Bug#778703: lame: segmentation fault at get_audio.c:865

Fabian Greffrath fabian at greffrath.com
Thu Feb 19 06:21:45 UTC 2015


Control: tags -1 + patch security

Hi again Henri,

On Wednesday, 18.02.2015, 20:59 +0200, Henri Salo wrote:
> I found another segmentation fault crash while fuzzing with AFL
> <http://lcamtuf.coredump.cx/afl/>. For some reason I can't get full backtrace
> with gdb.

now this is really only caused by the fact that num_channels has a
negative value. It was a bit tricky to investigate since the stack was
smashed (thus no backtrace) but the analysis should be reasonable.

The sample at hand reports to have num_channels = -251, and it is really
unbelievable that there is no early sanity check yet for this value.
However, in get_audio_common() the num_channels variable is set to this
value (l. 733), which is then multiplied with the value of
samples_to_read (= 576) and passed over to read_samples_pcm() (l. 800).
This function, in turn, passes the value of samples_to_read (now
-144576) over to unpack_read_samples() (l. 1289) together with a pointer
to sample_buffer which is a static int array of size 2304. In
unpack_read_samples() finally the value of samples_to_read is passed
over to a fread() call as the number of elements of size
"bytes_per_sample" (= 1) to read from the pcm_in stream (l. 1188).

The arguments in question of fread() are of type size_t, i.e. unsigned.
The value of samples_to_read (= -144576) translates to
18446744073709407040 as size_t type, i.e. "unlimited". And indeed
fread() returns 3967 bytes into the samples_read variable.
Unfortunately, these 3967 bytes have been written into the static int
array "sample_buffer" which was of size 2304. Boom, stack corrupted!

I suggest fixing this issue at its root and extending Maks' patch to also
bail out if (num_channels < 0). Patching the sample you provided to
num_channels = 1, LAME processes this file without problems. The
attached patch does that, simply copy it over the previous patch. Also,
I have set the "security" tag for this bug, because I think being able
to overwrite chosen parts of the stack with data of your own choice is
rather critical.

- Fabian

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Add-check-for-invalid-input-sample-rate.patch
Type: text/x-patch
Size: 734 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-multimedia-maintainers/attachments/20150219/a186b4d6/attachment.bin>
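As an added illustration of the two points in the message above (a negative int handed to a size_t parameter wraps to a huge count, and a sanity check on num_channels before the multiplication stops the bad value from ever reaching fread), the following C program is example code written for this page; it is not LAME's get_audio.c and not the attached patch. The function names as_size_t, checked_read_samples and run_constructed, the 1..sizeof(int) bound on bytes_per_sample, and the 3967-byte stream built with fmemopen are all assumptions or constructed data; the 2304-element buffer size and the -251 / 576 / -144576 values are the ones quoted in the report.

```c
/* Added example, not LAME's code: models the get_audio.c read path
 * described in the bug report and the check proposed for it. */
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the static int sample buffer named in the report. */
#define SAMPLE_BUFFER_ELEMS 2304
static int sample_buffer[SAMPLE_BUFFER_ELEMS];

/* A negative int passed to a size_t parameter (such as fread's count)
 * is converted modulo 2^N; on a 64-bit build -144576 becomes
 * 18446744073709407040, the "unlimited" count the report describes. */
size_t as_size_t(int n)
{
    return (size_t) n;
}

/* Hypothetical hardened reader (assumption: not LAME's actual code).
 * Every value that feeds fread() is validated before the call is made.
 * Returns the number of samples read, or -1 if the request is rejected. */
long checked_read_samples(FILE *pcm_in, int num_channels, int samples_per_channel,
                          int bytes_per_sample, int *buf, size_t buf_elems)
{
    /* Root-cause check suggested in the report: a negative (or zero)
     * channel count can never describe a valid PCM stream. */
    if (num_channels < 1)
        return -1;
    if (samples_per_channel < 1)
        return -1;
    /* Assumption: a sample is at most sizeof(int) bytes wide. */
    if (bytes_per_sample < 1 || bytes_per_sample > (int) sizeof(int))
        return -1;
    /* Multiply only when the product cannot overflow int. */
    if (samples_per_channel > INT_MAX / num_channels)
        return -1;
    int samples_to_read = num_channels * samples_per_channel;
    /* Each sample is later unpacked into one int of buf, so the count
     * must fit the buffer; this also bounds the bytes fread may write. */
    if ((size_t) samples_to_read > buf_elems)
        return -1;
    /* Only now is the count safe to hand over as a size_t. */
    size_t n = fread(buf, (size_t) bytes_per_sample, (size_t) samples_to_read, pcm_in);
    return (long) n;
}

/* Driver: feeds a constructed 3967-byte PCM stream (the byte count the
 * report saw fread return) through the checked reader. */
long run_constructed(int num_channels, int samples_per_channel, int bytes_per_sample,
                     size_t buf_elems)
{
    static unsigned char pcm[3967];
    for (size_t i = 0; i < sizeof pcm; i++)
        pcm[i] = (unsigned char) i;   /* constructed, arbitrary content */
    FILE *pcm_in = fmemopen(pcm, sizeof pcm, "r");
    if (pcm_in == NULL)
        return -2;
    if (buf_elems > SAMPLE_BUFFER_ELEMS)
        buf_elems = SAMPLE_BUFFER_ELEMS;
    long got = checked_read_samples(pcm_in, num_channels, samples_per_channel,
                                    bytes_per_sample, sample_buffer, buf_elems);
    fclose(pcm_in);
    return got;
}

int main(void)
{
    printf("(size_t)-144576      = %zu\n", as_size_t(-144576));
    printf("num_channels = -251  -> %ld\n", run_constructed(-251, 576, 1, SAMPLE_BUFFER_ELEMS));
    printf("num_channels = 1     -> %ld\n", run_constructed(1, 576, 1, SAMPLE_BUFFER_ELEMS));
    return 0;
}
```

The rejected cases never reach fread at all, so the wrapped size_t count from the report can no longer be used as a read length; a truncated input simply yields a short read (fread returns the number of complete elements it managed to fill), which the caller can compare against the requested count.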
