Bug#844719: Out of bounds read when using a malformed pcap file
Package: tcptrace
Version: 6.6.7-4.1
Severity: normal
File: /usr/bin/tcptrace

Dear Maintainer,

* What led up to the situation?
  While developing a new fuzzer we discovered this bug.
* What outcome did you expect instead?
  We expected the program not to crash.

I'm attaching an input file that triggers this bug. The bug can be triggered on x86_64 as well.

Here's a stack trace:

"""
Ostermann's tcptrace -- version 6.6.7 -- Thu Nov 4, 2004

TCP packet 10: reserved bits are not all zero.
Further warnings disabled, use '-w' for more info

Program received signal SIGSEGV, Segmentation fault.
0x08058ecc in MemCpy (vp1=0x80caab0, vp2=0x80baab6, n=4294699681) at tcptrace.c:2620
2620            *p1++=*p2++;
(gdb) bt
#0  0x08058ecc in MemCpy (vp1=0x80caab0, vp2=0x80baab6, n=4294699681) at tcptrace.c:2620
#1  0x080558c4 in callback (user=0x0, phdr=0xb1bc, buf=0x80baaa8 "") at tcpdump.c:166
#2  0xb7f4ba18 in pcap_offline_read (p=0x80ba8a0, cnt=1, callback=0x8055850 , user=0x0) at ./savefile.c:404
#3  0xb7f3c8f6 in pcap_dispatch (p=0x80ba8a0, cnt=1, callback=0x8055850 , user=0x0) at ./pcap.c:829
#4  0x080556d8 in pread_tcpdump (ptime=0x80a75c8 , plen=0xb29c, ptlen=0xb2a0, pphys=0xb298, pphystype=0xb294, ppip=0xb28c, pplast=0xb2a4) at tcpdump.c:247
#5  0x08058098 in ProcessFile (filename=0x80caab0 "E`") at tcptrace.c:966
#6  0x08049fba in main (argc=1, argv=0xb4f4) at tcptrace.c:785
"""

-- System Information:
Debian Release: 8.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.16.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages tcptrace depends on:
ii  libc6       2.19-18+deb8u4
ii  libpcap0.8  1.6.2-2

Versions of packages tcptrace recommends:
ii  tcpdump          4.6.2-5+deb8u1
ii  xplot-xplot.org  0.90.7.1-2

tcptrace suggests no packages.

-- debconf-show failed

tcptrace-2016-05-18T02-38-38.155527.pcap
Description: tcptrace-2016-05-18T02-38-38.155527.pcap

signature.asc
Description: OpenPGP digital signature
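The trace above shows MemCpy being entered from the pcap callback with n=4294699681, a length that has clearly wrapped around in 32-bit unsigned arithmetic rather than anything a capture record could legitimately contain. The C program below is an added example, not tcptrace's code, and the report does not establish where its length comes from; the example assumes, as a hypothesis, the common pattern of subtracting a link-layer header size from a record's caplen without first checking that caplen covers the header, and shows a pcap record walker that bounds the copy length on both the source and the destination side. All constants, function names and the constructed sample file are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Minimal legacy-pcap constants; the file is read as little-endian regardless of host order. */
#define PCAP_MAGIC   0xa1b2c3d4u
#define PCAP_HDR_LEN 24u      /* global header */
#define PCAP_REC_LEN 16u      /* per-record header */
#define DLT_EN10MB   1u
#define ETH_HDR_LEN  14u      /* Ethernet link-layer header */
#define IP_MAXPACKET 65535u

/* Unchecked arithmetic (hypothetical origin of the bad length): caplen minus the link
   header.  With caplen < 14 the subtraction wraps to a value near 2^32, the kind of n
   seen in the trace, and any memcpy given that length reads far past its source. */
uint32_t naive_ip_len(uint32_t caplen) {
    return caplen - ETH_HDR_LEN;
}

/* Checked version: succeed only when the captured bytes cover the link header and the
   remainder is a plausible IP packet length. */
int checked_ip_len(uint32_t caplen, uint32_t *ip_len) {
    if (caplen < ETH_HDR_LEN) return -1;               /* truncated link header */
    if (caplen - ETH_HDR_LEN > IP_MAXPACKET) return -1; /* no wrap possible after the check above */
    *ip_len = caplen - ETH_HDR_LEN;
    return 0;
}

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32le(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Walk a pcap image held in memory, copying each record's IP portion into dst.
   Returns the number of records accepted, or -1 as soon as a record is inconsistent. */
int parse_pcap(const uint8_t *buf, size_t len, uint8_t *dst, size_t dst_cap) {
    if (len < PCAP_HDR_LEN || rd32le(buf) != PCAP_MAGIC) return -1;
    if (rd32le(buf + 20) != DLT_EN10MB) return -1;      /* only Ethernet handled here */
    size_t off = PCAP_HDR_LEN;
    int accepted = 0;
    while (off < len) {
        if (len - off < PCAP_REC_LEN) return -1;          /* truncated record header */
        uint32_t caplen = rd32le(buf + off + 8);          /* incl_len field */
        off += PCAP_REC_LEN;
        if (caplen > len - off) return -1;                /* record claims bytes the file lacks */
        uint32_t ip_len;
        if (checked_ip_len(caplen, &ip_len) != 0) return -1;
        if (ip_len > dst_cap) return -1;                  /* destination bound */
        memcpy(dst, buf + off + ETH_HDR_LEN, ip_len);     /* source, destination and length all bounded */
        off += caplen;
        accepted++;
    }
    return accepted;
}

/* Constructed sample: a one-record little-endian pcap whose record carries `caplen` filler
   bytes.  Returns the image length; out must hold 24 + 16 + caplen bytes. */
size_t build_sample(uint8_t *out, uint32_t caplen) {
    memset(out, 0, PCAP_HDR_LEN + PCAP_REC_LEN + caplen);
    wr32le(out, PCAP_MAGIC);
    out[4] = 2; out[6] = 4;                  /* version 2.4 */
    wr32le(out + 16, IP_MAXPACKET);          /* snaplen */
    wr32le(out + 20, DLT_EN10MB);
    wr32le(out + PCAP_HDR_LEN + 8, caplen);  /* incl_len */
    wr32le(out + PCAP_HDR_LEN + 12, caplen); /* orig_len */
    memset(out + PCAP_HDR_LEN + PCAP_REC_LEN, 0x41, caplen);
    return PCAP_HDR_LEN + PCAP_REC_LEN + caplen;
}

/* Parse a constructed sample with the given caplen; 34 = 14-byte Ethernet + 20-byte IP header. */
int demo_parse(uint32_t caplen) {
    uint8_t file[256], dst[IP_MAXPACKET];
    if (caplen > sizeof file - PCAP_HDR_LEN - PCAP_REC_LEN) return -2;
    size_t n = build_sample(file, caplen);
    return parse_pcap(file, n, dst, sizeof dst);
}

int main(void) {
    printf("naive length for caplen=6: %u\n", naive_ip_len(6));
    printf("well-formed record (caplen=34): %d\n", demo_parse(34));
    printf("truncated record (caplen=6): %d\n", demo_parse(6));
    return 0;
}
```

Build with `cc -Wall -O2 example.c -o example` and run it; the first line shows the wrapped length 4294967288 produced by the unchecked subtraction, while the checked walker accepts the 34-byte record and rejects the 6-byte one before any copy happens. The important property is that the copy length is derived only after caplen has been validated against both the link-header size and the bytes actually remaining in the file, so a record header can never steer memcpy past either buffer.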
Bug#844626: Test file for 32 bits
Hi,

I'm attaching a test file that triggers roughly the same behavior on x86 Debian.

Lucian

mpg321-2016-05-15T11-17-17.073535.mp3
Description: mpg321-2016-05-15T11-17-17.073535.mp3
Bug#844634: mpg321: "Segmentation fault" when running mpg321 with malformed
Package: mpg321
Version: 0.3.2-1.1
Severity: normal
File: /usr/bin/mpg321

Dear Maintainer,

* What led up to the situation?
  We were developing a fuzzer and triggered this bug.
* What outcome did you expect instead?
  I expected the program not to crash.

I also attached a file that triggers this bug.

Here's a stack trace:

"""
Program received signal SIGSEGV, Segmentation fault.
0xb7e4b612 in mad_bit_read () from /usr/lib/i386-linux-gnu/libmad.so.0
(gdb) bt
#0  0xb7e4b612 in mad_bit_read () from /usr/lib/i386-linux-gnu/libmad.so.0
#1  0xb7e4f9bc in mad_layer_I () from /usr/lib/i386-linux-gnu/libmad.so.0
#2  0xb7e4d0dd in mad_frame_decode () from /usr/lib/i386-linux-gnu/libmad.so.0
#3  0xb7e4f14b in ?? () from /usr/lib/i386-linux-gnu/libmad.so.0
#4  0xb7e4f6d6 in mad_decoder_run () from /usr/lib/i386-linux-gnu/libmad.so.0
#5  0x0804b0c4 in ?? ()
#6  0xb7c61a63 in __libc_start_main (main=0x804a960, argc=2, argv=0xb614, init=0x8053d70, fini=0x8053d60, rtld_fini=0xb7fedc50 <_dl_fini>, stack_end=0xb60c) at libc-start.c:287
#7  0x0804c19d in ?? ()
"""

-- System Information:
Debian Release: 8.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.16.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages mpg321 depends on:
ii  libao4      1.1.0-3
ii  libasound2  1.0.28-1
ii  libc6       2.19-18+deb8u4
ii  libid3tag0  0.15.1b-11
ii  libmad0     0.15.1b-8
ii  zlib1g      1:1.2.8.dfsg-2+b1

Versions of packages mpg321 recommends:
ii  libaudio-scrobbler-perl  0.01-2.1

mpg321 suggests no packages.

-- debconf-show failed

mpg321-2016-05-14T21-38-57.853298.mp3
Description: mpg321-2016-05-14T21-38-57.853298.mp3

signature.asc
Description: OpenPGP digital signature
Bug#844626: "Double free error or corruption" when running mpg321 with malformed input
Package: mpg321
Version: 0.3.2-1.1
Severity: normal
File: /usr/bin/mpg321

Dear Maintainer,

* What led up to the situation?
  While testing a new fuzzer we encountered this bug.
* What outcome did you expect instead?
  I expected the program not to crash.

I also attached a test file to trigger this error.

-- System Information:
Debian Release: 8.6
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armel

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages mpg321 depends on:
ii  libao4      1.1.0-3
ii  libasound2  1.0.28-1
ii  libc6       2.19-18+deb8u6
ii  libid3tag0  0.15.1b-11
ii  libmad0     0.15.1b-8
ii  zlib1g      1:1.2.8.dfsg-2+b1

Versions of packages mpg321 recommends:
ii  libaudio-scrobbler-perl  0.01-2.1

mpg321 suggests no packages.

-- no debconf information

mpg321-2016-05-14T21-39-25.656643.mp3
Description: mpg321-2016-05-14T21-39-25.656643.mp3

signature.asc
Description: OpenPGP digital signature