Bug#716613: [Mayhem] Bug report on vorbis-tools: oggenc crashes with exit status 136
Martin Steghöfer
martin at steghoefer.eu
Sun Oct 26 21:22:51 UTC 2014
reassign 716613 libvorbisenc2
thanks
This test case actually triggers 2 bugs that are both related to the
sampling rate of the input file being 0:
The first one being in libvorbis (including the most recent version
1.3.4-1):
==29485== Invalid read of size 4
==29485== at 0x50F62C2: _vp_psy_init (psy.c:308)
==29485== by 0x50EE7AA: _vds_shared_init (block.c:225)
==29485== by 0x50EEB9D: vorbis_analysis_init (block.c:298)
==29485== by 0x409294: oe_encode (encode.c:357)
==29485== by 0x403E8F: main (oggenc.c:431)
==29485== Address 0x5e3189c is 4 bytes before a block of size 1,024 alloc'd
==29485== at 0x4C2AB80: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==29485== by 0x50F609A: _vp_psy_init (psy.c:279)
==29485== by 0x50EE7AA: _vds_shared_init (block.c:225)
==29485== by 0x50EEB9D: vorbis_analysis_init (block.c:298)
==29485== by 0x409294: oe_encode (encode.c:357)
==29485== by 0x403E8F: main (oggenc.c:431)
The second one being in vorbis-tools:
==29485== Process terminating with default action of signal 8 (SIGFPE)
==29485== Integer divide by zero at address 0x8031102BE
==29485== at 0x409D22: final_statistics (encode.c:752)
==29485== by 0x4099AA: oe_encode (encode.c:697)
==29485== by 0x403E8F: main (oggenc.c:431)
Neither software is prepared to handle the (useless) case of having an
input with sampling rate 0. Instead of accessing invalid memory or
producing a SIGFPE, they should both separately bail out thanks to a
sanity check.
Reassigning this bug to libvorbis because that's the library where the
change has more impact (and even fixing it only in libvorbis would avoid
the crash), but both packages should be fixed up. Will provide patches soon.
Cheers,
Martin
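
The following is an added example, not part of the original message and not code from libvorbis or vorbis-tools: a sketch of the two separate sanity checks the message asks for, one at the library boundary and one before the tool divides by the rate. The struct, enum and function names are hypothetical, and the sample values in main() are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical input description; not a libvorbis or vorbis-tools type. */
struct audio_params {
    long rate;     /* samples per second, taken from the input header */
    int channels;
};

enum { PARAMS_OK = 0, PARAMS_BAD_RATE = -1, PARAMS_BAD_CHANNELS = -2 };

/* Library-side check: call before any setup that derives sizes or
 * indices from the rate. */
int check_audio_params(const struct audio_params *p)
{
    if (p == NULL || p->rate <= 0)
        return PARAMS_BAD_RATE;
    if (p->channels <= 0)
        return PARAMS_BAD_CHANNELS;
    return PARAMS_OK;
}

/* Tool-side check: average bitrate in bits/s, or -1 when it is undefined.
 * The division by rate is only reached after the rate has been validated. */
int64_t average_bitrate(long rate, int channels, int64_t bytes, int64_t samples)
{
    struct audio_params p = { rate, channels };
    if (check_audio_params(&p) != PARAMS_OK || bytes < 0 || samples <= 0)
        return -1;
    int64_t ms = samples * 1000 / p.rate;   /* duration in milliseconds */
    if (ms == 0)
        return -1;                          /* too short to report a rate */
    return bytes * 8 * 1000 / ms;
}

int main(void)
{
    /* Constructed sample values: 10 s at 44.1 kHz, then the rate-0 case. */
    printf("%lld\n", (long long)average_bitrate(44100, 2, 160000, 441000));
    printf("%lld\n", (long long)average_bitrate(0, 2, 160000, 441000));
    return 0;
}
```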