Created attachment 1336094 [details]
POC file that crashes libextract

Description of problem:
libextract gets a null pointer from libFlac

Version-Release number of selected component (if applicable):
libextract v1.4
libFlac v1.3.2

How reproducible:
./extract -i $POC

Steps to Reproduce:
The output with address sanitizer enabled

./extract -i extract-flac_metadata-344.crash
Keywords for file extract-flac_metadata-344.crash:
resource type - 44100 Hz, 2 channels
ASAN:SIGSEGV
=================================================================
==30641==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fb791b19479 bp 0x7ffc62c98f50 sp 0x7ffc62c98df0 T0)
    #0 0x7fb791b19478 in flac_metadata /root/libextractor-1.4/src/plugins/flac_extractor.c:344
    #1 0x7fb7918d1f31 in read_metadata_ /root/flac-1.3.2/src/libFLAC/stream_decoder.c:1511
    #2 0x7fb7918d676f in FLAC__stream_decoder_process_until_end_of_metadata /root/flac-1.3.2/src/libFLAC/stream_decoder.c:1054
    #3 0x7fb791b198e5 in EXTRACTOR_flac_extract_method /root/libextractor-1.4/src/plugins/flac_extractor.c:475
    #4 0x7fb797e4c792 in do_extract /root/libextractor-1.4/src/main/extractor.c:577
    #5 0x7fb797e4cb98 in EXTRACTOR_extract /root/libextractor-1.4/src/main/extractor.c:655
    #6 0x4044c9 in main /root/libextractor-1.4/src/main/extract.c:977
    #7 0x7fb797a8782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #8 0x4017c8 in _start (/opt/asan/bin/extract+0x4017c8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/libextractor-1.4/src/plugins/flac_extractor.c:344 flac_metadata
==30641==ABORTING

gdb output and backtrace

Starting program: /opt/asan/bin/extract -i extract-flac_metadata-344.crash
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Keywords for file extract-flac_metadata-344.crash:
resource type - 44100 Hz, 2 channels

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff0919479 in flac_metadata (decoder=0x60200000cc90, metadata=0x7fffffff9db0, client_data=0x7fffffffa060) at flac_extractor.c:344
344	      while ( ('=' != *eq) && ('\0' != *eq) &&
(gdb) p eq
$1 = 0x0
(gdb) bt
#0  0x00007ffff0919479 in flac_metadata (decoder=0x60200000cc90, metadata=0x7fffffff9db0, client_data=0x7fffffffa060) at flac_extractor.c:344
#1  0x00007ffff06d1f32 in read_metadata_ (decoder=decoder@entry=0x60200000cc90) at stream_decoder.c:1511
#2  0x00007ffff06d6770 in FLAC__stream_decoder_process_until_end_of_metadata (decoder=0x60200000cc90) at stream_decoder.c:1054
#3  0x00007ffff09198e6 in EXTRACTOR_flac_extract_method (ec=0x7fffffffa060) at flac_extractor.c:475
#4  0x00007ffff6c09793 in do_extract (plugins=0x60800000b520, shm=0x0, ds=0x60300000ec20, proc=0x40255a <print_selected_keywords>, proc_cls=0x0) at extractor.c:577
#5  0x00007ffff6c09b99 in EXTRACTOR_extract (plugins=0x60800000b520, filename=0x60800000be59 "extract-flac_metadata-344.crash", data=0x0, size=0, proc=0x40255a <print_selected_keywords>, proc_cls=0x0) at extractor.c:655
#6  0x00000000004044ca in main (argc=3, argv=0x7fffffffe4c8) at extract.c:977
(gdb) l
339	    {
340	      entry = &vc->comments[count];
341	      eq = (const char*) entry->entry;
342	      len = entry->length;
343	      ilen = 0;
344	      while ( ('=' != *eq) && ('\0' != *eq) &&
345	              (ilen < len) )
346	        {
347	          eq++;
348	          ilen++;
(gdb)

Actual results:
crash

Expected results:
crash

Additional info:
This vulnerability was detected by Zhao Liang, Huawei Weiran Labs
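The gdb session shows `eq` (taken from `entry->entry`) being NULL when the loop at flac_extractor.c:344 dereferences it. As an added example that is not libextractor's or libFLAC's code, and not the fix shipped in 1.6, the scanner below rejects a NULL entry pointer and tests the declared length before every read; `struct vc_entry` is an assumed stand-in for libFLAC's Vorbis comment entry type.

```c
/* Added example, not libextractor's or libFLAC's code: a NULL- and bounds-checked
 * scan for the '=' separator of a Vorbis comment entry. struct vc_entry is a
 * stand-in for libFLAC's FLAC__StreamMetadata_VorbisComment_Entry (assumption). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct vc_entry {
    uint32_t length;       /* declared byte length; not guaranteed NUL-terminated */
    unsigned char *entry;  /* may be NULL, which is what the POC triggers */
};

/* Key length (bytes before '='), or -1 if entry is NULL or no '=' lies within
 * length. The bound is tested before each dereference, unlike the loop at
 * flac_extractor.c:344, which reads *eq first and checks ilen < len second. */
static long vc_key_len(const unsigned char *entry, uint32_t length)
{
    if (entry == NULL)
        return -1;                  /* the case behind the SEGV at address 0 */
    for (uint32_t i = 0; i < length; i++) {
        if (entry[i] == '=')
            return (long) i;
        if (entry[i] == '\0')
            return -1;              /* malformed: NUL inside the comment */
    }
    return -1;                      /* no separator within the declared length */
}

int main(void)
{
    /* Constructed entries: a normal one, a NULL pointer like the POC, and one
     * whose '=' lies beyond its declared length. */
    unsigned char ok[] = "ARTIST=Example";
    struct vc_entry entries[] = { { 14, ok }, { 12, NULL }, { 6, ok } };
    for (size_t i = 0; i < 3; i++) {
        long k = vc_key_len(entries[i].entry, entries[i].length);
        if (k < 0)
            printf("entry %zu: skipped (NULL or no '=' within length)\n", i);
        else
            printf("entry %zu: key=%.*s value=%.*s\n", i,
                   (int) k, (const char *) entries[i].entry,
                   (int) (entries[i].length - k - 1),
                   (const char *) entries[i].entry + k + 1);
    }
    return 0;
}
```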
libextractor-1.6-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-8cca61e2fa
libextractor-1.6-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-4a42419c16
libextractor-1.6-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-611d7cc98b
libextractor-1.6-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-611d7cc98b
libextractor-1.6-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-4a42419c16
libextractor-1.6-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-8cca61e2fa
libextractor-1.6-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
libextractor-1.6-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
libextractor-1.6-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.