Package: faad
Version: 2.7-8
Severity: normal
Tags: upstream
I have an ADTS AAC file with an ID3v2 tag containing an image. Attempting to
skip this header by passing a value larger than the buffer size to
advance_buffer causes fill_buffer to misbehave. In a normal build the problem
shows up as a failure inside free(), but it is clearer when running under
valgrind:
==23880== Invalid write of size 8
==23880== at 0x50F81CB: __GI_memcpy (memcpy.S:267)
==23880== by 0x50E17D2: _IO_file_xsgetn (fileops.c:1414)
==23880== by 0x50D79B1: fread (iofread.c:44)
==23880== by 0x403930: ??? (in /usr/bin/faad)
==23880== by 0x401BAE: ??? (in /usr/bin/faad)
==23880== by 0x508EEAC: (below main) (libc-start.c:228)
==23880== Address 0x567a830 is 0 bytes after a block of size 4,608 alloc'd
==23880== at 0x4C28BED: malloc (in /usr/lib/valgrind/vgpreload_memcheck-
amd64-linux.so)
==23880== by 0x401AC2: ??? (in /usr/bin/faad)
==23880== by 0x508EEAC: (below main) (libc-start.c:228)
Here's a more useful log generated by a version of faad I compiled myself on
squeeze-i386:
==28965== Syscall param read(buf) points to unaddressable byte(s)
==28965== at 0x4A06073: __read_nocancel (syscall-template.S:82)
==28965== by 0x49B16F7: _IO_sgetn (genops.c:500)
==28965== by 0x49A52CD: fread (iofread.c:44)
==28965== by 0x8049150: fill_buffer (main.c:100)
==28965== by 0x8049544: decodeAACfile (main.c:478)
==28965== by 0x804A484: main (main.c:1249)
==28965== Address 0x6d20548 is 0 bytes after a block of size 4,608 alloc'd
==28965== at 0x48DEF50: malloc (vg_replace_malloc.c:236)
==28965== by 0x8049461: decodeAACfile (main.c:454)
==28965== by 0x804A484: main (main.c:1249)
==28965==
==28965== Invalid write of size 1
==28965== at 0x48E091F: memcpy (mc_replace_strmem.c:497)
==28965== by 0x49AF737: _IO_file_xsgetn (fileops.c:1414)
==28965== by 0x49B16F7: _IO_sgetn (genops.c:500)
==28965== by 0x49A52CD: fread (iofread.c:44)
==28965== by 0x8049150: fill_buffer (main.c:100)
==28965== by 0x8049544: decodeAACfile (main.c:478)
==28965== by 0x804A484: main (main.c:1249)
==28965== Address 0x6d24d95 is not stack'd, malloc'd or (recently) free'd
The attached patch fixes the problem for me. I've submitted it upstream at
https://sourceforge.net/tracker/?func=detail&aid=3574761&group_id=704&atid=100704
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.2.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages faad depends on:
ii libc6 2.13-35
ii libfaad2 2.7-8
faad recommends no packages.
faad suggests no packages.
Only in faad2-2.7/common: Makefile
Only in faad2-2.7/common/mp4ff: .deps
Only in faad2-2.7/common/mp4ff: libmp4ff.a
Only in faad2-2.7/common/mp4ff: libmp4ff_a-mp4atom.o
Only in faad2-2.7/common/mp4ff: libmp4ff_a-mp4ff.o
Only in faad2-2.7/common/mp4ff: libmp4ff_a-mp4meta.o
Only in faad2-2.7/common/mp4ff: libmp4ff_a-mp4sample.o
Only in faad2-2.7/common/mp4ff: libmp4ff_a-mp4tagupdate.o
Only in faad2-2.7/common/mp4ff: libmp4ff_a-mp4util.o
Only in faad2-2.7/common/mp4ff: Makefile
Only in faad2-2.7: config.h
Only in faad2-2.7: config.log
Only in faad2-2.7: config.status
Only in faad2-2.7: faad2.spec
Only in faad2-2.7/frontend: audio.o
Only in faad2-2.7/frontend: .deps
Only in faad2-2.7/frontend: faad
Only in faad2-2.7/frontend: getopt.o
Only in faad2-2.7/frontend: .libs
diff -rup faad2-2.7.stock/frontend/main.c faad2-2.7/frontend/main.c
--- faad2-2.7.stock/frontend/main.c 2008-09-22 18:55:09.000000000 +0100
+++ faad2-2.7/frontend/main.c 2012-10-04 21:46:31.175490401 +0100
@@ -130,11 +130,22 @@ static int fill_buffer(aac_buffer *b)
static void advance_buffer(aac_buffer *b, int bytes)
{
- b->file_offset += bytes;
- b->bytes_consumed = bytes;
- b->bytes_into_buffer -= bytes;
- if (b->bytes_into_buffer < 0)
- b->bytes_into_buffer = 0;
+ while ((b->bytes_into_buffer > 0) && (bytes > 0))
+ {
+ assert(b->bytes_into_buffer > 0);
+ int chunk = min(bytes, b->bytes_into_buffer);
+
+ bytes -= chunk;
+ b->file_offset += chunk;
+ b->bytes_consumed = chunk;
+ b->bytes_into_buffer -= chunk;
+ assert(b->bytes_into_buffer >= 0);
+
+ if (b->bytes_into_buffer == 0)
+ fill_buffer(b);
+ }
+
+ assert(b->bytes_into_buffer >= 0);
}
static int adts_sample_rates[] = {96000,88200,64000,48000,44100,32000,24000,22050,16000,12000,11025,8000,7350,0,0,0};
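Review bot: The return value of `fill_buffer(b)` on the new line inside the loop is discarded and advance_buffer stays `void`, so a caller skipping an ID3v2 tag longer than the remaining file cannot tell that the skip stopped short at EOF and will go on parsing whatever bytes are left in the buffer as if the tag had been passed. Since fill_buffer is declared `static int` in the hunk header, the loop could stop on its failure value (its exact return convention is outside this hunk, so confirm it before relying on it), and advance_buffer could report the shortfall by returning the number of bytes actually consumed, e.g. `static int advance_buffer(aac_buffer *b, int bytes)` with `int skipped = 0;` accumulated from `chunk` and `return skipped;` at the end, which is backward-compatible for callers that ignore the result. The `assert(b->bytes_into_buffer > 0)` on the first line of the loop body merely restates the loop condition and can be dropped, and the added assert() calls compile only if main.c already includes `<assert.h>`, which the hunk does not show. The loop now bounds `bytes_consumed` by `bytes_into_buffer` on the caller's side; fill_buffer itself (outside the hunk) should still clamp `bytes_consumed` to the buffer size before its memmove/fread so that any other caller cannot reproduce the heap overflow in the valgrind trace above.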
Only in faad2-2.7/frontend: main.c~
Only in faad2-2.7/frontend: main-debug.c
Only in faad2-2.7/frontend: main.o
Only in faad2-2.7/frontend: Makefile
Only in faad2-2.7/libfaad: bits.lo
Only in faad2-2.7/libfaad: bits.o
Only in faad2-2.7/libfaad: cfft.lo
Only in faad2-2.7/libfaad: cfft.o
Only in faad2-2.7/libfaad: common.lo
Only in faad2-2.7/libfaad: common.o
Only in faad2-2.7/libfaad: decoder.lo
Only in faad2-2.7/libfaad: decoder.o
Only in faad2-2.7/libfaad: .deps
Only in faad2-2.7/libfaad: drc.lo
Only in faad2-2.7/libfaad: drc.o
Only in faad2-2.7/libfaad: drm_dec.lo
Only in faad2-2.7/libfaad: drm_dec.o
Only in faad2-2.7/libfaad: error.lo
Only in faad2-2.7/libfaad: error.o
Only in faad2-2.7/libfaad: filtbank.lo
Only in faad2-2.7/libfaad: filtbank.o
Only in faad2-2.7/libfaad: hcr.lo
Only in faad2-2.7/libfaad: hcr.o
Only in faad2-2.7/libfaad: huffman.lo
Only in faad2-2.7/libfaad: huffman.o
Only in faad2-2.7/libfaad: ic_predict.lo
Only in faad2-2.7/libfaad: ic_predict.o
Only in faad2-2.7/libfaad: is.lo
Only in faad2-2.7/libfaad: is.o
Only in faad2-2.7/libfaad: libfaad.la
Only in faad2-2.7/libfaad: .libs
Only in faad2-2.7/libfaad: lt_predict.lo
Only in faad2-2.7/libfaad: lt_predict.o
Only in faad2-2.7/libfaad: Makefile
Only in faad2-2.7/libfaad: mdct.lo
Only in faad2-2.7/libfaad: mdct.o
Only in faad2-2.7/libfaad: mp4.lo
Only in faad2-2.7/libfaad: mp4.o
Only in faad2-2.7/libfaad: ms.lo
Only in faad2-2.7/libfaad: ms.o
Only in faad2-2.7/libfaad: output.lo
Only in faad2-2.7/libfaad: output.o
Only in faad2-2.7/libfaad: pns.lo
Only in faad2-2.7/libfaad: pns.o
Only in faad2-2.7/libfaad: ps_dec.lo
Only in faad2-2.7/libfaad: ps_dec.o
Only in faad2-2.7/libfaad: ps_syntax.lo
Only in faad2-2.7/libfaad: ps_syntax.o
Only in faad2-2.7/libfaad: pulse.lo
Only in faad2-2.7/libfaad: pulse.o
Only in faad2-2.7/libfaad: rvlc.lo
Only in faad2-2.7/libfaad: rvlc.o
Only in faad2-2.7/libfaad: sbr_dct.lo
Only in faad2-2.7/libfaad: sbr_dct.o
Only in faad2-2.7/libfaad: sbr_dec.lo
Only in faad2-2.7/libfaad: sbr_dec.o
Only in faad2-2.7/libfaad: sbr_e_nf.lo
Only in faad2-2.7/libfaad: sbr_e_nf.o
Only in faad2-2.7/libfaad: sbr_fbt.lo
Only in faad2-2.7/libfaad: sbr_fbt.o
Only in faad2-2.7/libfaad: sbr_hfadj.lo
Only in faad2-2.7/libfaad: sbr_hfadj.o
Only in faad2-2.7/libfaad: sbr_hfgen.lo
Only in faad2-2.7/libfaad: sbr_hfgen.o
Only in faad2-2.7/libfaad: sbr_huff.lo
Only in faad2-2.7/libfaad: sbr_huff.o
Only in faad2-2.7/libfaad: sbr_qmf.lo
Only in faad2-2.7/libfaad: sbr_qmf.o
Only in faad2-2.7/libfaad: sbr_syntax.lo
Only in faad2-2.7/libfaad: sbr_syntax.o
Only in faad2-2.7/libfaad: sbr_tf_grid.lo
Only in faad2-2.7/libfaad: sbr_tf_grid.o
Only in faad2-2.7/libfaad: specrec.lo
Only in faad2-2.7/libfaad: specrec.o
Only in faad2-2.7/libfaad: ssr_fb.lo
Only in faad2-2.7/libfaad: ssr_fb.o
Only in faad2-2.7/libfaad: ssr_ipqf.lo
Only in faad2-2.7/libfaad: ssr_ipqf.o
Only in faad2-2.7/libfaad: ssr.lo
Only in faad2-2.7/libfaad: ssr.o
Only in faad2-2.7/libfaad: syntax.lo
Only in faad2-2.7/libfaad: syntax.o
Only in faad2-2.7/libfaad: tns.lo
Only in faad2-2.7/libfaad: tns.o
Only in faad2-2.7: libtool
Only in faad2-2.7: Makefile
Only in faad2-2.7/plugins: Makefile
Only in faad2-2.7/plugins/mpeg4ip: .deps
Only in faad2-2.7/plugins/mpeg4ip: Makefile
Only in faad2-2.7/plugins/xmms: Makefile
Only in faad2-2.7/plugins/xmms/src: .deps
Only in faad2-2.7/plugins/xmms/src: Makefile
Only in faad2-2.7: stamp-h1