Bug 1499600
| Field | Value |
|---|---|
| Summary | NULL Pointer Dereference vulnerability in libextractor when getting FLAC metadata from libFLAC |
| Product | Fedora |
| Component | libextractor |
| Reporter | Leon <leon.zhao.7> |
| Assignee | Gwyn Ciesla <gwync> |
| Status | CLOSED ERRATA |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | high |
| Priority | unspecified |
| Version | 27 |
| CC | gwync, sheltren |
| Hardware | Unspecified |
| OS | Linux |
| Fixed In Version | libextractor-1.6-1.fc26 libextractor-1.6-1.fc25 libextractor-1.6-1.fc27 |
| Doc Type | If docs needed, set a value |
| Type | Bug |
| Last Closed | 2017-10-30 16:18:18 UTC |
libextractor-1.6-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-8cca61e2fa

libextractor-1.6-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-4a42419c16

libextractor-1.6-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-611d7cc98b

libextractor-1.6-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-611d7cc98b

libextractor-1.6-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-4a42419c16

libextractor-1.6-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-8cca61e2fa

libextractor-1.6-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

libextractor-1.6-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

libextractor-1.6-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
Created attachment 1336094 [details]
POC file that crashes libextract

Description of problem:
libextract gets a null pointer from libFlac

Version-Release number of selected component (if applicable):
libextract v1.4
libFlac v1.3.2

How reproducible:
./extract -i $POC

Steps to Reproduce:
The output with address sanitizer enabled

./extract -i extract-flac_metadata-344.crash
Keywords for file extract-flac_metadata-344.crash:
resource type - 44100 Hz, 2 channels
ASAN:SIGSEGV
=================================================================
==30641==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fb791b19479 bp 0x7ffc62c98f50 sp 0x7ffc62c98df0 T0)
    #0 0x7fb791b19478 in flac_metadata /root/libextractor-1.4/src/plugins/flac_extractor.c:344
    #1 0x7fb7918d1f31 in read_metadata_ /root/flac-1.3.2/src/libFLAC/stream_decoder.c:1511
    #2 0x7fb7918d676f in FLAC__stream_decoder_process_until_end_of_metadata /root/flac-1.3.2/src/libFLAC/stream_decoder.c:1054
    #3 0x7fb791b198e5 in EXTRACTOR_flac_extract_method /root/libextractor-1.4/src/plugins/flac_extractor.c:475
    #4 0x7fb797e4c792 in do_extract /root/libextractor-1.4/src/main/extractor.c:577
    #5 0x7fb797e4cb98 in EXTRACTOR_extract /root/libextractor-1.4/src/main/extractor.c:655
    #6 0x4044c9 in main /root/libextractor-1.4/src/main/extract.c:977
    #7 0x7fb797a8782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #8 0x4017c8 in _start (/opt/asan/bin/extract+0x4017c8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/libextractor-1.4/src/plugins/flac_extractor.c:344 flac_metadata
==30641==ABORTING

gdb output and backtrace

Starting program: /opt/asan/bin/extract -i extract-flac_metadata-344.crash
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Keywords for file extract-flac_metadata-344.crash:
resource type - 44100 Hz, 2 channels

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff0919479 in flac_metadata (decoder=0x60200000cc90, metadata=0x7fffffff9db0, client_data=0x7fffffffa060) at flac_extractor.c:344
344	      while ( ('=' != *eq) && ('\0' != *eq) &&
(gdb) p eq
$1 = 0x0
(gdb) bt
#0  0x00007ffff0919479 in flac_metadata (decoder=0x60200000cc90, metadata=0x7fffffff9db0, client_data=0x7fffffffa060) at flac_extractor.c:344
#1  0x00007ffff06d1f32 in read_metadata_ (decoder=decoder@entry=0x60200000cc90) at stream_decoder.c:1511
#2  0x00007ffff06d6770 in FLAC__stream_decoder_process_until_end_of_metadata (decoder=0x60200000cc90) at stream_decoder.c:1054
#3  0x00007ffff09198e6 in EXTRACTOR_flac_extract_method (ec=0x7fffffffa060) at flac_extractor.c:475
#4  0x00007ffff6c09793 in do_extract (plugins=0x60800000b520, shm=0x0, ds=0x60300000ec20, proc=0x40255a <print_selected_keywords>, proc_cls=0x0) at extractor.c:577
#5  0x00007ffff6c09b99 in EXTRACTOR_extract (plugins=0x60800000b520, filename=0x60800000be59 "extract-flac_metadata-344.crash", data=0x0, size=0, proc=0x40255a <print_selected_keywords>, proc_cls=0x0) at extractor.c:655
#6  0x00000000004044ca in main (argc=3, argv=0x7fffffffe4c8) at extract.c:977
(gdb) l
339	    {
340	      entry = &vc->comments[count];
341	      eq = (const char*) entry->entry;
342	      len = entry->length;
343	      ilen = 0;
344	      while ( ('=' != *eq) && ('\0' != *eq) &&
345	              (ilen < len) )
346	        {
347	          eq++;
348	          ilen++;
(gdb)

Actual results:
crash

Expected results:
crash

Additional info:
This vulnerability was detected by Zhao Liang, Huawei Weiran Labs
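The listing above shows why the crash happens: the loop at flac_extractor.c:344 dereferences `*eq` before it tests `ilen < len`, and gdb shows `eq` is `0x0` for the comment entry libFLAC handed to the callback. The same ordering also means a comment that is not NUL-terminated and contains no `=` is read one byte past `entry->length`. The program below is an added example, not libextractor's code or the fix shipped in 1.6: it splits a Vorbis comment into key and value with the NULL test and the bounds test placed before every dereference. `struct vc_entry` redeclares only the `length` and `entry` fields of libFLAC's `FLAC__StreamMetadata_VorbisComment_Entry` so the file builds without libFLAC; every other name and the sample inputs are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mirrors the two fields of libFLAC's FLAC__StreamMetadata_VorbisComment_Entry
 * that flac_extractor.c reads (length and entry). Redeclared here (assumption)
 * so the example builds without libFLAC headers. */
struct vc_entry {
    uint32_t length;
    uint8_t *entry;
};

/* One parsed "KEY=value" comment; key and value point into the entry. */
struct comment_kv {
    const char *key;
    uint32_t key_len;
    const char *value;
    uint32_t value_len;
};

/* Split a Vorbis comment into key and value.
 * Returns 1 and fills *out on success, 0 if the entry is unusable: NULL data
 * (the eq == 0x0 case from the report), zero length, empty key, or no '='
 * inside the first `length` bytes. Unlike the loop at flac_extractor.c:344,
 * the bounds test runs before every dereference, so an entry that is not
 * NUL-terminated is never read past entry[length - 1]. */
int split_vorbis_comment(const struct vc_entry *e, struct comment_kv *out)
{
    const char *eq;
    uint32_t len, ilen;

    if (NULL == e || NULL == e->entry || 0 == e->length || NULL == out)
        return 0;
    eq = (const char *) e->entry;
    len = e->length;
    for (ilen = 0; ilen < len; ilen++) {
        if ('=' == eq[ilen] || '\0' == eq[ilen])
            break;
    }
    /* Short-circuit order matters: eq[ilen] is only read when ilen < len. */
    if (ilen >= len || '=' != eq[ilen] || 0 == ilen)
        return 0;
    out->key = eq;
    out->key_len = ilen;
    out->value = eq + ilen + 1;
    out->value_len = len - ilen - 1;
    return 1;
}

/* Wrap the first `len` bytes of `s` in a vc_entry (deliberately without a
 * terminating NUL) and split it. Returns the key length, or -1 if rejected. */
long split_literal_key_len(const char *s, uint32_t len)
{
    uint8_t buf[64];
    struct vc_entry e;
    struct comment_kv kv;

    if (len > sizeof buf)
        return -1;
    memcpy(buf, s, len);
    e.length = len;
    e.entry = buf;
    return split_vorbis_comment(&e, &kv) ? (long) kv.key_len : -1;
}

/* The shape gdb showed in the report: a comment entry whose data pointer is
 * NULL. Returns 1 if the splitter rejects it without dereferencing. */
int null_entry_is_rejected(void)
{
    struct vc_entry e = { 0, NULL };
    struct comment_kv kv;
    return 0 == split_vorbis_comment(&e, &kv);
}

int main(void)
{
    /* Constructed sample comments: well-formed, empty value, empty key,
     * and a non-terminated entry with no '=' at all. */
    const char *samples[] = { "TITLE=Foo", "ARTIST=", "=novalue", "NOEQUALS" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s -> key_len %ld\n", samples[i],
               split_literal_key_len(samples[i], (uint32_t) strlen(samples[i])));
    printf("NULL entry rejected: %d\n", null_entry_is_rejected());
    return 0;
}
```

Compiling with `-fsanitize=address` and feeding the `NOEQUALS` case is a quick way to confirm the difference: with the test order from line 344 the read of `eq[len]` shows up as a heap or stack overflow, with the order used here it does not.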