
#350 Double Free bug in resample_free

Milestone: svn
Status: closed-fixed
Owner: nobody
Labels: None
Priority: 5
Updated: 2023-03-19
Created: 2023-03-09
Private: No

Hello, we are developing a new fuzzing technique. Our fuzzer found a double free bug.

Command Input
./mpg123 -r 2424 -w8 <file_input>

The file for file_input is attached.

Stack Trace

==8396==ERROR: AddressSanitizer: attempting double-free on 0x610000000040 in thread T0:
    #0 0x7f3aa5ccc7a8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7a8)
    #1 0x7f3aa6c912ff in resample_free src/libsyn123/resample.c:2301
    #2 0x7f3aa6c935e8 in syn123_setup_resample src/libsyn123/resample.c:2576
    #3 0x557fabab062b in audio_prepare src/audio.c:132
    #4 0x557fabac7349 in play_frame src/mpg123.c:903
    #5 0x557fabaca315 in main src/mpg123.c:1479
    #6 0x7f3aa5480c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    #7 0x557fabaaff39 in _start (/home/youngseok/latest-subjects/mpg123/src/.libs/lt-mpg123+0x1ef39)

stdout

High Performance MPEG 1.0/2.0/2.5 Audio Player for Layers 1, 2 and 3
        version 1.32.0-dev; written and copyright by Michael Hipp and others
        free software (LGPL) without any warranty but with best wishes


Terminal control enabled, press 'h' for listing of keys and functions.

Playing MPEG stream 1 of 1: poc_file ...

MPEG 2.5 L III cbr64 12000 stereo
[src/libmpg123/layer3.c:INT123_do_layer3():1804] error: dequantization failed!
Note: Illegal Audio-MPEG-Header 0x0d0a3030 at offset 1097.
Note: Trying to resync...
Note: Skipped 851 bytes in input.

Warning: Big change from first (MPEG version, layer, rate). Frankenstein stream?
cannot allocate decimator state: Success

Environment
- OS: Ubuntu 18.04.1
- gcc: 7.5.0
- mpg123 (master branch, git-svn-id: svn://scm.orgis.org/mpg123/trunk@5247 35dc7657-300d-0410-a2e5-dc2837fedb5)

mpg123 is built with address sanitizers. Here is the build script:

autoreconf -f -i
CFLAGS="-fsanitize=address -g -O0" CXXFLAGS="-fsanitize=address -g -O0" ./configure
make -j

Discussion

  • Youngseok Choi - 2023-03-09

    Sorry, the command is messed up. This one is correct:

    ./mpg123 -r 2424 -w8 <input_file>
  • Thomas Orgis - 2023-03-09

    Thanks for finding that. Indeed a blunder where I did not handle a case of realloc(ptr, 0) correctly. This is triggered when a track changes sampling rate on the fly with the resampler in mpg123 being active.

    Without the sanitizer, mpg123 would fail to adapt to the changed sampling rate. Two buffers get realloc(p, 0), freeing both and returning NULL (with glibc). The initial pointer is then directly free()d again for both, with allocations or writes in between, in the same translation unit and thread.

    I am tempted to say that this is not exploitable beyond denial of service when the double free is detected, but of course I could be proven wrong.

    Revision 5248 has the fix. Maybe you can confirm?

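The realloc(ptr, 0) pitfall Thomas describes, as an added example that is not mpg123's code: the stale-pointer pattern next to a resize helper that handles size zero explicitly. The tracking allocator (t_realloc/t_free, the decimator struct and the two driver functions are all assumptions made for this example, modelled on glibc's behaviour of freeing and returning NULL for size 0) stands in for AddressSanitizer so the second free is counted instead of aborting the process.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_LIVE 16
static void *live[MAX_LIVE];   /* blocks currently allocated through t_realloc */
static int double_free_count;  /* t_free() calls on a pointer that is not live */

static void track_add(void *p) {
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == NULL) { live[i] = p; return; }
}

static int track_remove(void *p) {
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; return 1; }
    return 0;
}

/* Assumed tracking wrapper modelled on glibc: size 0 frees the block and
 * returns NULL, which a caller easily mistakes for an allocation failure. */
static void *t_realloc(void *p, size_t n) {
    if (n == 0) {
        if (p != NULL && track_remove(p)) free(p);
        return NULL;
    }
    void *q = realloc(p, n);
    if (q == NULL) return NULL;      /* old block untouched and still live */
    if (p != NULL) track_remove(p);
    track_add(q);
    return q;
}

/* Instead of aborting like ASan, count the double free and skip the real free(). */
static void t_free(void *p) {
    if (p == NULL) return;
    if (!track_remove(p)) { double_free_count++; return; }
    free(p);
}

struct decimator { void *buf; size_t len; };

/* The shape of the bug: resize to 0 frees the block, NULL looks like failure,
 * the caller keeps the stale pointer and the cleanup path frees it again. */
static int buggy_resize_then_free(void) {
    double_free_count = 0;
    struct decimator d = { t_realloc(NULL, 64), 64 };
    void *q = t_realloc(d.buf, 0);             /* block freed here, q == NULL */
    if (q != NULL) { d.buf = q; d.len = 0; }   /* never taken: d.buf stays stale */
    t_free(d.buf);                             /* second free of the same block */
    return double_free_count;
}

/* Hardened resize: size 0 is handled explicitly as "free and clear", so the
 * caller never depends on what realloc(p, 0) does; on failure the old block is
 * kept and the caller still owns exactly one valid pointer. */
static int decimator_resize(struct decimator *d, size_t n) {
    if (n == 0) {
        t_free(d->buf);
        d->buf = NULL;
        d->len = 0;
        return 0;
    }
    void *q = t_realloc(d->buf, n);
    if (q == NULL) return -1;        /* d->buf is still valid and owned */
    d->buf = q;
    d->len = n;
    return 0;
}

static void decimator_free(struct decimator *d) {
    t_free(d->buf);                  /* no-op on NULL after a resize to 0 */
    d->buf = NULL;
    d->len = 0;
}

static int safe_resize_then_free(void) {
    double_free_count = 0;
    struct decimator d = { NULL, 0 };
    if (decimator_resize(&d, 64) != 0) return -1;
    if (decimator_resize(&d, 0) != 0) return -1;   /* e.g. a rate change drops the stage */
    decimator_free(&d);
    return double_free_count;
}

int main(void) {
    printf("buggy pattern: %d double free(s)\n", buggy_resize_then_free());
    printf("safe pattern:  %d double free(s)\n", safe_resize_then_free());
    return 0;
}
```

The helper never calls realloc with size 0 at all: that case was implementation-defined before C23 (glibc frees and returns NULL, other allocators return a unique zero-length block) and is undefined behaviour in C23, so an explicit free-and-NULL branch is the only portable way to keep a single owner for the buffer.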
    • Youngseok Choi - 2023-03-10

      I can see the bug is fixed. Thanks for your hard work!

  • Thomas Orgis - 2023-03-19

    status: open --> closed-fixed
