Multiple bugs/vulns(?)


Multiple bugs/vulns(?)

Joshua Rogers
I've found a few problems with lame.


# ./lame --version
LAME 64bits version 3.99.3 (http://lame.sf.net)

# ./lame nonexistant
Segmentation fault

'nonexistant' does not exist.

gdb backtrack:

> #0  0x000000000041e090 in local_strcasecmp (s1=0x7fffffffb01b "",
> s2=0x15 <Address 0x15 out of bounds>) at parse.c:1086
> #1  0x000000000041fa16 in isCommonSuffix (s_ext=0x7fffffffb01b "") at
> parse.c:1263
> #2  0x000000000042044a in generateOutPath (gfp=0x737230,
> inPath=0x7fffffffb010 "nonexistant", outDir=0x7ffffff32480 "",
> outPath=0x7fffffffc020 "nonexistant") at parse.c:1326
> #3  0x00000000004289e4 in parse_args (gfp=0x737230, argc=2,
> argv=0x7fffffffe178, inPath=0x7fffffffb010 "nonexistant",
> outPath=0x7fffffffc020 "nonexistant", nogap_inPath=0x7fffffffa9a0,
>     num_nogap=0x7fffffffaffc) at parse.c:2343
> #4  0x0000000000406a68 in lame_main (gf=0x737230, argc=2,
> argv=0x7fffffffe178) at lame_main.c:653


----

Bug 2: (Looks like a divide-by-zero bug)
Per the vulnerable file: https://internot.info/docs/lame_bug2.wav


gdb backtrace:

> Program received signal SIGFPE, Arithmetic exception.
> 0x0000000000413528 in parse_wave_header (gfp=0x737230, sf=0x74fd90) at
> get_audio.c:1450
> 1450            (void) lame_set_num_samples(gfp, data_length /
> (channels * ((bits_per_sample + 7) / 8)));
> (gdb) bt
> #0  0x0000000000413528 in parse_wave_header (gfp=0x737230,
> sf=0x74fd90) at get_audio.c:1450
> #1  0x0000000000414d83 in parse_file_header (gfp=0x737230,
> sf=0x74fd90) at get_audio.c:1679
> #2  0x00000000004156eb in open_wave_file (gfp=0x737230,
> inPath=0x7fffffffafe0 "lame_bug1.wav") at get_audio.c:1750
> #3  0x000000000040e923 in init_infile (gfp=0x737230,
> inPath=0x7fffffffafe0 "lame_bug1.wav") at get_audio.c:616
> #4  0x000000000040252b in init_files (gf=0x737230,
> inPath=0x7fffffffafe0 "lame_bug1.wav", outPath=0x7fffffffbff0
> "lame_bug1.mp3") at lame_main.c:151
> #5  0x0000000000406d80 in lame_main (gf=0x737230, argc=2,
> argv=0x7fffffffe148) at lame_main.c:674
---

Bug 3:
(looks like off-by-one vuln)
Per the vulnerable file: https://internot.info/docs/lame_bug2.wav


gdb backtrace:

> Program received signal SIGSEGV, Segmentation fault.
> 0x00000000004ab842 in fill_buffer_resample (gfc=0x73a3c0,
> outbuf=0x748170, desired_len=576, inbuf=0x754e10, len=576,
> num_used=0x7ffffff0c2b8, ch=0) at util.c:615
> 615                 y = (j2 < 0) ? inbuf_old[BLACKSIZE + j2] : inbuf[j2];
> (gdb) bt
> #0  0x00000000004ab842 in fill_buffer_resample (gfc=0x73a3c0,
> outbuf=0x748170, desired_len=576, inbuf=0x754e10, len=576,
> num_used=0x7ffffff0c2b8, ch=0) at util.c:615
> #1  0x00000000004ac236 in fill_buffer (gfc=0x73a3c0,
> mfbuf=0x7ffffff0c270, in_buffer=0x7ffffff0c290, nsamples=576,
> n_in=0x7ffffff0c2b8, n_out=0x7ffffff0c2bc) at util.c:685
> #2  0x0000000000457f13 in lame_encode_buffer_sample_t (gfc=0x73a3c0,
> nsamples=576, mp3buf=0x7ffffff0e8d8 "", mp3buf_size=147456) at lame.c:1736
> #3  0x0000000000459686 in lame_encode_buffer_template (gfp=0x737230,
> buffer_l=0x7ffffff0c3d0, buffer_r=0x7ffffff0d5d0, nsamples=576,
> mp3buf=0x7ffffff0e800 "\377\343\070D", mp3buf_size=147456,
>     pcm_type=pcm_int_type, aa=1, norm=1.52587891e-05) at lame.c:1891
> #4  0x0000000000459b40 in lame_encode_buffer_int (gfp=0x737230,
> pcm_l=0x7ffffff0c3d0, pcm_r=0x7ffffff0d5d0, nsamples=576,
> mp3buf=0x7ffffff0e800 "\377\343\070D", mp3buf_size=147456)
>     at lame.c:1963
> #5  0x000000000040508e in lame_encoder_loop (gf=0x737230,
> outf=0x74ffd0, nogap=0, inPath=0x7fffffffafe0 "lame_bug2.wav",
> outPath=0x7fffffffbff0 "lame_bug2.mp3") at lame_main.c:462
> #6  0x0000000000405b59 in lame_encoder (gf=0x737230, outf=0x74ffd0,
> nogap=0, inPath=0x7fffffffafe0 "lame_bug2.wav", outPath=0x7fffffffbff0
> "lame_bug2.mp3") at lame_main.c:531
> #7  0x0000000000407167 in lame_main (gf=0x737230, argc=2,
> argv=0x7fffffffe148) at lame_main.c:707


Thanks,

--
-- Joshua Rogers <https://internot.info/>


------------------------------------------------------------------------------

_______________________________________________
Lame-dev mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/lame-dev

Re: Multiple bugs/vulns(?)

bouvigne
On 2014-11-07 11:32, Joshua Rogers wrote:
> ----
>
> Bug 2: (Looks like a divide-by-zero bug)
> Per the vulnerable file: https://internot.info/docs/lame_bug2.wav
> ---
>
> Bug 3:
> (looks like off-by-one vuln)
> Per the vulnerable file: https://internot.info/docs/lame_bug2.wav

Thank you.

Are there some specific args to be used to trigger bugs 2 and 3?

Regards,

--
Gabriel Bouvigne


Re: Multiple bugs/vulns(?)

Joshua Rogers
On 07/11/14 22:26, [hidden email] wrote:
> Are there some specific args to be used to trigger bugs 2 and 3?
Yep, my bad.

Both are -w file. (e.g: '-w file.wav file.mp3')


Thanks,
-- Joshua Rogers <https://internot.info/>




Re: Multiple bugs/vulns(?)

Robert Hegemann
Hello Joshua,

did you try with versions 3.99.5 and/or 3.100? Are the bugs still in
those current versions?


Am 07.11.2014, 12:28 Uhr, schrieb Joshua Rogers <[hidden email]>:

> On 07/11/14 22:26, [hidden email] wrote:
>> Are there some specific args to be used to trigger bugs 2 and 3?
> Yep, my bad.
>
> Both are -w file. (e.g: '-w file.wav file.mp3')
>
>
> Thanks,
> -- Joshua Rogers <https://internot.info/>


Ciao Robert


Re: Multiple bugs/vulns(?)

Joshua Rogers
Let me correct myself, sorry.
I did *not* use any flags. -w is in mpg123, not LAME.

> ~/srcs/lame-3.99.5/frontend # ./lame lame_bug2.wav lol.mp3
> LAME 3.99.5 64bits (http://lame.sf.net)
> Resampling:  input -2.14744e+06 kHz  output 8 kHz
> Using polyphase lowpass filter, transition band:  3903 Hz -  4000 Hz
> Encoding lame_bug2.wav to lol.mp3
> Encoding as 8 kHz j-stereo MPEG-2.5 Layer III (10.7x)  24 kbps qval=3
>     Frame          |  CPU time/estim | REAL time/estim | play/CPU |  
> ETA
>      0/       ( 0%)|    0:00/     :  |    0:00/     :  |        
> x|     :  
> 00:03----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>    kbps      %     %
>     0.0           Segmentation fault (core dumped)

Using 3.99.5, the second and third bugs still exist.

The reason I was using lame-3.99.3+repack1 before, was because that is
what is provided in Ubuntu 12.04. Perhaps an updated version should be
pushed to Ubuntu?

Anyways, if you could link me to 3.100, I'll try that too. I can't find it.


Thanks,
-- Joshua Rogers <https://internot.info/>
On 08/11/14 01:58, Robert Hegemann wrote:

> Hello Joshua,
>
> did you try with versions 3.99.5 and/or 3.100? Are the bugs still in
> those current versions?
>
>
> Am 07.11.2014, 12:28 Uhr, schrieb Joshua Rogers <[hidden email]>:
>
>> On 07/11/14 22:26, [hidden email] wrote:
>>> Are there some specific args to be used to trigger bugs 2 and 3?
>> Yep, my bad.
>>
>> Both are -w file. (e.g: '-w file.wav file.mp3')
>>
>>
>> Thanks,
>> -- Joshua Rogers <https://internot.info/>
>
>
> Ciao Robert
>


Re: Multiple bugs/vulns(?)

Robert Hegemann
Am 07.11.2014, 16:06 Uhr, schrieb Joshua Rogers <[hidden email]>:

> Anyways, if you could link me to 3.100, I'll try that too. I can't find  
> it.

You can get sources for lame version 3.100 here:

http://lame.cvs.sourceforge.net/viewvc/lame/lame/?view=tar

Ciao Robert

Re: Multiple bugs/vulns(?)

Joshua Rogers
On 08/11/14 02:19, Robert Hegemann wrote:
>
> You can get sources for lame version 3.100 here:
>
> http://lame.cvs.sourceforge.net/viewvc/lame/lame/?view=tar
>
Both bugs still present.

But, different file lines in the files(of course):

Per bug 1:

> Program received signal SIGFPE, Arithmetic exception.
> 0x0000000000406e74 in parse_wave_header (gfp=0x69c230, sf=0x6b5960) at
> get_audio.c:1468
> 1468                (void) lame_set_num_samples(gfp, data_length /
> (channels * ((bits_per_sample + 7) / 8)));
> (gdb) bt
> #0  0x0000000000406e74 in parse_wave_header (gfp=0x69c230,
> sf=0x6b5960) at get_audio.c:1468
> #1  0x00000000004074f7 in parse_file_header (gfp=0x69c230,
> sf=0x6b5960) at get_audio.c:1697
> #2  0x0000000000407875 in open_wave_file (gfp=0x69c230,
> inPath=0x7fffffffafe0 "lame_bug1.wav", enc_delay=0x7ffffff32828,
> enc_padding=0x7ffffff3282c) at get_audio.c:1809
> #3  0x0000000000405a8d in init_infile (gfp=0x69c230,
> inPath=0x7fffffffafe0 "lame_bug1.wav") at get_audio.c:622
> #4  0x0000000000401d91 in init_files (gf=0x69c230,
> inPath=0x7fffffffafe0 "lame_bug1.wav", outPath=0x7fffffffbff0
> "lol.mp3") at lame_main.c:116
> #5  0x00000000004033aa in lame_main (gf=0x69c230, argc=3,
> argv=0x7fffffffe148) at lame_main.c:636
> #6  0x00000000004036d0 in c_main (argc=3, argv=0x7fffffffe148) at
> main.c:470
> #7  0x000000000040367d in main (argc=3, argv=0x7fffffffe148) at main.c:438

Per bug 2:

> Program received signal SIGSEGV, Segmentation fault.
> 0x0000000000431782 in fill_buffer_resample (gfc=0x69f3c0,
> outbuf=0x6ad210, desired_len=576, inbuf=0x6b9fd0, len=576,
> num_used=0x7ffffff0c2b8, ch=0) at util.c:607
> 607                 y = (j2 < 0) ? inbuf_old[BLACKSIZE + j2] : inbuf[j2];
> (gdb) bt
> #0  0x0000000000431782 in fill_buffer_resample (gfc=0x69f3c0,
> outbuf=0x6ad210, desired_len=576, inbuf=0x6b9fd0, len=576,
> num_used=0x7ffffff0c2b8, ch=0) at util.c:607
> #1  0x0000000000431a99 in fill_buffer (gfc=0x69f3c0,
> mfbuf=0x7ffffff0c270, in_buffer=0x7ffffff0c290, nsamples=576,
> n_in=0x7ffffff0c2b8, n_out=0x7ffffff0c2bc) at util.c:677
> #2  0x000000000041d6f9 in lame_encode_buffer_sample_t (gfc=0x69f3c0,
> nsamples=576, mp3buf=0x7ffffff0e8e8 "", mp3buf_size=147456) at lame.c:1707
> #3  0x000000000041e044 in lame_encode_buffer_template (gfp=0x69c230,
> buffer_l=0x7ffffff0c3d0, buffer_r=0x7ffffff0d5d0, nsamples=576,
> mp3buf=0x7ffffff0e810 "\377\343\070D", mp3buf_size=147456,
> pcm_type=pcm_int_type, aa=1,
>     norm=1.52587891e-05) at lame.c:1862
> #4  0x000000000041e2e5 in lame_encode_buffer_int (gfp=0x69c230,
> pcm_l=0x7ffffff0c3d0, pcm_r=0x7ffffff0d5d0, nsamples=576,
> mp3buf=0x7ffffff0e810 "\377\343\070D", mp3buf_size=147456) at lame.c:1934
> #5  0x0000000000402a36 in lame_encoder_loop (gf=0x69c230,
> outf=0x6b5ba0, nogap=0, inPath=0x7fffffffafe0 "lame_bug2.wav",
> outPath=0x7fffffffbff0 "lol.mp3") at lame_main.c:429
> #6  0x0000000000402cf9 in lame_encoder (gf=0x69c230, outf=0x6b5ba0,
> nogap=0, inPath=0x7fffffffafe0 "lame_bug2.wav", outPath=0x7fffffffbff0
> "lol.mp3") at lame_main.c:498
> #7  0x00000000004034b8 in lame_main (gf=0x69c230, argc=3,
> argv=0x7fffffffe148) at lame_main.c:669
> #8  0x00000000004036d0 in c_main (argc=3, argv=0x7fffffffe148) at
> main.c:470
> #9  0x000000000040367d in main (argc=3, argv=0x7fffffffe148) at main.c:438


Hope that helps.

Thanks,

--
-- Joshua Rogers <https://internot.info/>



Re: Multiple bugs/vulns(?)

Joshua Rogers
I just took a look, which I probably should have done from the start.
It seems that this is due to not checking 'j2', to see whether it is an
appropriate number.


With the code:

y = (j2 < 0) ? inbuf_old[BLACKSIZE + j2] : inbuf[j2];

> (gdb) p BLACKSIZE
> $2 = 32
> (gdb) p j2
> $3 = -268445
Since '-268445 < 0' is true, it will set ' y = inbuf_old[BLACKSIZE + j2]'.
y = inbuf_old[-268413] is going to cause problems.



Just my 2-cents on the matter anyways. I don't really understand the code.


Thanks,
--
-- Joshua Rogers <https://internot.info/>



Re: Multiple bugs/vulns(?)

Joshua Rogers
On 08/11/14 02:48, Joshua Rogers wrote:

> With the code:
>
> y = (j2 < 0) ? inbuf_old[BLACKSIZE + j2] : inbuf[j2];
>
>> (gdb) p BLACKSIZE
>> $2 = 32
>> (gdb) p j2
>> $3 = -268445
> Since '-268445 < 0' is true, it will set ' y = inbuf_old[BLACKSIZE + j2]'.
> y = inbuf_old[-268413] is going to cause problems.
>
>
Offending code variable is: cfg->samplerate_in

> (gdb) p j
> $2 = -268430
> (gdb) p i
> $3 = 0
> (gdb) p filter_l
> $4 = 31
> (gdb) p time0
> $5 = -268429.94349999999
> (gdb) p k
> $6 = 1
> (gdb) p resample_ratio
> $7 = -268429.94349999999
> (gdb) p cfg->samplerate_in
> $8 = -2147439548
> (gdb) p cfg->samplerate_out
> $9 = 8000
Arbitrary samplerate = buffer/int overflow, it would appear.
I won't look any further at this, just in case I'm heading down the wrong
track.


Thanks again,
--
-- Joshua Rogers <https://internot.info/>



Re: Multiple bugs/vulns(?)

Robert Hegemann

Here my quick findings about your problem samples:

lame_bug1.wav -> bits_per_sample is 0 !

=> lame should do sanity check and reject this file with:
"unsupported bits per sample: 0"

lame_bug2.wav -> samples_per_sec is 0x8000ac44

=> looks like junk crept into the sign bit, if we ignore the upper
16 bits, it looks like writing application meant typical 44.1 kHz.
Anyway, lame should do sanity check and reject this file with:
"unsupported sample rate: 0x8000ac44"

Ciao Robert


Re: Multiple bugs/vulns(?)

Joshua Rogers
On 08/11/14 03:18, Robert Hegemann wrote:
>
> => looks like junk crept into the sign bit, if we ignore the upper
> 16 bits, it looks like writing application meant typical 44.1 kHz.
> Anyway, lame should do sanity check and reject this file with:
> "unsupported sample rate: 0x8000ac44"
Perhaps a check should also be put in place, where if (samplerate_in <
1) then exit, since it seems that it actually overflows ($18 = -2147439548).
2147483647 (max int) - 2147439548 = 44099.


Thanks for the analysis, too.


Thanks,
--
-- Joshua Rogers <https://internot.info/>
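The header sanity checks Robert describes above (bits_per_sample of 0, a sample rate with the sign bit set) and the signed-int overflow Joshua points out, as an added example that is not LAME's code: the function names, the 16-byte PCM "fmt " chunk layout it reads, and the three constructed headers are assumptions of this example.

```c
/* Added example, not LAME's code: sanity checks for the two header fields the
 * thread blames (bits_per_sample == 0, samples_per_sec with the sign bit set)
 * before the division in parse_wave_header. Function names and the 16-byte PCM
 * "fmt " chunk layout (channels at +2, rate at +4, bits at +14) are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
static uint32_t rd_u32le(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd_u16le(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* The header rate once stored in a signed int: the gdb dump in the thread
 * shows cfg->samplerate_in = -2147439548 for 0x8000ac44. */
int32_t samplerate_as_int(const unsigned char *fmt) {
    uint32_t u = rd_u32le(fmt + 4);
    int32_t v;
    memcpy(&v, &u, sizeof v);        /* well-defined bit reinterpretation */
    return v;
}

/* Returns data_length / (channels * bytes_per_sample), or -1 with a message in
 * err when the header must be rejected instead of reaching that division. */
long checked_num_samples(const unsigned char *fmt, uint32_t data_length, char *err, size_t errlen) {
    uint16_t channels = rd_u16le(fmt + 2);
    uint32_t samples_per_sec = rd_u32le(fmt + 4);
    uint16_t bits_per_sample = rd_u16le(fmt + 14);
    if (channels == 0 || channels > 2) {                  /* zero divisor too */
        snprintf(err, errlen, "unsupported channels: %u", (unsigned)channels);
        return -1;
    }
    if (bits_per_sample == 0 || bits_per_sample > 32) {   /* lame_bug1.wav */
        snprintf(err, errlen, "unsupported bits per sample: %u", (unsigned)bits_per_sample);
        return -1;
    }
    /* Sign bit set turns negative as an int, which is what pushed the resampler
     * index j2 far below zero (lame_bug2.wav); a real encoder would cap lower. */
    if (samples_per_sec == 0 || samples_per_sec > (uint32_t)INT32_MAX) {
        snprintf(err, errlen, "unsupported sample rate: 0x%08lx", (unsigned long)samples_per_sec);
        return -1;
    }
    return (long)(data_length / (channels * ((bits_per_sample + 7) / 8)));
}
/* Constructed fmt bodies: normal 44.1 kHz/16-bit/stereo, bits_per_sample = 0,
 * and the 0x8000ac44 rate from the thread. */
const unsigned char FMT_OK[16]      = {1,0, 2,0, 0x44,0xAC,0,0,    0x10,0xB1,2,0, 4,0, 16,0};
const unsigned char FMT_BPS0[16]    = {1,0, 2,0, 0x44,0xAC,0,0,    0x10,0xB1,2,0, 4,0,  0,0};
const unsigned char FMT_BADRATE[16] = {1,0, 2,0, 0x44,0xAC,0,0x80, 0x10,0xB1,2,0, 4,0, 16,0};
```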

