Debian Bug report logs - #775959
lame: invalid sample rate -> segmentation fault
Reported by: Jakub Wilk <[email protected]>
Date: Wed, 21 Jan 2015 23:09:01 UTC
Severity: normal
Tags: security
Found in version lame/3.99.5+repack1-5
Fixed in versions lame/3.99.5+repack1-6, lame/3.99.5+repack1-3+deb7u1
Done: Fabian Greffrath <[email protected]>
Bug is archived. No further changes may be made.
Message #3 received at [email protected]:
Package: lame
Version: 3.99.5+repack1-5
Usertags: afl
lame crashes while trying to compress the attached WAV file, which
apparently has a bogus sample rate:
$ lame crash.wav
LAME 3.99.5 32bits (http://lame.sf.net)
CPU features: MMX (ASM used), 3DNow! (ASM used), SSE (ASM used), SSE2
Resampling: input -2.14748e+06 kHz output 8 kHz
Using polyphase lowpass filter, transition band: 3000 Hz - 3097 Hz
Encoding crash.wav to crash.mp3
Encoding as 8 kHz single-ch MPEG-2.5 Layer III (16x) 8 kbps qval=3
Frame | CPU time/estim | REAL time/estim | play/CPU | ETA
0/ ( 0%)| 0:00/ : | 0:00/ : | x|
:
00:00------------------------------------------------------------------
kbps % %
0.0 Segmentation fault
This bug was found using American fuzzy lop:
https://packages.debian.org/experimental/afl
Disclaimer: I don't have spare CPU cycles, so I fuzzed only till the
first crash (which took a few seconds). It's likely that extensive
fuzzing would uncover more interesting crashers. I'd encourage LAME
maintainers to perform fuzzing with AFL on their own. :-)
-- System Information:
Debian Release: 8.0
APT prefers unstable
APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64
Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)
Versions of packages lame depends on:
ii libc6 2.19-13
ii libmp3lame0 3.99.5+repack1-5
ii libncurses5 5.9+20140913-1+b1
ii libtinfo5 5.9+20140913-1+b1
--
Jakub Wilk
[crash.wav (audio/x-wav, attachment)]
Message #8 received at [email protected]:
Need to check for input sample rate.
[0001-Add-check-for-invalid-input-sample-rate.patch (application/x-patch, attachment)]
Message #13 received at [email protected]:
Hi Rogerio,
would you apply the attached patch, courtesy of Maks Naumov, to LAME
upstream?
Thanks!
Cheers,
Fabian
On Thursday, 22.01.2015, 00:05 +0100, Jakub Wilk wrote:
> Package: lame
> Version: 3.99.5+repack1-5
> Usertags: afl
>
> lame crashes while trying to compress the attached WAV file, which
> apparently has a bogus sample rate:
>
> $ lame crash.wav
> LAME 3.99.5 32bits (http://lame.sf.net)
> CPU features: MMX (ASM used), 3DNow! (ASM used), SSE (ASM used), SSE2
> Resampling: input -2.14748e+06 kHz output 8 kHz
> Using polyphase lowpass filter, transition band: 3000 Hz - 3097 Hz
> Encoding crash.wav to crash.mp3
> Encoding as 8 kHz single-ch MPEG-2.5 Layer III (16x) 8 kbps qval=3
> Frame | CPU time/estim | REAL time/estim | play/CPU | ETA
> 0/ ( 0%)| 0:00/ : | 0:00/ : | x|
> :
> 00:00------------------------------------------------------------------
> kbps % %
> 0.0 Segmentation fault
>
>
> This bug was found using American fuzzy lop:
> https://packages.debian.org/experimental/afl
>
> Disclaimer: I don't have spare CPU cycles, so I fuzzed only till the
> first crash (which took a few seconds). It's likely that extensive
> fuzzing would uncover more interesting crashers. I'd encourage LAME
> maintainers to perform fuzzing with AFL on their own. :-)
>
>
> -- System Information:
> Debian Release: 8.0
> APT prefers unstable
> APT policy: (990, 'unstable'), (500, 'experimental')
> Architecture: i386 (x86_64)
> Foreign Architectures: amd64
>
> Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
> Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: sysvinit (via /sbin/init)
>
> Versions of packages lame depends on:
> ii libc6 2.19-13
> ii libmp3lame0 3.99.5+repack1-5
> ii libncurses5 5.9+20140913-1+b1
> ii libtinfo5 5.9+20140913-1+b1
>
> _______________________________________________
> pkg-multimedia-maintainers mailing list
> [email protected]
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers
>
-------- Forwarded Message --------
From: Maks Naumov <[email protected]>
Reply-to: Maks Naumov <[email protected]>, [email protected]
To: [email protected]
Subject: Bug#775959: Patch for this issue
Date: Thu, 22 Jan 2015 16:22:50 +0200
Need to check for input sample rate.
[0001-Add-check-for-invalid-input-sample-rate.patch (application/x-patch, attachment)]
Message #18 received at [email protected]:
Control: tags -1 + pending
Hi Brian,
thank you very much for reporting these crashes. Fortunately, the latter
two are already fixed by the patch that Maks Naumov attached to #775959.
Cheers,
Fabian
Message #25 received at [email protected]:
Source: lame
Source-Version: 3.99.5+repack1-6
We believe that the bug you reported is fixed in the latest version of
lame, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Fabian Greffrath <[email protected]> (supplier of updated lame package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Mon, 09 Feb 2015 07:11:42 +0100
Source: lame
Binary: lame lame-doc libmp3lame0 libmp3lame-dev
Architecture: source amd64 all
Version: 3.99.5+repack1-6
Distribution: unstable
Urgency: high
Maintainer: Debian Multimedia Maintainers <[email protected]>
Changed-By: Fabian Greffrath <[email protected]>
Description:
lame - MP3 encoding library (frontend)
lame-doc - MP3 encoding library (documentation)
libmp3lame-dev - MP3 encoding library (development)
libmp3lame0 - MP3 encoding library
Closes: 775955 775959 777159 777160 777161
Changes:
lame (3.99.5+repack1-6) unstable; urgency=high
.
* Do not mangle CFLAGS in debian/rules anymore, leave this to
dpkg-buildflags (Closes: #775955). Thanks, Jakub Wilk.
* Add check for invalid input sample rate, thanks Maks Naumov
(Closes: #775959, #777160, #777161). Thanks Jakub Wilk and
Brian Carpenter for the bug reports and test cases.
* Remove chunks modifying */Makefile.in from parallel-builds-fix.patch,
we are running autoreconf anyway.
* Remove unbreak-ftbfs-gcc4.4.patch, does not apply anymore.
* Avoid malformed wav causing floating point exception in the frontend
(Closes: #777159).
Checksums-Sha1:
bef2b697b4be1890467eba7c9a8315db2bd81ad0 2222 lame_3.99.5+repack1-6.dsc
424b365d6f174de57b0bbd1b15b832bc6f3d5f05 13756 lame_3.99.5+repack1-6.debian.tar.xz
3e91584967131a8a2d7901d21c28aff1db9f997e 270752 lame_3.99.5+repack1-6_amd64.deb
5c0e8326ef94c8a330537a492e221618287eea28 286370 lame-doc_3.99.5+repack1-6_all.deb
6c5a03b0e73eceb6f53260e6831bccd1b06fa6ff 352150 libmp3lame0_3.99.5+repack1-6_amd64.deb
4c964fa181a42b9bd9d4189b30f4446a5915c13f 368810 libmp3lame-dev_3.99.5+repack1-6_amd64.deb
Checksums-Sha256:
187aabe22c1860a5264cd2ebc9fbfc11fc9171561c952ce6b99f0e38134edb3e 2222 lame_3.99.5+repack1-6.dsc
6f51abef5c629218e0a028d92974593894a8294eb668c7a33b5d8befb1865ae9 13756 lame_3.99.5+repack1-6.debian.tar.xz
b9e0b5b7caaef37242930caf2acc3c14aee7425de09fa77822cee72ebb86d812 270752 lame_3.99.5+repack1-6_amd64.deb
3e3ee597d1a6163e4810421aecfbbf36f8b44ec2b8afba29ac8f9f337faeec00 286370 lame-doc_3.99.5+repack1-6_all.deb
7fe1373c3fae7677e70f9fe70cfc5587aabef158d22ab85cc7a66c77c8151862 352150 libmp3lame0_3.99.5+repack1-6_amd64.deb
50589c4728f34ffbca96a65c06ee4ac177f7ff38282b6c9bcca27ab18cf9bd74 368810 libmp3lame-dev_3.99.5+repack1-6_amd64.deb
Files:
4451cfd20f74dd929db14ad5cabedef9 2222 sound optional lame_3.99.5+repack1-6.dsc
2f6ee33e9b7e77e9cd6350054f03ef99 13756 sound optional lame_3.99.5+repack1-6.debian.tar.xz
434f779fd42d8f1e6d09f69b5acc1b4e 270752 sound optional lame_3.99.5+repack1-6_amd64.deb
642bd60a76ac15750930383c96c52f84 286370 doc optional lame-doc_3.99.5+repack1-6_all.deb
8ba894225629716a115f534773ee54ef 352150 libs optional libmp3lame0_3.99.5+repack1-6_amd64.deb
3504d6ff3b73fa8b73377c82d8bd7379 368810 libdevel optional libmp3lame-dev_3.99.5+repack1-6_amd64.deb
Message #32 received at [email protected]:
Hi there, Fabian and Maks.
On Jan 22 2015, Fabian Greffrath wrote:
> would you apply the attached patch, courtesy of Maks Naumov, to LAME
> upstream?
I just applied the patch. If you have more, please send them my way.
Thanks for letting me know,
--
Rogério Brito : rbrito@{ime.usp.br,gmail.com} : GPG key 4096R/BCFCAAAA
http://cynic.cc/blog/ : github.com/rbrito : profiles.google.com/rbrito
DebianQA: http://qa.debian.org/developer.php?login=rbrito%40ime.usp.br
Message #37 received at [email protected]:
Hi Rogerio,
On Saturday, 21.02.2015, 20:37 -0200, Rogério Brito wrote:
> I just applied the patch. If you have more, please send them my way.
Oh, yes, I have. A lot has happened in the past weeks.
1) Fix a crash in the frontend if (bits_per_sample < 0):
http://anonscm.debian.org/cgit/pkg-multimedia/lame.git/commit/?id=2b84d36c2d864e6578d228ff1f30dc57309d6a2c
2) Fix a crash if the ratio between input and output sample rate is very
close to an integer:
http://anonscm.debian.org/cgit/pkg-multimedia/lame.git/commit/?id=bcf5295dd99c3e0a2eb2bd0717a239c459310093
3) Extend Maks' patch to also error out if (num_channels < 0):
http://anonscm.debian.org/cgit/pkg-multimedia/lame.git/commit/?id=1c7c62d3c5614443524b5ad170ba2713a14d4e09
These patches fix all the bugs triggered by fuzzed samples reported
against the lame package so far.
- Fabian
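The crash in Message #3 (a sample rate that reads back as -2.14748e+06 kHz) and the three follow-up fixes listed above (bits_per_sample < 0, num_channels < 0, and the sample-rate check from Maks Naumov's patch) all come down to trusting header fields of an attacker-controlled WAV file before using them for arithmetic and buffer sizing. The following is an added example written for this page, not LAME's frontend code and not the attached patch (which is not reproduced in this log): it parses the canonical 44-byte PCM WAV header, reads the fields with sign-extension so that an out-of-range value shows up as a negative number the way it did in the report, and rejects anything that is not a sane PCM description before the numbers go anywhere near a resampler. The header layout, the 192000 Hz ceiling, the one-or-two channel limit and the allowed bit depths are this example's own assumptions, not values taken from LAME.

```c
/* Added example, not LAME's code: validate WAV "fmt " fields before use.
 * Assumptions (not from the bug log): canonical 44-byte PCM header layout,
 * sample rate ceiling of 192000 Hz, 1 or 2 channels, 8/16/24/32-bit samples. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WAV_HEADER_LEN      44
#define WAV_MAX_SAMPLE_RATE 192000   /* assumed ceiling for sanity checking */

enum wav_status {
    WAV_OK = 0,
    WAV_ERR_TRUNCATED,    /* fewer than 44 bytes available              */
    WAV_ERR_MAGIC,        /* missing RIFF / WAVE / "fmt " markers        */
    WAV_ERR_FORMAT,       /* format tag is not 1 (PCM)                   */
    WAV_ERR_SAMPLE_RATE,  /* rate <= 0 or above the assumed ceiling      */
    WAV_ERR_CHANNELS,     /* channel count <= 0 or > 2                   */
    WAV_ERR_BITS          /* bits per sample not one of 8/16/24/32       */
};

struct wav_fmt {
    int format_tag;
    int num_channels;
    int sample_rate;
    int bits_per_sample;
};

/* Little-endian reads that sign-extend into int.  A 16-bit field of 0xFFFF
 * becomes -1 and a 32-bit field of 0x80000000 becomes INT32_MIN, which is
 * how a huge unsigned field ends up printed as "-2.14748e+06 kHz". */
static int rd_le16s(const unsigned char *p)
{
    int v = p[0] | (p[1] << 8);
    return (v & 0x8000) ? v - 0x10000 : v;
}

static int rd_le32s(const unsigned char *p)
{
    uint32_t u = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                 ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    /* portable two's-complement reinterpretation without relying on the cast */
    return (u >= 0x80000000u) ? (int)(u - 0x80000000u) - 0x7fffffff - 1 : (int)u;
}

/* Pull the fmt fields out of a canonical header (RIFF, WAVE, fmt at 12). */
enum wav_status wav_parse_fmt(const unsigned char *buf, size_t len, struct wav_fmt *out)
{
    if (len < WAV_HEADER_LEN)
        return WAV_ERR_TRUNCATED;
    if (memcmp(buf, "RIFF", 4) || memcmp(buf + 8, "WAVE", 4) || memcmp(buf + 12, "fmt ", 4))
        return WAV_ERR_MAGIC;
    out->format_tag      = rd_le16s(buf + 20);
    out->num_channels    = rd_le16s(buf + 22);
    out->sample_rate     = rd_le32s(buf + 24);
    out->bits_per_sample = rd_le16s(buf + 34);
    return WAV_OK;
}

/* The sanity checks: every field must be positive and within a range the
 * encoder can actually handle before it is used for any arithmetic. */
enum wav_status wav_validate(const struct wav_fmt *f)
{
    if (f->format_tag != 1)
        return WAV_ERR_FORMAT;
    if (f->sample_rate <= 0 || f->sample_rate > WAV_MAX_SAMPLE_RATE)
        return WAV_ERR_SAMPLE_RATE;
    if (f->num_channels <= 0 || f->num_channels > 2)
        return WAV_ERR_CHANNELS;
    switch (f->bits_per_sample) {
    case 8: case 16: case 24: case 32: break;
    default: return WAV_ERR_BITS;
    }
    return WAV_OK;
}

/* Parse and validate in one step, as a frontend would before encoding. */
enum wav_status wav_check(const unsigned char *buf, size_t len)
{
    struct wav_fmt f;
    enum wav_status s = wav_parse_fmt(buf, len, &f);
    return (s != WAV_OK) ? s : wav_validate(&f);
}

/* Build a constructed 44-byte PCM header so the checks can run offline. */
void wav_build_header(unsigned char out[WAV_HEADER_LEN], uint16_t channels, uint32_t rate, uint16_t bits)
{
    memset(out, 0, WAV_HEADER_LEN);
    memcpy(out, "RIFF", 4);
    memcpy(out + 8, "WAVE", 4);
    memcpy(out + 12, "fmt ", 4);
    out[16] = 16;                                    /* fmt chunk size   */
    out[20] = 1;                                     /* format tag = PCM */
    out[22] = (unsigned char)(channels & 0xff);
    out[23] = (unsigned char)(channels >> 8);
    out[24] = (unsigned char)(rate & 0xff);
    out[25] = (unsigned char)((rate >> 8) & 0xff);
    out[26] = (unsigned char)((rate >> 16) & 0xff);
    out[27] = (unsigned char)((rate >> 24) & 0xff);
    out[34] = (unsigned char)(bits & 0xff);
    out[35] = (unsigned char)(bits >> 8);
    memcpy(out + 36, "data", 4);
}

/* Constructed-header helper: build with the given raw field values and check. */
enum wav_status wav_check_fields(uint16_t channels, uint32_t rate, uint16_t bits)
{
    unsigned char h[WAV_HEADER_LEN];
    wav_build_header(h, channels, rate, bits);
    return wav_check(h, sizeof h);
}

int main(void)
{
    printf("44100 Hz / 2 ch / 16 bit -> %d\n", wav_check_fields(2, 44100, 16));
    printf("rate 0x80000000 (INT32_MIN) -> %d\n", wav_check_fields(1, 0x80000000u, 16));
    printf("channels 0xFFFF (-1)        -> %d\n", wav_check_fields(0xffff, 8000, 16));
    printf("bits 0x8000 (-32768)        -> %d\n", wav_check_fields(1, 8000, 0x8000));
    return 0;
}
```

The point of reading the fields sign-extended rather than unsigned is that it reproduces the failure mode the report shows: the same bytes that a signed reader turns into a negative sample rate would, with an unsigned reader, become a positive value far above any real rate, so the check has to bound the field from both sides rather than only test for a negative number.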
Message #42 received at [email protected]:
Source: lame
Source-Version: 3.99.5+repack1-3+deb7u1
We believe that the bug you reported is fixed in the latest version of
lame, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Fabian Greffrath <[email protected]> (supplier of updated lame package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Tue, 24 Feb 2015 09:46:48 +0100
Source: lame
Binary: lame lame-doc libmp3lame0 libmp3lame-dev
Architecture: source amd64 all
Version: 3.99.5+repack1-3+deb7u1
Distribution: wheezy
Urgency: medium
Maintainer: Debian multimedia packages maintainers <[email protected]>
Changed-By: Fabian Greffrath <[email protected]>
Description:
lame - MP3 encoding library (frontend)
lame-doc - MP3 encoding library (documentation)
libmp3lame-dev - MP3 encoding library (development)
libmp3lame0 - MP3 encoding library
Closes: 775959 777159 777160 777161 778529 778703
Changes:
lame (3.99.5+repack1-3+deb7u1) wheezy; urgency=medium
.
* Add check for invalid input sample rate, thanks Maks Naumov
(Closes: #775959, #777160, #777161). Thanks Jakub Wilk and
Brian Carpenter for the bug reports and test cases.
* Extend Maks Naumov's patch to also include a sanity check for
a valid amount of input channels (Closes: #778703).
* Avoid malformed wav causing floating point exception in the
frontend (Closes: #777159).
* Fix decision if sample rate ratio is an integer value or not
(Closes: #778529). Thanks to Henri Salo for the bug reports
and the fuzzed samples!
Checksums-Sha1:
38832155db1ae5789a4fa66f0403b6e177f5cb5c 2250 lame_3.99.5+repack1-3+deb7u1.dsc
92ab7a4eb5ba00b2dfae3852c41e26ac7b9ef636 13987 lame_3.99.5+repack1-3+deb7u1.debian.tar.gz
ae693c1c10d88ea7b1929d551f10dd802a78ec18 279810 lame_3.99.5+repack1-3+deb7u1_amd64.deb
f3c4c40dfc09d3737cd827631e8f94289d44feb9 296004 lame-doc_3.99.5+repack1-3+deb7u1_all.deb
8e4a90f838a5ffe5220657087dc71e21b137f064 413878 libmp3lame0_3.99.5+repack1-3+deb7u1_amd64.deb
b1b565c32557a7335e0f82be0d946f7353829af4 451362 libmp3lame-dev_3.99.5+repack1-3+deb7u1_amd64.deb
Checksums-Sha256:
40311ff26ede470a373225e7c69a3a69c4e48a25cf63c2f14e0c53c06cb4516b 2250 lame_3.99.5+repack1-3+deb7u1.dsc
a4e3819241382ef96e16a36cfa39041f22772b7aa2b8358ec33c3b823cfb6482 13987 lame_3.99.5+repack1-3+deb7u1.debian.tar.gz
4cd29d1c91b6f16e11956c74b6d94f41f357eeecc2f775f3ffdcf39e4427949d 279810 lame_3.99.5+repack1-3+deb7u1_amd64.deb
d07ac2f8f08bc2fdf3fce72cc583467d3f7fe784f9b932b84047cd152ba21604 296004 lame-doc_3.99.5+repack1-3+deb7u1_all.deb
20f4e1d1b5e3cb2cf689d9d68291fa0276add303d988386f518faae36fc238ef 413878 libmp3lame0_3.99.5+repack1-3+deb7u1_amd64.deb
d675730777c481ffa66e30bf97d2c400275b32f1af36a839f91bb1f6f183fe55 451362 libmp3lame-dev_3.99.5+repack1-3+deb7u1_amd64.deb
Files:
240dc9f80c9016c7f1b99ae1f18ad644 2250 sound optional lame_3.99.5+repack1-3+deb7u1.dsc
cae33c8d915ab4a7d84edc3cce64f2e8 13987 sound optional lame_3.99.5+repack1-3+deb7u1.debian.tar.gz
e45e70276d154ac20b872ee1ed95bc7a 279810 sound optional lame_3.99.5+repack1-3+deb7u1_amd64.deb
568fee660f20860b930aa39987ee5a24 296004 doc optional lame-doc_3.99.5+repack1-3+deb7u1_all.deb
4ed9ed9c722c69eb112ccb782df3ad2d 413878 libs optional libmp3lame0_3.99.5+repack1-3+deb7u1_amd64.deb
50a815012cf846f78edafa116d70c950 451362 libdevel optional libmp3lame-dev_3.99.5+repack1-3+deb7u1_amd64.deb
Last modified: Sun Jun 16 11:39:04 2024