jiixyj/libebur128

heap-buffer-overflow write

asarubbo opened this issue · 3 comments

On 1.2.2

# minimal-example $FILE
==947==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6150000004e0 at pc 0x7ff54458561a bp 0x7ffedb2069d0 sp 0x7ffedb2069c8
WRITE of size 8 at 0x6150000004e0 thread T0
    #0 0x7ff544585619 in ebur128_filter_double /var/tmp/portage/media-libs/libebur128-1.2.2/work/libebur128-1.2.2/ebur128/ebur128.c:596:1
    #1 0x7ff544582456 in ebur128_add_frames_double /var/tmp/portage/media-libs/libebur128-1.2.2/work/libebur128-1.2.2/ebur128/ebur128.c:926:1
    #2 0x50e319 in main /var/tmp/portage/media-libs/libebur128-1.2.2/work/libebur128-1.2.2/test/minimal-example.c:46:7
    #3 0x7ff543440680 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r4/work/glibc-2.23/csu/../csu/libc-start.c:289
    #4 0x419d58 in _start (/usr/bin/minimal-example+0x419d58)

0x6150000004e0 is located 0 bytes to the right of 480-byte region [0x615000000300,0x6150000004e0)
allocated by thread T0 here:
    #0 0x4d7f48 in malloc /var/tmp/portage/sys-libs/compiler-rt-sanitizers-5.0.0/work/compiler-rt-5.0.0.src/lib/asan/asan_malloc_linux.cc:67
    #1 0x7ff544572d9e in ebur128_init /var/tmp/portage/media-libs/libebur128-1.2.2/work/libebur128-1.2.2/ebur128/ebur128.c:387:33
    #2 0x50e112 in main /var/tmp/portage/media-libs/libebur128-1.2.2/work/libebur128-1.2.2/test/minimal-example.c:30:14
    #3 0x7ff543440680 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r4/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/media-libs/libebur128-1.2.2/work/libebur128-1.2.2/ebur128/ebur128.c:596:1 in ebur128_filter_double
Shadow bytes around the buggy address:
  0x0c2a7fff8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff8070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff8080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2a7fff8090: 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa
  0x0c2a7fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff80b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff80c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff80d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff80e0: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==947==ABORTING

testcase attached
10.crashes.zip

Thank you for finding those issues! Those test files have very unusual numbers of channels/samplerates. The checks currently done in ebur128_init and ebur128_change_parameters are not enough, resulting in arithmetic overflows, for example. The library should validate the arguments to those functions better.
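The maintainer's diagnosis above is that the channel count and sample rate taken from the input file feed an allocation-size computation without adequate range checks, so an arithmetic overflow shrinks the buffer that ebur128_filter_double later writes past. The block below is an added illustration of that defensive pattern, written for this page and not taken from libebur128: it rejects out-of-range parameters up front and computes the buffer size with overflow-checked multiplication so that an absurd input can never produce an undersized allocation. The limits MAX_CHANNELS, MIN_SAMPLERATE and MAX_SAMPLERATE, the 1000-based millisecond window and every function name are assumptions for the example, not the library's own constants or API.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical bounds chosen for this example; libebur128's real limits may differ. */
#define MAX_CHANNELS   64u
#define MIN_SAMPLERATE 16u
#define MAX_SAMPLERATE 2822400u

/* Returns 1 if a * b would not fit in size_t, 0 otherwise. */
int product_overflows(size_t a, size_t b) {
    return a != 0 && b > SIZE_MAX / a;
}

/* Overflow-checked a * b. Stores the product in *out and returns 1,
 * or returns 0 and leaves *out untouched when the product would overflow. */
static int mul_size_checked(size_t a, size_t b, size_t *out) {
    if (product_overflows(a, b)) return 0;
    *out = a * b;
    return 1;
}

/* Range-check the (channels, samplerate) pair a caller hands to an
 * init/change_parameters style entry point. Returns 1 if acceptable. */
int params_are_valid(unsigned int channels, unsigned long samplerate) {
    if (channels == 0 || channels > MAX_CHANNELS) return 0;
    if (samplerate < MIN_SAMPLERATE || samplerate > MAX_SAMPLERATE) return 0;
    return 1;
}

/* Byte size of an interleaved double buffer covering window_ms milliseconds,
 * computed only when every intermediate product fits in size_t.
 * Returns 0 for rejected parameters or an empty window. */
size_t audio_buffer_bytes(unsigned int channels, unsigned long samplerate,
                          unsigned int window_ms) {
    size_t frames, samples, bytes;
    if (!params_are_valid(channels, samplerate)) return 0;
    /* frames = samplerate * window_ms / 1000, with the product checked first */
    if (!mul_size_checked((size_t)samplerate, (size_t)window_ms, &frames)) return 0;
    frames /= 1000;
    if (frames == 0) return 0;
    if (!mul_size_checked(frames, (size_t)channels, &samples)) return 0;
    if (!mul_size_checked(samples, sizeof(double), &bytes)) return 0;
    return bytes;
}

/* Allocate a zeroed buffer of the checked size, or NULL if the parameters are rejected.
 * A NULL here is an error to report to the caller, never a buffer to write into. */
double *alloc_audio_buffer(unsigned int channels, unsigned long samplerate,
                           unsigned int window_ms) {
    size_t bytes = audio_buffer_bytes(channels, samplerate, window_ms);
    if (bytes == 0) return NULL;
    return calloc(1, bytes);
}

int main(void) {
    /* Constructed inputs: one ordinary stream and two that must be rejected. */
    printf("48 kHz stereo, 400 ms: %zu bytes\n", audio_buffer_bytes(2, 48000, 400));
    printf("1000 channels: %zu bytes\n", audio_buffer_bytes(1000, 48000, 400));
    printf("zero sample rate: %zu bytes\n", audio_buffer_bytes(2, 0, 400));
    double *buf = alloc_audio_buffer(2, 48000, 400);
    printf("allocation %s\n", buf ? "succeeded" : "rejected");
    free(buf);
    return 0;
}
```

The point of splitting the size computation out of the allocation is that the same checked function can be called from both the init path and the change-parameters path, so a later parameter change cannot leave a buffer sized for the old configuration while the filter writes at the new one.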

Thank you for finding those issues!

YW. If you have any other suggestion/way to test the library from corrupted input I can do further tests.

This particular crash should be fixed now after the last round of commits. Thanks again!