Bug#772978: vorbis-tools: oggdec crashes with SIGFPE (was: "oggdec goes into an infinite loop while processing file")

Martin Steghöfer martin at steghoefer.eu
Fri Dec 12 17:31:38 UTC 2014


Package: vorbis-tools
Version: 1.4.0-6
Severity: normal
File: /usr/bin/oggdec
Tags: confirmed


I'm forwarding this bug report from Ubuntu bug 629135 [1].


Original description:

/
| Binary package hint: vorbis-tools
|
| oggdec goes into an infinite loop while processing the file at
| http://bazaar.launchpad.net/%7Eubuntu-bugcontrol/qa-regression-testing/master/annotate/head%3A/scripts/libvorbis/011.ogg:
|
|   $ oggdec libvorbis/011.ogg -o /tmp/011.ogg-converted.wav
|   oggdec from vorbis-tools 1.2.0
|   Decoding "libvorbis/011.ogg" to "/tmp/011.ogg-converted.wav"
|   Warning: hole in data (-137)
|   Warning: hole in data (-137)
|   Warning: hole in data (-137)
|   [....]
|
| The test file in question was generated as part of
| http://redpig.dataspill.org/2008/05/multiple-vulnerabilities-in-ogg-tremor.html
|
| ProblemType: Bug
| DistroRelease: Ubuntu 10.10
| Package: vorbis-tools 1.2.0-6build1
| ProcVersionSignature: Ubuntu 2.6.35-19.26-generic 2.6.35.3
| Uname: Linux 2.6.35-19-generic x86_64
| Architecture: amd64
| Date: Thu Sep 2 15:11:57 2010
| InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Alpha amd64 (20100827)
| ProcEnviron:
|  LANG=en_US.UTF-8
|  SHELL=/bin/bash
| SourcePackage: vorbis-tools
\


I couldn't confirm the infinite loop with vorbis-tools/1.4.0-6 and 
libvorbis/1.3.4-2, but received a SIGFPE with the following stacktrace:

Process terminating with default action of signal 8 (SIGFPE)
  Integer divide by zero at address 0x802FA8133
    at 0x50632A6: res2_inverse (res0.c:830)
    by 0x50654A8: mapping0_inverse (mapping0.c:756)
    by 0x5054071: vorbis_synthesis (synthesis.c:88)
    by 0x4E3AC66: _fetch_and_process_packet (vorbisfile.c:707)
    by 0x4E3E073: ov_read_filter (vorbisfile.c:1971)
    by 0x4E3E6D2: ov_read (vorbisfile.c:2092)
    by 0x40212A: decode_file (oggdec.c:304)
    by 0x402692: main (oggdec.c:455)

The referenced input file is corrupted and it's therefore fine for 
oggdec to refuse decoding it. It should, however, do that by aborting 
gracefully with an error message. The SIGFPE smells like undefined 
behavior, especially considering that the original bug submitter 
reported an infinite loop - whose disappearance in the most recent 
versions might be a coincidence.

As far as I can see, the main culprit in the case of this concrete file 
is in the oggdec executable, which keeps on decoding after libvorbis 
reports a stream error. This is mainly due to oggdec not distinguishing 
between harmless "holes" in the stream (after which you can keep on 
decoding) and fatal stream corruptions (that should trigger abort). I am 
going to provide a patch for this.

Nevertheless, the libvorbis code gives me the impression that the 
division by zero may happen (in other cases) even if oggdec handled the 
reported errors correctly. However, so far I haven't been able to 
produce an ogg vorbis file that triggers this problem. I will file a 
separate bug for this and look into it.

Cheers,
Martin

[1] https://bugs.launchpad.net/ubuntu/+source/vorbis-tools/+bug/629135
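The distinction the report asks for, as an added example (not oggdec's or libvorbis's own code): an ov_read()-style loop that keeps decoding across OV_HOLE but aborts on any other negative return. The OV_* constants are libvorbis's codes.h values (the -137 printed above is OV_EBADLINK); run_decode_loop and its input sequences are constructed stand-ins for real ov_read() calls so the example builds without the library.

```c
/* Added example, not code from oggdec or libvorbis: classify ov_read()
 * return values so that only genuine holes are skipped and every other
 * negative code aborts decoding. OV_* values copied from libvorbis codes.h. */
#include <stdio.h>
#include <stddef.h>

#define OV_HOLE     (-3)    /* gap in the stream: warn and keep decoding */
#define OV_EINVAL   (-131)  /* invalid argument or state: fatal          */
#define OV_EBADLINK (-137)  /* invalid/corrupt link in the stream: fatal */

typedef enum { DEC_OK, DEC_EOF, DEC_HOLE, DEC_FATAL } dec_status;

/* Map one ov_read()-style return value to a decision. */
dec_status classify_ov_read(long ret)
{
    if (ret > 0)        return DEC_OK;     /* bytes of PCM were produced   */
    if (ret == 0)       return DEC_EOF;    /* clean end of stream          */
    if (ret == OV_HOLE) return DEC_HOLE;   /* the only recoverable error   */
    return DEC_FATAL;                      /* OV_EBADLINK, OV_EINVAL, ...  */
}

/* Drive a decode loop over a constructed sequence of return values
 * (a stand-in for repeated ov_read() calls). Returns the number of bytes
 * decoded before EOF, or -1 if a fatal error forced an abort; *holes
 * receives the number of holes that were skipped. */
long run_decode_loop(const long *rets, size_t n, int *holes)
{
    long total = 0;
    *holes = 0;
    for (size_t i = 0; i < n; i++) {
        switch (classify_ov_read(rets[i])) {
        case DEC_OK:
            total += rets[i];
            break;
        case DEC_EOF:
            return total;
        case DEC_HOLE:
            (*holes)++;
            fprintf(stderr, "Warning: hole in data (%ld)\n", rets[i]);
            break;
        case DEC_FATAL:
            fprintf(stderr, "Error: corrupt stream (%ld), aborting\n", rets[i]);
            return -1;
        }
    }
    return total;
}
```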


