Bug 1465819
| Field | Value |
|---|---|
| Summary | There is a heap buffer overflow in mpg123 latest version. |
| Product | Fedora |
| Component | mpg123 |
| Version | 27 |
| Hardware | x86_64 |
| OS | Linux |
| Status | CLOSED ERRATA |
| Severity | urgent |
| Priority | unspecified |
| Keywords | Reopened |
| Reporter | owl337 <v.owl337> |
| Assignee | Wim Taymans <wtaymans> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | carnil, wtaymans |
| Target Milestone | --- |
| Target Release | --- |
| Fixed In Version | mpg123-1.25.6-1.fc26, mpg123-1.25.6-1.fc25, mpg123-1.25.6-1.fc27 |
| Doc Type | If docs needed, set a value |
| Story Points | --- |
| Type | Bug |
| Regression | --- |
| Last Closed | 2017-09-20 22:54:06 UTC |
| Attachments | see attachment 1292604 in the description below |
This is possibly a duplicate of upstream reported https://sourceforge.net/p/mpg123/bugs/252/

This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle. Changing version to '27'.

mpg123-1.25.6-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-c89d94d812

mpg123-1.25.6-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-172410ec92

mpg123-1.25.6-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-12794057a6

mpg123-1.25.6-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-12794057a6

mpg123-1.25.6-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-c89d94d812

mpg123-1.25.6-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-172410ec92

mpg123-1.25.6-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

mpg123-1.25.6-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

mpg123-1.25.6-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
Created attachment 1292604 [details]
Triggered by "mpg123 POC1"

Description of problem:
There is a heap buffer overflow in the function messageAddArgument() at line 414.

Version-Release number of selected component (if applicable):
<= latest version

How reproducible:
$./mpg123 POC1

Steps to Reproduce:
The debugging information is as follows:

```
$./mpg123 POC1
High Performance MPEG 1.0/2.0/2.5 Audio Player for Layers 1, 2 and 3
version 1.25.0; written and copyright by Michael Hipp and others
free software (LGPL) without any warranty but with best wishes

Directory: fuzz/
Terminal control enabled, press 'h' for listing of keys and functions.

Playing MPEG stream 1 of 1: POC1 ...
=================================================================
==6766==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000c8f5 at pc 0x7fe0e3ced812 bp 0x7ffe8de06150 sp 0x7ffe8de06148
READ of size 1 at 0x60400000c8f5 thread T0
    #0 0x7fe0e3ced811 (/home/icy/real/mpg123-1.25.0-asan/install/lib/libmpg123.so.0+0x47811)
    #1 0x7fe0e3ce2067 (/home/icy/real/mpg123-1.25.0-asan/install/lib/libmpg123.so.0+0x3c067)
    #2 0x7fe0e3ce4e3b (/home/icy/real/mpg123-1.25.0-asan/install/lib/libmpg123.so.0+0x3ee3b)
    #3 0x7fe0e3cbc241 (/home/icy/real/mpg123-1.25.0-asan/install/lib/libmpg123.so.0+0x16241)
    #4 0x7fe0e3d033eb (/home/icy/real/mpg123-1.25.0-asan/install/lib/libmpg123.so.0+0x5d3eb)
    #5 0x7fe0e3d03e74 (/home/icy/real/mpg123-1.25.0-asan/install/lib/libmpg123.so.0+0x5de74)
    #6 0x5060f7 (/home/icy/real/mpg123-1.25.0-asan/install/bin/mpg123+0x5060f7)
    #7 0x50a177 (/home/icy/real/mpg123-1.25.0-asan/install/bin/mpg123+0x50a177)
    #8 0x7fe0e2b8282f (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x41af28 (/home/icy/real/mpg123-1.25.0-asan/install/bin/mpg123+0x41af28)

0x60400000c8f5 is located 0 bytes to the right of 37-byte region [0x60400000c8d0,0x60400000c8f5)
allocated by thread T0 here:
    #0 0x4bb058 (/home/icy/real/mpg123-1.25.0-asan/install/bin/mpg123+0x4bb058)
    #1 0x7fe0e3ce2bae (/home/icy/real/mpg123-1.25.0-asan/install/lib/libmpg123.so.0+0x3cbae)
    #2 0x7fe0e3cbc241 (/home/icy/real/mpg123-1.25.0-asan/install/lib/libmpg123.so.0+0x16241)
    #3 0x7fe0e3d033eb (/home/icy/real/mpg123-1.25.0-asan/install/lib/libmpg123.so.0+0x5d3eb)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/icy/real/mpg123-1.25.0-asan/install/lib/libmpg123.so.0+0x47811)
Shadow bytes around the buggy address:
  0x0c087fff98c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff98d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff98e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff98f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c087fff9910: fa fa fa fa fa fa fa fa fa fa 00 00 00 00[05]fa
  0x0c087fff9920: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fff9930: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
  0x0c087fff9940: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
  0x0c087fff9950: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fff9960: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==6766==ABORTING
```

The GDB debugging information is as follows:

```
(gdb)set args POC1
(gdb) r
=12531==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000c8b5 at pc 0x7ffff7b0e812 bp 0x7fffffffd690 sp 0x7fffffffd688
READ of size 1 at 0x60400000c8b5 thread T0
...
(gdb) bt
#0  convert_latin1 (sb=0x60600000e440, s=0x60400000c89b "SoundJay.com Sound Effect", l=27, noquiet=<optimized out>) at src/libmpg123/id3.c:979
#1  0x00007ffff7b03068 in INT123_id3_to_utf8 (sb=<optimized out>, encoding=<optimized out>, source=0x60400000c89b "SoundJay.com Sound Effect", source_size=27, noquiet=<optimized out>) at src/libmpg123/id3.c:309
#2  0x00007ffff7b05e3c in store_id3_text (sb=0x60600000e440, noquiet=<optimized out>, source=<optimized out>, source_size=<optimized out>, notranslate=<optimized out>) at src/libmpg123/id3.c:274
#3  process_text (fr=0x62c000000200, realsize=28, id=0x7fffffffd880 "TPE1", realdata=<optimized out>) at src/libmpg123/id3.c:368
#4  INT123_parse_new_id3 (fr=0x62c000000200, first4bytes=105827994224784) at src/libmpg123/id3.c:917
#5  0x00007ffff7add242 in handle_id3v2 (fr=0x62c000000200, newhead=1229206275) at src/libmpg123/parse.c:1071
#6  skip_junk (fr=<optimized out>, newheadp=<optimized out>, headcount=<optimized out>) at src/libmpg123/parse.c:1152
#7  INT123_read_frame (fr=<optimized out>) at src/libmpg123/parse.c:525
#8  0x00007ffff7b243ec in get_next_frame (mh=<optimized out>) at src/libmpg123/libmpg123.c:625
#9  0x00007ffff7b24e75 in mpg123_decode_frame (mh=<optimized out>, num=<optimized out>, audio=<optimized out>, bytes=<optimized out>) at src/libmpg123/libmpg123.c:861
#10 0x00000000005060f8 in play_frame () at src/mpg123.c:739
#11 0x000000000050a178 in main (sys_argc=<optimized out>, sys_argv=<optimized out>) at src/mpg123.c:1363
```

Actual results:
crash

Expected results:
crash

Additional info:
Credits: This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao and chaoz.cn if you need more info about the team, the tool or the vulnerability.
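The backtrace above shows convert_latin1() being handed an explicit length (l=27) for the text of a TPE1 frame (realsize=28) whose last byte lies just past the end of the 37-byte heap allocation, so the one-byte read at id3.c:979 lands in the ASan redzone. The C program below is an added example, not code from mpg123, from this report, or from the fix in 1.25.6: it shows the two guards a defensive ID3v2.3 text-frame parser wants before it converts anything, namely checking the declared frame size against the bytes actually present in memory, and converting latin1 to UTF-8 with explicit input and output bounds. The frame layout, the TPE1 sample text (the same artist string seen in the backtrace), the "truncated by N bytes" simulation, and all function names are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Convert exactly `len` bytes of ISO-8859-1 text to NUL-terminated UTF-8.
   Never reads past src + len and never writes past dst + dst_cap.
   Returns the number of UTF-8 bytes written (excluding the NUL), or -1 if
   the output buffer is too small. */
long latin1_to_utf8(const unsigned char *src, size_t len, char *dst, size_t dst_cap)
{
    size_t out = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = src[i];
        size_t need = (c < 0x80) ? 1 : 2;
        if (out + need + 1 > dst_cap)       /* +1 keeps room for the NUL */
            return -1;
        if (c < 0x80) {
            dst[out++] = (char)c;
        } else {                            /* U+0080..U+00FF -> two bytes */
            dst[out++] = (char)(0xC0 | (c >> 6));
            dst[out++] = (char)(0x80 | (c & 0x3F));
        }
    }
    dst[out] = '\0';
    return (long)out;
}

/* Parse one ID3v2.3 text frame (10-byte header: 4-byte ID, 4-byte big-endian
   size, 2 flag bytes; body: 1 encoding byte + text) sitting at the start of
   `buf`, of which only `buf_len` bytes actually exist in memory.
   Returns UTF-8 bytes written to `out`, or -1 if the frame is malformed or
   its declared size exceeds the data present. That size check is what keeps
   a truncated frame from turning into an over-read inside the converter. */
long parse_id3v23_text_frame(const unsigned char *buf, size_t buf_len,
                             char *out, size_t out_cap)
{
    if (buf_len < 10)
        return -1;                          /* no complete header */
    uint32_t size = ((uint32_t)buf[4] << 24) | ((uint32_t)buf[5] << 16) |
                    ((uint32_t)buf[6] << 8)  |  (uint32_t)buf[7];
    if (size < 1)
        return -1;                          /* body must hold the encoding byte */
    if (size > buf_len - 10)
        return -1;                          /* header promises more than we have */
    const unsigned char *body = buf + 10;
    if (body[0] != 0x00)
        return -1;                          /* only encoding 0 (latin1) handled here */
    return latin1_to_utf8(body + 1, size - 1, out, out_cap);
}

/* Build a TPE1 frame carrying `latin1_text` into dst (constructed sample data,
   not taken from the POC file). Returns the frame's total length, 0 if dst is
   too small. */
size_t build_tpe1_frame(unsigned char *dst, size_t dst_cap, const char *latin1_text)
{
    size_t tlen = strlen(latin1_text);
    uint32_t size = (uint32_t)(tlen + 1);   /* encoding byte + text */
    size_t total = 10 + size;
    if (total > dst_cap)
        return 0;
    memcpy(dst, "TPE1", 4);
    dst[4] = (unsigned char)(size >> 24);
    dst[5] = (unsigned char)(size >> 16);
    dst[6] = (unsigned char)(size >> 8);
    dst[7] = (unsigned char)size;
    dst[8] = dst[9] = 0;                    /* flags */
    dst[10] = 0x00;                         /* encoding: ISO-8859-1 */
    memcpy(dst + 11, latin1_text, tlen);
    return total;
}

/* Build a frame for `text`, then hand it to the parser with `missing` bytes
   chopped off the end, simulating a tag that is shorter than the frame header
   claims. Returns the parser's result. */
long parse_sample(const char *text, size_t missing, char *out, size_t out_cap)
{
    unsigned char frame[128];
    size_t n = build_tpe1_frame(frame, sizeof frame, text);
    if (n == 0 || missing > n)
        return -1;
    return parse_id3v23_text_frame(frame, n - missing, out, out_cap);
}

int main(void)
{
    char out[128];
    const char *text = "SoundJay.com Sound Effect";
    long ok  = parse_sample(text, 0, out, sizeof out);
    printf("intact frame    -> %ld bytes: \"%s\"\n", ok, out);
    long cut = parse_sample(text, 1, out, sizeof out);
    printf("truncated frame -> %ld (rejected before conversion)\n", cut);
    long acc = parse_sample("Caf\xe9", 0, out, sizeof out);
    printf("latin1 0xE9     -> %ld bytes: \"%s\"\n", acc, out);
    return 0;
}
```

The intact frame converts to 25 bytes; the same frame with one byte missing is rejected by the size check instead of being passed to the converter with a length one larger than the data, which is the shape of the over-read the sanitizer report shows. Running the real mpg123 under ASan, as the reporter did, remains the way to confirm the library's own behaviour on a given input.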