fuzzing lame


fuzzing lame

Henri Salo
Hi,

I found lots of crashes when testing lame using a fuzzer. Who is the correct
person to coordinate these or should I just file bugs to http://sourceforge.net
bug tracker? Some of these might have security implications.

--
Henri Salo

_______________________________________________
Lame-dev mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/lame-dev

Re: fuzzing lame

Alexander Leidinger
On Sat, 14 Feb 2015 12:01:52 +0200
Henri Salo <[hidden email]> wrote:

> Hi,
>
> I found lots of crashes when testing lame using a fuzzer. Who is the
> correct person to coordinate these or should I just file bugs to
> http://sourceforge.net bug tracker? Some of these might have security
> implications.

In general:
 - security issues should be handled in a secure way
 - we are low on active members
 - we don't really have a security contact


Based upon this, my personal point of view:
 - lame is not a player and as such has less of such a target audience
 - we haven't announced it explicitly, but we never did a security
   audit of the code, as such I wouldn't be surprised if there are
   issues in this regard, and anyone with just a little bit of security
   background will see this when reading the commit logs
 - I would assume it is less common that someone downloads something
   from an untrusted source and re-encodes it, than someone creates
   original content and produces an MP3 or someone rips a CD and
   generates an MP3 for personal use
 - yes, I'm aware now with CC licensed music the chance that someone
   downloads something from an untrusted source and uses it to create
   his own content he then feeds to lame is higher than years ago, but
   I would expect that the decoding happens in some other code

As such I'm inclined to say that normal bug reports are enough... but
only as we are low on active people (me included).

For the MP3 decoding part it also depends where the problems are, maybe
it would be better to spend time to update the decoding part from
upstream, than to fix existing problems. But again, we're low on active
people...

For problems in the WAV input path we surely should fix problems. My
expectation here is that WAVs are more used with original content from
trusted sources, than something coming from an untrusted stranger.

So while there may be security implications, we don't have the
man-power to handle them like they shall be handled, and as such we
don't have other options left than to add them as normal bug reports.

Bye,
Alexander.

--
http://www.Leidinger.net [hidden email]: PGP 0xC773696B3BAC17DC
http://www.FreeBSD.org    [hidden email]  : PGP 0xC773696B3BAC17DC


Re: fuzzing lame

Thomas Orgis
On Fri, 20 Feb 2015 16:55:14 +0100
Alexander Leidinger <[hidden email]> wrote:

> For the MP3 decoding part it also depends where the problems are, maybe
> it would be better to spend time to update the decoding part from
> upstream, than to fix existing problems. But again, we're low on active
> people...

I have a hard time imagining crashing lame via fuzzed PCM data (you did
test with random noise, right?;-), so would assume the MP3 input part,
too.

There were some crashes discovered in mpg123 in 2009 via fuzzed input
and fixed since then. It's possible that those very same issues are
present in the mpglib in lame. In case the very same samples still
manage to crash mpg123, too, I'd be interested, too, of course.

Regarding updating the decoder part with current mpg123: AFAIR, there
is still that interfacing for the frame analyzer (?) missing. I guess I
need to get up and dig into the Lame code for that.


Alrighty then,

Thomas


Re: fuzzing lame

Rogério Brito
In reply to this post by Henri Salo
Hi, Henri and others.

Do you have patches?

I hate using CVS (I always have to relearn the commands---if we had
been using git, then I would almost instantly apply the patches) and
given that I just committed one bugfix, if you have something in hand
while the commands are still fresh in my mind, I may apply them soon.

For the record, the patch that I just applied was related to having
sample rates of 0.


Regards,

Rogério Brito.

--
Rogério Brito : rbrito@{ime.usp.br,gmail.com} : GPG key 4096R/BCFCAAAA
http://cynic.cc/blog/ : github.com/rbrito : profiles.google.com/rbrito
DebianQA: http://qa.debian.org/developer.php?login=rbrito%40ime.usp.br
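As an added example, not LAME's own code and not the patch Rogério refers to: a stand-alone check of the canonical 44-byte PCM WAV header that rejects a zero sample rate and inconsistent derived fields before any resampling or buffer arithmetic depends on them. The field offsets are the standard RIFF/WAVE layout; the status names, the two-channel limit, and the header builder used to construct test input are this example's own assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed example, not LAME's get_audio.c: validate the standard
 * 44-byte PCM WAV header up front. A sample_rate of 0 (the case the
 * patch in this thread addressed) or a block_align/byte_rate that does
 * not match channels and bits would otherwise reach code that divides
 * by or sizes buffers from those fields. */

enum wav_status {
    WAV_OK = 0,
    WAV_TOO_SHORT,        /* fewer than 44 bytes available */
    WAV_BAD_MAGIC,        /* RIFF / WAVE / "fmt " tags missing */
    WAV_BAD_FORMAT_TAG,   /* not integer PCM (format tag 1) */
    WAV_ZERO_SAMPLE_RATE, /* sample rate field is 0 */
    WAV_BAD_CHANNELS,     /* 0 channels, or more than this example accepts */
    WAV_BAD_BITS,         /* bits per sample not 8/16/24/32 */
    WAV_INCONSISTENT      /* derived fields disagree with the basic ones */
};

struct wav_fmt {
    uint16_t format_tag, channels, block_align, bits_per_sample;
    uint32_t sample_rate, byte_rate;
};

/* WAV fields are little-endian regardless of host byte order. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = v >> 24;
}

enum wav_status wav_validate(const uint8_t *buf, size_t len, struct wav_fmt *out)
{
    struct wav_fmt f;
    uint32_t expect_align;

    if (len < 44)
        return WAV_TOO_SHORT;
    if (memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "WAVE", 4) != 0 ||
        memcmp(buf + 12, "fmt ", 4) != 0)
        return WAV_BAD_MAGIC;

    f.format_tag      = rd16(buf + 20);
    f.channels        = rd16(buf + 22);
    f.sample_rate     = rd32(buf + 24);
    f.byte_rate       = rd32(buf + 28);
    f.block_align     = rd16(buf + 32);
    f.bits_per_sample = rd16(buf + 34);

    if (f.format_tag != 1)
        return WAV_BAD_FORMAT_TAG;
    if (f.sample_rate == 0)
        return WAV_ZERO_SAMPLE_RATE;
    if (f.channels == 0 || f.channels > 2)
        return WAV_BAD_CHANNELS;
    if (f.bits_per_sample != 8 && f.bits_per_sample != 16 &&
        f.bits_per_sample != 24 && f.bits_per_sample != 32)
        return WAV_BAD_BITS;

    /* block_align and byte_rate are derivable; a mismatch means later
     * frame-size arithmetic would be wrong, so refuse rather than guess.
     * The product is formed in 64 bits so a huge sample_rate cannot wrap. */
    expect_align = (uint32_t)f.channels * (f.bits_per_sample / 8u);
    if (f.block_align != expect_align)
        return WAV_INCONSISTENT;
    if ((uint64_t)f.byte_rate != (uint64_t)f.sample_rate * expect_align)
        return WAV_INCONSISTENT;

    if (out)
        *out = f;
    return WAV_OK;
}

/* Builds a constructed 44-byte PCM header with no sample data, for test
 * input only; it deliberately does not validate, so bad values can be made. */
void wav_build_header(uint8_t h[44], uint16_t channels, uint32_t rate, uint16_t bits)
{
    uint16_t align = (uint16_t)(channels * (bits / 8));
    memcpy(h, "RIFF", 4);      wr32(h + 4, 36);       /* RIFF size: header only */
    memcpy(h + 8, "WAVE", 4);
    memcpy(h + 12, "fmt ", 4); wr32(h + 16, 16);      /* fmt chunk length */
    wr16(h + 20, 1);           wr16(h + 22, channels);
    wr32(h + 24, rate);        wr32(h + 28, rate * align);
    wr16(h + 32, align);       wr16(h + 34, bits);
    memcpy(h + 36, "data", 4); wr32(h + 40, 0);
}

int main(void)
{
    uint8_t h[44];
    wav_build_header(h, 2, 44100, 16);
    printf("44.1 kHz stereo: status %d\n", wav_validate(h, sizeof h, NULL));
    wav_build_header(h, 2, 0, 16);                   /* the sample-rate-0 header */
    printf("sample_rate 0:   status %d\n", wav_validate(h, sizeof h, NULL));
    return 0;
}
```

The point of checking the derived fields as well as the zero case is that a header whose block_align disagrees with channels and bits is just as capable of misdirecting later buffer arithmetic as a zero sample rate; refusing the file at the header is cheaper and safer than discovering the mismatch inside the resampler.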


Re: fuzzing lame

Henri Salo
On Sat, Feb 21, 2015 at 08:42:13PM -0200, Rogério Brito wrote:
> Do you have patches?

Please see:

fill_buffer_resample segmentation fault
https://bugs.debian.org/778529

segmentation fault at get_audio.c:865
https://bugs.debian.org/778703

--
Henri Salo


Re: fuzzing lame

Rogério Brito
Hi, Henri.

On Sat, Feb 21, 2015 at 8:47 PM, Henri Salo <[hidden email]> wrote:

> On Sat, Feb 21, 2015 at 08:42:13PM -0200, Rogério Brito wrote:
>> Do you have patches?
>
> Please see:
>
> fill_buffer_resample segmentation fault
> https://bugs.debian.org/778529
>
> segmentation fault at get_audio.c:865
> https://bugs.debian.org/778703

Great.

I may take a look at those tomorrow, since I am super tired today (and
I almost committed something that was obviously incorrect in an
unrelated change).

Please, ping me if you don't see the changes appearing in my github
repository in the next week:

    https://github.com/rbrito/lame

Of course, the canonical repository is (still)
<http://lame.cvs.sf.net/viewvc/lame/lame/>.


Thanks,

--
Rogério Brito : rbrito@{ime.usp.br,gmail.com} : GPG key 4096R/BCFCAAAA
http://cynic.cc/blog/ : github.com/rbrito : profiles.google.com/rbrito
DebianQA: http://qa.debian.org/developer.php?login=rbrito%40ime.usp.br


Re: fuzzing lame

Alexander Leidinger
In reply to this post by Rogério Brito
On Sat, 21 Feb 2015 20:42:13 -0200
Rogério Brito <[hidden email]> wrote:

> Hi, Henri and others.
>
> Do you have patches?
>
> I hate using CVS (I have always to relearn the commands---if we had
> been using git, then I would almost instantly apply the patches) and

I would not object to switch to moving to GIT, if someone else does the
work (well, should be not so hard with the webinterface of SF), and
provides some copy&paste-able GIT HOWTO for "checkout with git from the
new location as an SF-lame-write-access user", "update with git as
SF-user", "commit with GIT to LAME repo as SF-user".

Bye,
Alexander.

--
http://www.Leidinger.net [hidden email]: PGP 0xC773696B3BAC17DC
http://www.FreeBSD.org    [hidden email]  : PGP 0xC773696B3BAC17DC
