Bug#508133: [pkg-mad-maintainers] Bug#508133: audacity: munmap_chunk(): invalid pointer: 0x00000000026f4eb0

2008-12-16 Thread Kurt Roeckx
On Sat, Dec 13, 2008 at 04:30:52PM +0100, Kurt Roeckx wrote:
> tags 508133 + patch security
> thanks
> 
> On Tue, Dec 09, 2008 at 06:59:08AM +0100, Max Kellermann wrote:
> > 
> > It's a raw PCM file (16 bit stereo, 44.1 or 48 kHz).  The crash is
> > reproducible by invoking "audacity libmad-crash-test".
> 
> I've attached a diff that fixes it for me.  But I'm not really
> happy with it.
> 
> I'm abusing MAD_ERROR_LOSTSYNC because it is an existing
> recoverable error.  I should probably create new errors instead.
> 
> I'm also not sure that the changes I've made in layer12.c also
> don't affect layer3.c.  I just didn't see such problems in layer3.c
> with your test file.
> 

Another comment is that the checks in layer12.c might not be
completely correct, and that they only give an error 1 byte after
the frame has ended.  But I think it shouldn't be a problem because
of the MAD_BUFFER_GUARD.


Kurt







Bug#508133: [pkg-mad-maintainers] Bug#508133: audacity: munmap_chunk(): invalid pointer: 0x00000000026f4eb0

2008-12-13 Thread Kurt Roeckx
tags 508133 + patch security
thanks

On Tue, Dec 09, 2008 at 06:59:08AM +0100, Max Kellermann wrote:
> 
> It's a raw PCM file (16 bit stereo, 44.1 or 48 kHz).  The crash is
> reproducible by invoking "audacity libmad-crash-test".

I've attached a diff that fixes it for me.  But I'm not really
happy with it.

I'm abusing MAD_ERROR_LOSTSYNC because it is an existing
recoverable error.  I should probably create new errors instead.

I'm also not sure that the changes I've made in layer12.c also
don't affect layer3.c.  I just didn't see such problems in layer3.c
with your test file.


Kurt

--- libmad-0.15.1b.orig/layer12.c
+++ libmad-0.15.1b/layer12.c
@@ -134,6 +134,12 @@
   for (sb = 0; sb < bound; ++sb) {
 for (ch = 0; ch < nch; ++ch) {
   nb = mad_bit_read(&stream->ptr, 4);
+	if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
+	{
+		stream->error = MAD_ERROR_LOSTSYNC;
+		stream->sync = 0;
+		return -1;
+	}
 
   if (nb == 15) {
 	stream->error = MAD_ERROR_BADBITALLOC;
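Review bot: The new bound check at the top of this hunk runs only after `mad_bit_read()` has already consumed the bits, so an over-read is detected one byte late and stays memory-safe only as long as the MAD_BUFFER_GUARD bytes past `next_frame` are readable; the same post-read pattern is repeated in the layer12.c hunks at @@ -146, @@ -162, @@ -187, @@ -195, @@ -403, @@ -411, @@ -419, @@ -442, @@ -452, @@ -488 and @@ -506. Since the six-line block is byte-identical in each of those places, it would be clearer and less error-prone to factor it into one static helper and replace each copy with `if (check_frame_bounds(stream) < 0) return -1;`. Reporting the condition as MAD_ERROR_LOSTSYNC also conflates a truncated frame with a real sync loss, as the author already notes; a dedicated recoverable error code would let callers tell the two apart. The enclosing function starts outside the hunk.
```c
/* Fail the current frame when the bit reader has moved past next_frame;
   the caller must return -1 so no further reads happen on this frame. */
static int check_frame_bounds(struct mad_stream *stream)
{
  if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame) {
    stream->error = MAD_ERROR_LOSTSYNC;
    stream->sync  = 0;
    return -1;
  }
  return 0;
}

/* … unchanged: mad_layer_I up to the bit allocation loop … */
	nb = mad_bit_read(&stream->ptr, 4);
	if (check_frame_bounds(stream) < 0)
	  return -1;
```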
@@ -146,6 +152,12 @@
 
   for (sb = bound; sb < 32; ++sb) {
 nb = mad_bit_read(&stream->ptr, 4);
+	if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
+	{
+		stream->error = MAD_ERROR_LOSTSYNC;
+		stream->sync = 0;
+		return -1;
+	}
 
 if (nb == 15) {
   stream->error = MAD_ERROR_BADBITALLOC;
@@ -162,6 +174,12 @@
 for (ch = 0; ch < nch; ++ch) {
   if (allocation[ch][sb]) {
 	scalefactor[ch][sb] = mad_bit_read(&stream->ptr, 6);
+	if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
+	{
+		stream->error = MAD_ERROR_LOSTSYNC;
+		stream->sync = 0;
+		return -1;
+	}
 
 # if defined(OPT_STRICT)
 	/*
@@ -187,6 +205,12 @@
 	frame->sbsample[ch][s][sb] = nb ?
 	  mad_f_mul(I_sample(&stream->ptr, nb),
 		sf_table[scalefactor[ch][sb]]) : 0;
+	if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
+	{
+		stream->error = MAD_ERROR_LOSTSYNC;
+		stream->sync = 0;
+		return -1;
+	}
   }
 }
 
@@ -195,6 +219,12 @@
 	mad_fixed_t sample;
 
 	sample = I_sample(&stream->ptr, nb);
+	if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
+	{
+		stream->error = MAD_ERROR_LOSTSYNC;
+		stream->sync = 0;
+		return -1;
+	}
 
 	for (ch = 0; ch < nch; ++ch) {
 	  frame->sbsample[ch][s][sb] =
@@ -403,7 +433,15 @@
 nbal = bitalloc_table[offsets[sb]].nbal;
 
 for (ch = 0; ch < nch; ++ch)
+{
   allocation[ch][sb] = mad_bit_read(&stream->ptr, nbal);
+	if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
+	{
+		stream->error = MAD_ERROR_LOSTSYNC;
+		stream->sync = 0;
+		return -1;
+	}
+}
   }
 
   for (sb = bound; sb < sblimit; ++sb) {
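Review bot: The braces added around the `for (ch = 0; ch < nch; ++ch)` body in this hunk sit at column 0 while the loop and its body are indented, which hides the new block structure in a file that otherwise indents consistently; indent the `{` and `}` to the loop's own level, e.g. `      for (ch = 0; ch < nch; ++ch) {` with the matching `      }` after the check. The enclosing `for (sb …)` loop starts outside the hunk.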
@@ -411,6 +449,13 @@
 
 allocation[0][sb] =
 allocation[1][sb] = mad_bit_read(&stream->ptr, nbal);
+
+	if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
+	{
+		stream->error = MAD_ERROR_LOSTSYNC;
+		stream->sync = 0;
+		return -1;
+	}
   }
 
   /* decode scalefactor selection info */
@@ -419,6 +464,12 @@
 for (ch = 0; ch < nch; ++ch) {
   if (allocation[ch][sb])
 	scfsi[ch][sb] = mad_bit_read(&stream->ptr, 2);
+	if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
+	{
+		stream->error = MAD_ERROR_LOSTSYNC;
+		stream->sync = 0;
+		return -1;
+	}
 }
   }
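Review bot: In this hunk the added check follows an unbraced `if (allocation[ch][sb])` whose only statement is the `mad_bit_read()` call, so the check is not part of the `if` even though it is indented as if it were; it runs for every channel, including ones where nothing was read. That is harmless today but reads like the dangling-statement pattern that hides real bugs, so brace the conditional: change `if (allocation[ch][sb])` to `if (allocation[ch][sb]) {` and add the closing `}` after the check, matching the braced form already used in the @@ -442 hunk. The enclosing loop starts outside the hunk.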
 
@@ -442,6 +493,12 @@
 for (ch = 0; ch < nch; ++ch) {
   if (allocation[ch][sb]) {
 	scalefactor[ch][sb][0] = mad_bit_read(&stream->ptr, 6);
+	if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
+	{
+		stream->error = MAD_ERROR_LOSTSYNC;
+		stream->sync = 0;
+		return -1;
+	}
 
 	switch (scfsi[ch][sb]) {
 	case 2:
@@ -452,11 +509,23 @@
 
 	case 0:
 	  scalefactor[ch][sb][1] = mad_bit_read(&stream->ptr, 6);
+		if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
+		{
+			stream->error = MAD_ERROR_LOSTSYNC;
+			stream->sync = 0;
+			return -1;
+		}
 	  /* fall through */
 
 	case 1:
 	case 3:
 	  scalefactor[ch][sb][2] = mad_bit_read(&stream->ptr, 6);
+		if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
+		{
+			stream->error = MAD_ERROR_LOSTSYNC;
+			stream->sync = 0;
+			return -1;
+		}
 	}
 
 	if (scfsi[ch][sb] & 1)
@@ -488,6 +557,12 @@
 	  index = offset_table[bitalloc_table[offsets[sb]].offset][index - 1];
 
 	  II_samples(&stream->ptr, &qc_table[index], samples);
+		if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
+		{
+			stream->error = MAD_ERROR_LOSTSYNC;
+			stream->sync = 0;
+			return -1;
+		}
 
 	  for (s = 0; s < 3; ++s) {
 	frame->sbsample[ch][3 * gr + s][sb] =
@@ -506,6 +581,12 @@
 	index = offset_table[bitalloc_table[offsets[sb]].offset][index - 1];
 
 	II_samples(&stream->ptr, &qc_table[index], samples);
+	if (mad_bit_nextbyte(&stream->ptr) > stream->next_frame)
+	{
+		stream->error = MAD_ERROR_LOSTSYNC;
+		stream->sync = 0;
+		return -1;
+	}
 
 	for (ch = 0; ch < nch; ++ch) {
 	  for (s = 0; s < 3; ++s) {
--- libmad-0.15.1b.orig/layer3.c
+++ libmad-0.15.1b/layer3.c
@@ -2608,6 +2608,12 @@
 next_md_begin = 0;
 
   md_len = si.main_data_begin + frame_space - next_md_begin;
+  if (md_len + MAD_BUFFER_GUARD > MAD_BUFFER_MDLEN)
+  

Processed: Re: [pkg-mad-maintainers] Bug#508133: audacity: munmap_chunk(): invalid pointer: 0x00000000026f4eb0

2008-12-13 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tags 508133 + patch security
Bug#508133: audacity: munmap_chunk(): invalid pointer: 0x026f4eb0
There were no tags set.
Tags added: patch, security

> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)





Bug#508133: [pkg-mad-maintainers] Bug#508133: audacity: munmap_chunk(): invalid pointer: 0x00000000026f4eb0

2008-12-08 Thread Kurt Roeckx
On Mon, Dec 08, 2008 at 08:17:13AM +0100, Max Kellermann wrote:
> Package: libmad0
> Version: 0.15.1b-3
> Severity: grave
> 
> I generated a raw audio file and tried to load it into audacity
> (1.3.5-2).  Audacity crashed with the following message.  Looks like
> it attempted to load the file as mp3; the file name had no extension.
> This bug is always reproducible (tell me if you need my test file;
> /dev/urandom might also do well).

Please give the test file.  /dev/urandom or other files do not seem
to produce anything like that.


Kurt







Bug#508133: audacity: munmap_chunk(): invalid pointer: 0x00000000026f4eb0

2008-12-07 Thread Max Kellermann
Package: libmad0
Version: 0.15.1b-3
Severity: grave

I generated a raw audio file and tried to load it into audacity
(1.3.5-2).  Audacity crashed with the following message.  Looks like
it attempted to load the file as mp3; the file name had no extension.
This bug is always reproducible (tell me if you need my test file;
/dev/urandom might also do well).

Severity grave because this bug may be a remote vulnerability
(e.g. when playing remote mp3 streams).

*** glibc detected *** audacity: munmap_chunk(): invalid pointer: 
0x024d7950 ***
=== Backtrace: =
/lib/libc.so.6[0x7f4c0a23e948]
/usr/lib/libmad.so.0(mad_frame_finish+0x15)[0x7f4c0d7b3bb5]
/usr/lib/libmad.so.0[0x7f4c0d7b5cd1]
/usr/lib/libmad.so.0(mad_decoder_run+0x5f)[0x7f4c0d7b5b2f]
audacity[0x5ce4c9]
audacity[0x5c9a5c]
audacity[0x4c6680]
audacity[0x4c796c]
audacity[0x4477be]
audacity(_ZN12wxAppConsole10CallOnInitEv+0xd)[0x44812d]
/usr/lib/libwx_baseu-2.6.so.0(_Z7wxEntryRiPPw+0x23)[0x7f4c0b669573]
audacity[0x442dc2]
/lib/libc.so.6(__libc_start_main+0xe6)[0x7f4c0a1e91a6]
audacity(_ZN8wxDCBase22GetMultiLineTextExtentERK8wxStringPiS3_S3_P6wxFont+0x1a9)[0x43]
=== Memory map: 
0040-00896000 r-xp  08:02 50951588   
/usr/bin/audacity
00a95000-00ae1000 rw-p 00495000 08:02 50951588   
/usr/bin/audacity
00ae1000-00b0 rw-p 00ae1000 00:00 0 
01eea000-025fa000 rw-p 01eea000 00:00 0  [heap]
41ea4000-41ea5000 ---p 41ea4000 00:00 0 
41ea5000-426a5000 rw-p 41ea5000 00:00 0 
7f4bfd8d7000-7f4bfd937000 rw-s  00:07 9404421
/SYSV (deleted)
7f4bfd937000-7f4bfd93d000 r-xp  08:02 8494344
/usr/lib/gtk-2.0/2.10.0/loaders/libpixbufloader-xpm.so
7f4bfd93d000-7f4bfdb3d000 ---p 6000 08:02 8494344
/usr/lib/gtk-2.0/2.10.0/loaders/libpixbufloader-xpm.so
7f4bfdb3d000-7f4bfdb3e000 rw-p 6000 08:02 8494344
/usr/lib/gtk-2.0/2.10.0/loaders/libpixbufloader-xpm.so
7f4bfdb3e000-7f4bfdb4 r-xp  08:02 33723161   
/usr/lib/pango/1.6.0/modules/pango-basic-fc.so
7f4bfdb4-7f4bfdd3f000 ---p 2000 08:02 33723161   
/usr/lib/pango/1.6.0/modules/pango-basic-fc.so
7f4bfdd3f000-7f4bfdd4 rw-p 1000 08:02 33723161   
/usr/lib/pango/1.6.0/modules/pango-basic-fc.so
7f4bfdd4-7f4bfdda rw-s  00:07 9338884
/SYSV (deleted)
7f4bfdda-7f4bfdda7000 r-xp  08:02 59226866   
/usr/lib/libgailutil.so.18.0.1
7f4bfdda7000-7f4bfdfa7000 ---p 7000 08:02 59226866   
/usr/lib/libgailutil.so.18.0.1
7f4bfdfa7000-7f4bfdfa8000 rw-p 7000 08:02 59226866   
/usr/lib/libgailutil.so.18.0.1
7f4bfdfa8000-7f4bfdfdc000 r-xp  08:02 59148264   
/usr/lib/libgnomecanvas-2.so.0.2001.0
7f4bfdfdc000-7f4bfe1db000 ---p 00034000 08:02 59148264   
/usr/lib/libgnomecanvas-2.so.0.2001.0
7f4bfe1db000-7f4bfe1dd000 rw-p 00033000 08:02 59148264   
/usr/lib/libgnomecanvas-2.so.0.2001.0
7f4bfe1dd000-7f4bfe221000 r-xp  08:02 59226871   
/usr/lib/libgnomeprintui-2-2.so.0.1.0
7f4bfe221000-7f4bfe421000 ---p 00044000 08:02 59226871   
/usr/lib/libgnomeprintui-2-2.so.0.1.0
7f4bfe421000-7f4bfe424000 rw-p 00044000 08:02 59226871   
/usr/lib/libgnomeprintui-2-2.so.0.1.0
7f4bfe424000-7f4bfe576000 r-xp  08:02 59241068   
/usr/lib/libxml2.so.2.6.32
7f4bfe576000-7f4bfe775000 ---p 00152000 08:02 59241068   
/usr/lib/libxml2.so.2.6.32
7f4bfe775000-7f4bfe77f000 rw-p 00151000 08:02 59241068   
/usr/lib/libxml2.so.2.6.32
7f4bfe77f000-7f4bfe78 rw-p 7f4bfe77f000 00:00 0 
7f4bfe78-7f4bfe797000 r-xp  08:02 59226843   
/usr/lib/libart_lgpl_2.so.2.3.20
7f4bfe797000-7f4bfe996000 ---p 00017000 08:02 59226843   
/usr/lib/libart_lgpl_2.so.2.3.20
7f4bfe996000-7f4bfe997000 rw-p 00016000 08:02 59226843   
/usr/lib/libart_lgpl_2.so.2.3.20
7f4bfe997000-7f4bfea0c000 r-xp  08:02 59812713   
/usr/lib/libgnomeprint-2-2.so.0.1.0
7f4bfea0c000-7f4bfec0b000 ---p 00075000 08:02 59812713   
/usr/lib/libgnomeprint-2-2.so.0.1.0
7f4bfec0b000-7f4bfec0e000 rw-p 00074000 08:02 59812713   
/usr/lib/libgnomeprint-2-2.so.0.1.0
7f4bfec0e000-7f4bfec0f000 rw-p 7f4bfec0e000 00:00 0 
7f4bfec0f000-7f4bfec19000 r-xp  08:02 26811946   
/lib/libnss_files-2.7.so
7f4bfec19000-7f4bfee19000 ---p a000 08:02 26811946   
/lib/libnss_files-2.7.so
7f4bfee19000-7f4bfee1b000 rw-p a000 08:02 26811946   
/lib/libnss_files-2.7.so
7f4bfee1b000-7f4bfee25000 r-xp  08:02 25172845   
/lib/libnss_nis-2.7.so
7f4bfee25000-7f4bff024000 ---p a000 08:02