Bug 1465819 - There is a heap buffer overflow in mpg123 latest version.
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: mpg123
Version: 27
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: urgent
Assigned To: Wim Taymans
QA Contact: Fedora Extras Quality Assurance
Keywords: Reopened
Reported: 2017-06-28 05:41 EDT by owl337
Modified: 2017-09-22 19:23 EDT (History)
Fixed In Version: mpg123-1.25.6-1.fc26 mpg123-1.25.6-1.fc25
Last Closed: 2017-09-20 18:54:06 EDT
Type: Bug

Attachments
Triggered by "mpg123 POC1" (4.35 KB, application/x-rar), 2017-06-28 05:41 EDT, owl337

Description owl337 2017-06-28 05:41:48 EDT
Created attachment 1292604
Triggered by "mpg123 POC1"

Description of problem:

There is a heap buffer overflow in the function messageAddArgument() at line 414. 

Version-Release number of selected component (if applicable):

<= latest version

How reproducible:

$./mpg123 POC1

Steps to Reproduce:

The debugging information is as follows:

$./mpg123 POC1

High Performance MPEG 1.0/2.0/2.5 Audio Player for Layers 1, 2 and 3
	version 1.25.0; written and copyright by Michael Hipp and others
	free software (LGPL) without any warranty but with best wishes

Directory: fuzz/

Terminal control enabled, press 'h' for listing of keys and functions.

Playing MPEG stream 1 of 1: POC1 ...
=================================================================
==6766==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000c8f5 at pc 0x7fe0e3ced812 bp 0x7ffe8de06150 sp 0x7ffe8de06148
READ of size 1 at 0x60400000c8f5 thread T0
    #0 0x7fe0e3ced811  (/home/icy/real/mpg123-1.25.0-asan/install/lib/libmpg123.so.0+0x47811)
    #1 0x7fe0e3ce2067  (/home/icy/real/mpg123-1.25.0-asan/install/lib/libmpg123.so.0+0x3c067)
    #2 0x7fe0e3ce4e3b  (/home/icy/real/mpg123-1.25.0-asan/install/lib/libmpg123.so.0+0x3ee3b)
    #3 0x7fe0e3cbc241  (/home/icy/real/mpg123-1.25.0-asan/install/lib/libmpg123.so.0+0x16241)
    #4 0x7fe0e3d033eb  (/home/icy/real/mpg123-1.25.0-asan/install/lib/libmpg123.so.0+0x5d3eb)
    #5 0x7fe0e3d03e74  (/home/icy/real/mpg123-1.25.0-asan/install/lib/libmpg123.so.0+0x5de74)
    #6 0x5060f7  (/home/icy/real/mpg123-1.25.0-asan/install/bin/mpg123+0x5060f7)
    #7 0x50a177  (/home/icy/real/mpg123-1.25.0-asan/install/bin/mpg123+0x50a177)
    #8 0x7fe0e2b8282f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x41af28  (/home/icy/real/mpg123-1.25.0-asan/install/bin/mpg123+0x41af28)

0x60400000c8f5 is located 0 bytes to the right of 37-byte region [0x60400000c8d0,0x60400000c8f5)
allocated by thread T0 here:
    #0 0x4bb058  (/home/icy/real/mpg123-1.25.0-asan/install/bin/mpg123+0x4bb058)
    #1 0x7fe0e3ce2bae  (/home/icy/real/mpg123-1.25.0-asan/install/lib/libmpg123.so.0+0x3cbae)
    #2 0x7fe0e3cbc241  (/home/icy/real/mpg123-1.25.0-asan/install/lib/libmpg123.so.0+0x16241)
    #3 0x7fe0e3d033eb  (/home/icy/real/mpg123-1.25.0-asan/install/lib/libmpg123.so.0+0x5d3eb)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/icy/real/mpg123-1.25.0-asan/install/lib/libmpg123.so.0+0x47811) 
Shadow bytes around the buggy address:
  0x0c087fff98c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff98d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff98e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff98f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c087fff9910: fa fa fa fa fa fa fa fa fa fa 00 00 00 00[05]fa
  0x0c087fff9920: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fff9930: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
  0x0c087fff9940: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
  0x0c087fff9950: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fff9960: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==6766==ABORTING


The GDB debugging information is as follows:

(gdb)set args POC1
(gdb) r
=12531==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000c8b5 at pc 0x7ffff7b0e812 bp 0x7fffffffd690 sp 0x7fffffffd688
READ of size 1 at 0x60400000c8b5 thread T0
...
(gdb) bt
#0  convert_latin1 (sb=0x60600000e440, s=0x60400000c89b "SoundJay.com Sound Effect", l=27, noquiet=<optimized out>)
    at src/libmpg123/id3.c:979
#1  0x00007ffff7b03068 in INT123_id3_to_utf8 (sb=<optimized out>, encoding=<optimized out>, 
    source=0x60400000c89b "SoundJay.com Sound Effect", source_size=27, noquiet=<optimized out>)
    at src/libmpg123/id3.c:309
#2  0x00007ffff7b05e3c in store_id3_text (sb=0x60600000e440, noquiet=<optimized out>, source=<optimized out>, 
    source_size=<optimized out>, notranslate=<optimized out>) at src/libmpg123/id3.c:274
#3  process_text (fr=0x62c000000200, realsize=28, id=0x7fffffffd880 "TPE1", realdata=<optimized out>)
    at src/libmpg123/id3.c:368
#4  INT123_parse_new_id3 (fr=0x62c000000200, first4bytes=105827994224784) at src/libmpg123/id3.c:917
#5  0x00007ffff7add242 in handle_id3v2 (fr=0x62c000000200, newhead=1229206275) at src/libmpg123/parse.c:1071
#6  skip_junk (fr=<optimized out>, newheadp=<optimized out>, headcount=<optimized out>) at src/libmpg123/parse.c:1152
#7  INT123_read_frame (fr=<optimized out>) at src/libmpg123/parse.c:525
#8  0x00007ffff7b243ec in get_next_frame (mh=<optimized out>) at src/libmpg123/libmpg123.c:625
#9  0x00007ffff7b24e75 in mpg123_decode_frame (mh=<optimized out>, num=<optimized out>, audio=<optimized out>, 
    bytes=<optimized out>) at src/libmpg123/libmpg123.c:861
#10 0x00000000005060f8 in play_frame () at src/mpg123.c:739
#11 0x000000000050a178 in main (sys_argc=<optimized out>, sys_argv=<optimized out>) at src/mpg123.c:1363


Actual results:

crash

Expected results:

crash

Additional info:

Credits:

This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao@gmail.com and chaoz@tsinghua.edu.cn if you need more info about the team, the tool or the vulnerability.
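The report above is unsymbolized (module-relative offsets only), so the first triage step is to pull out the facts that matter before reaching for a debugger: error class, access type and size, where the faulting address sits relative to the heap region ASan associates with it, and which frames to symbolize. The following is an added example, my own code rather than anything from the reporter or from mpg123; it parses the AddressSanitizer output quoted in this bug into those fields and cross-checks the numbers against each other. The sample text is copied from the report above with the frame lists shortened, and the helper names (parse_asan_report, first_frame_in, symbolize_command, triage_summary) are mine.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the lines of the AddressSanitizer report in this bug that a
# triage parser needs (frame lists shortened; all values are the report's own).
SAMPLE_REPORT = """\
==6766==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000c8f5 at pc 0x7fe0e3ced812 bp 0x7ffe8de06150 sp 0x7ffe8de06148
READ of size 1 at 0x60400000c8f5 thread T0
    #0 0x7fe0e3ced811  (/home/icy/real/mpg123-1.25.0-asan/install/lib/libmpg123.so.0+0x47811)
    #1 0x7fe0e3ce2067  (/home/icy/real/mpg123-1.25.0-asan/install/lib/libmpg123.so.0+0x3c067)
    #8 0x7fe0e2b8282f  (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

0x60400000c8f5 is located 0 bytes to the right of 37-byte region [0x60400000c8d0,0x60400000c8f5)
allocated by thread T0 here:
    #0 0x4bb058  (/home/icy/real/mpg123-1.25.0-asan/install/bin/mpg123+0x4bb058)
    #1 0x7fe0e3ce2bae  (/home/icy/real/mpg123-1.25.0-asan/install/lib/libmpg123.so.0+0x3cbae)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/icy/real/mpg123-1.25.0-asan/install/lib/libmpg123.so.0+0x47811)
==6766==ABORTING
"""

ERROR_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address 0x(?P<addr>[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at 0x[0-9a-f]+ thread T\d+")
REGION_RE = re.compile(r"^0x[0-9a-f]+ is located (?P<dist>\d+) bytes (?:to the (?P<side>left|right) of|inside of) "
                       r"(?P<size>\d+)-byte region \[0x(?P<start>[0-9a-f]+),0x(?P<end>[0-9a-f]+)\)")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+\s+\((?P<module>[^+)]+)\+0x(?P<off>[0-9a-f]+)\)")

Frame = Tuple[str, int]  # (module path, module-relative offset as printed after '+')


@dataclass
class AsanReport:
    kind: str            # e.g. "heap-buffer-overflow"
    op: str              # "READ" or "WRITE"
    size: int            # bytes accessed
    addr: int            # faulting address
    region_start: int    # bounds of the heap region ASan tied to the address
    region_end: int
    access_stack: List[Frame] = field(default_factory=list)
    alloc_stack: List[Frame] = field(default_factory=list)

    @property
    def region_size(self) -> int:
        return self.region_end - self.region_start

    @property
    def offset_past_end(self) -> int:
        return self.addr - self.region_end  # 0: the very first byte after the region


def parse_asan_report(text: str) -> AsanReport:
    kind = op = None
    size = addr = start = end = 0
    stacks: Dict[str, List[Frame]] = {"access": [], "alloc": []}
    section = "access"
    for line in text.splitlines():
        if m := ERROR_RE.match(line):
            kind, addr = m["kind"], int(m["addr"], 16)
        elif m := ACCESS_RE.match(line):
            op, size = m["op"], int(m["size"])
        elif m := REGION_RE.match(line):
            start, end, dist = int(m["start"], 16), int(m["end"], 16), int(m["dist"])
            # Cross-check the sentence against the bracketed bounds: a mismatch means the
            # paste was truncated or edited and the numbers should not be trusted.
            if end - start != int(m["size"]):
                raise ValueError("region bounds disagree with stated size")
            expected = {"right": addr - end, "left": start - addr}.get(m["side"], addr - start)
            if expected != dist:
                raise ValueError("stated distance disagrees with faulting address")
        elif line.startswith("allocated by"):
            section = "alloc"   # frames from here on describe where the region was allocated
        elif m := FRAME_RE.match(line):
            stacks[section].append((m["module"], int(m["off"], 16)))
    if kind is None or op is None:
        raise ValueError("not an AddressSanitizer error report")
    return AsanReport(kind, op, size, addr, start, end, stacks["access"], stacks["alloc"])


def first_frame_in(stack: List[Frame], module_substring: str) -> Optional[Frame]:
    """First frame whose module path contains the substring, e.g. the library under test."""
    return next((f for f in stack if module_substring in f[0]), None)


def symbolize_command(frame: Frame) -> str:
    """addr2line call for an unsymbolized frame; the +0x offset is relative to the module base."""
    return f"addr2line -e {frame[0]} -f -C 0x{frame[1]:x}"


def triage_summary(r: AsanReport, lib: str) -> str:
    where = first_frame_in(r.access_stack, lib) or r.access_stack[0]
    alloc = first_frame_in(r.alloc_stack, lib)
    tail = f", region allocated at {alloc[0].split('/')[-1]}+0x{alloc[1]:x}" if alloc else ""
    return (f"{r.kind}: {r.op} of {r.size} byte(s) {r.offset_past_end} byte(s) past the end of a "
            f"{r.region_size}-byte heap region in {where[0].split('/')[-1]}+0x{where[1]:x}{tail}")
```

Calling `triage_summary(parse_asan_report(SAMPLE_REPORT), "libmpg123")` yields a one-line statement that the read touches the first byte past a 37-byte heap region from inside libmpg123.so.0, with the allocation site at libmpg123.so.0+0x3cbae; `symbolize_command` on the top frame produces the addr2line invocation that resolves +0x47811 against the same unstripped build (the GDB backtrace in the report already did that resolution by hand, landing in convert_latin1 at id3.c:979). Setting ASAN_SYMBOLIZER_PATH to an llvm-symbolizer binary when running the instrumented program avoids the manual step entirely. The cross-checks on the "is located" line are there because pasted reports are often truncated or reformatted, and a triage decision built on inconsistent numbers is worse than none.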
Comment 1 Salvatore Bonaccorso 2017-07-02 05:10:57 EDT
This is possibly a duplicate of upstream reported https://sourceforge.net/p/mpg123/bugs/252/
Comment 4 Jan Kurik 2017-08-15 05:11:21 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle.
Changing version to '27'.
Comment 5 Fedora Update System 2017-09-17 19:35:27 EDT
mpg123-1.25.6-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-c89d94d812
Comment 6 Fedora Update System 2017-09-17 19:35:51 EDT
mpg123-1.25.6-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-172410ec92
Comment 7 Fedora Update System 2017-09-17 19:36:08 EDT
mpg123-1.25.6-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-12794057a6
Comment 8 Fedora Update System 2017-09-18 18:22:14 EDT
mpg123-1.25.6-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-12794057a6
Comment 9 Fedora Update System 2017-09-19 00:21:06 EDT
mpg123-1.25.6-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-c89d94d812
Comment 10 Fedora Update System 2017-09-19 01:22:16 EDT
mpg123-1.25.6-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-172410ec92
Comment 11 Fedora Update System 2017-09-20 18:54:06 EDT
mpg123-1.25.6-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2017-09-22 19:23:32 EDT
mpg123-1.25.6-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.