Bug 1465819 - There is a heap buffer overflow in mpg123 latest version.
Summary: There is a heap buffer overflow in mpg123 latest version.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: mpg123
Version: 27
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: urgent
Target Milestone: ---
Assignee: Wim Taymans
QA Contact: Fedora Extras Quality Assurance
Reported: 2017-06-28 09:41 UTC by owl337
Modified: 2017-09-30 06:38 UTC (History)

Fixed In Version: mpg123-1.25.6-1.fc26 mpg123-1.25.6-1.fc25 mpg123-1.25.6-1.fc27
Last Closed: 2017-09-20 22:54:06 UTC
Type: Bug


Attachments:
Triggered by "mpg123 POC1" (4.35 KB, application/x-rar)
2017-06-28 09:41 UTC, owl337

Description owl337 2017-06-28 09:41:48 UTC
Created attachment 1292604
Triggered by "mpg123 POC1"

Description of problem:

There is a heap buffer overflow in the function messageAddArgument() at line 414. 

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

$./mpg123 POC1

Steps to Reproduce:

The debugging information is as follows:

$./mpg123 POC1

High Performance MPEG 1.0/2.0/2.5 Audio Player for Layers 1, 2 and 3
	version 1.25.0; written and copyright by Michael Hipp and others
	free software (LGPL) without any warranty but with best wishes

Directory: fuzz/

Terminal control enabled, press 'h' for listing of keys and functions.

Playing MPEG stream 1 of 1: POC1 ...
=================================================================
==6766==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000c8f5 at pc 0x7fe0e3ced812 bp 0x7ffe8de06150 sp 0x7ffe8de06148
READ of size 1 at 0x60400000c8f5 thread T0
    #0 0x7fe0e3ced811  (/home/icy/real/mpg123-1.25.0-asan/install/lib/libmpg123.so.0+0x47811)
    #1 0x7fe0e3ce2067  (/home/icy/real/mpg123-1.25.0-asan/install/lib/libmpg123.so.0+0x3c067)
    #2 0x7fe0e3ce4e3b  (/home/icy/real/mpg123-1.25.0-asan/install/lib/libmpg123.so.0+0x3ee3b)
    #3 0x7fe0e3cbc241  (/home/icy/real/mpg123-1.25.0-asan/install/lib/libmpg123.so.0+0x16241)
    #4 0x7fe0e3d033eb  (/home/icy/real/mpg123-1.25.0-asan/install/lib/libmpg123.so.0+0x5d3eb)
    #5 0x7fe0e3d03e74  (/home/icy/real/mpg123-1.25.0-asan/install/lib/libmpg123.so.0+0x5de74)
    #6 0x5060f7  (/home/icy/real/mpg123-1.25.0-asan/install/bin/mpg123+0x5060f7)
    #7 0x50a177  (/home/icy/real/mpg123-1.25.0-asan/install/bin/mpg123+0x50a177)
    #8 0x7fe0e2b8282f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x41af28  (/home/icy/real/mpg123-1.25.0-asan/install/bin/mpg123+0x41af28)

0x60400000c8f5 is located 0 bytes to the right of 37-byte region [0x60400000c8d0,0x60400000c8f5)
allocated by thread T0 here:
    #0 0x4bb058  (/home/icy/real/mpg123-1.25.0-asan/install/bin/mpg123+0x4bb058)
    #1 0x7fe0e3ce2bae  (/home/icy/real/mpg123-1.25.0-asan/install/lib/libmpg123.so.0+0x3cbae)
    #2 0x7fe0e3cbc241  (/home/icy/real/mpg123-1.25.0-asan/install/lib/libmpg123.so.0+0x16241)
    #3 0x7fe0e3d033eb  (/home/icy/real/mpg123-1.25.0-asan/install/lib/libmpg123.so.0+0x5d3eb)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/icy/real/mpg123-1.25.0-asan/install/lib/libmpg123.so.0+0x47811) 
Shadow bytes around the buggy address:
  0x0c087fff98c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff98d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff98e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff98f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c087fff9910: fa fa fa fa fa fa fa fa fa fa 00 00 00 00[05]fa
  0x0c087fff9920: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fff9930: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
  0x0c087fff9940: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
  0x0c087fff9950: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fff9960: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==6766==ABORTING


The GDB debugging information is as follows:

(gdb)set args POC1
(gdb) r
=12531==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000c8b5 at pc 0x7ffff7b0e812 bp 0x7fffffffd690 sp 0x7fffffffd688
READ of size 1 at 0x60400000c8b5 thread T0
...
(gdb) bt
#0  convert_latin1 (sb=0x60600000e440, s=0x60400000c89b "SoundJay.com Sound Effect", l=27, noquiet=<optimized out>)
    at src/libmpg123/id3.c:979
#1  0x00007ffff7b03068 in INT123_id3_to_utf8 (sb=<optimized out>, encoding=<optimized out>, 
    source=0x60400000c89b "SoundJay.com Sound Effect", source_size=27, noquiet=<optimized out>)
    at src/libmpg123/id3.c:309
#2  0x00007ffff7b05e3c in store_id3_text (sb=0x60600000e440, noquiet=<optimized out>, source=<optimized out>, 
    source_size=<optimized out>, notranslate=<optimized out>) at src/libmpg123/id3.c:274
#3  process_text (fr=0x62c000000200, realsize=28, id=0x7fffffffd880 "TPE1", realdata=<optimized out>)
    at src/libmpg123/id3.c:368
#4  INT123_parse_new_id3 (fr=0x62c000000200, first4bytes=105827994224784) at src/libmpg123/id3.c:917
#5  0x00007ffff7add242 in handle_id3v2 (fr=0x62c000000200, newhead=1229206275) at src/libmpg123/parse.c:1071
#6  skip_junk (fr=<optimized out>, newheadp=<optimized out>, headcount=<optimized out>) at src/libmpg123/parse.c:1152
#7  INT123_read_frame (fr=<optimized out>) at src/libmpg123/parse.c:525
#8  0x00007ffff7b243ec in get_next_frame (mh=<optimized out>) at src/libmpg123/libmpg123.c:625
#9  0x00007ffff7b24e75 in mpg123_decode_frame (mh=<optimized out>, num=<optimized out>, audio=<optimized out>, 
    bytes=<optimized out>) at src/libmpg123/libmpg123.c:861
#10 0x00000000005060f8 in play_frame () at src/mpg123.c:739
#11 0x000000000050a178 in main (sys_argc=<optimized out>, sys_argv=<optimized out>) at src/mpg123.c:1363


Actual results:

crash

Expected results:

crash

Additional info:

Credits:

This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao   and chaoz.cn if you need more info about the team, the tool or the vulnerability.
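
The following triage sketch is an added example, not part of the original report or of mpg123. It parses the ASan and gdb lines quoted above, checks the fault address against the shadow-byte row, and places the `s`/`l` arguments of frame #0 inside the overflowed block. It assumes the gdb run hit the same 37-byte allocation at a different heap address, and that the build used ASan's default x86_64 Linux shadow offset.

```python
import re

# Lines copied from the report above: the ASan run, then the gdb run.
ASAN = ("READ of size 1 at 0x60400000c8f5 thread T0\n"
        "0x60400000c8f5 is located 0 bytes to the right of 37-byte region "
        "[0x60400000c8d0,0x60400000c8f5)\n")
GDB_FAULT = "READ of size 1 at 0x60400000c8b5 thread T0"
GDB_FRAME = ('#0  convert_latin1 (sb=0x60600000e440, s=0x60400000c89b '
             '"SoundJay.com Sound Effect", l=27, noquiet=<optimized out>)')

SHADOW_OFFSET = 0x7FFF8000  # assumption: ASan default for x86_64 Linux
ACCESS = re.compile(r"(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)")
REGION = re.compile(r"(\d+) bytes to the right of (\d+)-byte region "
                    r"\[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")


def parse_asan(text):
    """Extract access kind, fault address and heap region from an ASan report."""
    acc, reg = ACCESS.search(text), REGION.search(text)
    return {"kind": acc.group(1), "size": int(acc.group(2)),
            "fault": int(acc.group(3), 16), "past_end": int(reg.group(1)),
            "region_size": int(reg.group(2)),
            "start": int(reg.group(3), 16), "end": int(reg.group(4), 16)}


def shadow_of_fault(report):
    """Shadow address of the fault and the byte expected there.

    One shadow byte covers 8 application bytes; a value k in 1..7 means only
    the first k bytes of that granule are addressable (start is 8-aligned).
    """
    return (report["fault"] >> 3) + SHADOW_OFFSET, report["region_size"] % 8


def locate_read(report, fault_line, frame):
    """Place the (s, l) pair of a gdb frame inside the overflowed region.

    Assumption: same allocation size and same distance past the end as in
    the ASan run, only the heap address differs.
    """
    fault = int(ACCESS.search(fault_line).group(3), 16)
    m = re.search(r"\bs=(0x[0-9a-f]+).*?\bl=(\d+)", frame)
    ptr, length = int(m.group(1), 16), int(m.group(2))
    end = fault - report["past_end"]
    start = end - report["region_size"]
    return {"offset": ptr - start, "length": length,
            "fault_index": fault - ptr, "overrun": ptr + length - end}
```

On the quoted data the shadow address lands on the `[05]` cell of the `0x0c087fff9910` row, and the 27-byte source string starts 11 bytes into the 37-byte block, so its last byte (index 26) is the single byte past the end that ASan flags.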

Comment 1 Salvatore Bonaccorso 2017-07-02 09:10:57 UTC
This is possibly a duplicate of upstream reported https://sourceforge.net/p/mpg123/bugs/252/

Comment 4 Jan Kurik 2017-08-15 09:11:21 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.

Comment 5 Fedora Update System 2017-09-17 23:35:27 UTC
mpg123-1.25.6-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-c89d94d812

Comment 6 Fedora Update System 2017-09-17 23:35:51 UTC
mpg123-1.25.6-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-172410ec92

Comment 7 Fedora Update System 2017-09-17 23:36:08 UTC
mpg123-1.25.6-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-12794057a6

Comment 8 Fedora Update System 2017-09-18 22:22:14 UTC
mpg123-1.25.6-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-12794057a6

Comment 9 Fedora Update System 2017-09-19 04:21:06 UTC
mpg123-1.25.6-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-c89d94d812

Comment 10 Fedora Update System 2017-09-19 05:22:16 UTC
mpg123-1.25.6-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-172410ec92

Comment 11 Fedora Update System 2017-09-20 22:54:06 UTC
mpg123-1.25.6-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2017-09-22 23:23:32 UTC
mpg123-1.25.6-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2017-09-30 06:38:20 UTC
mpg123-1.25.6-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

