Bug#774516: vorbis-tools: null pointer dereference

Jakub Wilk jwilk at debian.org
Sun Jan 4 22:37:17 UTC 2015


* Martin Steghöfer <martin at steghoefer.eu>, 2015-01-04, 17:26:
>>#0 0xf7f925a8 in vorbis_packet_blocksize (vi=0x804d2f0, op=0xffff910c) at synthesis.c:168
>>#1  0xf7fb6b4d in _initial_pcmoffset (vf=0xffff92cc, vi=0x804d2f0) at vorbisfile.c:440
>>#2  0xf7fb8ec0 in _open_seekable2 (vf=0xffff92cc) at vorbisfile.c:625
>>#3  0xf7fb9117 in _ov_open2 (vf=0xffff92cc) at vorbisfile.c:941
>>#4  ov_open_callbacks (f=0x804d020, vf=0xffff92cc, initial=0x0, ibytes=0, callbacks=...) at vorbisfile.c:997
>>#5  0x0804977a in decode_file (in=0x804d020, out=0xffff9098, out at entry=0x804d188, infile=0xffffd88d "crash.ogg", outfile=0x804d008 "crash.wav") at oggdec.c:265
>>#6  0x08048d5f in main (argc=2, argv=0xffffd6b4) at oggdec.c:455
>
>Judging from this stacktrace and from the fact that your file crashes 
>audacity, too, I'd say we're dealing with a problem in the decoder 
>library. Reassigning to package libvorbis.

Yeah, I suspected the bug might be in libvorbis. But then, mpv(1) didn't 
crash on the fuzzed file, which raised my doubts. Thanks for reassigning 
to the correct package.

>I am going to look into this and/or forward it to upstream.
>
>>This bug was found using American fuzzy lop:
>>https://packages.debian.org/experimental/afl
>
>Huh! Didn't know about this tool (although I've heard about the 
>general concept of fuzzing to discover bugs). I will have to give it a 
>spin...

Cool! AFL comes with comprehensive documentation, but if you had trouble 
setting it up, please let me know. :-)

You will almost certainly need to disable checksumming in libogg:
https://bitbucket.org/jwilk/security-research/raw/default/fuzzing-patches/libogg.diff
With checksumming enabled, AFL (or any other fuzzer, really) won't get 
ahead very far...

BTW, AFL also runs into SIGFPE (probably #772978).

-- 
Jakub Wilk
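Added example, not code from this thread, libogg or AFL: it shows why checksummed Ogg input stalls a fuzzer and the harness-side alternative to the libogg.diff patch above, which is recomputing the page CRC after each mutation so the page is not thrown away before it reaches the decoder. It reimplements the Ogg page CRC (polynomial 0x04c11db7, unreflected, zero initial value, checksum field read as zero) and runs it over a constructed minimal page; the function names and the sample page are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Ogg page CRC: poly 0x04c11db7, non-reflected, init 0, no final XOR; the 4
   checksum bytes at offset 22 are read as zero. Table matches libogg's. */
static uint32_t crc_table[256];
static uint32_t ogg_crc_update(uint32_t crc, const unsigned char *p, size_t n) {
    if (!crc_table[1]) {                  /* build the table once */
        for (uint32_t i = 0; i < 256; i++) {
            uint32_t r = i << 24;
            for (int j = 0; j < 8; j++)
                r = (r & 0x80000000u) ? (r << 1) ^ 0x04c11db7u : r << 1;
            crc_table[i] = r;
        }
    }
    while (n--) crc = (crc << 8) ^ crc_table[((crc >> 24) & 0xff) ^ *p++];
    return crc;
}
uint32_t ogg_page_crc(const unsigned char *page, size_t len) {
    static const unsigned char zero[4];
    uint32_t crc = ogg_crc_update(ogg_crc_update(0, page, 22), zero, 4);
    return ogg_crc_update(crc, page + 26, len - 26);
}
/* 1 if the stored little-endian CRC matches; libogg silently drops a page
   that fails this check, so a mutated page never reaches the decoder. */
int ogg_page_checksum_ok(const unsigned char *page, size_t len) {
    if (len < 27 || memcmp(page, "OggS", 4) != 0) return 0;
    uint32_t stored = page[22] | page[23] << 8 | page[24] << 16 | (uint32_t)page[25] << 24;
    return ogg_page_crc(page, len) == stored;
}
void ogg_page_fix_checksum(unsigned char *page, size_t len) {
    uint32_t crc = ogg_page_crc(page, len);
    for (int i = 0; i < 4; i++) page[22 + i] = (crc >> (8 * i)) & 0xff;
}
/* Constructed 31-byte sample page: BOS header, one 3-byte segment, body "abc". */
size_t build_sample_page(unsigned char out[31]) {
    static const unsigned char tmpl[31] = { 'O','g','g','S', 0, 2, 0,0,0,0,0,0,0,0,
        1,0,0,0, 0,0,0,0, 0,0,0,0, 1, 3, 'a','b','c' };
    memcpy(out, tmpl, 31);
    ogg_page_fix_checksum(out, 31);
    return 31;
}
int main(void) {
    unsigned char page[31];
    size_t n = build_sample_page(page);
    page[28] ^= 0x01;   /* one-bit body mutation, the kind a fuzzer produces */
    printf("mutated page passes CRC check: %d\n", ogg_page_checksum_ok(page, n));
    ogg_page_fix_checksum(page, n);   /* harness-side alternative to patching libogg */
    printf("after recomputing the CRC:    %d\n", ogg_page_checksum_ok(page, n));
}
```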
