heap-buffer-overflow in mpg123 at src/libmpg123/synth_mono.h:39
Brought to you by: sobukus
Hello,
We are currently working on fuzz testing features, and we found a heap-buffer-overflow error in mpg123.
The stack trace is as follows:
==29456==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6140000003ce at pc 0x7fbdd30dcb57 bp 0x7ffeba507e10 sp 0x7ffeba507e00
WRITE of size 2 at 0x6140000003ce thread T0
    #0 0x7fbdd30dcb56 in INT123_synth_2to1_mono src/libmpg123/synth_mono.h:39
    #1 0x7fbdd30acef7 in INT123_do_layer2 src/libmpg123/layer2.c:371
    #2 0x7fbdd309cd19 in decode_the_frame src/libmpg123/libmpg123.c:828
    #3 0x7fbdd309d86b in mpg123_decode_frame src/libmpg123/libmpg123.c:972
    #4 0x560f4215647a in play_frame src/mpg123.c:806
    #5 0x560f42159b99 in main src/mpg123.c:1495
The full stack trace is attached.
Steps to reproduce
We configured mpg123 using
CFLAGS="-g -O0 -fsanitize=address" CXXFLAGS="-g -O0 -fsanitize=address" ./configure --prefix=$(pwd)/
and built it using
make -j10
and then ran it with:
./mpg123 --smooth --listentry -z -w l --quiet --index --4to1 -2 -q --fifo --outfile <attached file>
The input file is attached.
Environment
- OS: Ubuntu 18.04.5 LTS
- GCC version: gcc 7.5.0
- mpg123 version: mpg123 1.29.0
Thank you.
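To turn sanitizer reports like the one above into a triage record (error kind, access type and size, innermost source frame, a dedup key for a fuzzing corpus), here is an added Python parser; it is not part of this ticket or of mpg123, and the embedded sample is the ticket's own trace reflowed one frame per line. It also accepts the flattened single-line form produced by copy-paste.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the ASan report from this ticket, reflowed one frame per
# line as ASan itself prints it. The parser also accepts the flattened form.
SAMPLE_REPORT = """\
==29456==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6140000003ce at pc 0x7fbdd30dcb57 bp 0x7ffeba507e10 sp 0x7ffeba507e00
WRITE of size 2 at 0x6140000003ce thread T0
    #0 0x7fbdd30dcb56 in INT123_synth_2to1_mono src/libmpg123/synth_mono.h:39
    #1 0x7fbdd30acef7 in INT123_do_layer2 src/libmpg123/layer2.c:371
    #2 0x7fbdd309cd19 in decode_the_frame src/libmpg123/libmpg123.c:828
    #3 0x7fbdd309d86b in mpg123_decode_frame src/libmpg123/libmpg123.c:972
    #4 0x560f4215647a in play_frame src/mpg123.c:806
    #5 0x560f42159b99 in main src/mpg123.c:1495
"""

HEADER_RE = re.compile(r"==(\d+)==ERROR: AddressSanitizer: ([\w-]+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"\b(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)")
FRAME_RE = re.compile(r"#(\d+) 0x[0-9a-f]+ in (\S+) (\S+?):(\d+)")

@dataclass
class AsanTriage:
    pid: int
    kind: str            # e.g. heap-buffer-overflow
    access: str          # READ, WRITE, or "?" when ASan prints no access line
    size: int            # bytes accessed out of bounds
    frames: list = field(default_factory=list)  # (function, file, line), innermost first

    def key(self):
        """Stable dedup key for a fuzzing corpus: error kind + innermost source location."""
        if not self.frames:
            return f"{self.kind}:<no-frame>"
        fn, path, line = self.frames[0]
        return f"{self.kind}:{fn}:{path}:{line}"

    def priority(self):
        """Coarse triage rank: an out-of-bounds heap write outranks a read."""
        if self.kind == "heap-buffer-overflow" and self.access == "WRITE":
            return "high"
        return "medium" if self.access == "READ" else "unknown"

def parse_asan(report):
    """Build an AsanTriage from raw sanitizer stderr; ValueError if no ASan error is present."""
    h = HEADER_RE.search(report)
    if h is None:
        raise ValueError("no AddressSanitizer error header found")
    a = ACCESS_RE.search(report)
    frames = [(m.group(2), m.group(3), int(m.group(4))) for m in FRAME_RE.finditer(report)]
    return AsanTriage(int(h.group(1)), h.group(2), a.group(1) if a else "?", int(a.group(2)) if a else 0, frames)
```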
Interesting approach … you find stuff where oss-fuzz didn't anymore. The minimal command line is
The combination of index and the 2to1 downsampling triggers the issue.
OK, I diagnosed and fixed a failure to check for decoder sanity on multiple levels. The combination of forced downsampling and indexing managed to make that fatal.
Can you confirm the fix? There's a new https://mpg123.org/snapshot for your convenience.
I have tried reproducing the crash on the snapshot you gave me and the crash disappeared.
Thanks for confirming and fixing the bug.
Nice. I'll wait a moment for your next find. Then, a 1.29.1 release should follow soon.