Hi, I've been fuzzing the torchaudio project with sydr-fuzz and found a crash at /libsox/src/wav.c:967.
sox version: 42b3557e13e0fe01a83465b672d89faddbe65f49
OS: Ubuntu 20.04
A division by zero occurs because ft->encoding.bits_per_sample is used as a divisor
at /libsox/src/wav.c:967
without first checking that it is non-zero.
How to reproduce:
sudo docker build -t oss-sydr-fuzz-torchaudio .
sudo docker run --privileged --rm -v `pwd`:/fuzz -it oss-sydr-fuzz-torchaudio /bin/bash
UBSAN_OPTIONS=print_stacktrace=1,report_error_type=1 /load_audio_afl crash-fpe-wav
wav.c:967:27: runtime error: division by zero
#0 0xc3be85 in startread /libsox/src/wav.c:967:27
#1 0x94cc2b in open_read /libsox/src/formats.c:600:32
#2 0x92ce64 in torchaudio::sox::apply_effects_file(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::vector<std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::allocator<std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > > > const&, c10::optional<bool>, c10::optional<bool>, c10::optional<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > const&) /audio/torchaudio/csrc/sox/effects.cpp:94:16
#3 0x8f88b3 in torchaudio::sox::load_audio_file(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, c10::optional<long> const&, c10::optional<long> const&, c10::optional<bool>, c10::optional<bool>, c10::optional<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > const&) /audio/torchaudio/csrc/sox/io.cpp:66:10
#4 0x8f4407 in LLVMFuzzerTestOneInput /audio/load_audio.cc:35:9
#5 0x1934251d in ExecuteFilesOnyByOne /AFLplusplus/utils/aflpp_driver/aflpp_driver.c:255:7
#6 0x19342328 in LLVMFuzzerRunDriver /AFLplusplus/utils/aflpp_driver/aflpp_driver.c
#7 0x19341ee8 in main /AFLplusplus/utils/aflpp_driver/aflpp_driver.c:300:10
#8 0x7f751bf7e082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
#9 0x833cbd in _start (/load_audio_afl+0x833cbd)
SUMMARY: UndefinedBehaviorSanitizer: integer-divide-by-zero wav.c:967:27 in
AddressSanitizer:DEADLYSIGNAL
=================================================================
==151==ERROR: AddressSanitizer: FPE on unknown address 0x000000c3bea0 (pc 0x000000c3bea0 bp 0x7ffc061b43b0 sp 0x7ffc061b4020 T0)
#0 0xc3bea0 in startread /libsox/src/wav.c:967:27
#1 0x94cc2b in open_read /libsox/src/formats.c:600:32
#2 0x92ce64 in torchaudio::sox::apply_effects_file(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::vector<std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::allocator<std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > > > const&, c10::optional<bool>, c10::optional<bool>, c10::optional<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > const&) /audio/torchaudio/csrc/sox/effects.cpp:94:16
#3 0x8f88b3 in torchaudio::sox::load_audio_file(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, c10::optional<long> const&, c10::optional<long> const&, c10::optional<bool>, c10::optional<bool>, c10::optional<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > const&) /audio/torchaudio/csrc/sox/io.cpp:66:10
#4 0x8f4407 in LLVMFuzzerTestOneInput /audio/load_audio.cc:35:9
#5 0x1934251d in ExecuteFilesOnyByOne /AFLplusplus/utils/aflpp_driver/aflpp_driver.c:255:7
#6 0x19342328 in LLVMFuzzerRunDriver /AFLplusplus/utils/aflpp_driver/aflpp_driver.c
#7 0x19341ee8 in main /AFLplusplus/utils/aflpp_driver/aflpp_driver.c:300:10
#8 0x7f751bf7e082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
#9 0x833cbd in _start (/load_audio_afl+0x833cbd)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /libsox/src/wav.c:967:27 in startread
==151==ABORTING
The second attachment is my patch with the fix.
This only affects commit 42b355 (the revision listed above), not version 14.4.2.