Debian Bug report logs - #716613
[Mayhem] Bug report on vorbis-tools: oggenc crashes with exit status 136

Package: libvorbisenc2; Maintainer for libvorbisenc2 is Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>; Source for libvorbisenc2 is src:libvorbis (PTS, buildd, popcon).

Reported by: Alexandre Rebert <alexandre@cmu.edu>

Date: Wed, 10 Jul 2013 20:30:37 UTC

Severity: important

Found in version libvorbis/1.3.2-1.3

Fixed in version libvorbis/1.3.4-2

Done: Petter Reinholdtsen <pere@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>:
Bug#716613; Package vorbis-tools. (Wed, 10 Jul 2013 20:30:42 GMT) (full text, mbox, link).

Acknowledgement sent to Alexandre Rebert <alexandre@cmu.edu>:
New Bug report received and forwarded. Copy sent to Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>. (Wed, 10 Jul 2013 20:30:42 GMT) (full text, mbox, link).

Message #5 received at maintonly@bugs.debian.org (full text, mbox, reply):

[Message part 1 (text/plain, inline)]

Package: vorbis-tools
Version: 1.4.0-1
Severity: normal
User: mayhem@forallsecure.com
Usertags: mayhem

oggenc crashes with exit status 136. We confirmed the crash by
re-running it in a fresh debian unstable installation.

The attachment [1] contains a testcase (under ./crash) crashing the
program. It ensures that you can easily reproduce the bug. Additionally,
under ./crash_info/, we include more information about the crash such as
a core dump, the dmesg generated by the crash, and its output.

Regards,
The Mayhem Team (Alexandre Rebert, Thanassis Avgerinos, Sang Kil Cha, David Brumley, Manuel Egele)
Cylab, Carnegie Mellon University

[1] http://www.forallsecure.com/bug-reports/f76a8f2337d3ae4dda87005872c9dd49117c9b78/full_report


-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 3.9-1-686-pae (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash

Versions of packages vorbis-tools depends on:
ii  libao4           1.1.0-2
ii  libc6            2.17-6
ii  libcurl3-gnutls  7.31.0-1
ii  libflac8         1.3.0-1
ii  libogg0          1.3.1-1
ii  libspeex1        1.2~rc1-7
ii  libvorbis0a      1.3.2-1.3
ii  libvorbisenc2    1.3.2-1.3
ii  libvorbisfile3   1.3.2-1.3

vorbis-tools recommends no packages.

vorbis-tools suggests no packages.

-- no debconf information

[oggenc-report.tar.bz2 (application/octet-stream, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>:
Bug#716613; Package vorbis-tools. (Sun, 26 Oct 2014 21:27:04 GMT) (full text, mbox, link).

Acknowledgement sent to Martin Steghöfer <martin@steghoefer.eu>:
Extra info received and forwarded to list. Copy sent to Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>. (Sun, 26 Oct 2014 21:27:04 GMT) (full text, mbox, link).

Message #10 received at 716613@bugs.debian.org (full text, mbox, reply):

reassign 716613 libvorbisenc2
thanks



This test case actually triggers 2 bugs that are both related to the 
sampling rate of the input file being 0:

The first one being in libvorbis (including the most recent version 
1.3.4-1):

==29485== Invalid read of size 4
==29485==    at 0x50F62C2: _vp_psy_init
             (psy.c:308)
==29485==    by 0x50EE7AA: _vds_shared_init
             (block.c:225)
==29485==    by 0x50EEB9D: vorbis_analysis_init
             (block.c:298)
==29485==    by 0x409294: oe_encode
             (encode.c:357)
==29485==    by 0x403E8F: main
             (oggenc.c:431)
==29485==  Address 0x5e3189c is 4 bytes before
           a block of size 1,024 alloc'd
==29485==    at 0x4C2AB80: malloc
             (in /usr/lib/valgrind/vgpreload_
             memcheck-amd64-linux.so)
==29485==    by 0x50F609A: _vp_psy_init
             (psy.c:279)
==29485==    by 0x50EE7AA: _vds_shared_init
             (block.c:225)
==29485==    by 0x50EEB9D: vorbis_analysis_init
             (block.c:298)
==29485==    by 0x409294: oe_encode
             (encode.c:357)
==29485==    by 0x403E8F: main
             (oggenc.c:431)

The second one being in vorbis-tools:

==29485== Process terminating with default
           action of signal 8 (SIGFPE)
==29485==  Integer divide by zero
           at address 0x8031102BE
==29485==    at 0x409D22: final_statistics
             (encode.c:752)
==29485==    by 0x4099AA: oe_encode
             (encode.c:697)
==29485==    by 0x403E8F: main
             (oggenc.c:431)

Neither software is prepared to handle the (useless) case of having an 
input with sampling rate 0. Instead of accessing invalid memory or 
producing a SIGFPE, they should both separately bail out thanks to a 
sanity check.

Reassigning this bug to libvorbis because that's the library where the 
change has more impact (and even fixing it only in libvorbis would avoid 
the crash), but both packages should be fixed up. Will provide patches soon.

Cheers,
Martin

Bug reassigned from package 'vorbis-tools' to 'libvorbisenc2'. Request was from Martin Steghöfer <martin@steghoefer.eu> to control@bugs.debian.org. (Sun, 26 Oct 2014 21:27:08 GMT) (full text, mbox, link).

No longer marked as found in versions vorbis-tools/1.4.0-1. Request was from Martin Steghöfer <martin@steghoefer.eu> to control@bugs.debian.org. (Sun, 26 Oct 2014 21:27:09 GMT) (full text, mbox, link).

Added tag(s) pending. Request was from Petter Reinholdtsen <pere@hungry.com> to control@bugs.debian.org. (Sat, 01 Nov 2014 06:15:14 GMT) (full text, mbox, link).

Reply sent to Petter Reinholdtsen <pere@debian.org>:
You have taken responsibility. (Tue, 04 Nov 2014 11:21:18 GMT) (full text, mbox, link).

Notification sent to Alexandre Rebert <alexandre@cmu.edu>:
Bug acknowledged by developer. (Tue, 04 Nov 2014 11:21:18 GMT) (full text, mbox, link).

Message #21 received at 716613-close@bugs.debian.org (full text, mbox, reply):

Source: libvorbis
Source-Version: 1.3.4-2

We believe that the bug you reported is fixed in the latest version of
libvorbis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 716613@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Petter Reinholdtsen <pere@debian.org> (supplier of updated libvorbis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 03 Nov 2014 09:08:25 +0100
Source: libvorbis
Binary: libvorbis0a libvorbisenc2 libvorbisfile3 libvorbis-dev libvorbis-dbg
Architecture: source amd64
Version: 1.3.4-2
Distribution: unstable
Urgency: low
Maintainer: Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>
Changed-By: Petter Reinholdtsen <pere@debian.org>
Description:
 libvorbis-dbg - debug files for Vorbis General Audio Compression Codec
 libvorbis-dev - development files for Vorbis General Audio Compression Codec
 libvorbis0a - decoder library for Vorbis General Audio Compression Codec
 libvorbisenc2 - encoder library for Vorbis General Audio Compression Codec
 libvorbisfile3 - high-level API for Vorbis General Audio Compression Codec
Closes: 716613
Changes:
 libvorbis (1.3.4-2) unstable; urgency=low
 .
   [ Martin Steghöfer ]
   * Add sampling rate sanity check to avoid invalid memory access.
     (Closes: #716613)
Checksums-Sha1:
 8d3346c8ad3327ba422bb94855553b9dc099ff64 1627 libvorbis_1.3.4-2.dsc
 351682d519acc51a8ed3ba04f42f3af862350492 11792 libvorbis_1.3.4-2.debian.tar.xz
 a9835981dd847f4680e6dcd02b59cff6012ead82 92934 libvorbis0a_1.3.4-2_amd64.deb
 f02dc3c55bbc7c4d4d66b76f5a0b0fdee5325205 77914 libvorbisenc2_1.3.4-2_amd64.deb
 4e97ade06604ac15e0fc3f4f79a942261da2c810 23652 libvorbisfile3_1.3.4-2_amd64.deb
 800291b06fedfc9c8b4b3efafdc128046c5ab50f 346618 libvorbis-dev_1.3.4-2_amd64.deb
 78691a0699c5938efe7743a635298e473ab0fa44 230398 libvorbis-dbg_1.3.4-2_amd64.deb
Checksums-Sha256:
 16d565a65348feca9155ebcee09d7ccc2151367c8cc47954a699175dc1e8eb61 1627 libvorbis_1.3.4-2.dsc
 6562be5dd6964f72cbccd219b8300b21843f17c3c633e9d243947347eae076de 11792 libvorbis_1.3.4-2.debian.tar.xz
 faa77cea87aa9e6a8f9e7754d3a534e6498d9c96fa5235db06a1f55686caedde 92934 libvorbis0a_1.3.4-2_amd64.deb
 27a2324079153546250c97556098a20c2263f15a140255afe98e86ed49997cf3 77914 libvorbisenc2_1.3.4-2_amd64.deb
 4176a247ddbed0b4cfd9a2ef98d7f1f4e5225a733497ad17362c1fe235b233c3 23652 libvorbisfile3_1.3.4-2_amd64.deb
 55166d04ef45ca6a5fecccdfcc92d249ea2fe8b9b48cc0dfa71e5e191d4e17ec 346618 libvorbis-dev_1.3.4-2_amd64.deb
 aaf63246940ac8c10d5beb878abbb70c898a027eda2b9ba46c778161a845f71b 230398 libvorbis-dbg_1.3.4-2_amd64.deb
Files:
 a9d0c881e764f7108dae1c108c5d6bea 1627 libs optional libvorbis_1.3.4-2.dsc
 3932aac91b37641ae3f118acd115aaab 11792 libs optional libvorbis_1.3.4-2.debian.tar.xz
 fb9595503939dcbca9d1785c1e573d06 92934 libs optional libvorbis0a_1.3.4-2_amd64.deb
 0583586550498cf2f85e8777c05dc2d2 77914 libs optional libvorbisenc2_1.3.4-2_amd64.deb
 10c7f091096092a6bd9b45c6bde7402f 23652 libs optional libvorbisfile3_1.3.4-2_amd64.deb
 78b937f98901e93920a962f869aa8e6d 346618 libdevel optional libvorbis-dev_1.3.4-2_amd64.deb
 c849eaf83485ad65ed8fb628f9aa0344 230398 debug extra libvorbis-dbg_1.3.4-2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFUWLSx20zMSyow1ykRAkAnAKDdzHwI/kaxY/nJmITU133VwUYMPACg1fHg
2iiWLXEBpb903DtqdUXdM3E=
=Vb2c
-----END PGP SIGNATURE-----

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>:
Bug#716613; Package libvorbisenc2. (Tue, 04 Nov 2014 11:27:10 GMT) (full text, mbox, link).

Acknowledgement sent to Petter Reinholdtsen <pere@hungry.com>:
Extra info received and forwarded to list. Copy sent to Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>. (Tue, 04 Nov 2014 11:27:10 GMT) (full text, mbox, link).

Message #26 received at 716613@bugs.debian.org (full text, mbox, reply):

Control: found -1 1.3.2-1.3
Control: severity -1 important

Just documenting which version of the library had the problem when it
was discovered to make the issue easier to track, and raising the
severity.  The issue is of important severity if there is no security
problem with the handling of invalid input, and higher if there is a
security problem.  I am not sure if the issue is a security problem or
not.

-- 
Happy hacking
Petter Reinholdtsen

Marked as found in versions libvorbis/1.3.2-1.3. Request was from Petter Reinholdtsen <pere@hungry.com> to 716613-submit@bugs.debian.org. (Tue, 04 Nov 2014 11:27:10 GMT) (full text, mbox, link).

Severity set to 'important' from 'normal' Request was from Petter Reinholdtsen <pere@hungry.com> to 716613-submit@bugs.debian.org. (Tue, 04 Nov 2014 11:27:11 GMT) (full text, mbox, link).

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 13 Dec 2014 07:26:58 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jul 2 00:13:40 2023; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Debian Bug report logs - #716613 [Mayhem] Bug report on vorbis-tools: oggenc crashes with exit status 136

Debian Bug report logs - #716613
[Mayhem] Bug report on vorbis-tools: oggenc crashes with exit status 136