
#322 heap-buffer-overflow in mpg123 at src/libmpg123/synth_mono.h:39

Milestone: 1.28.x
Status: closed-fixed
Owner: nobody
Labels: None
Priority: 5
Updated: 2021-10-23
Created: 2021-09-30
Creator: Irfan Ariq
Private: No

Hello,

We are currently working on a fuzz testing feature, and we found a heap-buffer-overflow error in mpg123.

The stack trace is as follows:

==29456==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6140000003ce at pc 0x7fbdd30dcb57 bp 0x7ffeba507e10 sp 0x7ffeba507e00
WRITE of size 2 at 0x6140000003ce thread T0
    #0 0x7fbdd30dcb56 in INT123_synth_2to1_mono src/libmpg123/synth_mono.h:39
    #1 0x7fbdd30acef7 in INT123_do_layer2 src/libmpg123/layer2.c:371
    #2 0x7fbdd309cd19 in decode_the_frame src/libmpg123/libmpg123.c:828
    #3 0x7fbdd309d86b in mpg123_decode_frame src/libmpg123/libmpg123.c:972
    #4 0x560f4215647a in play_frame src/mpg123.c:806
    #5 0x560f42159b99 in main src/mpg123.c:1495

The full stack trace is attached.

Steps to reproduce

We configured mpg123 using CFLAGS="-g -O0 -fsanitize=address" CXXFLAGS="-g -O0 -fsanitize=address" ./configure --prefix=$(pwd)/, built it using make -j10, and ran it with:

./mpg123 --smooth --listentry -z -w l --quiet --index --4to1 -2 -q --fifo --outfile <attached file>

The input file is attached.

Environment
- OS: Ubuntu 18.04.5 LTS
- GCC version: gcc 7.5.0
- mpg123 version: mpg123 1.29.0

Thank you.
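When a fuzzing campaign like the one described in this report produces many sanitizer crashes, the first triage step is to parse the AddressSanitizer output and bucket reports by error kind and top stack frames, so that the same bug hit at different addresses or in different processes is counted once. The following is an added example written for this page (it is not part of the ticket and not mpg123 project code); it uses the ASan excerpt posted above as sample input, and the second, "variant" report is constructed by rewriting the PID and addresses to show that the signature ignores them.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# ASan report excerpt as posted in this ticket, embedded here as sample input.
SAMPLE_REPORT = """\
==29456==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6140000003ce at pc 0x7fbdd30dcb57 bp 0x7ffeba507e10 sp 0x7ffeba507e00
WRITE of size 2 at 0x6140000003ce thread T0
    #0 0x7fbdd30dcb56 in INT123_synth_2to1_mono src/libmpg123/synth_mono.h:39
    #1 0x7fbdd30acef7 in INT123_do_layer2 src/libmpg123/layer2.c:371
    #2 0x7fbdd309cd19 in decode_the_frame src/libmpg123/libmpg123.c:828
    #3 0x7fbdd309d86b in mpg123_decode_frame src/libmpg123/libmpg123.c:972
    #4 0x560f4215647a in play_frame src/mpg123.c:806
    #5 0x560f42159b99 in main src/mpg123.c:1495
"""

# Constructed variant: same crash, different PID and (ASLR-shifted) heap address.
VARIANT_REPORT = SAMPLE_REPORT.replace("29456", "31337").replace(
    "0x6140000003ce", "0x61400000a3ce")

# Header line: "==<pid>==ERROR: AddressSanitizer: <kind> [on address <addr>] ..."
# The address part is optional because some ASan error kinds do not report one.
HEADER_RE = re.compile(
    r"^==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[\w-]+)"
    r"(?: on address (?P<addr>0x[0-9a-f]+))?")
# Access line: "WRITE of size 2 at 0x... thread T0"
ACCESS_RE = re.compile(r"^(?P<access>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)")
# Symbolized frame line: "    #0 0x... in <function> <file:line[:col]>"
FRAME_RE = re.compile(r"^\s*#(?P<idx>\d+) 0x[0-9a-f]+ in (?P<func>\S+) (?P<loc>\S+)")


@dataclass
class Frame:
    index: int
    func: str
    location: str


@dataclass
class AsanReport:
    kind: str
    address: Optional[str]
    access: Optional[str] = None
    size: Optional[int] = None
    frames: List[Frame] = field(default_factory=list)

    def signature(self, depth: int = 3) -> str:
        """Bucket key: error kind plus the first `depth` function names.
        Addresses and PIDs are deliberately excluded so ASLR does not split buckets."""
        funcs = [f.func for f in self.frames[:depth]]
        return "|".join([self.kind] + funcs)

    def summary(self) -> str:
        top = self.frames[0] if self.frames else None
        where = f"{top.func} ({top.location})" if top else "<no frames>"
        access = f"{self.access} of size {self.size}" if self.access else "n/a"
        return f"{self.kind}: {access} in {where}"


def parse_asan_report(text: str) -> Optional[AsanReport]:
    """Parse one ASan report; returns None if no ASan header is present."""
    report: Optional[AsanReport] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            report = AsanReport(kind=m["kind"], address=m["addr"])
            continue
        if report is None:
            continue  # ignore anything before the ERROR header
        m = ACCESS_RE.match(line)
        if m:
            report.access = m["access"]
            report.size = int(m["size"])
            continue
        m = FRAME_RE.match(line)
        if m:
            report.frames.append(Frame(int(m["idx"]), m["func"], m["loc"]))
    return report


def dedupe(report_texts: List[str]) -> Dict[str, int]:
    """Count reports per signature so a fuzzing run's crashes collapse into distinct bugs."""
    counts: Dict[str, int] = {}
    for text in report_texts:
        rep = parse_asan_report(text)
        if rep is None:
            continue
        sig = rep.signature()
        counts[sig] = counts.get(sig, 0) + 1
    return counts


if __name__ == "__main__":
    rep = parse_asan_report(SAMPLE_REPORT)
    print(rep.summary())
    for sig, n in dedupe([SAMPLE_REPORT, VARIANT_REPORT]).items():
        print(f"{n:3d}  {sig}")
```

The three-frame signature is a common compromise: one frame merges unrelated callers that reach the same crashing helper, while the full stack splits a single bug across every call path that reaches it. The regular expressions only cover symbolized frames (`in <function> <file:line>`); binaries built without `-g`, as the ticket's CFLAGS do include, produce frames in a `(<module>+0x...)` form that this parser would simply skip.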


Discussion

  • Thomas Orgis

    Thomas Orgis - 2021-10-01

    Interesting approach … you find stuff where oss-fuzz didn't anymore. The minimal command line is

    src//mpg123 -vvv  -t --index  -2     input_mpg123_poc_1
    

    The combination of index and the 2to1 downsampling triggers the issue.

     
  • Thomas Orgis

    Thomas Orgis - 2021-10-02

    OK, I diagnosed and fixed a failure to check for decoder sanity on multiple levels. The combination of forced downsampling and indexing managed to make that fatal.

    Can you confirm the fix? There's a new https://mpg123.org/snapshot for your convenience.

     
  • Irfan Ariq

    Irfan Ariq - 2021-10-02

    I have tried reproducing the crash on the snapshot you gave me and the crash disappeared.

    Thanks for confirming and fixing the bug.

     
  • Thomas Orgis

    Thomas Orgis - 2021-10-02

    Nice. I'll wait a moment for your next find. Then, a 1.29.1 release should follow soon.

     
  • Thomas Orgis

    Thomas Orgis - 2021-10-23
    • status: open --> closed-fixed
     
