Bug#689712: faad crashes when given ADTS AAC file with large ID3v2 tag

Mike Crowe mac at mcrowe.com
Fri Oct 5 12:42:57 UTC 2012


Package: faad
Version: 2.7-8
Severity: normal
Tags: upstream

I have an ADTS AAC file with an ID3v2 tag containing an image. Attempting to
skip this header by passing a value larger than the buffer size to
advance_buffer causes fill_buffer to misbehave. The problem is detected in
free() during a normal build but the problem is clearer when running under
valgrind:

==23880== Invalid write of size 8
==23880==    at 0x50F81CB: __GI_memcpy (memcpy.S:267)
==23880==    by 0x50E17D2: _IO_file_xsgetn (fileops.c:1414)
==23880==    by 0x50D79B1: fread (iofread.c:44)
==23880==    by 0x403930: ??? (in /usr/bin/faad)
==23880==    by 0x401BAE: ??? (in /usr/bin/faad)
==23880==    by 0x508EEAC: (below main) (libc-start.c:228)
==23880==  Address 0x567a830 is 0 bytes after a block of size 4,608 alloc'd
==23880==    at 0x4C28BED: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==23880==    by 0x401AC2: ??? (in /usr/bin/faad)
==23880==    by 0x508EEAC: (below main) (libc-start.c:228)

Here's a more useful log generated by a version of faad I compiled myself on
squeeze-i386:

==28965== Syscall param read(buf) points to unaddressable byte(s)
==28965==    at 0x4A06073: __read_nocancel (syscall-template.S:82)
==28965==    by 0x49B16F7: _IO_sgetn (genops.c:500)
==28965==    by 0x49A52CD: fread (iofread.c:44)
==28965==    by 0x8049150: fill_buffer (main.c:100)
==28965==    by 0x8049544: decodeAACfile (main.c:478)
==28965==    by 0x804A484: main (main.c:1249)
==28965==  Address 0x6d20548 is 0 bytes after a block of size 4,608 alloc'd
==28965==    at 0x48DEF50: malloc (vg_replace_malloc.c:236)
==28965==    by 0x8049461: decodeAACfile (main.c:454)
==28965==    by 0x804A484: main (main.c:1249)
==28965==
==28965== Invalid write of size 1
==28965==    at 0x48E091F: memcpy (mc_replace_strmem.c:497)
==28965==    by 0x49AF737: _IO_file_xsgetn (fileops.c:1414)
==28965==    by 0x49B16F7: _IO_sgetn (genops.c:500)
==28965==    by 0x49A52CD: fread (iofread.c:44)
==28965==    by 0x8049150: fill_buffer (main.c:100)
==28965==    by 0x8049544: decodeAACfile (main.c:478)
==28965==    by 0x804A484: main (main.c:1249)
==28965==  Address 0x6d24d95 is not stack'd, malloc'd or (recently) free'd

The attached patch fixes the problem for me. I've submitted it upstream at
https://sourceforge.net/tracker/?func=detail&aid=3574761&group_id=704&atid=100704


-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages faad depends on:
ii  libc6     2.13-35
ii  libfaad2  2.7-8

faad recommends no packages.

faad suggests no packages.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: faad2-large-id3v2.patch
Type: text/x-diff
Size: 5189 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-multimedia-maintainers/attachments/20121005/bf864bee/attachment.patch>
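The report names the mechanism but not the fix, and the attached patch is not reproduced on this page. The following is an added example, written here rather than taken from the report or from faad2, that models the two functions the reporter mentions: a fixed-size read buffer whose refill step must be bounded by the free space in the buffer, and an advance operation that can skip more bytes than the buffer holds (a large ID3v2 picture tag) by draining the file through the buffer in steps instead of letting the consumed count grow past the allocation. The struct and function names (aac_buffer, fill_buffer, advance_buffer, skip_id3v2, make_stream, first_byte_after_tag) and the 4608-byte buffer size are assumptions chosen to mirror the valgrind trace, not faad's actual code; the input stream is constructed in memory with tmpfile().

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SIZE 4608  /* assumed: same size as the block in the valgrind report */

/* Hypothetical buffer state modelled loosely on the report's description. */
typedef struct {
    unsigned char *buffer;
    size_t bytes_into_buffer;  /* valid, unconsumed bytes starting at buffer[bytes_consumed] */
    size_t bytes_consumed;     /* bytes at the front of the buffer already used */
    FILE *infile;
    int at_eof;
} aac_buffer;

int aac_buffer_init(aac_buffer *b, FILE *f) {
    memset(b, 0, sizeof *b);
    b->buffer = calloc(1, BUF_SIZE);
    if (!b->buffer) return -1;
    b->infile = f;
    return 0;
}

void aac_buffer_free(aac_buffer *b) { free(b->buffer); b->buffer = NULL; }

/* Compact the buffer and top it up. The refill length is BUF_SIZE minus the
 * bytes still held, so fread can never write past the allocation regardless of
 * how bytes_consumed was reached. */
int fill_buffer(aac_buffer *b) {
    if (b->bytes_consumed > 0) {
        if (b->bytes_into_buffer > 0)
            memmove(b->buffer, b->buffer + b->bytes_consumed, b->bytes_into_buffer);
        b->bytes_consumed = 0;
    }
    size_t want = BUF_SIZE - b->bytes_into_buffer;
    if (want == 0 || b->at_eof) return 0;
    size_t got = fread(b->buffer + b->bytes_into_buffer, 1, want, b->infile);
    if (got < want) b->at_eof = 1;
    b->bytes_into_buffer += got;
    return 0;
}

/* Discard n bytes of input. Anything beyond what is buffered is skipped by
 * refilling and discarding in BUF_SIZE steps, so bytes_consumed stays <= BUF_SIZE.
 * Returns -1 if the file ends before n bytes could be skipped. */
int advance_buffer(aac_buffer *b, size_t n) {
    while (n > 0) {
        if (b->bytes_into_buffer == 0) {
            if (b->at_eof) return -1;          /* tag claims more data than the file holds */
            fill_buffer(b);
            if (b->bytes_into_buffer == 0) return -1;
        }
        size_t step = n < b->bytes_into_buffer ? n : b->bytes_into_buffer;
        b->bytes_consumed += step;
        b->bytes_into_buffer -= step;
        n -= step;
    }
    return 0;
}

/* Total length of an ID3v2 tag (header + body, + footer if flagged), or 0 if
 * these bytes are not an ID3v2 header. The size is a 28-bit syncsafe integer. */
size_t id3v2_tag_length(const unsigned char *hdr, size_t len) {
    if (len < 10 || memcmp(hdr, "ID3", 3) != 0) return 0;
    if (hdr[3] == 0xff || hdr[4] == 0xff) return 0;   /* invalid version bytes */
    size_t size = 0;
    for (int i = 6; i < 10; i++) {
        if (hdr[i] & 0x80) return 0;                  /* not syncsafe: reject */
        size = (size << 7) | (hdr[i] & 0x7f);
    }
    return 10 + size + ((hdr[5] & 0x10) ? 10 : 0);
}

/* Skip a leading ID3v2 tag if present. Returns bytes skipped, or -1 on a truncated tag. */
long skip_id3v2(aac_buffer *b) {
    fill_buffer(b);
    size_t taglen = id3v2_tag_length(b->buffer, b->bytes_into_buffer);
    if (taglen == 0) return 0;
    if (advance_buffer(b, taglen) != 0) return -1;
    fill_buffer(b);            /* bring the first audio bytes to buffer[0] */
    return (long)taglen;
}

/* Constructed test stream: ID3v2.3 header claiming a body of `claimed` bytes,
 * `actual` bytes of 0xAA body (stands in for an embedded picture), then an
 * ADTS sync word 0xFFF1 and a few filler bytes. */
FILE *make_stream(size_t claimed, size_t actual) {
    FILE *f = tmpfile();
    if (!f) return NULL;
    unsigned char hdr[10] = { 'I', 'D', '3', 3, 0, 0,
        (unsigned char)((claimed >> 21) & 0x7f), (unsigned char)((claimed >> 14) & 0x7f),
        (unsigned char)((claimed >> 7) & 0x7f), (unsigned char)(claimed & 0x7f) };
    fwrite(hdr, 1, 10, f);
    for (size_t i = 0; i < actual; i++) fputc(0xAA, f);
    static const unsigned char adts[] = { 0xFF, 0xF1, 0x50, 0x80, 0x01, 0x7F, 0xFC };
    fwrite(adts, 1, sizeof adts, f);
    rewind(f);
    return f;
}

/* First byte left at buffer[0] after skipping the tag (0xFF for a correct skip), or -1. */
int first_byte_after_tag(size_t claimed, size_t actual) {
    FILE *f = make_stream(claimed, actual);
    if (!f) return -1;
    aac_buffer b;
    if (aac_buffer_init(&b, f) != 0) { fclose(f); return -1; }
    long skipped = skip_id3v2(&b);
    int result = -1;
    if (skipped == (long)(10 + claimed) && b.bytes_into_buffer >= 2) result = b.buffer[0];
    aac_buffer_free(&b);
    fclose(f);
    return result;
}

int main(void) {
    printf("20000-byte tag, 4608-byte buffer: first byte 0x%02X\n", first_byte_after_tag(20000, 20000));
    printf("100-byte tag:                     first byte 0x%02X\n", first_byte_after_tag(100, 100));
    printf("truncated tag:                    result %d\n", first_byte_after_tag(20000, 100));
    return 0;
}
```

The two points worth checking in any such reader are visible in the trace above: the refill length passed to fread is derived from the buffer's free space rather than from the consumed count, and a skip request larger than the buffer is satisfied in bounded steps with a defined failure when the file is shorter than the tag claims. Running the example under valgrind with the 20000-byte tag produces no invalid writes, which is the check the reporter used.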