Xiph.Org / Vorbis tools / Issues / #2321 (Closed)
Created May 15, 2018 by Jaeseung Choi@jschoi

Segmentation fault in wav_open() function of oggenc

During fuzz testing, I found a program-crashing bug in the latest version of oggenc. When a malicious WAV file is provided as input, a segmentation fault occurs inside memcpy() called from wav_open().

I downloaded the http://downloads.xiph.org/releases/vorbis/vorbis-tools-1.4.0.tar.gz file and compiled it with clang 3.8.

I attach the PoC file and the GDB/ASAN logs.

Attachment: poc_segv

[GDB log]

jason@debian-amd64-stretch:~/ground/vorbis-tools-1.4.0-clang$ gdb ./oggenc/oggenc  -q
Reading symbols from ./oggenc/oggenc...done.
(gdb) run ~/poc_segv
Starting program: /home/jason/ground/vorbis-tools-1.4.0-clang/oggenc/oggenc ~/poc_segv
Warning: INVALID format chunk in wav header.
 Trying to read anyway (may not work)...
WARNING: Unknown WAV surround channel mask: -1465341784
blindly mapping speakers using default SMPTE/ITU ordering.
Warning: WAV 'block alignment' value is incorrect, ignoring.
The software that created this file is incorrect.

Program received signal SIGSEGV, Segmentation fault.
__memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:363
363     ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S: No such file or directory.
(gdb) x/i $rip
=> 0x7ffff6f09f4c <__memmove_avx_unaligned_erms+364>:   vmovdqu (%rsi),%ymm4
(gdb) info reg rsi
rsi            0x3d0730 3999536
(gdb) where
#0  __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:363
#1  0x00000000004055ff in wav_open (in=<optimized out>, opt=<optimized out>, oldbuf=<optimized out>, buflen=<optimized out>) at audio.c:576
#2  0x0000000000405f00 in open_audio_file (in=<optimized out>, opt=<optimized out>) at audio.c:86
#3  0x0000000000404355 in main (argc=<optimized out>, argv=<optimized out>) at oggenc.c:256

[ASAN log]

jason@debian-amd64-stretch:~/ground/vorbis-tools-1.4.0-ASAN$ export ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer
jason@debian-amd64-stretch:~/ground/vorbis-tools-1.4.0-ASAN$ export ASAN_OPTIONS=detect_leaks=0:allocator_may_return_null=1
jason@debian-amd64-stretch:~/ground/vorbis-tools-1.4.0-ASAN$ ./oggenc/oggenc ~/poc_segv
Warning: INVALID format chunk in wav header.
 Trying to read anyway (may not work)...
WARNING: Unknown WAV surround channel mask: -1465341784
blindly mapping speakers using default SMPTE/ITU ordering.
Warning: WAV 'block alignment' value is incorrect, ignoring.
The software that created this file is incorrect.
==13504==WARNING: AddressSanitizer failed to allocate 0xffffffffffff84a0 bytes
=================================================================
==13504==ERROR: AddressSanitizer: memcpy-param-overlap: memory ranges [0x000000000000,0xffffffffffff84a0) and [0x0000004e2200, 0x0000004da6a0) overlap
    #0 0x4a46c2 in __asan_memcpy (/home/jason/ground/vorbis-tools-1.4.0-ASAN/oggenc/oggenc+0x4a46c2)
    #1 0x4f506b in wav_open /home/jason/ground/vorbis-tools-1.4.0-ASAN/oggenc/audio.c:576:13
    #2 0x4f6c13 in open_audio_file /home/jason/ground/vorbis-tools-1.4.0-ASAN/oggenc/audio.c:86:16
    #3 0x4f1495 in main /home/jason/ground/vorbis-tools-1.4.0-ASAN/oggenc/oggenc.c:256:22
    #4 0x7ffff65c12e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #5 0x41c689 in _start (/home/jason/ground/vorbis-tools-1.4.0-ASAN/oggenc/oggenc+0x41c689)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: memcpy-param-overlap (/home/jason/ground/vorbis-tools-1.4.0-ASAN/oggenc/oggenc+0x4a46c2) in __asan_memcpy
==13504==ABORTING
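The ASAN summary above is worth reading closely: memcpy was asked to copy 0xffffffffffff84a0 bytes, which is the size_t representation of a small negative number (-31584). A length like that is what an unsigned subtraction produces when a header-declared size exceeds the number of bytes actually buffered. The following C program is an added illustration of that failure class and of the check that prevents it; it is not code from vorbis-tools, from oggenc's audio.c, or from the reporter, and the function names, the 4096-byte buffer and the 35680-byte header length are constructed values chosen only so that the unchecked arithmetic yields the same wrapped length that appears in the log.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical scenario: a reader has already pulled `buflen` bytes of a
 * WAV file into `buf`, and the attacker-controlled header claims the
 * headers occupy `header_len` bytes.  Everything after the header is audio
 * data that must be copied to a new buffer for the encoder. */

/* Unchecked arithmetic: when header_len > buflen the subtraction wraps to a
 * huge size_t.  Returned for illustration only; never hand this to memcpy. */
size_t leftover_len_unchecked(size_t buflen, size_t header_len)
{
    return buflen - header_len;
}

/* Checked version: rejects a header length larger than the bytes we hold,
 * so the subtraction can never wrap. */
bool leftover_len_checked(size_t buflen, size_t header_len, size_t *out)
{
    if (header_len > buflen)
        return false;
    *out = buflen - header_len;
    return true;
}

/* Copies the bytes that follow the header into a fresh allocation.
 * Returns NULL and sets *outlen to 0 when the header is inconsistent,
 * instead of calling memcpy with a wild length. */
unsigned char *copy_leftover(const unsigned char *buf, size_t buflen,
                             size_t header_len, size_t *outlen)
{
    size_t n;
    *outlen = 0;
    if (!leftover_len_checked(buflen, header_len, &n))
        return NULL;
    unsigned char *out = malloc(n ? n : 1);   /* avoid malloc(0) ambiguity */
    if (!out)
        return NULL;
    memcpy(out, buf + header_len, n);
    *outlen = n;
    return out;
}

int main(void)
{
    /* Constructed values: 4096 bytes buffered, header claims 35680 bytes. */
    size_t wrapped = leftover_len_unchecked(4096, 35680);
    printf("unchecked length: 0x%zx\n", wrapped);

    unsigned char buf[4096];
    memset(buf, 0xab, sizeof buf);
    size_t n;
    unsigned char *p = copy_leftover(buf, sizeof buf, 35680, &n);
    printf("checked copy with oversized header: %s\n", p ? "copied" : "rejected");
    free(p);

    /* A plausible 44-byte canonical WAV header leaves 4052 data bytes. */
    p = copy_leftover(buf, sizeof buf, 44, &n);
    printf("checked copy with 44-byte header: %zu bytes\n", n);
    free(p);
    return 0;
}
```

On a 64-bit build the first line printed is `0xffffffffffff84a0`, the same length ASAN reported, which shows how a single unvalidated header field turns into a read far past the buffer. The practical detection signal is in the log itself: a memcpy size with the top bits set, or an allocation failure for an absurd byte count, is almost always wrapped unsigned arithmetic on untrusted input, and the fix is the bounds check before the subtraction rather than after it.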