"Null pointer dereference" [forwarded from Debian #774516] (#2140) · Issues · Xiph.Org / Vorbis

"Null pointer dereference" [forwarded from Debian #774516]

I'm forwarding the bug 774516 (https://bugs.debian.org/774516) from the Debian bug tracker, so I can discuss with you the fix I'd propose.

Original report from Jakub Wilk jwilk@debian.org:

Package: vorbis-tools Version: 1.4.0-6 Usertags: afl

Both oggdec and ogg123 crash on the attached file, trying to dereference null pointer:

$ oggdec crash.ogg oggdec from vorbis-tools 1.4.0 Segmentation fault

$ ogg123 crash.ogg

Audio Device: Advanced Linux Sound Architecture (ALSA) output

Segmentation fault

Backtrace:

#0 0xf7f925a8 in vorbis_packet_blocksize (vi=0x804d2f0, op=0xffff910c) at synthesis.c:168 #1 0xf7fb6b4d in _initial_pcmoffset (vf=0xffff92cc, vi=0x804d2f0) at vorbisfile.c:440 #2 (closed) 0xf7fb8ec0 in _open_seekable2 (vf=0xffff92cc) at vorbisfile.c:625 #3 0xf7fb9117 in _ov_open2 (vf=0xffff92cc) at vorbisfile.c:941 #4 ov_open_callbacks (f=0x804d020, vf=0xffff92cc, initial=0x0, ibytes=0, callbacks=...) at vorbisfile.c:997 #5 0x0804977a in decode_file (in=0x804d020, out=0xffff9098, out@entry=0x804d188, infile=0xffffd88d "crash.ogg", outfile=0x804d008 "crash.wav") at oggdec.c:265 #6 (closed) 0x08048d5f in main (argc=2, argv=0xffffd6b4) at oggdec.c:455

This bug was found using American fuzzy lop: https://packages.debian.org/experimental/afl

-- System Information: Debian Release: 8.0 APT prefers unstable APT policy: (990, 'unstable'), (500, 'experimental') Architecture: i386 (x86_64) Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores) Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: sysvinit (via /sbin/init)

Versions of packages vorbis-tools depends on: ii libao4 1.1.0-3 ii libc6 2.19-13 ii libcurl3-gnutls 7.38.0-3 ii libflac8 1.3.0-3 ii libogg0 1.3.2-1 ii libspeex1 1.2~rc1.2-1 ii libvorbis0a 1.3.4-2 ii libvorbisenc2 1.3.4-2 ii libvorbisfile3 1.3.4-2

-- Jakub Wilk

I'm forwarding the bug 774516 (https://bugs.debian.org/774516) from the Debian bug tracker, so I can discuss with you the fix I'd propose.

----

Original report from Jakub Wilk <jwilk@debian.org>:

Package: vorbis-tools
Version: 1.4.0-6
Usertags: afl

Both oggdec and ogg123 crash on the attached file, trying to dereference 
null pointer:

$ oggdec crash.ogg
oggdec from vorbis-tools 1.4.0
Segmentation fault

$ ogg123 crash.ogg

Audio Device:   Advanced Linux Sound Architecture (ALSA) output

Segmentation fault

Backtrace:

#0  0xf7f925a8 in vorbis_packet_blocksize (vi=0x804d2f0, op=0xffff910c) at synthesis.c:168
#1  0xf7fb6b4d in _initial_pcmoffset (vf=0xffff92cc, vi=0x804d2f0) at vorbisfile.c:440
#2  0xf7fb8ec0 in _open_seekable2 (vf=0xffff92cc) at vorbisfile.c:625
#3  0xf7fb9117 in _ov_open2 (vf=0xffff92cc) at vorbisfile.c:941
#4  ov_open_callbacks (f=0x804d020, vf=0xffff92cc, initial=0x0, ibytes=0, callbacks=...) at vorbisfile.c:997
#5  0x0804977a in decode_file (in=0x804d020, out=0xffff9098, out@entry=0x804d188, infile=0xffffd88d "crash.ogg", outfile=0x804d008 "crash.wav") at oggdec.c:265
#6  0x08048d5f in main (argc=2, argv=0xffffd6b4) at oggdec.c:455

This bug was found using American fuzzy lop:
https://packages.debian.org/experimental/afl

-- System Information:
Debian Release: 8.0
 APT prefers unstable
 APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages vorbis-tools depends on:
ii  libao4           1.1.0-3
ii  libc6            2.19-13
ii  libcurl3-gnutls  7.38.0-3
ii  libflac8         1.3.0-3
ii  libogg0          1.3.2-1
ii  libspeex1        1.2~rc1.2-1
ii  libvorbis0a      1.3.4-2
ii  libvorbisenc2    1.3.4-2
ii  libvorbisfile3   1.3.4-2

-- 
Jakub Wilk