Bug#774516: vorbis-tools: null pointer dereference

Jakub Wilk jwilk at debian.org
Sun Jan 4 22:37:17 UTC 2015

* Martin Steghöfer <martin at steghoefer.eu>, 2015-01-04, 17:26:
>>#0 0xf7f925a8 in vorbis_packet_blocksize (vi=0x804d2f0, op=0xffff910c) at synthesis.c:168
>>#1  0xf7fb6b4d in _initial_pcmoffset (vf=0xffff92cc, vi=0x804d2f0) at vorbisfile.c:440
>>#2  0xf7fb8ec0 in _open_seekable2 (vf=0xffff92cc) at vorbisfile.c:625
>>#3  0xf7fb9117 in _ov_open2 (vf=0xffff92cc) at vorbisfile.c:941
>>#4  ov_open_callbacks (f=0x804d020, vf=0xffff92cc, initial=0x0, ibytes=0, callbacks=...) at vorbisfile.c:997
>>#5  0x0804977a in decode_file (in=0x804d020, out=0xffff9098, out at entry=0x804d188, infile=0xffffd88d "crash.ogg", outfile=0x804d008 "crash.wav") at oggdec.c:265
>>#6  0x08048d5f in main (argc=2, argv=0xffffd6b4) at oggdec.c:455
>Judging from this stacktrace and from the fact that your file crashes 
>audacity, too, I'd say we're dealing with a problem in the decoder 
>library. Reassigning to package libvorbis.

Yeah, I suspected the bug might be in libvorbis. But then, mpv(1) didn't 
crash on the fuzzed file, which raised my doubts. Thanks for reassigning 
to the correct package.

>I am going to look into this and/or forward it to upstream.
>>This bug was found using American fuzzy lop:
>Huh! Didn't know about this tool (although I've heard about the 
>general concept of fuzzing to discover bugs). I will have to give it a 

Cool! AFL comes with comprehensive documentation, but if you had trouble 
setting it up, please let me know. :-)

You will almost certainly need to disable checksumming in libogg:
With checksumming enabled, AFL (or any other fuzzer, really) won't get 
ahead very far...

BTW, AFL also runs into SIGFPE (probably #772978).

Jakub Wilk

More information about the pkg-xiph-maint mailing list