This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug string/21346] New: crash in memcpy.S during attempted libvpx decoding


https://sourceware.org/bugzilla/show_bug.cgi?id=21346

            Bug ID: 21346
           Summary: crash in memcpy.S during attempted libvpx decoding
           Product: glibc
           Version: 2.19
            Status: UNCONFIRMED
          Severity: critical
          Priority: P2
         Component: string
          Assignee: unassigned at sourceware dot org
          Reporter: brian.carpenter at gmail dot com
  Target Milestone: ---

Created attachment 9963
  --> https://sourceware.org/bugzilla/attachment.cgi?id=9963&action=edit
malformed file that triggers crash

Compiled Google's libvpx with afl-clang-fast and while fuzzing vpxdec with AFL,
this segfault in glibc 2.19 was triggered:

ASAN_SYMBOLIZER_PATH=/usr/lib/llvm-3.5/bin/llvm-symbolizer ASAN_OPTIONS=detect_leaks=0,symbolize=1 ~/libvpx/vpxdec --keep-going test077 -o /dev/shm/out.file

Warning: Warning: Read invalid frame size (128) - not a raw file?

Warning: Warning: Read invalid frame size (150) - not a raw file?

Warning: Failed to decode frame 2: Bitstream not supported by this decoder
Warning: Warning: Read invalid frame size (9) - not a raw file?

Warning: Failed to decode frame 3: Corrupt frame detected
Warning: Additional information: Truncated packet or corrupt partition 1 length
ASAN:SIGSEGV
=================================================================
==26803==ERROR: AddressSanitizer: SEGV on unknown address 0x62a000030000 (pc
0x7f1be36ac8bb bp 0x00000000079a sp 0x7ffff38617f8 T0)
    #0 0x7f1be36ac8ba
/build/glibc-qK83Be/glibc-2.19/string/../sysdeps/x86_64/memcpy.S:270
    #1 0x7f1be369d29d in _IO_default_xsputn
/build/glibc-qK83Be/glibc-2.19/libio/genops.c:463
    #2 0x7f1be369b991 in _IO_file_xsputn
/build/glibc-qK83Be/glibc-2.19/libio/fileops.c:1345
    #3 0x7f1be3691aac in fwrite
/build/glibc-qK83Be/glibc-2.19/libio/iofwrite.c:43
    #4 0x4faffe in write_image_file /root/libvpx/vpxdec.c:291:7
    #5 0x4f6761 in main_loop /root/libvpx/vpxdec.c:980:11
    #6 0x4f6761 in main /root/libvpx/vpxdec.c:1070
    #7 0x7f1be3648b44 in __libc_start_main
/build/glibc-qK83Be/glibc-2.19/csu/libc-start.c:287
    #8 0x4edd6c in _start (/root/libvpx/vpxdec+0x4edd6c)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV
/build/glibc-qK83Be/glibc-2.19/string/../sysdeps/x86_64/memcpy.S:270 ??
==26803==ABORTING

