Bug#881131: bs1770gain: divide by zero while running bs1770gain
Joonun Jang
joonun.jang at gmail.com
Wed Nov 8 05:29:56 UTC 2017
Package: bs1770gain
Version: 0.4.12-2
Severity: normal
Tags: security
divide by zero while running bs1770gain with "poc -o output" option
Running 'bs1770gain poc -o output' with the attached file raises a divide-by-zero exception,
which may allow a remote attacker to cause a denial-of-service attack.
I expected the program to terminate without a segfault, but the program crashes as follows:
-------------------------------------------
june at yuweol:~/poc/bs1770gain/crash1$ bs1770gain poc output
analyzing ...
[1/1] "poc": Floating point exception
-------------------------------------------
Program received signal SIGFPE, Arithmetic exception.
0x00007ffff5858e6d in sox_flow_effects () from /usr/lib/x86_64-linux-gnu/libsox.so.2
(gdb) x/i $rip
=> 0x7ffff5858e6d <sox_flow_effects+2525>: div %rcx
(gdb) i r rcx
rcx 0x0 0
-------------------------------------------
This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.
-- System Information:
Debian Release: buster/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages bs1770gain depends on:
ii libavcodec57 7:3.3.4-2+b2
ii libavformat57 7:3.3.4-2+b2
ii libavutil55 7:3.3.4-2+b2
ii libc6 2.24-17
ii libsox2 14.4.1-5+b2
ii libswresample2 7:3.3.4-2+b2
bs1770gain recommends no packages.
bs1770gain suggests no packages.
-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: poc
Type: audio/x-flac
Size: 43 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-multimedia-maintainers/attachments/20171108/844c8679/attachment.bin>