Bug#774516: vorbis-tools: null pointer dereference

Jakub Wilk jwilk at debian.org
Sat Jan 3 20:24:32 UTC 2015


Package: vorbis-tools
Version: 1.4.0-6
Usertags: afl

Both oggdec and ogg123 crash on the attached file, trying to dereference 
null pointer:

$ oggdec crash.ogg
oggdec from vorbis-tools 1.4.0
Segmentation fault

$ ogg123 crash.ogg

Audio Device:   Advanced Linux Sound Architecture (ALSA) output

Segmentation fault


Backtrace:

#0  0xf7f925a8 in vorbis_packet_blocksize (vi=0x804d2f0, op=0xffff910c) at synthesis.c:168
#1  0xf7fb6b4d in _initial_pcmoffset (vf=0xffff92cc, vi=0x804d2f0) at vorbisfile.c:440
#2  0xf7fb8ec0 in _open_seekable2 (vf=0xffff92cc) at vorbisfile.c:625
#3  0xf7fb9117 in _ov_open2 (vf=0xffff92cc) at vorbisfile.c:941
#4  ov_open_callbacks (f=0x804d020, vf=0xffff92cc, initial=0x0, ibytes=0, callbacks=...) at vorbisfile.c:997
#5  0x0804977a in decode_file (in=0x804d020, out=0xffff9098, out at entry=0x804d188, infile=0xffffd88d "crash.ogg", outfile=0x804d008 "crash.wav") at oggdec.c:265
#6  0x08048d5f in main (argc=2, argv=0xffffd6b4) at oggdec.c:455


This bug was found using American fuzzy lop:
https://packages.debian.org/experimental/afl

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages vorbis-tools depends on:
ii  libao4           1.1.0-3
ii  libc6            2.19-13
ii  libcurl3-gnutls  7.38.0-3
ii  libflac8         1.3.0-3
ii  libogg0          1.3.2-1
ii  libspeex1        1.2~rc1.2-1
ii  libvorbis0a      1.3.4-2
ii  libvorbisenc2    1.3.4-2
ii  libvorbisfile3   1.3.4-2

-- 
Jakub Wilk



More information about the pkg-xiph-maint mailing list