SEGV in function wrap_free in libwav.c

Question

SEGV in function wrap_free in libwav.c

fouzhe opened this issue 7 years ago · 1 comments

I use Clang 6.0 and AddressSanitizer to build libwav, this file can cause SEGV signal in function wrap_free when running the wav_gain in folder tools/wav_gain with the following command:

./wav_gain wav_gain__crash__SEGV_gain_file 1.wav

This is the ASAN information:

LibWAV v. 0.0.1 A (c) 2016 - 2017 Marc Volker Dickmann

ASAN:DEADLYSIGNAL
=================================================================
==89112==ERROR: AddressSanitizer: SEGV on unknown address 0x0000ff564147 (pc 0x0001060e8809 bp 0x7fff59b24ee0 sp 0x7fff59b24eb0 T0)
==89112==The signal is caused by a WRITE memory access.
    #0 0x1060e8808 in __asan::Allocator::Deallocate(void*, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType) (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x3808)
    #1 0x10613e130 in wrap_free (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x59130)
    #2 0x1060db8fc in wav_free libwav.c:196
    #3 0x1060dc54f in gain_file wav_gain.c:33
    #4 0x1060dc3b2 in main wav_gain.c:43
    #5 0x7fff8bb96234 in start (libdyld.dylib:x86_64+0x5234)

==89112==Register values:
rax = 0x0000000000000002  rbx = 0x00000000ff564157  rcx = 0x00007fff59b24f03  rdx = 0x0000000000000000
rdi = 0x00000000ff564157  rsi = 0x00000000ff564157  rbp = 0x00007fff59b24ee0  rsp = 0x00007fff59b24eb0
 r8 = 0x0000000000000001   r9 = 0x000000000000001e  r10 = 0x000000000000002e  r11 = 0x000000010613dfa0
r12 = 0x00000000ff564147  r13 = 0x0000000000000000  r14 = 0x00007fff59b24f08  r15 = 0x0000000000000001
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x3808) in __asan::Allocator::Deallocate(void*, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType)
==89112==ABORTING
Abort trap: 6

Answer 1 · 2018-07-14T09:31:01.000Z

https://nvd.nist.gov/vuln/detail/CVE-2018-14050