Control: reassign 883691 src:game-music-emu 0.6.1-1
Control: retitle 883691 game-music-emu: AddressSanitizer: negative-size-param: (size=-8), size=-8 passed to memcpy in Mem_File_Reader::read_avail

Hi

More details:

[...]
Keywords for file /root/poc-2.crash:
[New Thread 0x7ffff09aa700 (LWP 14879)]
[Thread 0x7ffff09aa700 (LWP 14879) exited]
=================================================================
==14875==ERROR: AddressSanitizer: negative-size-param: (size=-8)
    #0 0x7ffff6e9d79b (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x7679b)
    #1 0x7fffe532c60f (/usr/lib/x86_64-linux-gnu/libgme.so.0+0x26960f)
    #2 0x7fffe5328ed3 (/usr/lib/x86_64-linux-gnu/libgme.so.0+0x265ed3)
    #3 0x7fffe547c6d1 (/usr/lib/x86_64-linux-gnu/libgme.so.0+0x3b96d1)
    #4 0x7fffe547fcc9 (/usr/lib/x86_64-linux-gnu/libgme.so.0+0x3bccc9)
    #5 0x7fffe534ec3d (/usr/lib/x86_64-linux-gnu/libgme.so.0+0x28bc3d)
    #6 0x7fffe5346aa7 in gme_load_data (/usr/lib/x86_64-linux-gnu/libgme.so.0+0x283aa7)
    #7 0x7fffe5346fd6 in gme_open_data (/usr/lib/x86_64-linux-gnu/libgme.so.0+0x283fd6)
    #8 0x7fffe8fea581 (/usr/lib/x86_64-linux-gnu/libavformat.so.57+0xbc581)
    #9 0x7fffe90d916f in avformat_open_input (/usr/lib/x86_64-linux-gnu/libavformat.so.57+0x1ab16f)
    #10 0x7fffe9618420 in extract_audio /root/libextractor/src/plugins/previewopus_extractor.c:893
    #11 0x7fffe9619441 in EXTRACTOR_previewopus_extract_method /root/libextractor/src/plugins/previewopus_extractor.c:1159
    #12 0x7ffff6c123e7 in do_extract /root/libextractor/src/main/extractor.c:583
    #13 0x7ffff6c12824 in EXTRACTOR_extract /root/libextractor/src/main/extractor.c:662
    #14 0x55555555ad69 in main /root/libextractor/src/main/extract.c:983
    #15 0x7ffff666b560 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20560)
    #16 0x555555557be9 in _start (/root/libextractor/src/main/.libs/extract+0x3be9)

0x616000007b9e is located 30 bytes inside of 482-byte region [0x616000007b80,0x616000007d62)
allocated by thread T0 here:
    #0 0x7ffff6f01758 in __interceptor_posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xda758)
    #1 0x7fffe93b8782 in av_malloc (/usr/lib/x86_64-linux-gnu/libavutil.so.55+0x31782)

SUMMARY: AddressSanitizer: negative-size-param (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x7679b)
==14875==ABORTING

Thread 1 "extract" received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
51      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0  0x00007ffff667ea70 in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff668019a in __GI_abort () at abort.c:89
#2  0x00007ffff6f2065b in  () at /usr/lib/x86_64-linux-gnu/libasan.so.4
#3  0x00007ffff6f27df8 in  () at /usr/lib/x86_64-linux-gnu/libasan.so.4
#4  0x00007ffff6f09f71 in  () at /usr/lib/x86_64-linux-gnu/libasan.so.4
#5  0x00007ffff6e9d7da in  () at /usr/lib/x86_64-linux-gnu/libasan.so.4
#6  0x00007fffe532c610 in Mem_File_Reader::read_avail(void*, long) (this=0x7fffffffa070, p=0x6290000311b8, s=-8) at ./gme/Data_Reader.cpp:146
#7  0x00007fffe5328ed4 in Data_Reader::read(void*, long) (this=0x7fffffffa070, p=0x6290000311b8, s=-8) at ./gme/Data_Reader.cpp:27
#8  0x00007fffe547c6d2 in Nsfe_Info::load(Data_Reader&, Nsf_Emu*) (this=this@entry=0x629000031148, in=..., nsf_emu=nsf_emu@entry=0x62900002d200) at ./gme/Nsfe_Emu.cpp:167
#9  0x00007fffe547fcca in Nsfe_Emu::load_(Data_Reader&) (this=0x62900002d200, in=...) at ./gme/Nsfe_Emu.cpp:311
#10 0x00007fffe534ec3e in Gme_File::load(Data_Reader&) (this=0x62900002d200, in=...) at ./gme/Gme_File.cpp:96
#11 0x00007fffe5346aa8 in gme_load_data(Music_Emu*, void const*, long) (me=me@entry=0x62900002d200, data=data@entry=0x616000007b80, size=size@entry=482) at ./gme/gme.cpp:228
#12 0x00007fffe5346fd7 in gme_open_data(void const*, long, Music_Emu**, int) (data=0x616000007b80, size=size@entry=482, out=out@entry=0x607000002d28, sample_rate=<optimized out>) at ./gme/gme.cpp:143
#13 0x00007fffe8fea582 in read_header_gme (s=0x61b000000e80) at src/libavformat/libgme.c:109
#14 0x00007fffe90d9170 in avformat_open_input (ps=0x7fffffffa330, filename=0x7fffe9619880 "<no file>", fmt=<optimized out>, options=0x7fffffffa3b0) at src/libavformat/utils.c:595
#15 0x00007fffe9618421 in extract_audio (ec=0x7fffffffa6d0) at previewopus_extractor.c:893
#16 0x00007fffe9619442 in EXTRACTOR_previewopus_extract_method (ec=0x7fffffffa6d0) at previewopus_extractor.c:1159
#17 0x00007ffff6c123e8 in do_extract (plugins=0x6080000010a0, shm=0x0, ds=0x6030000003a0, proc=0x555555558a19 <print_selected_keywords>, proc_cls=0x0) at extractor.c:583
#18 0x00007ffff6c12825 in EXTRACTOR_extract (plugins=0x6080000010a0, filename=0x60800000016d "/root/poc-2.crash", data=0x0, size=0, proc=0x555555558a19 <print_selected_keywords>, proc_cls=0x0) at extractor.c:662
#19 0x000055555555ad6a in main (argc=3, argv=0x7fffffffeb38) at extract.c:983
(gdb)

So the issue seems to be located in game-music-emu. Sebastian, can you have a look?

Regards,
Salvatore
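
The backtrace above shows a signed length of -8 travelling through read(void*, long) into memcpy. As an added illustration (not game-music-emu source and not the upstream fix; `MemReader` and the demo functions are hypothetical names), a signed-length memory reader that rejects negative requests before the copy, exercised with the report's numbers (482-byte buffer, cursor at offset 30, size -8):

```cpp
// Added illustration; not game-music-emu code. All names are hypothetical.
#include <cstddef>
#include <cstring>

// In-memory reader with a signed-length API, like the read(void*, long)
// calls visible in the backtrace.
struct MemReader {
    const unsigned char* begin;
    long size;
    long pos;

    long remain() const { return size - pos; }

    // Copies up to n bytes; returns bytes copied, or -1 on an invalid request.
    long read_avail(void* out, long n) {
        // A negative long converted to size_t becomes a huge count
        // (-8 -> 0xFFFFFFFFFFFFFFF8 on LP64), so reject it before memcpy.
        if (out == nullptr || n < 0) return -1;
        long r = remain();
        if (r < 0) return -1;          // cursor already past the end
        if (n > r) n = r;              // clamp to what is left
        std::memcpy(out, begin + pos, static_cast<std::size_t>(n));
        pos += n;
        return n;
    }
};

// Constructed scenario with the report's numbers: 482-byte buffer,
// cursor 30 bytes in, requested length -8.
long demo_negative_read() {
    static unsigned char data[482] = {0};
    unsigned char out[16];
    MemReader r{data, 482, 30};
    return r.read_avail(out, -8);
}

// Oversized positive request: clamped to the 452 bytes remaining.
long demo_clamped_read() {
    static unsigned char data[482] = {0};
    static unsigned char out[482];
    MemReader r{data, 482, 30};
    return r.read_avail(out, 1000);
}

int main() {
    return (demo_negative_read() == -1 && demo_clamped_read() == 452) ? 0 : 1;
}
```

A caller that computes a length from file contents should also validate it at the point of computation, so the reader's check acts as a second line of defence.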