Additionally, here are the results from an ASAN (AddressSanitizer) build:

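For the one related to the CVE-2017-15000 reproducer (ASAN reports a SEGV from a read of the zero page in EXTRACTOR_xm_extract_method, after a null pointer was passed at xm_extractor.c:80):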

root@sid:~# extract -i extract-nsf_extract_method-nsf_extractor-164.crash
Keywords for file extract-nsf_extract_method-nsf_extractor-164.crash:
xm_extractor.c:80:7: runtime error: null pointer passed as argument 1, which is 
declared to never be null
ASAN:DEADLYSIGNAL
=================================================================
==22442==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 
0x7f916bdf6d06 bp 0x7ffd356d46c0 sp 0x7ffd356d4520 T0)
==22442==The signal is caused by a READ memory access.
==22442==Hint: address points to the zero page.
    #0 0x7f916bdf6d05 in EXTRACTOR_xm_extract_method 
(/usr/lib/x86_64-linux-gnu/libextractor/libextractor_xm.so+0x1d05)
    #1 0x7f917a6d709c  (/usr/lib/x86_64-linux-gnu/libextractor.so.3+0x3209c)
    #2 0x7f917a6d85d3 in EXTRACTOR_extract 
(/usr/lib/x86_64-linux-gnu/libextractor.so.3+0x335d3)
    #3 0x403892  (/usr/bin/extract+0x403892)
    #4 0x7f91793fa560 in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x20560)
    #5 0x404ce9  (/usr/bin/extract+0x404ce9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV 
(/usr/lib/x86_64-linux-gnu/libextractor/libextractor_xm.so+0x1d05) in 
EXTRACTOR_xm_extract_method
==22442==ABORTING
root@sid:~#

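For the one related to the CVE-2017-15602 reproducer (ASAN reports a negative-size-param, size=-8, inside libgme, reached through avformat_open_input from EXTRACTOR_previewopus_extract_method):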

root@sid:~# extract -i bin_6iRW3tXve.bin 
Keywords for file bin_6iRW3tXve.bin:
=================================================================
==22470==ERROR: AddressSanitizer: negative-size-param: (size=-8)
    #0 0x7fb94e64279b  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x7679b)
    #1 0x7fb93ba7be6c  (/usr/lib/x86_64-linux-gnu/libgme.so.0+0x8e6c)
    #2 0x7fb93ba7bc89  (/usr/lib/x86_64-linux-gnu/libgme.so.0+0x8c89)
    #3 0x7fb93ba9f231  (/usr/lib/x86_64-linux-gnu/libgme.so.0+0x2c231)
    #4 0x7fb93ba9f5f2  (/usr/lib/x86_64-linux-gnu/libgme.so.0+0x2c5f2)
    #5 0x7fb93ba7f94d  (/usr/lib/x86_64-linux-gnu/libgme.so.0+0xc94d)
    #6 0x7fb93ba7eb7b in gme_load_data 
(/usr/lib/x86_64-linux-gnu/libgme.so.0+0xbb7b)
    #7 0x7fb93ba7ec33 in gme_open_data 
(/usr/lib/x86_64-linux-gnu/libgme.so.0+0xbc33)
    #8 0x7fb93f2be581  (/usr/lib/x86_64-linux-gnu/libavformat.so.57+0xbc581)
    #9 0x7fb93f3ad16f in avformat_open_input 
(/usr/lib/x86_64-linux-gnu/libavformat.so.57+0x1ab16f)
    #10 0x7fb93f8ece71 in EXTRACTOR_previewopus_extract_method 
(/usr/lib/x86_64-linux-gnu/libextractor/libextractor_previewopus.so+0x4e71)
    #11 0x7fb94e39b09c  (/usr/lib/x86_64-linux-gnu/libextractor.so.3+0x3209c)
    #12 0x7fb94e39c5d3 in EXTRACTOR_extract 
(/usr/lib/x86_64-linux-gnu/libextractor.so.3+0x335d3)
    #13 0x403892  (/usr/bin/extract+0x403892)
    #14 0x7fb94d0be560 in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x20560)
    #15 0x404ce9  (/usr/bin/extract+0x404ce9)

0x61600000789e is located 30 bytes inside of 482-byte region 
[0x616000007880,0x616000007a62)
allocated by thread T0 here:
    #0 0x7fb94e6a6758 in __interceptor_posix_memalign 
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xda758)
    #1 0x7fb93f68c782 in av_malloc 
(/usr/lib/x86_64-linux-gnu/libavutil.so.55+0x31782)

SUMMARY: AddressSanitizer: negative-size-param 
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0x7679b) 
==22470==ABORTING
root@sid:~#

Regards,
Salvatore
