Multiple vulnerabilities/bugs


Multiple vulnerabilities/bugs

Joshua Rogers
> # ./lame --version
> LAME 64bits version 3.99.3 (http://lame.sf.net)
>
> # ./lame nonexistant
> Segmentation fault

'nonexistant' does not exist.

gdb backtrace:

> #0  0x000000000041e090 in local_strcasecmp (s1=0x7fffffffb01b "",
> s2=0x15 <Address 0x15 out of bounds>) at parse.c:1086
> #1  0x000000000041fa16 in isCommonSuffix (s_ext=0x7fffffffb01b "") at
> parse.c:1263
> #2  0x000000000042044a in generateOutPath (gfp=0x737230,
> inPath=0x7fffffffb010 "nonexistant", outDir=0x7ffffff32480 "",
> outPath=0x7fffffffc020 "nonexistant") at parse.c:1326
> #3  0x00000000004289e4 in parse_args (gfp=0x737230, argc=2,
> argv=0x7fffffffe178, inPath=0x7fffffffb010 "nonexistant",
> outPath=0x7fffffffc020 "nonexistant", nogap_inPath=0x7fffffffa9a0,
>     num_nogap=0x7fffffffaffc) at parse.c:2343
> #4  0x0000000000406a68 in lame_main (gf=0x737230, argc=2,
> argv=0x7fffffffe178) at lame_main.c:653



----

Bug 2:
Per the vulnerable file: https://internot.info/docs/lame_bug2.wav


gdb backtrace:

> Program received signal SIGFPE, Arithmetic exception.
> 0x0000000000413528 in parse_wave_header (gfp=0x737230, sf=0x74fd90) at
> get_audio.c:1450
> 1450            (void) lame_set_num_samples(gfp, data_length /
> (channels * ((bits_per_sample + 7) / 8)));
> (gdb) bt
> #0  0x0000000000413528 in parse_wave_header (gfp=0x737230,
> sf=0x74fd90) at get_audio.c:1450
> #1  0x0000000000414d83 in parse_file_header (gfp=0x737230,
> sf=0x74fd90) at get_audio.c:1679
> #2  0x00000000004156eb in open_wave_file (gfp=0x737230,
> inPath=0x7fffffffafe0 "lame_bug1.wav") at get_audio.c:1750
> #3  0x000000000040e923 in init_infile (gfp=0x737230,
> inPath=0x7fffffffafe0 "lame_bug1.wav") at get_audio.c:616
> #4  0x000000000040252b in init_files (gf=0x737230,
> inPath=0x7fffffffafe0 "lame_bug1.wav", outPath=0x7fffffffbff0
> "lame_bug1.mp3") at lame_main.c:151
> #5  0x0000000000406d80 in lame_main (gf=0x737230, argc=2,
> argv=0x7fffffffe148) at lame_main.c:674

---

Bug 3:

Per the vulnerable file: https://internot.info/docs/lame_bug2.wav


gdb backtrace:

> Program received signal SIGSEGV, Segmentation fault.
> 0x00000000004ab842 in fill_buffer_resample (gfc=0x73a3c0,
> outbuf=0x748170, desired_len=576, inbuf=0x754e10, len=576,
> num_used=0x7ffffff0c2b8, ch=0) at util.c:615
> 615                 y = (j2 < 0) ? inbuf_old[BLACKSIZE + j2] : inbuf[j2];
> (gdb) bt
> #0  0x00000000004ab842 in fill_buffer_resample (gfc=0x73a3c0,
> outbuf=0x748170, desired_len=576, inbuf=0x754e10, len=576,
> num_used=0x7ffffff0c2b8, ch=0) at util.c:615
> #1  0x00000000004ac236 in fill_buffer (gfc=0x73a3c0,
> mfbuf=0x7ffffff0c270, in_buffer=0x7ffffff0c290, nsamples=576,
> n_in=0x7ffffff0c2b8, n_out=0x7ffffff0c2bc) at util.c:685
> #2  0x0000000000457f13 in lame_encode_buffer_sample_t (gfc=0x73a3c0,
> nsamples=576, mp3buf=0x7ffffff0e8d8 "", mp3buf_size=147456) at lame.c:1736
> #3  0x0000000000459686 in lame_encode_buffer_template (gfp=0x737230,
> buffer_l=0x7ffffff0c3d0, buffer_r=0x7ffffff0d5d0, nsamples=576,
> mp3buf=0x7ffffff0e800 "\377\343\070D", mp3buf_size=147456,
>     pcm_type=pcm_int_type, aa=1, norm=1.52587891e-05) at lame.c:1891
> #4  0x0000000000459b40 in lame_encode_buffer_int (gfp=0x737230,
> pcm_l=0x7ffffff0c3d0, pcm_r=0x7ffffff0d5d0, nsamples=576,
> mp3buf=0x7ffffff0e800 "\377\343\070D", mp3buf_size=147456)
>     at lame.c:1963
> #5  0x000000000040508e in lame_encoder_loop (gf=0x737230,
> outf=0x74ffd0, nogap=0, inPath=0x7fffffffafe0 "lame_bug2.wav",
> outPath=0x7fffffffbff0 "lame_bug2.mp3") at lame_main.c:462
> #6  0x0000000000405b59 in lame_encoder (gf=0x737230, outf=0x74ffd0,
> nogap=0, inPath=0x7fffffffafe0 "lame_bug2.wav", outPath=0x7fffffffbff0
> "lame_bug2.mp3") at lame_main.c:531
> #7  0x0000000000407167 in lame_main (gf=0x737230, argc=2,
> argv=0x7fffffffe148) at lame_main.c:707



Thanks,
--
-- Joshua Rogers <https://internot.info/>


------------------------------------------------------------------------------

_______________________________________________
Lame-dev mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/lame-dev
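An added illustration of the Bug 2 crash site (get_audio.c:1450), written for this thread and not taken from LAME's sources: it parses a constructed PCM "fmt " chunk, shows the unchecked division from the backtrace (data_length divided by channels times bytes per sample) next to a guarded version that rejects a zero channel count or zero sample width before dividing, and so refuses the header instead of raising SIGFPE. The fmt-chunk field layout is the standard WAV one; the mono/stereo limit in the check is an assumption made for this example, as are the function names.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Fields of a PCM WAV "fmt " chunk (standard layout, little-endian on disk). */
typedef struct {
    uint16_t format_tag;
    uint16_t channels;
    uint32_t sample_rate;
    uint32_t byte_rate;
    uint16_t block_align;
    uint16_t bits_per_sample;
} wav_fmt;

static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse the 16-byte PCM fmt payload. Returns 0 on success, -1 if too short. */
int parse_fmt_chunk(const unsigned char *buf, size_t len, wav_fmt *out) {
    if (len < 16) return -1;
    out->format_tag      = rd16(buf);
    out->channels        = rd16(buf + 2);
    out->sample_rate     = rd32(buf + 4);
    out->byte_rate       = rd32(buf + 8);
    out->block_align     = rd16(buf + 12);
    out->bits_per_sample = rd16(buf + 14);
    return 0;
}

/* Unchecked form, the same expression as at get_audio.c:1450 in the backtrace:
 * a header carrying channels == 0 or bits_per_sample == 0 makes the divisor
 * zero and the process dies with SIGFPE. Kept only for comparison; never feed
 * it a header that has not been validated. */
long num_samples_unchecked(uint32_t data_length, const wav_fmt *f) {
    return (long)(data_length / (f->channels * ((f->bits_per_sample + 7) / 8)));
}

/* Hardened form: validate channel count and sample width first, so the divisor
 * is provably non-zero; partial trailing frames are dropped. Returns 0 and
 * writes *samples on success, -1 if the header is rejected. */
int num_samples_checked(uint32_t data_length, const wav_fmt *f, uint32_t *samples) {
    /* Assumption for this example: only mono or stereo input is accepted. */
    if (f->channels == 0 || f->channels > 2) return -1;
    if (f->bits_per_sample == 0 || f->bits_per_sample > 32 || (f->bits_per_sample % 8) != 0)
        return -1;
    uint32_t frame_bytes = (uint32_t)f->channels * (f->bits_per_sample / 8);
    *samples = data_length / frame_bytes;   /* frame_bytes >= 1 here */
    return 0;
}

int main(void) {
    /* Constructed 16-byte PCM fmt payload: tag=1, 2 channels, 44100 Hz,
     * byte_rate=176400, block_align=4, 16 bits per sample. */
    static const unsigned char good[16] = {1,0, 2,0, 0x44,0xAC,0,0, 0x10,0xB1,0x02,0, 4,0, 16,0};
    /* Same payload with the channel count zeroed (constructed, malformed). */
    static const unsigned char bad[16]  = {1,0, 0,0, 0x44,0xAC,0,0, 0x10,0xB1,0x02,0, 4,0, 16,0};
    wav_fmt f;
    uint32_t n;
    if (parse_fmt_chunk(good, sizeof good, &f) == 0 && num_samples_checked(1000, &f, &n) == 0)
        printf("good header: %u samples\n", (unsigned)n);
    if (parse_fmt_chunk(bad, sizeof bad, &f) == 0 && num_samples_checked(1000, &f, &n) != 0)
        printf("bad header rejected (channels=%u)\n", (unsigned)f.channels);
    return 0;
}
```

The point of the guarded version is that every value used as a divisor is range-checked against what the encoder can actually consume before the division happens; a fuzzed or truncated header then produces a clean rejection rather than an arithmetic exception.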

Re: Multiple vulnerabilities/bugs

Robert Hegemann
On 06.11.2014, 19:30, Joshua Rogers <[hidden email]> wrote:

> Bug 2:
> Per the vulnerable file: https://internot.info/docs/lame_bug2.wav

Sorry, but I can't reach your site:

The webpage at https://internot.info/docs/lame_bug2.wav might be
temporarily down or it may have moved permanently to a new web address.
Error code: ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Ciao Robert



Re: Multiple vulnerabilities/bugs

Joshua Rogers
On 08/11/14 02:26, Robert Hegemann wrote:
>
> The webpage at https://internot.info/docs/lame_bug2.wav might be
> temporarily down or it may have moved permanently to a new web address.
> Error code: ERR_SSL_VERSION_OR_CIPHER_MISMATCH
That's very strange.
Perhaps it's because I'm using Cloudflare's free SSL.

Use http://nes-wiki.org/docs/lame_bug2.wav and
http://nes-wiki.org/docs/lame_bug1.wav instead.

Thanks,
--
-- Joshua Rogers <https://internot.info/>

