Opened 9 years ago

Last modified 8 years ago

#2298 new defect

Out-of-bound read parsing an mp3 file

Reported by: ggrieco
Owned by: beastd
Priority: normal
Component: libavcodec
Version: unspecified
Severity: blocker
Keywords:
Cc:
Blocked By:
Blocking:
Reproduced by developer: no
Analyzed by developer: no

Description

Summary of the bug: An out-of-bound read parsing an mp3 file is affecting mplayer (tested with snapshot 2016-04-25). Find attached the file to reproduce this issue (ASAN recompilation or valgrind is required).

How to reproduce:

$ mplayer overflow.mp3
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
MPlayer SVN-r37856-snapshot-4.8 (C) 2000-2016 MPlayer Team

Playing overflow.mp3.
libavformat version 57.34.103 (internal)
libavformat file format detected.
[mp3 @ 0x55555812c400]Skipping 12 bytes of junk at 0.
=================================================================
==19843== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60220001f910 at pc 0x5555569f861c bp 0x7fffffffb920 sp 0x7fffffffb918
READ of size 4 at 0x60220001f910 thread T0
    #0 0x5555569f861b (/home/vagrant/repos/mplayer-export-2016-04-25/mplayer+0x14a461b)
0x60220001f910 is located 0 bytes to the right of 208-byte region [0x60220001f840,0x60220001f910)
allocated by thread T0 here:
    #0 0x7ffff32cd55f (/usr/lib/x86_64-linux-gnu/libasan.so.0.0.0+0x1555f)
    #1 0x555557743099 (/home/vagrant/repos/mplayer-export-2016-04-25/mplayer+0x21ef099)
Shadow bytes around the buggy address:
  0x0c04bfffbed0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c04bfffbee0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c04bfffbef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c04bfffbf00: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c04bfffbf10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c04bfffbf20: 00 00[fa]fa fa fa fa fa fa fa fa fa 00 00 00 00
  0x0c04bfffbf30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c04bfffbf40: 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa fa
  0x0c04bfffbf50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c04bfffbf60: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c04bfffbf70: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==19843== ABORTING

Program received signal SIGABRT, Aborted.
0x00007ffff2d0bcc9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56	../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007ffff2d0bcc9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007ffff2d0f0d8 in __GI_abort () at abort.c:89
#2  0x00007ffff32d3829 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#3  0x00007ffff32ca3ec in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#4  0x00007ffff32d1012 in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#5  0x00007ffff32d0121 in __asan_report_error () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#6  0x00007ffff32ca704 in __asan_report_load4 () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#7  0x00005555569f861c in get_bits (s=0x60920001b848, s=0x60920001b848, n=<optimized out>) at libavcodec/get_bits.h:265
#8  mp_decode_layer1 (s=0x60920001b400) at libavcodec/mpegaudiodec_template.c:541
#9  mp_decode_frame (s=s@entry=0x60920001b400, samples=samples@entry=0x0, buf=buf@entry=0x60220001f840 "\377\377S", buf_size=buf_size@entry=176) at libavcodec/mpegaudiodec_template.c:1571
#10 0x00005555569f8e8c in decode_frame (avctx=0x60440000f580, data=0x60340000fa80, got_frame_ptr=0x7fffffffbde0, avpkt=0x7fffffffbcf0) at libavcodec/mpegaudiodec_template.c:1693
#11 0x0000555556dc427c in avcodec_decode_audio4 (avctx=avctx@entry=0x60440000f580, frame=0x60340000fa80, got_frame_ptr=got_frame_ptr@entry=0x7fffffffbde0, avpkt=avpkt@entry=0x7fffffffc120) at libavcodec/utils.c:2319
#12 0x0000555556dc5f58 in do_decode (avctx=avctx@entry=0x60440000f580, pkt=pkt@entry=0x7fffffffc120) at libavcodec/utils.c:2729
#13 0x0000555556dc87f8 in avcodec_send_packet (avctx=avctx@entry=0x60440000f580, avpkt=<optimized out>, avpkt@entry=0x7fffffffc120) at libavcodec/utils.c:2804
#14 0x000055555611546f in try_decode_frame (s=s@entry=0x604a0000f780, st=st@entry=0x603e0000f800, avpkt=avpkt@entry=0x7fffffffc8d0, options=<optimized out>) at libavformat/utils.c:2896
#15 0x000055555612fe31 in avformat_find_stream_info (ic=0x604a0000f780, options=options@entry=0x0) at libavformat/utils.c:3590
#16 0x0000555555d2b92e in demux_open_lavf (demuxer=0x606a00020900) at libmpdemux/demux_lavf.c:610
#17 0x0000555555b925a9 in demux_open_stream (stream=stream@entry=0x60720000b500, file_format=<optimized out>, file_format@entry=0, force=force@entry=0, audio_id=-1, video_id=video_id@entry=-1, dvdsub_id=-1, 
    filename=filename@entry=0x60040000bf30 "overflow.mp3") at libmpdemux/demuxer.c:1165
#18 0x0000555555b93eb1 in demux_open (vs=0x60720000b500, file_format=0, audio_id=-1, video_id=-1, dvdsub_id=-1, filename=0x60040000bf30 "overflow.mp3") at libmpdemux/demuxer.c:1286
#19 0x00005555559808a0 in main (argc=2, argv=0x7fffffffe5e8) at mplayer.c:3380

Attachments (1)

overflow.mp3 (277 bytes ) - added by ggrieco 9 years ago.

Change History (2)

by ggrieco, 9 years ago

Attachment: overflow.mp3 added

comment:1 by compn, 8 years ago

Does this crash in ffmpeg?