Debian Bug report logs - #774516
vorbis-tools: null pointer dereference


Package: libvorbis0a; Maintainer for libvorbis0a is Debian Multimedia Maintainers <debian-multimedia@lists.debian.org>; Source for libvorbis0a is src:libvorbis.

Reported by: Jakub Wilk <jwilk@debian.org>

Date: Sat, 3 Jan 2015 20:27:01 UTC

Severity: normal

Tags: confirmed

Found in version libvorbis/1.3.4-2

Fixed in version libvorbis/1.3.4-3

Done: Petter Reinholdtsen <pere@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, jwilk@debian.org, Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>:
Bug#774516; Package vorbis-tools. (Sat, 03 Jan 2015 20:27:05 GMT)


Message #3 received at submit@bugs.debian.org:

From: Jakub Wilk <jwilk@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: vorbis-tools: null pointer dereference
Date: Sat, 3 Jan 2015 21:24:32 +0100
Package: vorbis-tools
Version: 1.4.0-6
Usertags: afl

Both oggdec and ogg123 crash on the attached file, trying to dereference a 
null pointer:

$ oggdec crash.ogg
oggdec from vorbis-tools 1.4.0
Segmentation fault

$ ogg123 crash.ogg

Audio Device:   Advanced Linux Sound Architecture (ALSA) output

Segmentation fault


Backtrace:

#0  0xf7f925a8 in vorbis_packet_blocksize (vi=0x804d2f0, op=0xffff910c) at synthesis.c:168
#1  0xf7fb6b4d in _initial_pcmoffset (vf=0xffff92cc, vi=0x804d2f0) at vorbisfile.c:440
#2  0xf7fb8ec0 in _open_seekable2 (vf=0xffff92cc) at vorbisfile.c:625
#3  0xf7fb9117 in _ov_open2 (vf=0xffff92cc) at vorbisfile.c:941
#4  ov_open_callbacks (f=0x804d020, vf=0xffff92cc, initial=0x0, ibytes=0, callbacks=...) at vorbisfile.c:997
#5  0x0804977a in decode_file (in=0x804d020, out=0xffff9098, out@entry=0x804d188, infile=0xffffd88d "crash.ogg", outfile=0x804d008 "crash.wav") at oggdec.c:265
#6  0x08048d5f in main (argc=2, argv=0xffffd6b4) at oggdec.c:455


This bug was found using American fuzzy lop:
https://packages.debian.org/experimental/afl

-- System Information:
Debian Release: 8.0
 APT prefers unstable
 APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages vorbis-tools depends on:
ii  libao4           1.1.0-3
ii  libc6            2.19-13
ii  libcurl3-gnutls  7.38.0-3
ii  libflac8         1.3.0-3
ii  libogg0          1.3.2-1
ii  libspeex1        1.2~rc1.2-1
ii  libvorbis0a      1.3.4-2
ii  libvorbisenc2    1.3.4-2
ii  libvorbisfile3   1.3.4-2

-- 
Jakub Wilk



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>:
Bug#774516; Package vorbis-tools. (Sat, 03 Jan 2015 20:33:04 GMT)


Message #6 received at 774516@bugs.debian.org:

From: Jakub Wilk <jwilk@debian.org>
To: 774516@bugs.debian.org
Subject: Re: Bug#774516: vorbis-tools: null pointer dereference
Date: Sat, 3 Jan 2015 21:29:01 +0100
* Jakub Wilk <jwilk@debian.org>, 2015-01-03, 21:24:
>Both oggdec and ogg123 crash on the attached file,

Now really attached.

-- 
Jakub Wilk
[crash.ogg (audio/ogg, attachment)]

Bug reassigned from package 'vorbis-tools' to 'libvorbisfile3'. Request was from Martin Steghöfer <martin@steghoefer.eu> to control@bugs.debian.org. (Sun, 04 Jan 2015 16:27:04 GMT)


No longer marked as found in versions vorbis-tools/1.4.0-6. Request was from Martin Steghöfer <martin@steghoefer.eu> to control@bugs.debian.org. (Sun, 04 Jan 2015 16:27:05 GMT)


Added tag(s) confirmed. Request was from Martin Steghöfer <martin@steghoefer.eu> to control@bugs.debian.org. (Sun, 04 Jan 2015 16:27:06 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>:
Bug#774516; Package libvorbisfile3. (Sun, 04 Jan 2015 16:33:11 GMT)


Acknowledgement sent to Martin Steghöfer <martin@steghoefer.eu>:
Extra info received and forwarded to list. Copy sent to Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>. (Sun, 04 Jan 2015 16:33:11 GMT)


Message #17 received at 774516@bugs.debian.org:

From: Martin Steghöfer <martin@steghoefer.eu>
To: 774516@bugs.debian.org
Subject: Re: Bug#774516: vorbis-tools: null pointer dereference
Date: Sun, 04 Jan 2015 17:28:09 +0100
Forgot to CC the bug report itself. Here comes the message:


Martin Steghöfer wrote:
> reassign 774516 libvorbisfile3
> tags 774516 confirmed
> thanks
>
>
> Hi Jakub,
>
> Thank you for the bug report!
>
>
> Jakub Wilk wrote:
>> Both oggdec and ogg123 crash on the attached file, trying to 
>> dereference null pointer:
>>
>> [...]
>
> Confirmed, I can reproduce this.
>
>> #0 0xf7f925a8 in vorbis_packet_blocksize (vi=0x804d2f0, 
>> op=0xffff910c) at synthesis.c:168
>> #1  0xf7fb6b4d in _initial_pcmoffset (vf=0xffff92cc, vi=0x804d2f0) at 
>> vorbisfile.c:440
>> #2  0xf7fb8ec0 in _open_seekable2 (vf=0xffff92cc) at vorbisfile.c:625
>> #3  0xf7fb9117 in _ov_open2 (vf=0xffff92cc) at vorbisfile.c:941
>> #4  ov_open_callbacks (f=0x804d020, vf=0xffff92cc, initial=0x0, 
>> ibytes=0, callbacks=...) at vorbisfile.c:997
>> #5  0x0804977a in decode_file (in=0x804d020, out=0xffff9098, 
>> out@entry=0x804d188, infile=0xffffd88d "crash.ogg", outfile=0x804d008 
>> "crash.wav") at oggdec.c:265
>> #6  0x08048d5f in main (argc=2, argv=0xffffd6b4) at oggdec.c:455
>
> Judging from this stacktrace and from the fact that your file crashes 
> audacity, too, I'd say we're dealing with a problem in the decoder 
> library. Reassigning to package libvorbis.
>
> I am going to look into this and/or forward it to upstream.
>
>> This bug was found using American fuzzy lop:
>> https://packages.debian.org/experimental/afl
>
> Huh! Didn't know about this tool (although I've heard about the 
> general concept of fuzzing to discover bugs). I will have to give it a 
> spin...
>
> Cheers,
> Martin
>
>




Bug reassigned from package 'libvorbisfile3' to 'libvorbis0a'. Request was from Martin Steghöfer <martin@steghoefer.eu> to control@bugs.debian.org. (Sun, 04 Jan 2015 18:12:04 GMT)


Marked as found in versions libvorbis/1.3.4-2. Request was from Martin Steghöfer <martin@steghoefer.eu> to control@bugs.debian.org. (Sun, 04 Jan 2015 18:15:05 GMT)


Added tag(s) pending. Request was from Martin Steghöfer <martin@steghoefer.eu> to control@bugs.debian.org. (Sun, 04 Jan 2015 22:27:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>:
Bug#774516; Package libvorbis0a. (Sun, 04 Jan 2015 22:39:04 GMT)


Acknowledgement sent to Jakub Wilk <jwilk@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>. (Sun, 04 Jan 2015 22:39:04 GMT)


Message #28 received at 774516@bugs.debian.org:

From: Jakub Wilk <jwilk@debian.org>
To: 774516@bugs.debian.org
Subject: Re: Bug#774516: vorbis-tools: null pointer dereference
Date: Sun, 4 Jan 2015 23:37:17 +0100
* Martin Steghöfer <martin@steghoefer.eu>, 2015-01-04, 17:26:
>>#0 0xf7f925a8 in vorbis_packet_blocksize (vi=0x804d2f0, op=0xffff910c) at synthesis.c:168
>>#1  0xf7fb6b4d in _initial_pcmoffset (vf=0xffff92cc, vi=0x804d2f0) at vorbisfile.c:440
>>#2  0xf7fb8ec0 in _open_seekable2 (vf=0xffff92cc) at vorbisfile.c:625
>>#3  0xf7fb9117 in _ov_open2 (vf=0xffff92cc) at vorbisfile.c:941
>>#4  ov_open_callbacks (f=0x804d020, vf=0xffff92cc, initial=0x0, ibytes=0, callbacks=...) at vorbisfile.c:997
>>#5  0x0804977a in decode_file (in=0x804d020, out=0xffff9098, out@entry=0x804d188, infile=0xffffd88d "crash.ogg", outfile=0x804d008 "crash.wav") at oggdec.c:265
>>#6  0x08048d5f in main (argc=2, argv=0xffffd6b4) at oggdec.c:455
>
>Judging from this stacktrace and from the fact that your file crashes 
>audacity, too, I'd say we're dealing with a problem in the decoder 
>library. Reassigning to package libvorbis.

Yeah, I suspected the bug might be in libvorbis. But then, mpv(1) didn't 
crash on the fuzzed file, which raised my doubts. Thanks for reassigning 
to the correct package.

>I am going to look into this and/or forward it to upstream.
>
>>This bug was found using American fuzzy lop:
>>https://packages.debian.org/experimental/afl
>
>Huh! Didn't know about this tool (although I've heard about the 
>general concept of fuzzing to discover bugs). I will have to give it a 
>spin...

Cool! AFL comes with comprehensive documentation, but if you had trouble 
setting it up, please let me know. :-)

You will almost certainly need to disable checksumming in libogg:
https://bitbucket.org/jwilk/security-research/raw/default/fuzzing-patches/libogg.diff
With checksumming enabled, AFL (or any other fuzzer, really) won't get 
ahead very far...

BTW, AFL also runs into SIGFPE (probably #772978).

-- 
Jakub Wilk



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>:
Bug#774516; Package libvorbis0a. (Mon, 05 Jan 2015 17:36:17 GMT)


Acknowledgement sent to Martin Steghöfer <martin@steghoefer.eu>:
Extra info received and forwarded to list. Copy sent to Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>. (Mon, 05 Jan 2015 17:36:17 GMT)


Message #33 received at 774516@bugs.debian.org:

From: Martin Steghöfer <martin@steghoefer.eu>
To: Jakub Wilk <jwilk@debian.org>, 774516@bugs.debian.org
Subject: Re: Bug#774516: vorbis-tools: null pointer dereference
Date: Mon, 05 Jan 2015 18:34:27 +0100
Jakub Wilk wrote:
> AFL comes with comprehensive documentation, but if you had trouble 
> setting it up, please let me know. :-)

No real trouble, but some questions I'd like to ask you (seeing that you 
seem to have more experience with the tool). But that is better done 
off-list, this bug report isn't the proper place.

> BTW, AFL also runs into SIGFPE (probably #772978).

I'm also seeing those with my own executions of AFL. I'm gonna check if 
it's the same issue that has already been reported.

Cheers,
Martin



Reply sent to Petter Reinholdtsen <pere@debian.org>:
You have taken responsibility. (Tue, 22 Sep 2015 12:51:10 GMT)


Notification sent to Jakub Wilk <jwilk@debian.org>:
Bug acknowledged by developer. (Tue, 22 Sep 2015 12:51:10 GMT)


Message #38 received at 774516-close@bugs.debian.org:

From: Petter Reinholdtsen <pere@debian.org>
To: 774516-close@bugs.debian.org
Subject: Bug#774516: fixed in libvorbis 1.3.4-3
Date: Tue, 22 Sep 2015 12:49:48 +0000
Source: libvorbis
Source-Version: 1.3.4-3

We believe that the bug you reported is fixed in the latest version of
libvorbis, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 774516@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Petter Reinholdtsen <pere@debian.org> (supplier of updated libvorbis package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 22 Sep 2015 14:30:24 +0200
Source: libvorbis
Binary: libvorbis0a libvorbisenc2 libvorbisfile3 libvorbis-dev libvorbis-dbg
Architecture: source
Version: 1.3.4-3
Distribution: unstable
Urgency: low
Maintainer: Debian Xiph.org Maintainers <pkg-xiph-maint@lists.alioth.debian.org>
Changed-By: Petter Reinholdtsen <pere@debian.org>
Description:
 libvorbis-dbg - debug files for Vorbis General Audio Compression Codec
 libvorbis-dev - development files for Vorbis General Audio Compression Codec
 libvorbis0a - decoder library for Vorbis General Audio Compression Codec
 libvorbisenc2 - encoder library for Vorbis General Audio Compression Codec
 libvorbisfile3 - high-level API for Vorbis General Audio Compression Codec
Closes: 774516 782831
Changes:
 libvorbis (1.3.4-3) unstable; urgency=low
 .
   [ Martin Steghöfer ]
   * Fix crash on corrupt input file (invalid mode index). (Closes: #774516)
   * Take into account error codes returned from
     "vorbis_packet_blocksize" in "_initial_pcmoffset" (follow-up
     problem related to #774516).  Thanks to Timothy B. Terriberry
   * Fix segmentation fault on two subsequent seeks to 0. (Closes: #782831)
 .
   [ Petter Reinholdtsen ]
   * Add debian/gbp.conf to enforce the use of pristine-tar.
Checksums-Sha1:
 93e59c70a89c685d48e75f4fc6376df635789d53 2395 libvorbis_1.3.4-3.dsc
 058c505b71d17ef8af3fb13cef91b82db772397f 14640 libvorbis_1.3.4-3.debian.tar.xz
Checksums-Sha256:
 34a977cf3ff7ad95171d08d2a057ad07d7b1a048c6ff6030cb6da82009e9be99 2395 libvorbis_1.3.4-3.dsc
 5f6e1cd62f001fa9a3f5ed1e9fb601e32d8addf244e3f01d27ab85b13e74509e 14640 libvorbis_1.3.4-3.debian.tar.xz
Files:
 5faba14886b486b01d283aed47a16381 2395 libs optional libvorbis_1.3.4-3.dsc
 d6664163c34443784b26f3c11f1084be 14640 libs optional libvorbis_1.3.4-3.debian.tar.xz

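As an added illustration of the fix the changelog above describes (this is a simplified model written here, not libvorbis's own code), the C below reads the type bit and mode number the way a Vorbis audio packet header lays them out, rejects a mode index the setup header never defined, and has the caller honour the error code instead of using it as a length; struct setup, packet_blocksize, add_packet_pcm and demo_setup are names and values made up for the example.

```c
/* Added example, not libvorbis code: a simplified model of the "invalid mode
 * index" check named in the 1.3.4-3 changelog. A Vorbis audio packet starts
 * with a type bit (0 = audio) then ilog(modes-1) mode bits, packed LSB-first;
 * a corrupt file can name a mode the setup header never defined. */
#include <stdio.h>

#define OV_ENOTAUDIO  (-135)   /* error values as in libvorbis codec.h */
#define OV_EBADPACKET (-136)

/* nmodes defined by setup; per-mode blockflag 0 = short, 1 = long block */
struct setup { int nmodes; int blockflag[4]; long blocksizes[2]; };

/* Read n bits LSB-first from *pos; -1 when the packet runs out of data. */
static int read_bits(const unsigned char *p, size_t len, size_t *pos, int n) {
    int v = 0;
    for (int i = 0; i < n; i++, (*pos)++) {
        if (*pos / 8 >= len) return -1;
        v |= ((p[*pos / 8] >> (*pos % 8)) & 1) << i;
    }
    return v;
}
static int ilog(int v) { int r = 0; while (v > 0) { r++; v >>= 1; } return r; }

/* Block size of an audio packet, or a negative error code. */
long packet_blocksize(const struct setup *s, const unsigned char *p, size_t len) {
    size_t pos = 0;
    if (read_bits(p, len, &pos, 1) != 0) return OV_ENOTAUDIO; /* header/empty */
    int mode = read_bits(p, len, &pos, ilog(s->nmodes - 1));
    if (mode < 0 || mode >= s->nmodes) return OV_EBADPACKET; /* the range check */
    return s->blocksizes[s->blockflag[mode]];
}

/* Models the follow-up fix: the caller checks for an error before using the size. */
int add_packet_pcm(const struct setup *s, const unsigned char *p, size_t len, long *total) {
    long bs = packet_blocksize(s, p, len);
    if (bs < 0) return (int)bs;
    *total += bs;
    return 0;
}

/* Constructed setup: 3 modes, so ilog(2) = 2 mode bits; mode 3 is undefined. */
static const struct setup demo_setup = { 3, {0, 1, 0, 0}, {256, 2048} };

int main(void) {
    const unsigned char ok[] = {0x02}, bad[] = {0x06}; /* mode 1; undefined mode 3 */
    long total = 0;
    printf("%ld %d\n", packet_blocksize(&demo_setup, ok, 1),
           add_packet_pcm(&demo_setup, bad, 1, &total));
    return 0;
}
```

Without the range check, mode 3 would index one past the three-entry mode table, which is the shape of failure the backtrace in this report shows.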




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 31 Oct 2015 07:26:55 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Jul 2 00:17:03 2023; Machine Name: buxtehude
