Debian Bug report logs - #716188
[Mayhem] Bug report on oggvideotools: oggJoin crashes with exit status 139

Package: oggvideotools; Maintainer for oggvideotools is Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>; Source for oggvideotools is src:oggvideotools.

Reported by: Alexandre Rebert <alexandre@cmu.edu>

Date: Wed, 10 Jul 2013 19:55:47 UTC

Severity: normal

Found in version oggvideotools/0.8a-1

Fixed in version oggvideotools/0.8a-2

Done: Petter Reinholdtsen <pere@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>:
Bug#716188; Package oggvideotools. (Wed, 10 Jul 2013 19:55:51 GMT)


Acknowledgement sent to Alexandre Rebert <alexandre@cmu.edu>:
New Bug report received and forwarded. Copy sent to Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>. (Wed, 10 Jul 2013 19:55:51 GMT)


Message #5 received at maintonly@bugs.debian.org:

From: Alexandre Rebert <alexandre@cmu.edu>
To: Debian Bug Tracking System: <maintonly@bugs.debian.org>
Subject: [Mayhem] Bug report on oggvideotools: oggJoin crashes with exit status 139
Date: Wed, 10 Jul 2013 15:36:43 -0400
Package: oggvideotools
Version: 0.8a-1+b1
Severity: normal
User: mayhem@forallsecure.com
Usertags: mayhem

oggJoin crashes with exit status 139. We confirmed the crash by
re-running it in a fresh debian unstable installation.

The attachment [1] contains a testcase (under ./crash) crashing the
program. It ensures that you can easily reproduce the bug. Additionally,
under ./crash_info/, we include more information about the crash such as
a core dump, the dmesg generated by the crash, and its output.

Regards,
The Mayhem Team (Alexandre Rebert, Thanassis Avgerinos, Sang Kil Cha, David Brumley, Manuel Egele)
Cylab, Carnegie Mellon University

[1] http://www.forallsecure.com/bug-reports/362669ce2a2bec2788093bcd6ef518b5ed5b81f3/full_report


-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 3.9-1-686-pae (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages oggvideotools depends on:
ii  libc6          2.17-6
ii  libgcc1        1:4.8.1-4
ii  libgd3         2.1.0~rc2-2
ii  libogg0        1.3.1-1
ii  libstdc++6     4.8.1-4
ii  libtheora0     1.1.1+dfsg.1-3.1
ii  libvorbis0a    1.3.2-1.3
ii  libvorbisenc2  1.3.2-1.3

oggvideotools recommends no packages.

oggvideotools suggests no packages.

-- no debconf information
[oggJoin-report.tar.bz2 (application/octet-stream, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>:
Bug#716188; Package oggvideotools. (Wed, 22 Oct 2014 07:42:08 GMT)


Acknowledgement sent to Petter Reinholdtsen <pere@hungry.com>:
Extra info received and forwarded to list. Copy sent to Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>. (Wed, 22 Oct 2014 07:42:08 GMT)


Message #10 received at 716188@bugs.debian.org:

From: Petter Reinholdtsen <pere@hungry.com>
To: 716188@bugs.debian.org, Alexandre Rebert <alexandre@cmu.edu>
Subject: Re: [Mayhem] Bug report on oggvideotools: oggJoin crashes with exit status 139
Date: Wed, 22 Oct 2014 09:27:58 +0200
I am able to reproduce this problem.  Note that the stdin input was
not needed to crash the program.  Valgrind reports this when the
program crashes (would be nice if future mayhem reports also used
valgrind to get crash info):

==17025== Memcheck, a memory error detector
==17025== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==17025== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==17025== Command: ../../objs/src/oggJoin -2�@ RA �A
==17025== 
OggDecoder::operator>>: no page available, insert a packet first
==17025== Invalid read of size 1
==17025==    at 0x4C2B0B9: bcmp (mc_replace_strmem.c:889)
==17025==    by 0x416A9C: OggBOSExtractorFactory::getStreamType(OggPage&) (in /home/pere/src/debian/xiph/oggvideotools/objs/src/oggJoin)
==17025==    by 0x4166FE: OggBOSExtractorFactory::extractInformation(OggPage&, ExtractorInformation&) (in /home/pere/src/debian/xiph/oggvideotools/objs/src/oggJoin)
==17025==    by 0x410FCF: oggJoinCmd(int, char**) (in /home/pere/src/debian/xiph/oggvideotools/objs/src/oggJoin)
==17025==    by 0x411725: main (in /home/pere/src/debian/xiph/oggvideotools/objs/src/oggJoin)
==17025==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==17025== 
==17025== 
==17025== Process terminating with default action of signal 11 (SIGSEGV)
==17025==  Access not within mapped region at address 0x0
==17025==    at 0x4C2B0B9: bcmp (mc_replace_strmem.c:889)
==17025==    by 0x416A9C: OggBOSExtractorFactory::getStreamType(OggPage&) (in /home/pere/src/debian/xiph/oggvideotools/objs/src/oggJoin)
==17025==    by 0x4166FE: OggBOSExtractorFactory::extractInformation(OggPage&, ExtractorInformation&) (in /home/pere/src/debian/xiph/oggvideotools/objs/src/oggJoin)
==17025==    by 0x410FCF: oggJoinCmd(int, char**) (in /home/pere/src/debian/xiph/oggvideotools/objs/src/oggJoin)
==17025==    by 0x411725: main (in /home/pere/src/debian/xiph/oggvideotools/objs/src/oggJoin)
==17025==  If you believe this happened as a result of a stack
==17025==  overflow in your program's main thread (unlikely but
==17025==  possible), you can try to increase the size of the
==17025==  main thread stack using the --main-stacksize= flag.
==17025==  The main thread stack size used in this run was 8388608.
==17025== 
==17025== HEAP SUMMARY:
==17025==     in use at exit: 76,651 bytes in 16 blocks
==17025==   total heap usage: 19 allocs, 3 frees, 76,718 bytes allocated
==17025== 
==17025== LEAK SUMMARY:
==17025==    definitely lost: 0 bytes in 0 blocks
==17025==    indirectly lost: 0 bytes in 0 blocks
==17025==      possibly lost: 167 bytes in 5 blocks
==17025==    still reachable: 76,484 bytes in 11 blocks
==17025==         suppressed: 0 bytes in 0 blocks
==17025== Rerun with --leak-check=full to see details of leaked memory
==17025== 
==17025== For counts of detected and suppressed errors, rerun with: -v
==17025== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 4 from 4)
./crash.sh: line 21: 17025 Segmentation fault      env -i MALLOC_CHECK_=0 $GDB valgrind ../../objs/src/oggJoin "`cat $DIR/argv_1.symb`" "`cat $DIR/argv_2.symb`" "`cat $DIR/argv_3.symb`"

The following patch fixes the crash:

diff --git a/src/oggBOSExtractorFactory.cpp b/src/oggBOSExtractorFactory.cpp
index 35e07ab..9849acf 100644
--- a/src/oggBOSExtractorFactory.cpp
+++ b/src/oggBOSExtractorFactory.cpp
@@ -116,6 +116,9 @@ OggType OggBOSExtractorFactory::getStreamType(OggPage& page)
 {
   uint8* type = page.obj()->data+page.obj()->headerLength;
 
+  if (NULL == OggTypeMap || NULL == type)
+    return (ogg_unknown);
+
   uint8 i=1;
   for (; i< ogg_maxOggType; ++i) {
     if (memcmp(type, OggTypeMap[i], MAXIDCHARS) == 0)
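
Review bot: in the OggPage overload, `type` is computed as `page.obj()->data+page.obj()->headerLength` before the new test, so `NULL == type` only catches a NULL `data` when `headerLength` is 0. That matches the Valgrind trace (read at address 0x0) but is not guaranteed for other inputs; test `page.obj()->data` itself before doing the pointer arithmetic. If `OggTypeMap` is declared as an array rather than a pointer, the `NULL == OggTypeMap` half of the condition can never be true and can be dropped.
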
@@ -131,6 +134,9 @@ OggType OggBOSExtractorFactory::getStreamType(OggPacket& packet)
 {
   uint8* type = packet.data();
 
+  if (NULL == OggTypeMap || NULL == type)
+    return (ogg_unknown);
+
   uint8 i=1;
   for (; i< ogg_maxOggType; ++i) {
     if (memcmp(type, OggTypeMap[i], MAXIDCHARS) == 0)
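
Review bot: in the OggPacket overload the new guard rejects a NULL `packet.data()`, but the `memcmp(type, OggTypeMap[i], MAXIDCHARS)` below it still reads MAXIDCHARS bytes from a packet whose length is never checked, so a non-NULL packet shorter than MAXIDCHARS is over-read. Compare the packet length against MAXIDCHARS in the same `if` and return `ogg_unknown` when it is too short. Since this guard and loop duplicate the OggPage overload line for line, moving them into one shared helper that takes a pointer and a length would keep the two checks from drifting apart.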

Only the first block was needed, but the two functions next to each
other were so similar I thought it best to fix it in both places.

-- 
Happy hacking
Petter Reinholdtsen



Reply sent to Petter Reinholdtsen <pere@debian.org>:
You have taken responsibility. (Wed, 22 Oct 2014 09:27:41 GMT)


Notification sent to Alexandre Rebert <alexandre@cmu.edu>:
Bug acknowledged by developer. (Wed, 22 Oct 2014 09:27:42 GMT)


Message #15 received at 716188-close@bugs.debian.org:

From: Petter Reinholdtsen <pere@debian.org>
To: 716188-close@bugs.debian.org
Subject: Bug#716188: fixed in oggvideotools 0.8a-2
Date: Wed, 22 Oct 2014 09:27:04 +0000
Source: oggvideotools
Source-Version: 0.8a-2

We believe that the bug you reported is fixed in the latest version of
oggvideotools, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 716188@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Petter Reinholdtsen <pere@debian.org> (supplier of updated oggvideotools package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 22 Oct 2014 09:44:10 +0200
Source: oggvideotools
Binary: oggvideotools oggvideotools-dbg
Architecture: source amd64
Version: 0.8a-2
Distribution: unstable
Urgency: low
Maintainer: Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>
Changed-By: Petter Reinholdtsen <pere@debian.org>
Description:
 oggvideotools - A toolbox for manipulating and creating Ogg video files
 oggvideotools-dbg - A toolbox for manipulating and creating Ogg video files (debug sy
Closes: 716188 732569
Changes:
 oggvideotools (0.8a-2) unstable; urgency=low
 .
   [ Martin Steghöfer ]
   * Updated meta information (VCS and Homepage) to list git
     repository.
 .
   [ Petter Reinholdtsen ]
   * Drop John Francesco Ferlito and Ron Lee, and add me and Martin
     Steghöfer as uploaders.
   * Updated standards-version from 3.9.3.1 to 3.9.6.
   * Rename oggResize to oggTranscode in package description to match
     the new reality (Closes: #732569).
   * Move to source format 3.0 (quilt) and move all upstream changes to
     new version-0.8a-1.patch.
   * Added mayhem-crash-oggjoin.patch to fix crash bug on corrupt input
     (Closes: #716188). Thanks to Alexandre Rebert and the Mayhem
     project for discovering the problem.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFUR2FP20zMSyow1ykRAmcVAKC0hjHyFsivzK0j/4VTAjdiE9TLxACfVZ/O
eY3BvqRloWSlv8A1tAQi14c=
=oAKn
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 20 Nov 2014 07:38:31 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jul 2 00:16:41 2023; Machine Name: bembo
