Closed
Opened Jan 04, 2015 by Martin Steghöfer (@martin.steghoefer)

"Null pointer dereference" [forwarded from Debian #774516]

I'm forwarding the bug 774516 (https://bugs.debian.org/774516) from the Debian bug tracker, so I can discuss with you the fix I'd propose.


Original report from Jakub Wilk <jwilk@debian.org>:

Package: vorbis-tools
Version: 1.4.0-6
Usertags: afl

Both oggdec and ogg123 crash on the attached file, trying to dereference null pointer:

    $ oggdec crash.ogg
    oggdec from vorbis-tools 1.4.0
    Segmentation fault

    $ ogg123 crash.ogg

    Audio Device: Advanced Linux Sound Architecture (ALSA) output

    Segmentation fault

Backtrace:

    #0 0xf7f925a8 in vorbis_packet_blocksize (vi=0x804d2f0, op=0xffff910c) at synthesis.c:168
    #1 0xf7fb6b4d in _initial_pcmoffset (vf=0xffff92cc, vi=0x804d2f0) at vorbisfile.c:440
    #2 0xf7fb8ec0 in _open_seekable2 (vf=0xffff92cc) at vorbisfile.c:625
    #3 0xf7fb9117 in _ov_open2 (vf=0xffff92cc) at vorbisfile.c:941
    #4 ov_open_callbacks (f=0x804d020, vf=0xffff92cc, initial=0x0, ibytes=0, callbacks=...) at vorbisfile.c:997
    #5 0x0804977a in decode_file (in=0x804d020, out=0xffff9098, out@entry=0x804d188, infile=0xffffd88d "crash.ogg", outfile=0x804d008 "crash.wav") at oggdec.c:265
    #6 0x08048d5f in main (argc=2, argv=0xffffd6b4) at oggdec.c:455

This bug was found using American fuzzy lop: https://packages.debian.org/experimental/afl

-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages vorbis-tools depends on:
ii libao4 1.1.0-3
ii libc6 2.19-13
ii libcurl3-gnutls 7.38.0-3
ii libflac8 1.3.0-3
ii libogg0 1.3.2-1
ii libspeex1 1.2~rc1.2-1
ii libvorbis0a 1.3.4-2
ii libvorbisenc2 1.3.4-2
ii libvorbisfile3 1.3.4-2

-- Jakub Wilk

Reference: xiph/vorbis#2140