oggvideotools heap overflow

Bug #1852574 reported by WangXiaoxiong
Affects: oggvideotools (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

I used AddressSanitizer to build oggvideotools 0.9.1 and got a segmentation fault as below. I used the command:
oggLength <testcase>
The testcase I used is in the attachment.
This software can also be installed with the command `apt install oggvideotools`, but that version is 0.8a-7, which also gets a segmentation fault with the same testcase.

MediaConverter::setAvailable(): decoder is not configured or has ended
MediaConverter::setAvailable(): decoder is not configured or has ended
MediaConverter::setAvailable(): decoder is not configured or has ended
=================================================================
==32390==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000e4b8 at pc 0x00000046e493 bp 0x7ffe9af99060 sp 0x7ffe9af99050
WRITE of size 4 at 0x60600000e4b8 thread T0
    #0 0x46e492 in ExtractorInformation::operator=(ExtractorInformation const&) /home/wws/Music/Fuzz/target_progs/target_oggvideotools_addresssanitizer/oggvideotools-0.9.1/src/base/streamExtractor.cpp:17
    #1 0x4407e2 in StreamConfig::operator=(StreamConfig const&) /home/wws/Music/Fuzz/target_progs/target_oggvideotools_addresssanitizer/oggvideotools-0.9.1/src/base/streamConfig.h:12
    #2 0x43ea66 in StreamSerializer::getStreamConfig(std::vector<StreamConfig, std::allocator<StreamConfig> >&) /home/wws/Music/Fuzz/target_progs/target_oggvideotools_addresssanitizer/oggvideotools-0.9.1/src/main/streamSerializer.cpp:210
    #3 0x43b0c4 in oggLengthCmd(int, char**) /home/wws/Music/Fuzz/target_progs/target_oggvideotools_addresssanitizer/oggvideotools-0.9.1/src/binaries/oggLength.cpp:93
    #4 0x43b4e5 in main /home/wws/Music/Fuzz/target_progs/target_oggvideotools_addresssanitizer/oggvideotools-0.9.1/src/binaries/oggLength.cpp:136
    #5 0x7f13e016782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #6 0x43aa78 in _start (/home/wws/Music/Fuzz/target_progs/target_oggvideotools_addresssanitizer/install/bin/oggLength+0x43aa78)

0x60600000e4b8 is located 0 bytes to the right of 56-byte region [0x60600000e480,0x60600000e4b8)
allocated by thread T0 here:
    #0 0x7f13e0b42532 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99532)
    #1 0x4468b4 in __gnu_cxx::new_allocator<StreamConfig>::allocate(unsigned long, void const*) /usr/include/c++/5/ext/new_allocator.h:104
    #2 0x4460b3 in std::allocator_traits<std::allocator<StreamConfig> >::allocate(std::allocator<StreamConfig>&, unsigned long) /usr/include/c++/5/bits/alloc_traits.h:491
    #3 0x4451fd in std::_Vector_base<StreamConfig, std::allocator<StreamConfig> >::_M_allocate(unsigned long) /usr/include/c++/5/bits/stl_vector.h:170
    #4 0x443257 in std::vector<StreamConfig, std::allocator<StreamConfig> >::_M_default_append(unsigned long) (/home/wws/Music/Fuzz/target_progs/target_oggvideotools_addresssanitizer/install/bin/oggLength+0x443257)
    #5 0x441d5e in std::vector<StreamConfig, std::allocator<StreamConfig> >::resize(unsigned long) (/home/wws/Music/Fuzz/target_progs/target_oggvideotools_addresssanitizer/install/bin/oggLength+0x441d5e)
    #6 0x43e9a5 in StreamSerializer::getStreamConfig(std::vector<StreamConfig, std::allocator<StreamConfig> >&) /home/wws/Music/Fuzz/target_progs/target_oggvideotools_addresssanitizer/oggvideotools-0.9.1/src/main/streamSerializer.cpp:206
    #7 0x43b0c4 in oggLengthCmd(int, char**) /home/wws/Music/Fuzz/target_progs/target_oggvideotools_addresssanitizer/oggvideotools-0.9.1/src/binaries/oggLength.cpp:93
    #8 0x43b4e5 in main /home/wws/Music/Fuzz/target_progs/target_oggvideotools_addresssanitizer/oggvideotools-0.9.1/src/binaries/oggLength.cpp:136
    #9 0x7f13e016782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/wws/Music/Fuzz/target_progs/target_oggvideotools_addresssanitizer/oggvideotools-0.9.1/src/base/streamExtractor.cpp:17 ExtractorInformation::operator=(ExtractorInformation const&)
Shadow bytes around the buggy address:
  0x0c0c7fff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9c60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9c70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0c7fff9c90: 00 00 00 00 00 00 00[fa]fa fa fa fa 00 00 00 00
  0x0c0c7fff9ca0: 00 00 05 fa fa fa fa fa fd fd fd fd fd fd fd fa
  0x0c0c7fff9cb0: fa fa fa fa 00 00 00 00 00 00 07 fa fa fa fa fa
  0x0c0c7fff9cc0: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
  0x0c0c7fff9cd0: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 06 fa
  0x0c0c7fff9ce0: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap right redzone: fb
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
==32390==ABORTING

My system is:
Description: Ubuntu 16.04.6 LTS
Release: 16.04

The software information:
oggvideotools:
  Installed: 0.8a-7
  Candidate: 0.8a-7
  Version table:
 *** 0.8a-7 500
        500 https://mirrors.tuna.tsinghua.edu.cn/ubuntu xenial/universe amd64 Packages
        500 http://archive.ubuntu.com/ubuntu xenial/universe amd64 Packages
        100 /var/lib/dpkg/status

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: oggvideotools 0.8a-7
ProcVersionSignature: Ubuntu 4.15.0-66.75~16.04.1-generic 4.15.18
Uname: Linux 4.15.0-66-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.21
Architecture: amd64
CurrentDesktop: Unity
Date: Thu Nov 14 19:56:47 2019
InstallationDate: Installed on 2019-01-24 (293 days ago)
InstallationMedia: Ubuntu 16.04.5 LTS "Xenial Xerus" - Release amd64 (20180731)
SourcePackage: oggvideotools
UpgradeStatus: No upgrade log present (probably fresh install)
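The sanitizer output above places the 4-byte write exactly at the end of a 56-byte heap region that std::vector<StreamConfig>::resize() had just allocated, i.e. an element assigned at an index equal to the vector's size. The following is an added example and not code from oggvideotools or from the reporter: a constructed Config struct and a constructed stream table stand in for the project's types, and the function names are hypothetical. It shows the general shape of that defect class (an output vector sized from one count and filled by a loop driven by another) beside a form that validates the counts before writing, so a malformed input is rejected instead of corrupting the heap.

```cpp
// Added example, not oggvideotools code: a write landing 0 bytes past the end
// of a heap region that std::vector::resize() allocated, next to a checked
// form that refuses the mismatch.
#include <cstddef>
#include <cstdio>
#include <vector>

// Stand-in for the page's StreamConfig; any trivially copyable payload will do.
struct Config {
    int serial;
    int type;
};

// Constructed stream table: pretend the parser discovered these three streams.
static const Config kStreams[] = {{1, 1}, {2, 2}, {3, 1}};
static const std::size_t kFound = sizeof(kStreams) / sizeof(kStreams[0]);

// Buggy pattern. The output is sized from one count (say, a header field) and
// filled from another (the streams actually discovered). When headerCount is
// smaller than found, operator[] writes past the allocation; under ASan that
// shows up as heap-buffer-overflow inside the element's operator=, as above.
// Kept for comparison only; nothing below calls it.
void fillConfigsUnchecked(std::vector<Config>& out, std::size_t headerCount,
                          const Config* streams, std::size_t found) {
    out.resize(headerCount);
    for (std::size_t i = 0; i < found; ++i)
        out[i] = streams[i];  // no bounds check: i may reach out.size()
}

// Checked form: the discovered count may not exceed the declared one, and each
// index is tested against out.size() before the write, so a malformed file
// yields an error return instead of an out-of-bounds write.
bool fillConfigsChecked(std::vector<Config>& out, std::size_t headerCount,
                        const Config* streams, std::size_t found) {
    if (found > headerCount)
        return false;  // more streams than the header declared: reject input
    out.resize(headerCount);  // value-initialises (zeroes) every element
    for (std::size_t i = 0; i < found; ++i) {
        if (i >= out.size())
            return false;  // defensive; unreachable after the check above
        out[i] = streams[i];
    }
    return true;
}

int main() {
    std::vector<Config> configs;
    // Header claims 2 streams but 3 were found: the checked version rejects it.
    bool ok = fillConfigsChecked(configs, 2, kStreams, kFound);
    std::printf("mismatched counts accepted: %s\n", ok ? "yes" : "no");
    ok = fillConfigsChecked(configs, kFound, kStreams, kFound);
    std::printf("matching counts accepted: %s, %zu configs\n",
                ok ? "yes" : "no", configs.size());
    return 0;
}
```

Running the checked version with a header count of 2 against three discovered streams returns false without touching the vector; with matching counts it fills all three entries. Building the unchecked version with -fsanitize=address and calling it with the same mismatched counts produces a report of the same shape as the one in this bug (WRITE of size 4, 0 bytes to the right of a region allocated by vector::resize).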

Paulo Flabiano Smorigo (pfsmorigo) wrote: Bug is not a security issue

Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.

information type: Private Security → Public