Bug#778529: lame: fill_buffer_resample segmentation fault
Henri Salo
henri at nerv.fi
Mon Feb 16 10:45:43 UTC 2015
Package: lame
Version: 3.99.5+repack1-6
Severity: important
Tags: security
While researching Debian issue "lame: invalid sample rate -> segmentation
fault" [1], I noticed that there is at least one more issue, which is not fixed
by patch [2], as demonstrated with the attached sample file found by using the afl
fuzzer [3].
hexdump -C muppet.wav
00000000 52 49 46 46 62 b8 00 00 57 41 56 45 66 6d 74 20 |RIFFb...WAVEfmt |
00000010 12 00 00 00 03 00 05 ff ff 05 f9 00 80 3e 00 00 |.............>..|
00000020 02 00 08 00 00 00 66 61 63 74 04 00 00 00 c5 5b |......fact.....[|
00000030 00 00 64 61 74 61 8a b7 |..data..|
00000038
When built with --enable-debug and CPPFLAGS=-DDEBUG CXXFLAGS="-g -O0" I get the
following.
Error reading input file
lame: util.c:595: fill_buffer_resample: Assertion `fabs(offset) <= .501' failed.
(gdb) bt
#0 0x00007ffff7767107 in __GI_raise (sig=sig at entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007ffff77684e8 in __GI_abort () at abort.c:89
#2 0x00007ffff7760226 in __assert_fail_base (fmt=0x7ffff7896ce8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n",
assertion=assertion at entry=0x4449dc "fabs(offset) <= .501", file=file at entry=0x4449d5 "util.c", line=line at entry=595,
function=function at entry=0x4449c0 <__PRETTY_FUNCTION__.6386> "fill_buffer_resample") at assert.c:92
#3 0x00007ffff77602d2 in __GI___assert_fail (assertion=assertion at entry=0x4449dc "fabs(offset) <= .501", file=file at entry=0x4449d5 "util.c",
line=line at entry=595, function=function at entry=0x4449c0 <__PRETTY_FUNCTION__.6386> "fill_buffer_resample") at assert.c:101
#4 0x0000000000428805 in fill_buffer_resample (ch=0, num_used=0x7fffffee64a8, len=<optimized out>, inbuf=<optimized out>, desired_len=1152,
outbuf=<optimized out>, gfc=0x681170) at util.c:595
#5 fill_buffer (gfc=gfc at entry=0x681170, mfbuf=mfbuf at entry=0x7fffffee64b0, in_buffer=in_buffer at entry=0x7fffffee64c0, nsamples=nsamples at entry=1152,
n_in=n_in at entry=0x7fffffee64a8, n_out=n_out at entry=0x7fffffee64ac) at util.c:676
#6 0x0000000000415f8d in lame_encode_buffer_sample_t (mp3buf_size=147456, mp3buf=0x7ffffff0dd20 "", nsamples=1152, gfc=0x681170) at lame.c:1742
#7 lame_encode_buffer_template (gfp=gfp at entry=0x681010, buffer_l=buffer_l at entry=0x7fffffee6550, buffer_r=buffer_r at entry=0x7fffffee6e50,
nsamples=<optimized out>, mp3buf=mp3buf at entry=0x7ffffff0dba0 "\377\373\224D", mp3buf_size=mp3buf_size at entry=147456, pcm_type=pcm_short_type,
aa=1, norm=norm at entry=1) at lame.c:1897
#8 0x0000000000416914 in lame_encode_buffer (gfp=gfp at entry=0x681010, pcm_l=pcm_l at entry=0x7fffffee6550, pcm_r=pcm_r at entry=0x7fffffee6e50,
nsamples=<optimized out>, mp3buf=mp3buf at entry=0x7ffffff0dba0 "\377\373\224D", mp3buf_size=mp3buf_size at entry=147456) at lame.c:1908
#9 0x0000000000418c08 in lame_encode_flush (gfp=gfp at entry=0x681010, mp3buffer=mp3buffer at entry=0x7ffffff0dba0 "\377\373\224D",
mp3buffer_size=mp3buffer_size at entry=147456) at lame.c:2140
#10 0x0000000000401dfc in lame_encoder_loop (gf=gf at entry=0x681010, outf=outf at entry=0x696e50, nogap=nogap at entry=0,
inPath=inPath at entry=0x7fffffffd520 "muppet.wav", outPath=outPath at entry=0x7fffffffc510 "muppet.mp3") at lame_main.c:487
#11 0x0000000000402949 in lame_encoder (outPath=0x7fffffffc510 "muppet.mp3", inPath=0x7fffffffd520 "muppet.wav", nogap=0, outf=0x696e50,
gf=0x681010) at lame_main.c:531
#12 lame_main (gf=gf at entry=0x681010, argc=argc at entry=2, argv=argv at entry=0x7fffffffe668) at lame_main.c:707
#13 0x0000000000402aaf in c_main (argv=0x7fffffffe668, argc=2) at main.c:470
#14 main (argc=2, argv=0x7fffffffe668) at main.c:438
Please ask if you need more information, thank you.
1: https://bugs.debian.org/775959
2: https://bugs.debian.org/cgi-bin/bugreport.cgi?msg=8;bug=775959
3: http://lcamtuf.coredump.cx/afl/
--
Henri Salo
-------------- next part --------------
Reading symbols from ./lame/bin/lame...done.
Starting program: /home/henri/lame/bin/lame muppet.wav
Program received signal SIGABRT, Aborted.
0x00007ffff7767107 in __GI_raise (sig=sig at entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
#0 0x00007ffff7767107 in __GI_raise (sig=sig at entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
resultvar = 0
pid = 25006
selftid = 25006
#1 0x00007ffff77684e8 in __GI_abort () at abort.c:89
save_stage = 2
act = {__sigaction_handler = {sa_handler = 0x153, sa_sigaction = 0x153}, sa_mask = {__val = {1, 140737346366696, 140737351949831, 1, 0,
60129542144, 140737344973912, 140733193388032, 140737346366696, 4475356, 140737351975717, 140737354088452, 0, 140737354088533,
140737354088448, 140737346366696}}, sa_flags = 4475356, sa_restorer = 0x4449c0 <__PRETTY_FUNCTION__.6386>}
sigs = {__val = {32, 0 <repeats 15 times>}}
#2 0x00007ffff7760226 in __assert_fail_base (fmt=0x7ffff7896ce8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n",
assertion=assertion at entry=0x4449dc "fabs(offset) <= .501", file=file at entry=0x4449d5 "util.c", line=line at entry=595,
function=function at entry=0x4449c0 <__PRETTY_FUNCTION__.6386> "fill_buffer_resample") at assert.c:92
str = 0x6b38f0 ""
total = 4096
#3 0x00007ffff77602d2 in __GI___assert_fail (assertion=assertion at entry=0x4449dc "fabs(offset) <= .501", file=file at entry=0x4449d5 "util.c",
line=line at entry=595, function=function at entry=0x4449c0 <__PRETTY_FUNCTION__.6386> "fill_buffer_resample") at assert.c:101
No locals.
#4 0x0000000000428805 in fill_buffer_resample (ch=0, num_used=0x7fffffee64a8, len=<optimized out>, inbuf=<optimized out>, desired_len=1152,
outbuf=<optimized out>, gfc=0x681170) at util.c:595
time0 = 339.99997916666666
joff = <optimized out>
i = <optimized out>
fcn = 0.00294117676
intratio = <optimized out>
bpc = 320
resample_ratio = 339.99997916666666
xvalue = <optimized out>
j = 339
filter_l = 32
inbuf_old = 0x69cf40
k = 1
cfg = 0x681184
esv = 0x687e58
BLACKSIZE = 33
offset = <optimized out>
#5 fill_buffer (gfc=gfc at entry=0x681170, mfbuf=mfbuf at entry=0x7fffffee64b0, in_buffer=in_buffer at entry=0x7fffffee64c0, nsamples=nsamples at entry=1152,
n_in=n_in at entry=0x7fffffee64a8, n_out=n_out at entry=0x7fffffee64ac) at util.c:676
cfg = 0x681184
mf_size = <optimized out>
framesize = 1152
nout = <optimized out>
ch = 0
nch = 2
#6 0x0000000000415f8d in lame_encode_buffer_sample_t (mp3buf_size=147456, mp3buf=0x7ffffff0dd20 "", nsamples=1152, gfc=0x681170) at lame.c:1742
in_buffer_ptr = {0x69ab20, 0x69bd30}
n_in = 0
n_out = 0
mp3size = 384
mp3out = <optimized out>
mfbuf = {0x68e780, 0x6925c0}
in_buffer = {0x69ab20, 0x69bd30}
ret = <optimized out>
mf_needed = 1904
cfg = 0x681184
esv = 0x687e58
pcm_samples_per_frame = <optimized out>
i = <optimized out>
ch = <optimized out>
#7 lame_encode_buffer_template (gfp=gfp at entry=0x681010, buffer_l=buffer_l at entry=0x7fffffee6550, buffer_r=buffer_r at entry=0x7fffffee6e50,
nsamples=<optimized out>, mp3buf=mp3buf at entry=0x7ffffff0dba0 "\377\373\224D", mp3buf_size=mp3buf_size at entry=147456, pcm_type=pcm_short_type,
aa=1, norm=norm at entry=1) at lame.c:1897
cfg = 0x681184
gfc = 0x681170
#8 0x0000000000416914 in lame_encode_buffer (gfp=gfp at entry=0x681010, pcm_l=pcm_l at entry=0x7fffffee6550, pcm_r=pcm_r at entry=0x7fffffee6e50,
nsamples=<optimized out>, mp3buf=mp3buf at entry=0x7ffffff0dba0 "\377\373\224D", mp3buf_size=mp3buf_size at entry=147456) at lame.c:1908
No locals.
#9 0x0000000000418c08 in lame_encode_flush (gfp=gfp at entry=0x681010, mp3buffer=mp3buffer at entry=0x7ffffff0dba0 "\377\373\224D",
mp3buffer_size=mp3buffer_size at entry=147456) at lame.c:2140
frame_num = 0
bunch = <optimized out>
gfc = 0x681170
cfg = 0x681184
esv = 0x687e58
buffer = {{0 <repeats 1152 times>}, {0 <repeats 1152 times>}}
imp3 = 0
mp3count = 0
mp3buffer_size_remaining = 147456
end_padding = <optimized out>
frames_left = 1
samples_to_encode = <optimized out>
pcm_samples_per_frame = <optimized out>
mf_needed = 1904
is_resampling_necessary = <optimized out>
resample_ratio = 339.99997916666666
#10 0x0000000000401dfc in lame_encoder_loop (gf=gf at entry=0x681010, outf=outf at entry=0x696e50, nogap=nogap at entry=0,
inPath=inPath at entry=0x7fffffffd520 "muppet.wav", outPath=outPath at entry=0x7fffffffc510 "muppet.mp3") at lame_main.c:487
mp3buffer = "\377\373\224D", '\000' <repeats 129612 times>...
Buffer = {{0 <repeats 1152 times>}, {0 <repeats 1152 times>}}
iread = -1
imp3 = <optimized out>
owrite = <optimized out>
id3v2_size = 0
#11 0x0000000000402949 in lame_encoder (outPath=0x7fffffffc510 "muppet.mp3", inPath=0x7fffffffd520 "muppet.wav", nogap=0, outf=0x696e50,
gf=0x681010) at lame_main.c:531
ret = <optimized out>
#12 lame_main (gf=gf at entry=0x681010, argc=argc at entry=2, argv=argv at entry=0x7fffffffe668) at lame_main.c:707
inPath = "muppet.wav", '\000' <repeats 4086 times>
outPath = "muppet.mp3", '\000' <repeats 4086 times>
nogapdir = '\000' <repeats 4096 times>
nogapout = 0
max_nogap = 0
nogap_inPath_ = {'\000' <repeats 4096 times> <repeats 200 times>}
nogap_inPath = {0x7ffffff33430 "", 0x7ffffff34431 "", 0x7ffffff35432 "", 0x7ffffff36433 "", 0x7ffffff37434 "", 0x7ffffff38435 "",
0x7ffffff39436 "", 0x7ffffff3a437 "", 0x7ffffff3b438 "", 0x7ffffff3c439 "", 0x7ffffff3d43a "", 0x7ffffff3e43b "", 0x7ffffff3f43c "",
0x7ffffff4043d "", 0x7ffffff4143e "", 0x7ffffff4243f "", 0x7ffffff43440 "", 0x7ffffff44441 "", 0x7ffffff45442 "", 0x7ffffff46443 "",
0x7ffffff47444 "", 0x7ffffff48445 "", 0x7ffffff49446 "", 0x7ffffff4a447 "", 0x7ffffff4b448 "", 0x7ffffff4c449 "", 0x7ffffff4d44a "",
0x7ffffff4e44b "", 0x7ffffff4f44c "", 0x7ffffff5044d "", 0x7ffffff5144e "", 0x7ffffff5244f "", 0x7ffffff53450 "", 0x7ffffff54451 "",
0x7ffffff55452 "", 0x7ffffff56453 "", 0x7ffffff57454 "", 0x7ffffff58455 "", 0x7ffffff59456 "", 0x7ffffff5a457 "", 0x7ffffff5b458 "",
0x7ffffff5c459 "", 0x7ffffff5d45a "", 0x7ffffff5e45b "", 0x7ffffff5f45c "", 0x7ffffff6045d "", 0x7ffffff6145e "", 0x7ffffff6245f "",
0x7ffffff63460 "", 0x7ffffff64461 "", 0x7ffffff65462 "", 0x7ffffff66463 "", 0x7ffffff67464 "", 0x7ffffff68465 "", 0x7ffffff69466 "",
0x7ffffff6a467 "", 0x7ffffff6b468 "", 0x7ffffff6c469 "", 0x7ffffff6d46a "", 0x7ffffff6e46b "", 0x7ffffff6f46c "", 0x7ffffff7046d "",
0x7ffffff7146e "", 0x7ffffff7246f "", 0x7ffffff73470 "", 0x7ffffff74471 "", 0x7ffffff75472 "", 0x7ffffff76473 "", 0x7ffffff77474 "",
0x7ffffff78475 "", 0x7ffffff79476 "", 0x7ffffff7a477 "", 0x7ffffff7b478 "", 0x7ffffff7c479 "", 0x7ffffff7d47a "", 0x7ffffff7e47b "",
0x7ffffff7f47c "", 0x7ffffff8047d "", 0x7ffffff8147e "", 0x7ffffff8247f "", 0x7ffffff83480 "", 0x7ffffff84481 "", 0x7ffffff85482 "",
0x7ffffff86483 "", 0x7ffffff87484 "", 0x7ffffff88485 "", 0x7ffffff89486 "", 0x7ffffff8a487 "", 0x7ffffff8b488 "", 0x7ffffff8c489 "",
0x7ffffff8d48a "", 0x7ffffff8e48b "", 0x7ffffff8f48c "", 0x7ffffff9048d "", 0x7ffffff9148e "", 0x7ffffff9248f "", 0x7ffffff93490 "",
0x7ffffff94491 "", 0x7ffffff95492 "", 0x7ffffff96493 "", 0x7ffffff97494 "", 0x7ffffff98495 "", 0x7ffffff99496 "", 0x7ffffff9a497 "",
0x7ffffff9b498 "", 0x7ffffff9c499 "", 0x7ffffff9d49a "", 0x7ffffff9e49b "", 0x7ffffff9f49c "", 0x7ffffffa049d "", 0x7ffffffa149e "",
0x7ffffffa249f "", 0x7ffffffa34a0 "", 0x7ffffffa44a1 "", 0x7ffffffa54a2 "", 0x7ffffffa64a3 "", 0x7ffffffa74a4 "", 0x7ffffffa84a5 "",
0x7ffffffa94a6 "", 0x7ffffffaa4a7 "", 0x7ffffffab4a8 "", 0x7ffffffac4a9 "", 0x7ffffffad4aa "", 0x7ffffffae4ab "", 0x7ffffffaf4ac "",
0x7ffffffb04ad "", 0x7ffffffb14ae "", 0x7ffffffb24af "", 0x7ffffffb34b0 "", 0x7ffffffb44b1 "", 0x7ffffffb54b2 "", 0x7ffffffb64b3 "",
0x7ffffffb74b4 "", 0x7ffffffb84b5 "", 0x7ffffffb94b6 "", 0x7ffffffba4b7 "", 0x7ffffffbb4b8 "", 0x7ffffffbc4b9 "", 0x7ffffffbd4ba "",
0x7ffffffbe4bb "", 0x7ffffffbf4bc "", 0x7ffffffc04bd "", 0x7ffffffc14be "", 0x7ffffffc24bf "", 0x7ffffffc34c0 "", 0x7ffffffc44c1 "",
0x7ffffffc54c2 "", 0x7ffffffc64c3 "", 0x7ffffffc74c4 "", 0x7ffffffc84c5 "", 0x7ffffffc94c6 "", 0x7ffffffca4c7 "", 0x7ffffffcb4c8 "",
0x7ffffffcc4c9 "", 0x7ffffffcd4ca "", 0x7ffffffce4cb "", 0x7ffffffcf4cc "", 0x7ffffffd04cd "", 0x7ffffffd14ce "", 0x7ffffffd24cf "",
0x7ffffffd34d0 "", 0x7ffffffd44d1 "", 0x7ffffffd54d2 "", 0x7ffffffd64d3 "", 0x7ffffffd74d4 "", 0x7ffffffd84d5 "", 0x7ffffffd94d6 "",
0x7ffffffda4d7 "", 0x7ffffffdb4d8 "", 0x7ffffffdc4d9 "", 0x7ffffffdd4da "", 0x7ffffffde4db "", 0x7ffffffdf4dc "", 0x7ffffffe04dd "",
0x7ffffffe14de "", 0x7ffffffe24df "", 0x7ffffffe34e0 "", 0x7ffffffe44e1 "", 0x7ffffffe54e2 "", 0x7ffffffe64e3 "", 0x7ffffffe74e4 "",
0x7ffffffe84e5 "", 0x7ffffffe94e6 "", 0x7ffffffea4e7 "", 0x7ffffffeb4e8 "", 0x7ffffffec4e9 "", 0x7ffffffed4ea "", 0x7ffffffee4eb "",
0x7ffffffef4ec "", 0x7fffffff04ed "", 0x7fffffff14ee "", 0x7fffffff24ef "", 0x7fffffff34f0 "", 0x7fffffff44f1 "", 0x7fffffff54f2 "",
0x7fffffff64f3 "", 0x7fffffff74f4 "", 0x7fffffff84f5 "", 0x7fffffff94f6 "", 0x7fffffffa4f7 ""}
ret = 0
i = <optimized out>
outf = 0x696e50
#13 0x0000000000402aaf in c_main (argv=0x7fffffffe668, argc=2) at main.c:470
gf = 0x681010
ret = <optimized out>
#14 main (argc=2, argv=0x7fffffffe668) at main.c:438
No locals.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: muppet.wav
Type: audio/x-wav
Size: 56 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-multimedia-maintainers/attachments/20150216/adf7f05d/attachment.wav>