
#322 heap-buffer-overflow in mpg123 at src/libmpg123/synth_mono.h:39

Milestone: 1.28.x
Status: closed-fixed
Owner: nobody
Labels: None
Priority: 5
Updated: 2024-10-26
Created: 2021-09-30
Creator: Irfan Ariq
Private: No

Hello,

We are currently working on a fuzz testing feature, and we found a heap-buffer-overflow error in mpg123.

The stack trace is as follows:

==29456==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6140000003ce at pc 0x7fbdd30dcb57 bp 0x7ffeba507e10 sp 0x7ffeba507e00
WRITE of size 2 at 0x6140000003ce thread T0
    #0 0x7fbdd30dcb56 in INT123_synth_2to1_mono src/libmpg123/synth_mono.h:39
    #1 0x7fbdd30acef7 in INT123_do_layer2 src/libmpg123/layer2.c:371
    #2 0x7fbdd309cd19 in decode_the_frame src/libmpg123/libmpg123.c:828
    #3 0x7fbdd309d86b in mpg123_decode_frame src/libmpg123/libmpg123.c:972
    #4 0x560f4215647a in play_frame src/mpg123.c:806
    #5 0x560f42159b99 in main src/mpg123.c:1495

The full stack trace is attached

Steps to reproduce

We configured mpg123 using CFLAGS="-g -O0 -fsanitize=address" CXXFLAGS="-g -O0 -fsanitize=address" ./configure --prefix=$(pwd)/, built it using make -j10, and ran it with:

./mpg123 --smooth --listentry -z -w l --quiet --index --4to1 -2 -q --fifo --outfile <attached file>

The input file is attached.

Environment
- OS: Ubuntu 18.04.5 LTS
- GCC version: gcc 7.5.0
- mpg123 version: mpg123 1.29.0

Thank you.

1 Attachments

Discussion

  • Thomas Orgis

    Thomas Orgis - 2021-10-01

    Interesting approach … you find stuff where oss-fuzz didn't anymore. The minimal command line is

    src//mpg123 -vvv  -t --index  -2     input_mpg123_poc_1
    

    The combination of index and the 2to1 downsampling triggers the issue.

     
  • Thomas Orgis

    Thomas Orgis - 2021-10-02

    OK, I diagnosed and fixed a failure to check for decoder sanity on multiple levels. The combination of forced downsampling and indexing managed to make that fatal.

    Can you confirm the fix? There's a new https://mpg123.org/snapshot for your convenience.

     
  • Irfan Ariq

    Irfan Ariq - 2021-10-02

    I have tried reproducing the crash on the snapshot you gave me and the crash disappeared.

    Thanks for confirming and fixing the bug.

     
  • Thomas Orgis

    Thomas Orgis - 2021-10-02

    Nice. I'll wait a moment for your next find. Then, a 1.29.1 release should follow soon.

     
  • Thomas Orgis

    Thomas Orgis - 2021-10-23
    • status: open --> closed-fixed
     
  • kkkkk123

    kkkkk123 - 2024-10-20

    Hello, this bug is not fixed. I found such a bug in 1.32.7. I used the command
    ./mpg123 --index --skip 1 POC
    And there is a buffer-overflow bug.

    =================================================================
    ==4067409==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61800000078e at pc 0x7fe1af44cc77 bp 0x7ffe49115000 sp 0x7ffe49114ff0
    WRITE of size 2 at 0x61800000078e thread T0
        #0 0x7fe1af44cc76 in INT123_synth_1to1_mono src/libmpg123/synth_mono.h:39
        #1 0x7fe1af43edc9 in INT123_do_layer3 src/libmpg123/layer3.c:2023
        #2 0x7fe1af415a99 in get_next_frame src/libmpg123/libmpg123.c:822
        #3 0x7fe1af417171 in mpg123_decode_frame64 src/libmpg123/libmpg123.c:1076
        #4 0x7fe1af472ade in mpg123_decode_frame src/libmpg123/lfs_wrap.c:242
        #5 0x56102ce4e1c3 in play_frame src/mpg123.c:787
        #6 0x56102ce51a6c in main src/mpg123.c:1480
        #7 0x7fe1af03c082 in __libc_start_main ../csu/libc-start.c:308
        #8 0x56102ce36e2d in _start (/home/root/mpg123/mpg123-1.32.7/install/bin/mpg123+0x1fe2d)
    
    0x61800000078f is located 0 bytes to the right of 783-byte region [0x618000000480,0x61800000078f)
    allocated by thread T0 here:
        #0 0x7fe1af5b9808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
        #1 0x7fe1af3efe53 in INT123_frame_outbuffer src/libmpg123/frame.c:210
    
    SUMMARY: AddressSanitizer: heap-buffer-overflow src/libmpg123/synth_mono.h:39 in INT123_synth_1to1_mono
    Shadow bytes around the buggy address:
      0x0c307fff80a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c307fff80b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c307fff80c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c307fff80d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c307fff80e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x0c307fff80f0: 00[07]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c307fff8100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c307fff8110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c307fff8120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c307fff8130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c307fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==4067409==ABORTING
    
     
  • Thomas Orgis

    Thomas Orgis - 2024-10-20

    Please try revision 5432 / https://mpg123.org/snapshot just being generated.

    Maybe a better fix has to be devised, but this one seems to catch this particular confusion of parsed header state and actual frame to decode.

     
  • Thomas Orgis

    Thomas Orgis - 2024-10-20
    • status: closed-fixed --> open
     
  • kkkkk123

    kkkkk123 - 2024-10-21

    Ok. I tried the command in the latest version. And this error could not be reproduced. Thank you for the reply.

     

    Last edit: kkkkk123 2024-10-21
  • Thomas Orgis

    Thomas Orgis - 2024-10-24

    I did a more thorough fix now for this and similar bugs. Main point: separate header parsing and decoder structure update. Sounds simple, but wasn't as relevant when the code initially was written, before mpg123 even supported decoding streams with varying properties (concatenated files in the best case, exploits in the worst).

    Can you check the current revision 5433 / https://mpg123.org/snapshot ? I'll plan to make this a release 1.32.8 soon.

     
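The mismatch described in the comment above (a per-stream PCM output buffer sized from one parsed header, then a synth routine for a frame with different properties writing into it) as an added illustration in C. This is hypothetical model code written for this page, not libmpg123's code: the struct names and the functions frame_out_bytes, decoder_alloc, synth_unchecked_overrun and synth_checked are all assumptions, and the two sample headers (stereo with forced 4to1 downsampling, followed by a mono frame synthesized 1to1) are constructed to mirror the ticket's scenario rather than taken from the attached POC. The vulnerable variant only computes how far past the allocation the write would reach instead of performing it, so the program stays well-defined; the checked variant re-derives the requirement from the frame actually being decoded and resizes before writing, which is one way of keeping header state and decoder state in step (mpg123's actual fix in revision 5433 is not reproduced here).

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Hypothetical model of the bug class in this ticket, written for this page;
   it is not libmpg123 code. One per-stream PCM output buffer is sized from a
   parsed header, and a later frame with different properties (other channel
   count, no downsampling) is synthesized into it. */

#define SAMPLE_BYTES 2   /* 16-bit PCM: one sample is the 2-byte WRITE ASan reports */

struct hdr {
    int channels;   /* 1 (mono) or 2 (stereo) */
    int spf;        /* PCM samples per channel per frame, e.g. 1152 for layer II/III */
    int down;       /* forced downsampling ratio: 1 (1to1), 2 (2to1) or 4 (4to1) */
};

struct decoder {
    int16_t   *outbuf;      /* PCM output buffer */
    size_t     outbuf_size; /* bytes allocated for outbuf */
    struct hdr cfg;         /* header state outbuf was sized for */
};

/* Bytes one frame of PCM occupies after downsampling. */
size_t frame_out_bytes(const struct hdr *h)
{
    return (size_t)(h->spf / h->down) * (size_t)h->channels * SAMPLE_BYTES;
}

/* (Re)size the output buffer for header h; 0 on success, -1 on allocation failure. */
int decoder_alloc(struct decoder *d, const struct hdr *h)
{
    size_t n = frame_out_bytes(h);
    int16_t *p = realloc(d->outbuf, n);
    if (p == NULL)
        return -1;
    d->outbuf = p;
    d->outbuf_size = n;
    d->cfg = *h;
    return 0;
}

void decoder_free(struct decoder *d)
{
    free(d->outbuf);
    d->outbuf = NULL;
    d->outbuf_size = 0;
}

/* Vulnerable pattern: assume outbuf was sized for THIS frame. A real synth
   routine would write frame_out_bytes(f) bytes unconditionally; here we only
   report how many of those bytes would land past the end of outbuf (0 when
   the write fits) so the demonstration stays well-defined. */
size_t synth_unchecked_overrun(const struct decoder *d, const struct hdr *f)
{
    size_t need = frame_out_bytes(f);
    return need > d->outbuf_size ? need - d->outbuf_size : 0;
}

/* Hardened pattern: re-derive the buffer requirement from the frame actually
   being decoded and bring the decoder state in line before writing. Fills the
   frame with `sample` and returns the number of samples written, or -1 if the
   buffer could not be resized. */
long synth_checked(struct decoder *d, const struct hdr *f, int16_t sample)
{
    size_t need = frame_out_bytes(f);
    if (need > d->outbuf_size && decoder_alloc(d, f) != 0)
        return -1;
    size_t count = need / SAMPLE_BYTES;
    for (size_t i = 0; i < count; i++)
        d->outbuf[i] = sample;    /* every write is now inside the allocation */
    return (long)count;
}

int main(void)
{
    struct decoder d = {0};
    struct hdr first = {2, 1152, 4};   /* stereo, forced 4to1: 1152 bytes of PCM */
    struct hdr next  = {1, 1152, 1};   /* mono, 1to1 synth: 2304 bytes of PCM */

    if (decoder_alloc(&d, &first) != 0)
        return 1;
    printf("buffer sized for first header: %zu bytes\n", d.outbuf_size);
    printf("unchecked synth of next frame would overrun by %zu bytes\n",
           synth_unchecked_overrun(&d, &next));
    printf("checked synth wrote %ld samples into %zu bytes\n",
           synth_checked(&d, &next, 0x7fff), d.outbuf_size);
    decoder_free(&d);
    return 0;
}
```

Building the model with `cc -g -O0 -fsanitize=address` as the reporter did for mpg123 is pointless here, since the unchecked path deliberately never performs the out-of-bounds write; the point is the arithmetic. The allocation is sized for the header the decoder last parsed, the write size is derived from the frame being synthesized, and nothing ties the two together unless the synth path checks, which is exactly the gap a header change between frames (or a crafted stream) exposes.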
  • kkkkk123

    kkkkk123 - 2024-10-24

    I used the same POC to test the new version, and I did not find the same bug. In addition, I will use the fuzzing tool to test the program for 24h. If there is a new bug, I will report it to you.

     
  • Thomas Orgis

    Thomas Orgis - 2024-10-24

    Great, thanks. I'll release the fix after this round of testing.

     
  • kkkkk123

    kkkkk123 - 2024-10-26

    Hello, I tested mpg123 and out123, and I did not find crashes.

     
  • Thomas Orgis

    Thomas Orgis - 2024-10-26
    • status: open --> closed-fixed
     
  • Thomas Orgis

    Thomas Orgis - 2024-10-26

    1.32.8 is out

     
