Package: vorbis-tools
Version: 1.4.0-6
Severity: normal
File: /usr/bin/oggdec
Tags: confirmed


I'm forwarding this bug report from Ubuntu bug 629135 [1].


Original description:

/
| Binary package hint: vorbis-tools
|
| oggdec goes into an infinite loop while processing the
| file at http://bazaar.launchpad.net/%7Eubuntu-bugcontrol/qa-regression-testing/master/annotate/head%3A/scripts/libvorbis/011.ogg:
|
|   $ oggdec libvorbis/011.ogg -o /tmp/011.ogg-converted.wav
|   oggdec from vorbis-tools 1.2.0
|   Decoding "libvorbis/011.ogg" to "/tmp/011.ogg-converted.wav"
|   Warning: hole in data (-137)
|   Warning: hole in data (-137)
|   Warning: hole in data (-137)
|   [....]
|
| The test file in question was generated as part of
| http://redpig.dataspill.org/2008/05/multiple-vulnerabilities-in-ogg-tremor.html
|
| ProblemType: Bug
| DistroRelease: Ubuntu 10.10
| Package: vorbis-tools 1.2.0-6build1
| ProcVersionSignature: Ubuntu 2.6.35-19.26-generic 2.6.35.3
| Uname: Linux 2.6.35-19-generic x86_64
| Architecture: amd64
| Date: Thu Sep 2 15:11:57 2010
| InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Alpha amd64 (20100827)
| ProcEnviron:
|  LANG=en_US.UTF-8
|  SHELL=/bin/bash
| SourcePackage: vorbis-tools
\


I couldn't confirm the infinite loop with vorbis-tools/1.4.0-6 and libvorbis/1.3.4-2, but received a SIGFPE with the following stacktrace:

Process terminating with default action of signal 8 (SIGFPE)
 Integer divide by zero at address 0x802FA8133
   at 0x50632A6: res2_inverse (res0.c:830)
   by 0x50654A8: mapping0_inverse (mapping0.c:756)
   by 0x5054071: vorbis_synthesis (synthesis.c:88)
   by 0x4E3AC66: _fetch_and_process_packet (vorbisfile.c:707)
   by 0x4E3E073: ov_read_filter (vorbisfile.c:1971)
   by 0x4E3E6D2: ov_read (vorbisfile.c:2092)
   by 0x40212A: decode_file (oggdec.c:304)
   by 0x402692: main (oggdec.c:455)

The referenced input file is corrupted and it's therefore fine for oggdec to refuse decoding it. It should, however, do that by aborting gracefully with an error message. The SIGFPE smells like undefined behavior, especially considering that the original bug submitter reported an infinite loop - whose disappearance in the most recent versions might be a coincidence.

As far as I can see, the main culprit in the case of this concrete file is in the oggdec executable, which keeps on decoding after libvorbis reports a stream error. This is mainly due to oggdec not distinguishing between harmless "holes" in the stream (after which you can keep on decoding) and fatal stream corruptions (that should trigger abort). I am going to provide a patch for this.

Nevertheless, the libvorbis code gives me the impression that the division by zero may happen (in other cases) even if oggdec handled the reported errors correctly. However, so far I haven't been able to produce an ogg vorbis file that triggers this problem. I will file a separate bug for this and look into it.

Cheers,
Martin

[1] https://bugs.launchpad.net/ubuntu/+source/vorbis-tools/+bug/629135
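To make the distinction described above concrete, here is an added example of the read-loop shape the fix calls for. It is not oggdec's or libvorbis' code: the ov_read() call is replaced by a hypothetical callback of the same return convention so the logic builds without libvorbis, the OV_* values are copied from libvorbis' vorbis/codec.h (where -137 is OV_EBADLINK, the code oggdec 1.2.0 printed as a "hole" in the quoted output, and OV_HOLE is -3), and the scripted result sequences are constructed for the demonstration. Only OV_HOLE is treated as recoverable; any other negative return aborts with an error message, so a decoder that keeps returning the same error can no longer spin forever.

```c
/* Added example: decode loop that treats OV_HOLE as a recoverable warning
 * and every other negative result as a fatal stream error.  Not oggdec's
 * code; the ov_read() call is replaced by a caller-supplied callback. */
#include <stdio.h>
#include <stddef.h>

/* Values as defined in libvorbis' vorbis/codec.h; redefined here only so
 * the file compiles without the header installed. */
#ifndef OV_EOF
#define OV_EOF      (-2)
#endif
#ifndef OV_HOLE
#define OV_HOLE     (-3)
#endif
#ifndef OV_EINVAL
#define OV_EINVAL   (-131)
#endif
#ifndef OV_EBADLINK
#define OV_EBADLINK (-137)
#endif

/* Hypothetical stand-in for ov_read(): >0 bytes decoded, 0 at end of
 * stream, or a negative OV_* code.  In the real program this would be
 * ov_read(&vf, buf, len, bigendian, word, sgned, &bitstream). */
typedef long (*read_fn)(void *ctx, char *buf, int len);

struct decode_stats {
    long bytes;   /* PCM bytes handed to the caller */
    int  holes;   /* OV_HOLE warnings survived */
    long fatal;   /* 0 on clean EOF, else the OV_* code that stopped decoding */
};

/* Drain a stream through `rd`, continuing over holes, aborting on corruption. */
struct decode_stats decode_stream(read_fn rd, void *ctx)
{
    struct decode_stats st = {0, 0, 0};
    char buf[4096];
    for (;;) {
        long ret = rd(ctx, buf, (int)sizeof buf);
        if (ret == 0)
            break;                              /* clean end of stream */
        if (ret == OV_HOLE) {                   /* recoverable: warn and go on */
            st.holes++;
            fprintf(stderr, "Warning: hole in data (%ld)\n", ret);
            continue;
        }
        if (ret < 0) {                          /* anything else is corruption */
            fprintf(stderr, "Error: corrupt stream (%ld), aborting decode\n", ret);
            st.fatal = ret;
            break;
        }
        st.bytes += ret;                        /* ...write buf to the .wav here */
    }
    return st;
}

/* Constructed test stream: a scripted sequence of ov_read() results.  Once
 * the script is exhausted the last code repeats, mimicking a decoder stuck
 * on the same bad position. */
struct scripted { const long *seq; size_t n, i; };

static long scripted_read(void *ctx, char *buf, int len)
{
    struct scripted *s = ctx;
    (void)buf; (void)len;
    if (s->i >= s->n)
        return s->seq[s->n - 1];
    return s->seq[s->i++];
}

/* One frame, a hole, another frame, then clean EOF: decoding completes. */
struct decode_stats run_hole_then_eof(void)
{
    static const long seq[] = {4096, OV_HOLE, 4096, 0};
    struct scripted s = {seq, 4, 0};
    return decode_stream(scripted_read, &s);
}

/* A hole followed by an endless OV_EBADLINK: the loop must stop with an error. */
struct decode_stats run_badlink(void)
{
    static const long seq[] = {4096, OV_HOLE, OV_EBADLINK};
    struct scripted s = {seq, 3, 0};
    return decode_stream(scripted_read, &s);
}
```

The second scripted stream is the failure mode from the report: had the loop classified -137 as a hole, scripted_read would hand it back forever and the loop would never terminate.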

