LLVMFuzzerTestOneInput /audio/load_audio.cc:35:9
    #5 0x1934251d in ExecuteFilesOnyByOne /AFLplusplus/utils/aflpp_driver/aflpp_driver.c:255:7
    #6 0x19342328 in LLVMFuzzerRunDriver /AFLplusplus/utils/aflpp_driver/aflpp_driver.c
    #7 0x19341ee8 in main /AFLplusplus/utils/aflpp_driver/aflpp_driver.c:300:10
    #8 0x7f751bf7e082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
    #9 0x833cbd in _start (/load_audio_afl+0x833cbd)

SUMMARY: UndefinedBehaviorSanitizer: integer-divide-by-zero wav.c:967:27 in 
AddressSanitizer:DEADLYSIGNAL
=================================================================
==151==ERROR: AddressSanitizer: FPE on unknown address 0x000000c3bea0 (pc 0x000000c3bea0 bp 0x7ffc061b43b0 sp 0x7ffc061b4020 T0)
    #0 0xc3bea0 in startread /libsox/src/wav.c:967:27
    #1 0x94cc2b in open_read /libsox/src/formats.c:600:32
    #2 0x92ce64 in torchaudio::sox::apply_effects_file(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::vector<std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::allocator<std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > > > const&, c10::optional<bool>, c10::optional<bool>, c10::optional<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > const&) /audio/torchaudio/csrc/sox/effects.cpp:94:16
    #3 0x8f88b3 in torchaudio::sox::load_audio_file(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, c10::optional<long> const&, c10::optional<long> const&, c10::optional<bool>, c10::optional<bool>, c10::optional<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > const&) /audio/torchaudio/csrc/sox/io.cpp:66:10
    #4 0x8f4407 in LLVMFuzzerTestOneInput /audio/load_audio.cc:35:9
    #5 0x1934251d in ExecuteFilesOnyByOne /AFLplusplus/utils/aflpp_driver/aflpp_driver.c:255:7
    #6 0x19342328 in LLVMFuzzerRunDriver /AFLplusplus/utils/aflpp_driver/aflpp_driver.c
    #7 0x19341ee8 in main /AFLplusplus/utils/aflpp_driver/aflpp_driver.c:300:10
    #8 0x7f751bf7e082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
    #9 0x833cbd in _start (/load_audio_afl+0x833cbd)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /libsox/src/wav.c:967:27 in startread
==151==ABORTING
```

The second attachment is my patch with fix.

2 Attachments
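As an added illustration (not libsox's code and not the reporter's attached patch), the defensive shape of a WAV fmt-chunk parse that refuses to derive a frame count from a header whose bits_per_sample is zero instead of dividing by it. The struct and function names are hypothetical, and the two byte arrays are constructed inputs.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical minimal view of a PCM "fmt " chunk; field names are assumptions, not libsox's. */
typedef struct {
    uint16_t format_tag;
    uint16_t channels;
    uint32_t sample_rate;
    uint16_t block_align;
    uint16_t bits_per_sample;
} wav_fmt;

/* Little-endian readers for the on-disk header fields. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Parse the 16-byte body of a PCM fmt chunk. Returns 0 on success, -1 if the body is too short. */
int parse_fmt(const uint8_t *body, size_t len, wav_fmt *out) {
    if (len < 16) return -1;
    out->format_tag      = rd16(body);
    out->channels        = rd16(body + 2);
    out->sample_rate     = rd32(body + 4);
    /* average byte rate at body+8 is not needed here */
    out->block_align     = rd16(body + 12);
    out->bits_per_sample = rd16(body + 14);
    return 0;
}

/* Number of sample frames in a data chunk of data_bytes bytes.
 * Every value that becomes a divisor is validated first, so a header with
 * bits_per_sample == 0 (the crash input's shape) yields -1 instead of SIGFPE. */
int64_t frames_in_data(const wav_fmt *f, uint32_t data_bytes) {
    if (f->channels == 0 || f->bits_per_sample == 0 || f->bits_per_sample % 8 != 0) return -1;
    uint32_t bytes_per_frame = (uint32_t)f->channels * (f->bits_per_sample / 8u);
    if (f->block_align != bytes_per_frame) return -1;   /* header is internally inconsistent */
    return (int64_t)(data_bytes / bytes_per_frame);
}

/* Constructed fmt bodies: PCM, mono, 8000 Hz; the second one declares 0 bits per sample. */
static const uint8_t kGoodFmt[16]     = {1,0, 1,0, 0x40,0x1F,0,0, 0x80,0x3E,0,0, 2,0, 16,0};
static const uint8_t kZeroBitsFmt[16] = {1,0, 1,0, 0x40,0x1F,0,0, 0,0,0,0,       0,0, 0,0};

int main(void) {
    wav_fmt f;
    if (parse_fmt(kGoodFmt, sizeof kGoodFmt, &f) == 0)
        printf("good header: %lld frames in 16 data bytes\n", (long long)frames_in_data(&f, 16));
    if (parse_fmt(kZeroBitsFmt, sizeof kZeroBitsFmt, &f) == 0)
        printf("zero-bits header: frames_in_data -> %lld (rejected)\n", (long long)frames_in_data(&f, 16));
    return 0;
}
```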
