Debian Bug report logs - #772978
vorbis-tools: oggdec crashes with SIGFPE (was: "oggdec goes into an infinite loop while processing file")

Package: vorbis-tools; Maintainer for vorbis-tools is Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>; Source for vorbis-tools is src:vorbis-tools.

Reported by: Martin Steghöfer <martin@steghoefer.eu>

Date: Fri, 12 Dec 2014 17:33:02 UTC

Severity: normal

Tags: confirmed

Found in version vorbis-tools/1.4.0-6

Fixed in version vorbis-tools/1.4.0-7

Done: Petter Reinholdtsen <pere@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>:
Bug#772978; Package vorbis-tools. (Fri, 12 Dec 2014 17:33:06 GMT)


Acknowledgement sent to Martin Steghöfer <martin@steghoefer.eu>:
New Bug report received and forwarded. Copy sent to Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>. (Fri, 12 Dec 2014 17:33:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Martin Steghöfer <martin@steghoefer.eu>
To: submit@bugs.debian.org
Subject: vorbis-tools: oggdec crashes with SIGFPE (was: "oggdec goes into an infinite loop while processing file")
Date: Fri, 12 Dec 2014 18:31:38 +0100
Package: vorbis-tools
Version: 1.4.0-6
Severity: normal
File: /usr/bin/oggdec
Tags: confirmed


I'm forwarding this bug report from Ubuntu bug 629135 [1].


Original description:

/
| Binary package hint: vorbis-tools
|
| oggdec goes into an infinite loop while processing the
| file at http://bazaar.launchpad.net/%7Eubuntu-bugcontrol/
|     qa-regression-testing/master/annotate/head%3A/scripts/
|     libvorbis/011.ogg:
|
|   $ oggdec libvorbis/011.ogg -o /tmp/011.ogg-converted.wav
|   oggdec from vorbis-tools 1.2.0
|   Decoding "libvorbis/011.ogg" to "/tmp/011.ogg-converted
|     .wav"
|   Warning: hole in data (-137)
|   Warning: hole in data (-137)
|   Warning: hole in data (-137)
|   [....]
|
| The test file in question was generated as part of
| http://redpig.dataspill.org/2008/05/multiple-
|   vulnerabilities-in-ogg-tremor.html
|
| ProblemType: Bug
| DistroRelease: Ubuntu 10.10
| Package: vorbis-tools 1.2.0-6build1
| ProcVersionSignature: Ubuntu 2.6.35-19.26-generic 2.6.35.3
| Uname: Linux 2.6.35-19-generic x86_64
| Architecture: amd64
| Date: Thu Sep 2 15:11:57 2010
| InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" -
|   Alpha amd64 (20100827)
| ProcEnviron:
|  LANG=en_US.UTF-8
|  SHELL=/bin/bash
| SourcePackage: vorbis-tools
\


I couldn't confirm the infinite loop with vorbis-tools/1.4.0-6 and 
libvorbis/1.3.4-2, but received a SIGFPE with the following stacktrace:

Process terminating with default action of
    signal 8 (SIGFPE)
 Integer divide by zero at address 0x802FA8133
   at 0x50632A6: res2_inverse (res0.c:830)
   by 0x50654A8: mapping0_inverse (mapping0.c:756)
   by 0x5054071: vorbis_synthesis (synthesis.c:88)
   by 0x4E3AC66: _fetch_and_process_packet
                 (vorbisfile.c:707)
   by 0x4E3E073: ov_read_filter (vorbisfile.c:1971)
   by 0x4E3E6D2: ov_read (vorbisfile.c:2092)
   by 0x40212A: decode_file (oggdec.c:304)
   by 0x402692: main (oggdec.c:455)

The referenced input file is corrupted and it's therefore fine for 
oggdec to refuse decoding it. It should, however, do that by aborting 
gracefully with an error message. The SIGFPE smells like undefined 
behavior, especially considering that the original bug submitter 
reported an infinite loop - whose disappearance in the most recent 
versions might be a coincidence.

As far as I can see, the main culprit in the case of this concrete file 
is in the oggdec executable, which keeps on decoding after libvorbis 
reports a stream error. This is mainly due to oggdec not distinguishing 
between harmless "holes" in the stream (after which you can keep on 
decoding) and fatal stream corruptions (that should trigger abort). I am 
going to provide a patch for this.

Nevertheless, the libvorbis code gives me the impression that the 
division by zero may happen (in other cases) even if oggdec handled the 
reported errors correctly. However, so far I haven't been able to 
produce an ogg vorbis file that triggers this problem. I will file a 
separate bug for this and look into it.

Cheers,
Martin

[1] https://bugs.launchpad.net/ubuntu/+source/vorbis-tools/+bug/629135
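
The failure mode described in the message above, sketched as an added example; it is not part of the original report and is not the patch that was applied. `OV_HOLE` and `OV_EBADLINK` carry the values libvorbis defines in `<vorbis/codec.h>` (the `-137` in the quoted warnings is `OV_EBADLINK`, not a hole); `fake_stream`, `fake_ov_read`, `decode`, `run_sample` and `SAMPLE` are hypothetical stand-ins, and treating only `OV_HOLE` as recoverable is an assumption of this sketch.

```c
#include <stdio.h>

/* Return codes with the values libvorbis defines in <vorbis/codec.h>. */
#define OV_HOLE     (-3)    /* gap in the data; decoding may continue */
#define OV_EBADLINK (-137)  /* invalid stream section or corrupt link */

/* Constructed stand-in for ov_read(): replays a fixed list of results
 * (positive = bytes decoded, 0 = end of stream, negative = error). */
struct fake_stream { const long *results; int count; int pos; };

static long fake_ov_read(struct fake_stream *s) {
    return s->pos < s->count ? s->results[s->pos++] : 0;
}

/* strict == 0: every negative result is reported as a "hole" and decoding
 * continues (the behaviour the report describes). strict != 0: only OV_HOLE
 * is skipped. Returns bytes decoded, or the fatal error code. */
static long decode(struct fake_stream *s, int strict, int *calls) {
    long total = 0, ret;
    *calls = 0;
    while ((ret = fake_ov_read(s)) != 0) {
        (*calls)++;
        if (ret > 0) { total += ret; continue; }
        if (ret == OV_HOLE || !strict) {
            fprintf(stderr, "Warning: hole in data (%ld)\n", ret);
            continue;               /* keep feeding the decoder */
        }
        fprintf(stderr, "Error: corrupt stream (%ld), aborting\n", ret);
        return ret;                 /* stop before touching more data */
    }
    return total;
}

/* Constructed sample: data, one real hole, data, then repeated corruption. */
static const long SAMPLE[] = { 4096, OV_HOLE, 4096,
                               OV_EBADLINK, OV_EBADLINK, OV_EBADLINK, 4096 };

static long run_sample(int strict, int *calls) {
    struct fake_stream s = { SAMPLE, (int)(sizeof SAMPLE / sizeof SAMPLE[0]), 0 };
    return decode(&s, strict, calls);
}

int main(void) {
    int calls;
    long r = run_sample(0, &calls);
    printf("lenient: result=%ld reads=%d\n", r, calls);
    r = run_sample(1, &calls);
    printf("strict:  result=%ld reads=%d\n", r, calls);
    return 0;
}
```

In the lenient run the loop keeps calling the reader after the first `-137` and reports success; in the strict run it returns the error on the fourth read.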




Added tag(s) pending. Request was from Martin Steghöfer <martin@steghoefer.eu> to control@bugs.debian.org. (Sun, 25 Jan 2015 22:03:05 GMT)


Reply sent to Petter Reinholdtsen <pere@debian.org>:
You have taken responsibility. (Wed, 23 Sep 2015 16:12:25 GMT)


Notification sent to Martin Steghöfer <martin@steghoefer.eu>:
Bug acknowledged by developer. (Wed, 23 Sep 2015 16:12:26 GMT)


Message #12 received at 772978-close@bugs.debian.org:

From: Petter Reinholdtsen <pere@debian.org>
To: 772978-close@bugs.debian.org
Subject: Bug#772978: fixed in vorbis-tools 1.4.0-7
Date: Wed, 23 Sep 2015 16:11:29 +0000
Source: vorbis-tools
Source-Version: 1.4.0-7

We believe that the bug you reported is fixed in the latest version of
vorbis-tools, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 772978@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Petter Reinholdtsen <pere@debian.org> (supplier of updated vorbis-tools package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 23 Sep 2015 12:15:44 +0000
Source: vorbis-tools
Binary: vorbis-tools vorbis-tools-dbg
Architecture: source
Version: 1.4.0-7
Distribution: unstable
Urgency: low
Maintainer: Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>
Changed-By: Petter Reinholdtsen <pere@debian.org>
Description:
 vorbis-tools - several Ogg Vorbis tools
 vorbis-tools-dbg - several Ogg Vorbis tools (debug files)
Closes: 239073 312185 728062 771448 772391 772766 772976 772978 776086 797461
Changes:
 vorbis-tools (1.4.0-7) unstable; urgency=low
 .
   [ Martin Steghöfer ]
   * Format patches for gbp-pq, correct tagging and add missing
     information to tagging.
   * Add sampling rate sanity check to avoid crash (in case of unpatched
     libvorbis version) or to improve error message (with patched libvorbis).
   * Fix vorbistagedit: Reading of file list from stdin was broken.
     (Closes: #771448)
   * Documentation of vorbistagedit: Improve wording of error message.
   * Fix bashism in /usr/bin/vorbistagedit (negative status code).
     (Closes: #772391)
   * Truncate long status lines on small terminals (Closes: #239073)
   * Fix ogg123 speex stereo playback: Initialize stereo information
     data structure (Closes: #312185)
   * Fix ogg123 speex playback: Initialize channel matrix (Closes: #772766)
   * Add low-priority mailcap entry for "ogginfo" on action "cat".
     (Closes: #728062)
   * Fix oggdec crash/hang: Don't ignore stream errors (Closes: #772978)
   * Use translations in oggdec (Closes: #772976)
 .
   [ Petter Reinholdtsen ]
   * Add debian/gbp.conf to enforce the use of pristine-tar.
   * oggenc: Fix large alloca on bad AIFF input to oggenc
     (CVE-2015-6749). (Closes: #797461)
   * oggenc: Validate count of channels in the header
     (CVE-2014-9638, CVE-2014-9639). (Closes: #776086)

-----BEGIN PGP SIGNATURE-----
Comment: Debian powered!
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 01 Nov 2015 07:32:13 GMT)

