Heap corruption (double free or corruption (out))
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
mpg321 (Ubuntu) | New | Undecided | Unassigned |
Bug Description
Hi,
My fuzzer found several crashing inputs that cause mpg321 (from Ubuntu 18.04.2 repo) to corrupt the heap.
The output is:
$ mpg321 id:000003,
High Performance MPEG 1.0/2.0/2.5 Audio Player for Layer 1, 2, and 3.
Version 0.3.2-1 (2012/03/25). Written and copyrights by Joe Drew,
now maintained by Nanakos Chrysostomos and others.
Uses code from various people. See 'README' for more!
THIS SOFTWARE COMES WITH ABSOLUTELY NO WARRANTY! USE AT YOUR OWN RISK!
Playing MPEG stream from id:000003,
MPEG 1.0 layer I, 55 kbit/s, 44100 Hz stereo
double free or corruption (out)
Aborted (core dumped)
The Valgrind output is:
$ valgrind mpg321 id:000003,
==20559== Memcheck, a memory error detector
==20559== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==20559== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==20559== Command: mpg321 id:000003,
==20559==
--20559-- Warning: DWARF2 CFI reader: unhandled DW_OP_ opcode 0x13
High Performance MPEG 1.0/2.0/2.5 Audio Player for Layer 1, 2, and 3.
Version 0.3.2-1 (2012/03/25). Written and copyrights by Joe Drew,
now maintained by Nanakos Chrysostomos and others.
Uses code from various people. See 'README' for more!
THIS SOFTWARE COMES WITH ABSOLUTELY NO WARRANTY! USE AT YOUR OWN RISK!
Playing MPEG stream from id:000003,
==20559== Invalid write of size 8
==20559== at 0x10F318: ??? (in /usr/bin/mpg321)
==20559== by 0x5581594: ??? (in /usr/lib/
==20559== by 0x5581B82: mad_decoder_run (in /usr/lib/
==20559== by 0x10C5EA: ??? (in /usr/bin/mpg321)
==20559== by 0x5D65B96: (below main) (libc-start.c:310)
==20559== Address 0x677f908 is 0 bytes after a block of size 8 alloc'd
==20559== at 0x4C2FB0F: malloc (in /usr/lib/
==20559== by 0x10CFC5: ??? (in /usr/bin/mpg321)
==20559== by 0x5D65B96: (below main) (libc-start.c:310)
==20559==
==20559== Invalid write of size 8
==20559== at 0x10F324: ??? (in /usr/bin/mpg321)
==20559== by 0x5581594: ??? (in /usr/lib/
==20559== by 0x5581B82: mad_decoder_run (in /usr/lib/
==20559== by 0x10C5EA: ??? (in /usr/bin/mpg321)
==20559== by 0x5D65B96: (below main) (libc-start.c:310)
==20559== Address 0x677f960 is 0 bytes after a block of size 16 alloc'd
==20559== at 0x4C2FB0F: malloc (in /usr/lib/
==20559== by 0x10CFD5: ??? (in /usr/bin/mpg321)
==20559== by 0x5D65B96: (below main) (libc-start.c:310)
==20559==
MPEG 1.0 layer I, 55 kbit/s, 44100 Hz stereo
==20559== Invalid read of size 8
==20559== at 0x10F2DC: ??? (in /usr/bin/mpg321)
==20559== by 0x5581594: ??? (in /usr/lib/
==20559== by 0x5581B82: mad_decoder_run (in /usr/lib/
==20559== by 0x10C5EA: ??? (in /usr/bin/mpg321)
==20559== by 0x5D65B96: (below main) (libc-start.c:310)
==20559== Address 0x677f908 is 0 bytes after a block of size 8 alloc'd
==20559== at 0x4C2FB0F: malloc (in /usr/lib/
==20559== by 0x10CFC5: ??? (in /usr/bin/mpg321)
==20559== by 0x5D65B96: (below main) (libc-start.c:310)
==20559==
[0:00] Decoding of id:000003,
==20559==
==20559== HEAP SUMMARY:
==20559== in use at exit: 97,550 bytes in 192 blocks
==20559== total heap usage: 643 allocs, 451 frees, 342,034 bytes allocated
==20559==
==20559== LEAK SUMMARY:
==20559== definitely lost: 4,120 bytes in 1 blocks
==20559== indirectly lost: 16,449 bytes in 2 blocks
==20559== possibly lost: 0 bytes in 0 blocks
==20559== still reachable: 76,981 bytes in 189 blocks
==20559== suppressed: 0 bytes in 0 blocks
==20559== Rerun with --leak-check=full to see details of leaked memory
==20559==
==20559== For counts of detected and suppressed errors, rerun with: -v
==20559== ERROR SUMMARY: 15 errors from 3 contexts (suppressed: 0 from 0)
An Invalid write of size 8 that causes an abort due to the ptmalloc checks is at 99% a heap overflow that corrupts the metadata of the next chunk in memory.
I attach one of the inputs that triggers the bug.
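As an added triage helper (not part of this report or of mpg321), the script below pairs each memcheck `Invalid read/write` line with its `Address ... bytes after a block of size N alloc'd` line, and, assuming glibc's x86-64 chunk rounding (a labelled assumption), reports whether the logged write extends past the allocator's slack into the next chunk's size field, which is the corruption that free()'s `double free or corruption (out)` check trips over. The sample input is constructed from the three error contexts shown above, trimmed to the lines the parser needs.

```python
import re

# Constructed sample: the three memcheck error contexts from the report,
# reduced to the lines the parser needs.
SAMPLE = """\
==20559== Invalid write of size 8
==20559==    at 0x10F318: ??? (in /usr/bin/mpg321)
==20559==  Address 0x677f908 is 0 bytes after a block of size 8 alloc'd
==20559== Invalid write of size 8
==20559==    at 0x10F324: ??? (in /usr/bin/mpg321)
==20559==  Address 0x677f960 is 0 bytes after a block of size 16 alloc'd
==20559== Invalid read of size 8
==20559==    at 0x10F2DC: ??? (in /usr/bin/mpg321)
==20559==  Address 0x677f908 is 0 bytes after a block of size 8 alloc'd
"""

ERR = re.compile(r"^==\d+== Invalid (read|write) of size (\d+)")
LOC = re.compile(r"^==\d+==\s+Address 0x([0-9a-f]+) is (\d+) bytes after "
                 r"a block of size (\d+) alloc'd")

def glibc_usable(req):
    """Usable bytes glibc (x86-64, assumed layout) hands out for malloc(req):
    chunk = max(32, (req + 8 + 15) & ~15); the caller may use chunk - 8,
    because the next chunk's prev_size field is free for use while in use."""
    chunk = max(32, (req + 8 + 15) & ~15)
    return chunk - 8

def triage(text):
    """Pair each Invalid read/write with its 'bytes after a block' line."""
    findings, pending = [], None
    for line in text.splitlines():
        m = ERR.match(line)
        if m:
            pending = {"kind": m.group(1), "size": int(m.group(2))}
            continue
        m = LOC.match(line)
        if m and pending:
            after, blk = int(m.group(2)), int(m.group(3))
            end = after + pending["size"]        # bytes past the requested end
            slack = glibc_usable(blk) - blk      # rounding slack before metadata
            pending.update(addr=int(m.group(1), 16), after=after, block=blk,
                           overrun=end, hits_metadata=(end > slack))
            findings.append(pending)
            pending = None
    return findings

def summarize(findings):
    """Count writes vs reads and flag whether any write reaches chunk metadata."""
    writes = [f for f in findings if f["kind"] == "write"]
    return {"writes": len(writes), "reads": len(findings) - len(writes),
            "max_overrun": max((f["overrun"] for f in findings), default=0),
            "metadata_reach": any(f["hits_metadata"] for f in writes)}
```

Memcheck logs only the first instance of each error context (the summary above counts 15 errors from 3 contexts), so a `hits_metadata` of False only says the logged instance stays inside glibc's rounding slack, not that later writes from the same site do.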
information type: Private Security → Public
Looking at the changelog for the new version included in the non-LTS release of Ubuntu, the bug should also be there.