Bug#777160: null pointer dereference

Brian Carpenter brian.carpenter at gmail.com
Thu Feb 5 18:12:18 UTC 2015


Package: lame
Version: 3.99.5

This bug was found with american fuzzy lop (http://lcamtuf.coredump.cx/afl/).
I compiled lame as follows:
CC=/path/to/afl-gcc ./configure
AFL_HARDEN=1 make

GDB output:
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0xffffffffffffffe1
RBX: 0xfffffff1
RCX: 0x0
RDX: 0xffffffe1
RSI: 0x7fd184 --> 0xf770be9800007fff
RDI: 0x81a5a4 --> 0x0
RBP: 0x1f
RSP: 0x7fffffee5bd0 --> 0x0
RIP: 0x5354d0 (<fill_buffer+1944>: mulss  xmm0,DWORD PTR [rcx])
R8 : 0x81a5a0 --> 0x0
R9 : 0x80eb10 --> 0x0
R10: 0x0
R11: 0x20 (' ')
R12: 0xfffffffffffffff1
R13: 0x0
R14: 0x7
R15: 0x800cc0 --> 0xfff88e3b
EFLAGS: 0x10286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x5354be <fill_buffer+1926>: mov    rcx,QWORD PTR [rsp+0x8]
   0x5354c3 <fill_buffer+1931>: mov    rax,QWORD PTR [rsp+0x10]
   0x5354c8 <fill_buffer+1936>: lea    rsp,[rsp+0x98]
=> 0x5354d0 <fill_buffer+1944>: mulss  xmm0,DWORD PTR [rcx]
   0x5354d4 <fill_buffer+1948>: add    edx,0x1
   0x5354d7 <fill_buffer+1951>: cmp    ebp,0x1
   0x5354da <fill_buffer+1954>: mov    eax,0x1
   0x5354df <fill_buffer+1959>: addss  xmm0,xmm6
[------------------------------------stack-------------------------------------]
0000| 0x7fffffee5bd0 --> 0x0
0008| 0x7fffffee5bd8 --> 0x0
0016| 0x7fffffee5be0 --> 0x0
0024| 0x7fffffee5be8 --> 0x0
0032| 0x7fffffee5bf0 --> 0x0
0040| 0x7fffffee5bf8 --> 0x0
0048| 0x7fffffee5c00 --> 0x0
0056| 0x7fffffee5c08 --> 0x0
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
fill_buffer_resample (ch=<optimized out>, num_used=0x7fffffee5d30, len=0x1, inbuf=0x7fd200, desired_len=0x240, outbuf=0x80eb10, gfc=0x800cc0) at util.c:608
608            xvalue += y * esv->blackfilt[joff][i];

Valgrind output:
==53832== Invalid read of size 4
==53832==    at 0x5354D0: fill_buffer (util.c:608)
==53832==    by 0x4802D4: lame_encode_buffer_sample_t (lame.c:1736)
==53832==    by 0x49A3C3: lame_encode_flush (lame.c:1902)
==53832==    by 0x4039AC: lame_encoder_loop (lame_main.c:487)
==53832==    by 0x406D92: lame_main (lame_main.c:531)
==53832==    by 0x402604: main (main.c:470)
==53832==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==53832==
==53832==
==53832== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==53832==  Access not within mapped region at address 0x0
==53832==    at 0x5354D0: fill_buffer (util.c:608)
==53832==    by 0x4802D4: lame_encode_buffer_sample_t (lame.c:1736)
==53832==    by 0x49A3C3: lame_encode_flush (lame.c:1902)
==53832==    by 0x4039AC: lame_encoder_loop (lame_main.c:487)
==53832==    by 0x406D92: lame_main (lame_main.c:531)
==53832==    by 0x402604: main (main.c:470)
==53832==  If you believe this happened as a result of a stack
==53832==  overflow in your program's main thread (unlikely but
==53832==  possible), you can try to increase the size of the
==53832==  main thread stack using the --main-stacksize= flag.
==53832==  The main thread stack size used in this run was 8388608.
LAME 3.99.5 64bits (http://lame.sf.net)
Resampling:  input -352376 kHz  output 8 kHz
Using polyphase lowpass filter, transition band:  3903 Hz -  4000 Hz
Encoding test11.wav to test11.mp3
Encoding as 8 kHz j-stereo MPEG-2.5 Layer III (10.7x)  24 kbps qval=3
Only 8, 16, 24 and 32 bit input files supported
Segmentation fault

I've attached the test case which causes this crash.

Debian 7, kernel v3.2.63-2+deb7u2 x86_64, libc6 v2.13-38+deb7u7
Attachment: test11.wav (audio/x-wav, 123 bytes)
URL: <http://lists.alioth.debian.org/pipermail/pkg-multimedia-maintainers/attachments/20150205/8eb18259/attachment.wav>
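An added example, not part of this report and not lame's own code: a minimal RIFF/WAVE "fmt " chunk reader in C with the range checks that keep a fuzzed header like the one behind "input -352376 kHz" (a 32-bit sample-rate field with the high bit set, read back as a negative int) from ever reaching the resampler. Both headers below are constructed for the example; the report's 123-byte test11.wav is not on this page. The hostile header uses the rate bytes 40 2B FF EA, chosen so that a signed 32-bit read gives -352376000 Hz, i.e. the -352376 kHz shown in the report. The accepted bounds (PCM, 1 or 2 channels, 8000 to 192000 Hz, 8/16/24/32-bit samples), the function names and the return codes are assumptions of the example, not lame's actual checks.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example for this bug report, not lame's code: read the "fmt " chunk
 * of a RIFF/WAVE buffer and refuse header values that must never reach a
 * resampler. A sample-rate field with bit 31 set turns negative once it is
 * stored in a signed int, which is what the "-352376 kHz" line shows. */

typedef struct {
    uint16_t format_tag;      /* 1 = PCM */
    uint16_t channels;
    uint32_t sample_rate;     /* kept unsigned until it has been range-checked */
    uint16_t bits_per_sample;
} wav_fmt;

static uint32_t rd_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static uint16_t rd_le16(const unsigned char *p)
{
    return (uint16_t)(p[0] | p[1] << 8);
}

/* Walk the chunk list; every chunk size is checked against the buffer before
 * it is trusted. Returns 0 on success, a negative code on a malformed file. */
int wav_parse_fmt(const unsigned char *buf, size_t len, wav_fmt *out)
{
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "WAVE", 4) != 0)
        return -1;                                   /* not a RIFF/WAVE buffer */
    size_t off = 12;
    while (off + 8 <= len) {
        uint32_t csize = rd_le32(buf + off + 4);
        if (csize > len - off - 8)
            return -2;                               /* chunk claims more bytes than exist */
        if (memcmp(buf + off, "fmt ", 4) == 0) {
            if (csize < 16)
                return -3;                           /* a PCM fmt chunk is at least 16 bytes */
            const unsigned char *f = buf + off + 8;
            out->format_tag      = rd_le16(f);
            out->channels        = rd_le16(f + 2);
            out->sample_rate     = rd_le32(f + 4);
            out->bits_per_sample = rd_le16(f + 14);
            return 0;
        }
        off += 8 + csize + (csize & 1);              /* chunks are padded to an even size */
    }
    return -4;                                       /* no fmt chunk found */
}

/* The bounds here are assumptions for the example, not lame's own limits.
 * Checking the unsigned value before it is ever converted to int is the
 * point: every value with bit 31 set fails the upper bound. */
int wav_fmt_is_sane(const wav_fmt *f)
{
    if (f->format_tag != 1) return 0;
    if (f->channels < 1 || f->channels > 2) return 0;
    if (f->sample_rate < 8000u || f->sample_rate > 192000u) return 0;
    switch (f->bits_per_sample) {
    case 8: case 16: case 24: case 32: return 1;
    default: return 0;
    }
}

/* 0 = accept, 1 = parsed but unsafe to encode, negative = malformed. */
int wav_check(const unsigned char *buf, size_t len)
{
    wav_fmt f;
    int rc = wav_parse_fmt(buf, len, &f);
    if (rc != 0) return rc;
    return wav_fmt_is_sane(&f) ? 0 : 1;
}

/* Raw sample-rate field as stored in the file, 0 if the header does not parse. */
uint32_t wav_sample_rate(const unsigned char *buf, size_t len)
{
    wav_fmt f;
    return wav_parse_fmt(buf, len, &f) == 0 ? f.sample_rate : 0;
}

/* Constructed 44-byte headers with an empty data chunk; not the report's test11.wav. */
#define WAV_HDR(r0, r1, r2, r3) \
    'R','I','F','F', 36,0,0,0, 'W','A','V','E', \
    'f','m','t',' ', 16,0,0,0, 1,0, 1,0, r0,r1,r2,r3, 0x80,0x3E,0,0, 2,0, 16,0, \
    'd','a','t','a', 0,0,0,0

const unsigned char GOOD_WAV[]    = { WAV_HDR(0x40,0x1F,0x00,0x00) };  /* 8000 Hz, mono, 16-bit */
const unsigned char HOSTILE_WAV[] = { WAV_HDR(0x40,0x2B,0xFF,0xEA) };  /* 0xEAFF2B40 = -352376000 as int32 */
const unsigned char NO_FMT_WAV[]  = { 'R','I','F','F', 4,0,0,0, 'W','A','V','E' };

int main(void)
{
    printf("good:    %d\n", wav_check(GOOD_WAV, sizeof GOOD_WAV));        /* 0  */
    printf("hostile: %d\n", wav_check(HOSTILE_WAV, sizeof HOSTILE_WAV));  /* 1  */
    printf("cut:     %d\n", wav_check(GOOD_WAV, 20));                     /* -2 */
    printf("no fmt:  %d\n", wav_check(NO_FMT_WAV, sizeof NO_FMT_WAV));    /* -4 */
    return 0;
}
```

The hostile header parses cleanly, which is exactly why a front end cannot rely on parse success alone: the rate is rejected only because the range check runs on the unsigned field before any conversion to int. A truncated buffer is caught by the chunk-size check rather than by reading past the end.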