Created attachment 1292604 [details]
Triggered by "mpg123 POC1"

Description of problem:
There is a heap buffer overflow in the function messageAddArgument() at line 414.

Version-Release number of selected component (if applicable):
<= latest version

How reproducible:
$./mpg123 POC1

Steps to Reproduce:
The debugging information is as follows:

$./mpg123 POC1
High Performance MPEG 1.0/2.0/2.5 Audio Player for Layers 1, 2 and 3
version 1.25.0; written and copyright by Michael Hipp and others
free software (LGPL) without any warranty but with best wishes
Directory: fuzz/
Terminal control enabled, press 'h' for listing of keys and functions.

Playing MPEG stream 1 of 1: POC1 ...
=================================================================
==6766==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000c8f5 at pc 0x7fe0e3ced812 bp 0x7ffe8de06150 sp 0x7ffe8de06148
READ of size 1 at 0x60400000c8f5 thread T0
    #0 0x7fe0e3ced811 (/home/icy/real/mpg123-1.25.0-asan/install/lib/libmpg123.so.0+0x47811)
    #1 0x7fe0e3ce2067 (/home/icy/real/mpg123-1.25.0-asan/install/lib/libmpg123.so.0+0x3c067)
    #2 0x7fe0e3ce4e3b (/home/icy/real/mpg123-1.25.0-asan/install/lib/libmpg123.so.0+0x3ee3b)
    #3 0x7fe0e3cbc241 (/home/icy/real/mpg123-1.25.0-asan/install/lib/libmpg123.so.0+0x16241)
    #4 0x7fe0e3d033eb (/home/icy/real/mpg123-1.25.0-asan/install/lib/libmpg123.so.0+0x5d3eb)
    #5 0x7fe0e3d03e74 (/home/icy/real/mpg123-1.25.0-asan/install/lib/libmpg123.so.0+0x5de74)
    #6 0x5060f7 (/home/icy/real/mpg123-1.25.0-asan/install/bin/mpg123+0x5060f7)
    #7 0x50a177 (/home/icy/real/mpg123-1.25.0-asan/install/bin/mpg123+0x50a177)
    #8 0x7fe0e2b8282f (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x41af28 (/home/icy/real/mpg123-1.25.0-asan/install/bin/mpg123+0x41af28)

0x60400000c8f5 is located 0 bytes to the right of 37-byte region [0x60400000c8d0,0x60400000c8f5)
allocated by thread T0 here:
    #0 0x4bb058 (/home/icy/real/mpg123-1.25.0-asan/install/bin/mpg123+0x4bb058)
    #1 0x7fe0e3ce2bae (/home/icy/real/mpg123-1.25.0-asan/install/lib/libmpg123.so.0+0x3cbae)
    #2 0x7fe0e3cbc241 (/home/icy/real/mpg123-1.25.0-asan/install/lib/libmpg123.so.0+0x16241)
    #3 0x7fe0e3d033eb (/home/icy/real/mpg123-1.25.0-asan/install/lib/libmpg123.so.0+0x5d3eb)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/home/icy/real/mpg123-1.25.0-asan/install/lib/libmpg123.so.0+0x47811)
Shadow bytes around the buggy address:
  0x0c087fff98c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff98d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff98e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff98f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff9900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c087fff9910: fa fa fa fa fa fa fa fa fa fa 00 00 00 00[05]fa
  0x0c087fff9920: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fff9930: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
  0x0c087fff9940: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
  0x0c087fff9950: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c087fff9960: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==6766==ABORTING

The GDB debugging information is as follows:

(gdb) set args POC1
(gdb) r
==12531==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000c8b5 at pc 0x7ffff7b0e812 bp 0x7fffffffd690 sp 0x7fffffffd688
READ of size 1 at 0x60400000c8b5 thread T0
...
(gdb) bt
#0  convert_latin1 (sb=0x60600000e440, s=0x60400000c89b "SoundJay.com Sound Effect", l=27, noquiet=<optimized out>) at src/libmpg123/id3.c:979
#1  0x00007ffff7b03068 in INT123_id3_to_utf8 (sb=<optimized out>, encoding=<optimized out>, source=0x60400000c89b "SoundJay.com Sound Effect", source_size=27, noquiet=<optimized out>) at src/libmpg123/id3.c:309
#2  0x00007ffff7b05e3c in store_id3_text (sb=0x60600000e440, noquiet=<optimized out>, source=<optimized out>, source_size=<optimized out>, notranslate=<optimized out>) at src/libmpg123/id3.c:274
#3  process_text (fr=0x62c000000200, realsize=28, id=0x7fffffffd880 "TPE1", realdata=<optimized out>) at src/libmpg123/id3.c:368
#4  INT123_parse_new_id3 (fr=0x62c000000200, first4bytes=105827994224784) at src/libmpg123/id3.c:917
#5  0x00007ffff7add242 in handle_id3v2 (fr=0x62c000000200, newhead=1229206275) at src/libmpg123/parse.c:1071
#6  skip_junk (fr=<optimized out>, newheadp=<optimized out>, headcount=<optimized out>) at src/libmpg123/parse.c:1152
#7  INT123_read_frame (fr=<optimized out>) at src/libmpg123/parse.c:525
#8  0x00007ffff7b243ec in get_next_frame (mh=<optimized out>) at src/libmpg123/libmpg123.c:625
#9  0x00007ffff7b24e75 in mpg123_decode_frame (mh=<optimized out>, num=<optimized out>, audio=<optimized out>, bytes=<optimized out>) at src/libmpg123/libmpg123.c:861
#10 0x00000000005060f8 in play_frame () at src/mpg123.c:739
#11 0x000000000050a178 in main (sys_argc=<optimized out>, sys_argv=<optimized out>) at src/mpg123.c:1363

Actual results:
crash

Expected results:
crash

Additional info:
Credits: This vulnerability is detected by team OWL337, with our custom fuzzer collAFL. Please contact ganshuitao and chaoz.cn if you need more info about the team, the tool or the vulnerability.
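In the backtrace above, convert_latin1() is asked to convert l=27 bytes while the faulting read sits at offset 26 from s (0x60400000c8b5 minus 0x60400000c89b), so the length taken from the frame header reaches one byte past the 37-byte allocation. As an added defensive example (not mpg123's own code), the converter below receives the bytes really remaining in the tag buffer as a separate bound and clamps the claimed length to it; the function names, the ID3v2.3 frame layout and the 37-byte sample buffer are constructed assumptions.

```c
#include <string.h>

/* Added example, not mpg123's code: convert an ID3v2 text payload declared as
 * ISO-8859-1 into NUL-terminated UTF-8, reading at most `avail` bytes from `s`
 * no matter how many bytes (`l`) the frame header claims.  Stops at an embedded
 * NUL.  Returns bytes written (excluding the NUL), or -1 if `out` is too small. */
long latin1_to_utf8_bounded(const unsigned char *s, size_t l, size_t avail,
                            char *out, size_t outcap)
{
    size_t n = l < avail ? l : avail;      /* clamp the claimed length to the buffer */
    size_t o = 0;
    for (size_t i = 0; i < n && s[i] != 0; i++) {
        unsigned c = s[i];
        size_t need = c < 0x80 ? 1 : 2;    /* Latin-1 maps to 1 or 2 UTF-8 bytes */
        if (o + need + 1 > outcap) return -1;
        if (c < 0x80) out[o++] = (char)c;
        else { out[o++] = (char)(0xC0 | (c >> 6)); out[o++] = (char)(0x80 | (c & 0x3F)); }
    }
    if (o >= outcap) return -1;
    out[o] = '\0';
    return (long)o;
}

/* Handle one ID3v2.3 text frame whose 10-byte header starts at `off` inside a
 * tag buffer of `tagsize` bytes; `realsize` is the body size from that header.
 * The bound handed down is what is really left in the buffer, not `realsize`.
 * Returns as above, or -2 if the header or the encoding byte is missing. */
long process_text_frame_bounded(const unsigned char *tag, size_t tagsize, size_t off,
                                size_t realsize, char *out, size_t outcap)
{
    if (off + 11 > tagsize || realsize < 1) return -2;   /* header + encoding byte */
    size_t body = off + 10;
    if (tag[body] != 0) return -2;         /* only encoding 0 (ISO-8859-1) handled here */
    return latin1_to_utf8_bounded(tag + body + 1, realsize - 1,
                                  tagsize - body - 1, out, outcap);
}

/* Constructed 37-byte buffer shaped like the report: a TPE1 frame claiming a
 * 28-byte body (encoding byte + 27 text bytes) while only 26 bytes remain. */
static const unsigned char TAG[37] = {
    'T','P','E','1', 0,0,0,28, 0,0, 0,
    'S','o','u','n','d','J','a','y','.','c','o','m',' ',
    'S','o','u','n','d',' ','E','f','f','e','c','t', 0
};

long convert_report_frame(char *out, size_t outcap)
{
    return process_text_frame_bounded(TAG, sizeof TAG, 0, 28, out, outcap);
}
```

Under ASan the same 37-byte input converts cleanly because the read stops at the 26 bytes that exist, not at the 27 the header promises.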
This is possibly a duplicate of upstream reported https://sourceforge.net/p/mpg123/bugs/252/
This bug appears to have been reported against 'rawhide' during the Fedora 27 development cycle. Changing version to '27'.
mpg123-1.25.6-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-c89d94d812
mpg123-1.25.6-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-172410ec92
mpg123-1.25.6-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-12794057a6
mpg123-1.25.6-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-12794057a6
mpg123-1.25.6-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-c89d94d812
mpg123-1.25.6-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-172410ec92
mpg123-1.25.6-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
mpg123-1.25.6-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
mpg123-1.25.6-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.