Heap corruption (double free or corruption (out))

Bug #1842445 reported by Andrea Fioraldi
This bug affects 1 person

Affects: mpg321 (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

Hi,
My fuzzer found several crashing inputs that cause mpg321 (from the Ubuntu 18.04.2 repo) to corrupt the heap.

The output is:

$ mpg321 id:000003,sig:11,src:000020+000063,time:937975,op:splice,rep:128
High Performance MPEG 1.0/2.0/2.5 Audio Player for Layer 1, 2, and 3.
Version 0.3.2-1 (2012/03/25). Written and copyrights by Joe Drew,
now maintained by Nanakos Chrysostomos and others.
Uses code from various people. See 'README' for more!
THIS SOFTWARE COMES WITH ABSOLUTELY NO WARRANTY! USE AT YOUR OWN RISK!

Playing MPEG stream from id:000003,sig:11,src:000020+000063,time:937975,op:splice,rep:128 ...
MPEG 1.0 layer I, 55 kbit/s, 44100 Hz stereo
double free or corruption (out)
Aborted (core dumped)

The Valgrind output is:

$ valgrind mpg321 id:000003,sig:11,src:000020+000063,time:937975,op:splice,rep:128
==20559== Memcheck, a memory error detector
==20559== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==20559== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==20559== Command: mpg321 id:000003,sig:11,src:000020+000063,time:937975,op:splice,rep:128
==20559==
--20559-- Warning: DWARF2 CFI reader: unhandled DW_OP_ opcode 0x13
[the previous warning is repeated 47 more times in the original output]
High Performance MPEG 1.0/2.0/2.5 Audio Player for Layer 1, 2, and 3.
Version 0.3.2-1 (2012/03/25). Written and copyrights by Joe Drew,
now maintained by Nanakos Chrysostomos and others.
Uses code from various people. See 'README' for more!
THIS SOFTWARE COMES WITH ABSOLUTELY NO WARRANTY! USE AT YOUR OWN RISK!

Playing MPEG stream from id:000003,sig:11,src:000020+000063,time:937975,op:splice,rep:128 ...
==20559== Invalid write of size 8
==20559== at 0x10F318: ??? (in /usr/bin/mpg321)
==20559== by 0x5581594: ??? (in /usr/lib/x86_64-linux-gnu/libmad.so.0.2.1)
==20559== by 0x5581B82: mad_decoder_run (in /usr/lib/x86_64-linux-gnu/libmad.so.0.2.1)
==20559== by 0x10C5EA: ??? (in /usr/bin/mpg321)
==20559== by 0x5D65B96: (below main) (libc-start.c:310)
==20559== Address 0x677f908 is 0 bytes after a block of size 8 alloc'd
==20559== at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==20559== by 0x10CFC5: ??? (in /usr/bin/mpg321)
==20559== by 0x5D65B96: (below main) (libc-start.c:310)
==20559==
==20559== Invalid write of size 8
==20559== at 0x10F324: ??? (in /usr/bin/mpg321)
==20559== by 0x5581594: ??? (in /usr/lib/x86_64-linux-gnu/libmad.so.0.2.1)
==20559== by 0x5581B82: mad_decoder_run (in /usr/lib/x86_64-linux-gnu/libmad.so.0.2.1)
==20559== by 0x10C5EA: ??? (in /usr/bin/mpg321)
==20559== by 0x5D65B96: (below main) (libc-start.c:310)
==20559== Address 0x677f960 is 0 bytes after a block of size 16 alloc'd
==20559== at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==20559== by 0x10CFD5: ??? (in /usr/bin/mpg321)
==20559== by 0x5D65B96: (below main) (libc-start.c:310)
==20559==
MPEG 1.0 layer I, 55 kbit/s, 44100 Hz stereo
==20559== Invalid read of size 8
==20559== at 0x10F2DC: ??? (in /usr/bin/mpg321)
==20559== by 0x5581594: ??? (in /usr/lib/x86_64-linux-gnu/libmad.so.0.2.1)
==20559== by 0x5581B82: mad_decoder_run (in /usr/lib/x86_64-linux-gnu/libmad.so.0.2.1)
==20559== by 0x10C5EA: ??? (in /usr/bin/mpg321)
==20559== by 0x5D65B96: (below main) (libc-start.c:310)
==20559== Address 0x677f908 is 0 bytes after a block of size 8 alloc'd
==20559== at 0x4C2FB0F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==20559== by 0x10CFC5: ??? (in /usr/bin/mpg321)
==20559== by 0x5D65B96: (below main) (libc-start.c:310)
==20559==

[0:00] Decoding of id:000003,sig:11,src:000020+000063,time:937975,op:splice,rep:128 finished.
==20559==
==20559== HEAP SUMMARY:
==20559== in use at exit: 97,550 bytes in 192 blocks
==20559== total heap usage: 643 allocs, 451 frees, 342,034 bytes allocated
==20559==
==20559== LEAK SUMMARY:
==20559== definitely lost: 4,120 bytes in 1 blocks
==20559== indirectly lost: 16,449 bytes in 2 blocks
==20559== possibly lost: 0 bytes in 0 blocks
==20559== still reachable: 76,981 bytes in 189 blocks
==20559== suppressed: 0 bytes in 0 blocks
==20559== Rerun with --leak-check=full to see details of leaked memory
==20559==
==20559== For counts of detected and suppressed errors, rerun with: -v
==20559== ERROR SUMMARY: 15 errors from 3 contexts (suppressed: 0 from 0)

An Invalid write of size 8 that causes an abort due to the ptmalloc checks is, at 99%, a heap overflow that corrupts the metadata of the next chunk in memory.

I attach one of the inputs that triggers the bug.
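Added illustration, not code from this report or from mpg321/libmad: a small C program that does what the description infers from the Valgrind trace. It allocates two small heap blocks, overruns the first by 8 bytes, and reads the second block's glibc chunk header to show that the overrun rewrote its size field, the metadata corruption that makes a later free() abort; next to it is the bounded copy that would have refused the write. Assumptions (mine, not the page's): glibc's 64-bit chunk layout (size field in the 8 bytes before the pointer malloc() returns, malloc(24) rounded up to a 32-byte chunk) and that two fresh allocations come out back to back; if the allocator places them elsewhere the demo returns 0 rather than guessing. All function and variable names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed glibc malloc_chunk layout on x86-64: the chunk's size field is the
 * 8 bytes immediately before the pointer malloc() returned; its low three
 * bits are flags (PREV_INUSE etc.), the rest is the chunk size. */
static size_t size_field(const char *user_ptr)
{
    size_t raw;
    memcpy(&raw, user_ptr - sizeof(size_t), sizeof raw);
    return raw;
}

static void set_size_field(char *user_ptr, size_t value)
{
    memcpy(user_ptr - sizeof(size_t), &value, sizeof value);
}

/* Vulnerable pattern: copies src_len bytes into dst without checking that
 * dst can hold them. The volatile pointer keeps the compiler from reasoning
 * about (and eliding) the out-of-bounds stores. */
static void unbounded_copy(char *dst, const char *src, size_t src_len)
{
    volatile char *p = dst;
    for (size_t i = 0; i < src_len; i++)
        p[i] = src[i];
}

/* Hardened form: the destination capacity is part of the contract.
 * Returns 0 on success, -1 if the copy would run past dst. */
int bounded_copy(char *dst, size_t dst_len, const char *src, size_t src_len)
{
    if (src_len > dst_len)
        return -1;
    memcpy(dst, src, src_len);
    return 0;
}

/* Writes 32 bytes into a 24-byte heap block that sits directly before another
 * one and reports whether the overrun landed on the neighbour's size field.
 * Returns 1 if it did, 0 if the allocator did not place the two blocks back
 * to back (demo not applicable on this allocator), -1 on failure. */
int overrun_rewrites_next_size(void)
{
    char *a = malloc(24);
    char *b = malloc(24);
    if (a == NULL || b == NULL) {
        free(a);
        free(b);
        return -1;
    }
    /* glibc rounds malloc(24) up to a 32-byte chunk, so when the blocks are
     * adjacent b's size field starts at a + 24: the first byte past a's usable
     * space, "0 bytes after a block of size 24" in Valgrind's wording. */
    if ((uintptr_t)b != (uintptr_t)a + 32) {
        free(b);
        free(a);
        return 0;
    }

    size_t before = size_field(b);
    char payload[32];                           /* constructed input: 8 bytes more than a holds */
    memset(payload, 'A', sizeof payload);
    unbounded_copy(a, payload, sizeof payload);
    size_t after = size_field(b);

    /* Restore the header before freeing. Left as 0x4141414141414141, free(b)
     * would make glibc's _int_free compute b's successor far beyond the arena's
     * top chunk and abort with "double free or corruption (out)", the check
     * behind the message in this report. */
    set_size_field(b, before);
    free(b);
    free(a);
    return (after != before && after == 0x4141414141414141ULL) ? 1 : -1;
}

/* Shows that the hardened copy refuses the same 32-byte payload. Returns 1 when
 * it rejects the oversized copy and accepts one that fits, 0 otherwise. */
int bounded_copy_rejects_overrun(void)
{
    char dst[24];
    char payload[32];                           /* constructed input */
    memset(payload, 'B', sizeof payload);
    int too_big = bounded_copy(dst, sizeof dst, payload, sizeof payload);
    int fits = bounded_copy(dst, sizeof dst, payload, sizeof dst);
    return (too_big == -1 && fits == 0) ? 1 : 0;
}

int main(void)
{
    printf("overrun rewrote next chunk's size field: %d\n", overrun_rewrites_next_size());
    printf("bounded copy rejected the overrun: %d\n", bounded_copy_rejects_overrun());
    return 0;
}
```

Two caveats when reading a trace like the one above. Valgrind checks writes against the size that was requested, while glibc only ever checks its own headers: a stock glibc gives malloc(8) a 32-byte chunk with 24 usable bytes, so one 8-byte write right past an 8-byte request still lands in padding. An abort inside free() therefore means the writes reached a header, which fits "15 errors from 3 contexts": Valgrind prints each context once, and the same instruction can write further on later iterations. The "???" frames resolve to function names once the binary's debug symbols are installed (on Ubuntu, the -dbgsym packages from ddebs.ubuntu.com).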

Revision history for this message
Andrea Fioraldi (andreafioraldi) wrote :

Looking at the changelog for the new version included in the non-LTS release of Ubuntu, the bug should also be there.

Revision history for this message
Andrea Fioraldi (andreafioraldi) wrote :

Should I also report the bug in Debian, or doesn't it matter?
The project seems to be unmaintained, and I reported the bug only here.

information type: Private Security → Public