Debian Bug report logs - #778703
lame: segmentation fault at get_audio.c:865

Package: lame; Maintainer for lame is Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>; Source for lame is src:lame (PTS, buildd, popcon).

Reported by: Henri Salo <henri@nerv.fi>

Date: Wed, 18 Feb 2015 19:03:01 UTC

Severity: normal

Tags: patch, security

Found in version lame/3.99.5+repack1-6

Fixed in versions lame/3.99.5+repack1-7, lame/3.99.5+repack1-3+deb7u1

Done: Fabian Greffrath <fabian+debian@greffrath.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#778703; Package lame. (Wed, 18 Feb 2015 19:03:05 GMT)


Acknowledgement sent to Henri Salo <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Wed, 18 Feb 2015 19:03:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: submit@bugs.debian.org
Cc: Fabian Greffrath <fabian@greffrath.com>
Subject: lame: segmentation fault at get_audio.c:865
Date: Wed, 18 Feb 2015 20:59:39 +0200
Package: lame
Version: 3.99.5+repack1-6 
Severity: normal

I found another segmentation fault crash while fuzzing with AFL
<http://lcamtuf.coredump.cx/afl/>. For some reason I can't get a full backtrace
with gdb.

Program received signal SIGSEGV, Segmentation fault.
0x0000000000412cb4 in get_audio_common (gfp=<optimized out>, buffer=<optimized out>, buffer16=0x0) at get_audio.c:865
865 }
(gdb) frame 1
#1  0xe07f0000f57f0000 in ?? ()

Please contact me via email or IRC (nickname "fgeek") if I can help debugging
this case, thanks.

-- 
Henri Salo
[samplefile.wav (audio/x-wav, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#778703; Package lame. (Thu, 19 Feb 2015 06:24:05 GMT)


Acknowledgement sent to Fabian Greffrath <fabian@greffrath.com>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Thu, 19 Feb 2015 06:24:05 GMT)


Message #10 received at 778703@bugs.debian.org:

From: Fabian Greffrath <fabian@greffrath.com>
To: Henri Salo <henri@nerv.fi>, 778703@bugs.debian.org
Cc: security <security@debian.org>
Subject: Re: Bug#778703: lame: segmentation fault at get_audio.c:865
Date: Thu, 19 Feb 2015 07:21:45 +0100
Control: tags -1 + patch security

Hi again Henri,

On Wednesday, 18.02.2015 at 20:59 +0200, Henri Salo wrote:
> I found another segmentation fault crash while fuzzing with AFL
> <http://lcamtuf.coredump.cx/afl/>. For some reason I can't get full backtrace
> with gdb.

now this is really only caused by the fact that num_channels has a
negative value. It was a bit tricky to investigate since the stack was
smashed (thus no backtrace) but the analysis should be reasonable.

The sample at hand reports to have num_channels = -251, and it is really
unbelievable that there is no early sanity check yet for this value.
However, in get_audio_common() the num_channels variable is set to this
value (l. 733), which is then multiplied with the value of
samples_to_read (= 576) and passed over to read_samples_pcm() (l. 800).
This function, in turn, passes the value of samples_to_read (now
-144576) over to unpack_read_samples() (l. 1289) together with a pointer
to sample_buffer which is a static int array of size 2304. In
unpack_read_samples() finally the value of samples_to_read is passed
over to a fread() call as the number of elements of size
"bytes_per_sample" (= 1) to read from the pcm_in stream (l. 1188).

The arguments in question of fread() are of type size_t, i.e. unsigned.
The value of samples_to_read (= -144576) translates to
18446744073709407040 as size_t type, i.e. "unlimited". And indeed
fread() returns 3967 bytes into the samples_read variable.
Unfortunately, these 3967 bytes have been written into the static int
array "sample_buffer" which was of size 2304. Boom, stack corrupted!

I suggest fixing this issue at its root and extending Maks' patch to also
bail out if (num_channels < 0). Patching the sample you provided to
num_channels = 1, LAME processes this file without problems. The
attached patch does that, simply copy it over the previous patch. Also,
I have set the "security" tag for this bug, because I think being able
to override chosen parts of the stack with data of your own choice is
rather critical.

- Fabian

[0001-Add-check-for-invalid-input-sample-rate.patch (text/x-patch, attachment)]

Added tag(s) security and patch. Request was from Fabian Greffrath <fabian@greffrath.com> to 778703-submit@bugs.debian.org. (Thu, 19 Feb 2015 06:24:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>:
Bug#778703; Package lame. (Thu, 19 Feb 2015 06:36:04 GMT)


Acknowledgement sent to Fabian Greffrath <fabian@greffrath.com>:
Extra info received and forwarded to list. Copy sent to Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>. (Thu, 19 Feb 2015 06:36:05 GMT)


Message #17 received at 778703@bugs.debian.org:

From: Fabian Greffrath <fabian@greffrath.com>
To: 778703@bugs.debian.org
Cc: Henri Salo <henri@nerv.fi>, security <security@debian.org>
Subject: Re: Bug#778703: lame: segmentation fault at get_audio.c:865
Date: Thu, 19 Feb 2015 07:32:48 +0100
On Thursday, 19.02.2015 at 07:21 +0100, Fabian Greffrath wrote:
> 18446744073709407040 as size_t type, i.e. "unlimited". And indeed
> fread() returns 3967 bytes into the samples_read variable.
> Unfortunately, these 3967 bytes have been written into the static int
> array "sample_buffer" which was of size 2304. Boom, stack corrupted!

No, wait, that should fit. I think the real problem is that the value of
samples_read is used in the subsequent line to point the op* pointer way
beyond the sample_buffer[] array and override the values there in the
GA_URS_IFLOOP() loops that follow.

- Fabian
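To make the two findings above concrete (message #10: a negative num_channels turns samples_to_read into a huge size_t before fread(); message #17: the resulting samples_read then drives a pointer past sample_buffer[]), here is an added C example that is not LAME's code or the Debian patch. It reuses the sizes quoted in the thread (a 2304-element int buffer, 576 samples per chunk, bytes_per_sample = 1), assumes a simplified read routine of its own, and adds a clamp to buffer capacity that goes beyond what the patch does.

```c
#include <stdint.h>
#include <stdio.h>

#define SAMPLE_BUFFER_LEN 2304   /* size of the static int sample_buffer[] in the report */
#define SAMPLES_PER_CHUNK 576    /* samples_to_read before the channel multiply */

/* The pattern from the report: a signed count derived from the untrusted
 * num_channels header field is handed to fread() as an unsigned size_t.
 * Returns the element count fread() would receive. */
size_t unchecked_read_count(int num_channels)
{
    int samples_to_read = num_channels * SAMPLES_PER_CHUNK; /* -251 * 576 = -144576 */
    return (size_t)samples_to_read;   /* a negative value wraps to a huge count */
}

/* The root-cause fix from the thread: reject a negative channel count early. */
int channels_are_sane(int num_channels)
{
    return num_channels >= 0;
}

/* Hardened read (added here, not the Debian patch): validate the header
 * field, then clamp the byte count to the destination buffer so fread()
 * cannot write past sample_buffer[] and the returned count can never
 * point beyond it. Returns bytes read, or -1 when a field is rejected. */
long read_samples_checked(FILE *pcm_in, int num_channels, int bytes_per_sample,
                          int sample_buffer[SAMPLE_BUFFER_LEN])
{
    if (!channels_are_sane(num_channels) || bytes_per_sample <= 0)
        return -1;
    size_t want = (size_t)num_channels * SAMPLES_PER_CHUNK * (size_t)bytes_per_sample;
    size_t capacity = sizeof(int) * SAMPLE_BUFFER_LEN;
    if (want > capacity)
        want = capacity;
    return (long)fread(sample_buffer, 1, want, pcm_in);
}

/* Constructed stand-in for the fuzzed sample: a temp file holding nbytes of
 * filler, so the example runs without the attachment. */
FILE *constructed_pcm_stream(size_t nbytes)
{
    FILE *f = tmpfile();
    if (!f)
        return NULL;
    for (size_t i = 0; i < nbytes; i++)
        fputc((int)(i & 0xff), f);
    rewind(f);
    return f;
}
```

On a 64-bit build unchecked_read_count(-251) yields 18446744073709407040, the exact value quoted in the analysis; the checked routine refuses the same header outright.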

Reply sent to Fabian Greffrath <fabian+debian@greffrath.com>:
You have taken responsibility. (Tue, 24 Feb 2015 09:21:14 GMT)


Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Tue, 24 Feb 2015 09:21:14 GMT)


Message #22 received at 778703-close@bugs.debian.org:

From: Fabian Greffrath <fabian+debian@greffrath.com>
To: 778703-close@bugs.debian.org
Subject: Bug#778703: fixed in lame 3.99.5+repack1-7
Date: Tue, 24 Feb 2015 09:19:40 +0000
Source: lame
Source-Version: 3.99.5+repack1-7

We believe that the bug you reported is fixed in the latest version of
lame, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 778703@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Fabian Greffrath <fabian+debian@greffrath.com> (supplier of updated lame package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 24 Feb 2015 09:03:07 +0100
Source: lame
Binary: lame lame-doc libmp3lame0 libmp3lame-dev
Architecture: source amd64 all
Version: 3.99.5+repack1-7
Distribution: unstable
Urgency: medium
Maintainer: Debian Multimedia Maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Fabian Greffrath <fabian+debian@greffrath.com>
Description:
 lame       - MP3 encoding library (frontend)
 lame-doc   - MP3 encoding library (documentation)
 libmp3lame-dev - MP3 encoding library (development)
 libmp3lame0 - MP3 encoding library
Closes: 778529 778703
Changes:
 lame (3.99.5+repack1-7) unstable; urgency=medium
 .
   * Extend Maks Naumov's patch to also include a sanity check for
     a valid amount of input channels (Closes: #778703).
   * Fix decision if sample rate ratio is an integer value or not
     (Closes: #778529).
   * Thanks to Henri Salo for the bug reports and the fuzzed samples!

Reply sent to Fabian Greffrath <fabian+debian@greffrath.com>:
You have taken responsibility. (Sat, 28 Feb 2015 18:06:51 GMT)


Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Sat, 28 Feb 2015 18:06:51 GMT)


Message #27 received at 778703-close@bugs.debian.org:

From: Fabian Greffrath <fabian+debian@greffrath.com>
To: 778703-close@bugs.debian.org
Subject: Bug#778703: fixed in lame 3.99.5+repack1-3+deb7u1
Date: Sat, 28 Feb 2015 18:03:36 +0000
Source: lame
Source-Version: 3.99.5+repack1-3+deb7u1

We believe that the bug you reported is fixed in the latest version of
lame, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 778703@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Fabian Greffrath <fabian+debian@greffrath.com> (supplier of updated lame package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 24 Feb 2015 09:46:48 +0100
Source: lame
Binary: lame lame-doc libmp3lame0 libmp3lame-dev
Architecture: source amd64 all
Version: 3.99.5+repack1-3+deb7u1
Distribution: wheezy
Urgency: medium
Maintainer: Debian multimedia packages maintainers <pkg-multimedia-maintainers@lists.alioth.debian.org>
Changed-By: Fabian Greffrath <fabian+debian@greffrath.com>
Description: 
 lame       - MP3 encoding library (frontend)
 lame-doc   - MP3 encoding library (documentation)
 libmp3lame-dev - MP3 encoding library (development)
 libmp3lame0 - MP3 encoding library
Closes: 775959 777159 777160 777161 778529 778703
Changes: 
 lame (3.99.5+repack1-3+deb7u1) wheezy; urgency=medium
 .
   * Add check for invalid input sample rate, thanks Maks Naumov
     (Closes: #775959, #777160, #777161). Thanks Jakub Wilk and
     Brian Carpenter for the bug reports and test cases.
   * Extend Maks Naumov's patch to also include a sanity check for
     a valid amount of input channels (Closes: #778703).
   * Avoid malformed wav causing floating point exception in the
     frontend (Closes: #777159).
   * Fix decision if sample rate ratio is an integer value or not
     (Closes: #778529). Thanks to Henri Salo for the bug reports
     and the fuzzed samples!

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 21 Apr 2015 07:25:35 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jul 27 14:07:00 2025; Machine Name: berlioz