Bug#777161: malformed wav file causes lame to segfault in fill_buffer_resample at util.c:606 (y = (j2 < 0) ? inbuf_old[BLACKSIZE + j2] : inbuf[j2]; )

Brian Carpenter brian.carpenter at gmail.com
Thu Feb 5 18:37:38 UTC 2015


Package: lame
Version: 3.99.5

This bug was found with american fuzzy lop (http://lcamtuf.coredump.cx/afl/).
I compiled lame as follows:
CC=/path/to/afl-gcc ./configure
AFL_HARDEN=1 make

GDB output:
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0xfffffffffffbe74d
RBX: 0xfffffff1
RCX: 0x81f340 --> 0x3989e5fb00000000
RDX: 0xfffbe74d
RSI: 0x6f6f34 ('4oo')
RDI: 0x714354 ('TCq')
RBP: 0x1f
RSP: 0x7fffffee5bd0 --> 0xb84b6c4c
RIP: 0x536cb8 (<fill_buffer+8064>: movss  xmm0,DWORD PTR [rdi])
R8 : 0x81a5a0 --> 0x0
R9 : 0x80eb14 --> 0x0
R10: 0xfffbe76c
R11: 0x20 (' ')
R12: 0xfffffffffffffff1
R13: 0x1
R14: 0x7
R15: 0x800cc0 --> 0xfff88e3b
EFLAGS: 0x10286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x536ca6 <fill_buffer+8046>: mov    rcx,QWORD PTR [rsp+0x8]
   0x536cab <fill_buffer+8051>: mov    rax,QWORD PTR [rsp+0x10]
   0x536cb0 <fill_buffer+8056>: lea    rsp,[rsp+0x98]
=> 0x536cb8 <fill_buffer+8064>: movss  xmm0,DWORD PTR [rdi]
   0x536cbc <fill_buffer+8068>: jmp    0x535494 <fill_buffer+1884>
   0x536cc1 <fill_buffer+8073>: nop    DWORD PTR [rax+0x0]
   0x536cc8 <fill_buffer+8080>: lea    rsp,[rsp-0x98]
   0x536cd0 <fill_buffer+8088>: mov    QWORD PTR [rsp],rdx
[------------------------------------stack-------------------------------------]
0000| 0x7fffffee5bd0 --> 0xb84b6c4c
0008| 0x7fffffee5bd8 --> 0x0
0016| 0x7fffffee5be0 --> 0x3fef584ef0d5840f
0024| 0x7fffffee5be8 --> 0x0
0032| 0x7fffffee5bf0 --> 0x3fefd5f821e0e091
0040| 0x7fffffee5bf8 --> 0x0
0048| 0x7fffffee5c00 --> 0x2
0056| 0x7fffffee5c08 --> 0x3f000000fffffff1
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000000000536cb8 in fill_buffer_resample (ch=<optimized out>,
num_used=0x7fffffee5d30, len=0x1, inbuf=0x7fd200, desired_len=0x240,
outbuf=0x80eb10, gfc=0x800cc0) at util.c:606
606            y = (j2 < 0) ? inbuf_old[BLACKSIZE + j2] : inbuf[j2];

Valgrind output:
==10757==
==10757== Process terminating with default action of signal 11 (SIGSEGV):
dumping core
==10757==  Bad permissions for mapped region at address 0x59E9A94
==10757==    at 0x536CB8: fill_buffer (util.c:606)
==10757==    by 0x4802D4: lame_encode_buffer_sample_t (lame.c:1736)
==10757==    by 0x49A3C3: lame_encode_flush (lame.c:1902)
==10757==    by 0x4039AC: lame_encoder_loop (lame_main.c:487)
==10757==    by 0x406D92: lame_main (lame_main.c:531)
==10757==    by 0x402604: main (main.c:470)
LAME 3.99.5 64bits (http://lame.sf.net)
Resampling:  input -2.14748e+06 kHz  output 8 kHz
Using polyphase lowpass filter, transition band:  3903 Hz -  4000 Hz
Encoding test09.wav to test09.mp3
Encoding as 8 kHz j-stereo MPEG-2.5 Layer III (10.7x)  24 kbps qval=3
Only 8, 16, 24 and 32 bit input files supported
Segmentation fault

I've attached the test case which causes this crash.

Debian 7, kernel v3.2.63-2+deb7u2 x86_64, libc6 v2.13-38+deb7u7
-------------- next part --------------
A non-text attachment was scrubbed...
Name: test09.wav
Type: audio/x-wav
Size: 68 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-multimedia-maintainers/attachments/20150205/7265beff/attachment-0001.wav>
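The report's "Resampling: input -2.14748e+06 kHz" line is consistent with a 32-bit sample-rate field in the WAV fmt chunk that becomes a large negative value once it is stored in a signed int, and the crash at util.c:606 is an out-of-bounds read in the resampler that follows from that. The following is an added example, not code from the bug report or from LAME: a small RIFF/WAVE header validator that rejects such a header before any resampler arithmetic can run. The 68-byte test09.wav is not reproduced here; the headers built below are constructed, the 8 kHz to 192 kHz range is a policy choice for this example rather than a LAME limit, and the allowed bit depths are the ones LAME lists in its own error message above.

```python
import struct

# Policy bounds for this example (assumption, not a LAME limit).
MIN_SAMPLE_RATE = 8_000
MAX_SAMPLE_RATE = 192_000
# Bit depths LAME reports as supported: "Only 8, 16, 24 and 32 bit input files supported".
ALLOWED_BITS = {8, 16, 24, 32}


class WavHeaderError(ValueError):
    """Raised for a truncated, malformed or internally inconsistent header."""


def parse_fmt_chunk(data: bytes) -> dict:
    """Walk the RIFF chunk list and return the fields of the 'fmt ' chunk."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise WavHeaderError("not a RIFF/WAVE file")
    pos = 12
    while pos + 8 <= len(data):
        chunk_id = data[pos:pos + 4]
        (chunk_size,) = struct.unpack_from("<I", data, pos + 4)
        body = data[pos + 8:pos + 8 + chunk_size]   # slicing clamps oversized sizes
        if chunk_id == b"fmt ":
            if len(body) < 16:
                raise WavHeaderError("fmt chunk truncated")
            fmt_tag, channels, rate, byte_rate, block_align, bits = \
                struct.unpack_from("<HHIIHH", body, 0)
            return {"format": fmt_tag, "channels": channels,
                    "sample_rate": rate, "byte_rate": byte_rate,
                    "block_align": block_align, "bits": bits}
        # RIFF chunks are word-aligned: skip the pad byte after an odd-sized body.
        pos += 8 + chunk_size + (chunk_size & 1)
    raise WavHeaderError("no fmt chunk")


def validate_wav_header(data: bytes) -> dict:
    """Return the fmt fields if the header is safe to hand to an encoder."""
    fmt = parse_fmt_chunk(data)
    rate = fmt["sample_rate"]
    # The field is unsigned on disk; any value >= 2**31 turns negative in a
    # signed int, which is the failure mode the bug report shows.
    if rate >= 2 ** 31:
        raise WavHeaderError(f"sample rate 0x{rate:08x} is negative as int32")
    if not MIN_SAMPLE_RATE <= rate <= MAX_SAMPLE_RATE:
        raise WavHeaderError(f"sample rate {rate} Hz out of range")
    if fmt["channels"] not in (1, 2):
        raise WavHeaderError(f"unsupported channel count {fmt['channels']}")
    if fmt["bits"] not in ALLOWED_BITS:
        raise WavHeaderError(f"unsupported bit depth {fmt['bits']}")
    expected_align = fmt["channels"] * fmt["bits"] // 8
    if fmt["block_align"] != expected_align or fmt["byte_rate"] != rate * expected_align:
        raise WavHeaderError("fmt fields are mutually inconsistent")
    return fmt


def classify(data: bytes) -> str:
    """Convenience wrapper: 'ok' or the rejection reason."""
    try:
        validate_wav_header(data)
        return "ok"
    except WavHeaderError as exc:
        return str(exc)


def make_wav_header(rate: int, channels: int = 1, bits: int = 16,
                    data_len: int = 0) -> bytes:
    """Constructed helper: build a canonical 44-byte PCM header.

    byte_rate is masked to 32 bits so that a forged sample rate can be
    written out the way a malformed file would carry it.
    """
    block_align = channels * bits // 8
    byte_rate = (rate * block_align) & 0xFFFFFFFF
    fmt = struct.pack("<HHIIHH", 1, channels, rate, byte_rate, block_align, bits)
    return (b"RIFF" + struct.pack("<I", 36 + data_len) + b"WAVE"
            + b"fmt " + struct.pack("<I", 16) + fmt
            + b"data" + struct.pack("<I", data_len))


if __name__ == "__main__":
    print(classify(make_wav_header(44100)))        # well-formed header
    print(classify(make_wav_header(0x80000000)))   # rate that reads as -2147483648
    print(classify(make_wav_header(0)))            # zero rate
    print(classify(b"RIFX"))                       # not a WAV at all
```

The check on the raw unsigned value is the important one: rejecting anything at or above 2**31 before the rate is converted means the consumer never sees a negative rate, whatever it later does with it. The range and consistency checks are cheaper to reason about than the resampler's index arithmetic and are where this class of input should be stopped.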