Your message dated Fri, 30 Jan 2026 18:34:11 +0000
with message-id <[email protected]>
and subject line Bug#1126295: Removed package(s) from unstable
has caused the Debian Bug report #881132,
regarding bs1770gain: stack buffer overflow while running bs1770gain
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

--
881132: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881132
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: bs1770gain
Version: 0.4.12-2
Severity: important
Tags: security

stack buffer overflow while running bs1770gain with "poc -o output" option

Running 'bs1770gain poc -o output' with the attached file raises stack buffer overflow
which may allow a remote attacker to cause a denial-of-service attack or ????

I expected the program to terminate without segfault, but the program crashes as follows

-------------------------------------------
june@yuweol:~/poc/bs1770gain/crash2$ bs1770gain poc -o output
analyzing ...
  [1/1] "poc": Segmentation fault
-------------------------------------------
june@yuweol:~/poc/bs1770gain/crash2$ ~/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain poc -o output
analyzing ...
  [1/1] "poc":
=================================================================
==5034==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffded69470 at pc 0x55e89c1c8419 bp 0x7fffded693b0 sp 0x7fffded693a8
WRITE of size 8 at 0x7fffded69470 thread T0
    #0 0x55e89c1c8418 in convert_fltp (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x2b418)
    #1 0x55e89c1c99af in ffsox_frame_convert_sox (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x2c9af)
    #2 0x55e89c1c1f29 in sox_reader_run (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x24f29)
    #3 0x55e89c1bd686 in ffsox_machine_run (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x20686)
    #4 0x55e89c1c19d3 in ffsox_sox_reader_read (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x249d3)
    #5 0x55e89c1c2577 in drain (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x25577)
    #6 0x7f2434b9db4d in sox_flow_effects (/usr/lib/x86_64-linux-gnu/libsox.so.2+0x28b4d)
    #7 0x55e89c1b98f2 in ffsox_analyze (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1c8f2)
    #8 0x55e89c1b19fd in bs1770gain_tree_analyze (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x149fd)
    #9 0x55e89c1ae14e in main (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1114e)
    #10 0x7f24347f82e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #11 0x55e89c1aa4e9 in _start (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0xd4e9)

Address 0x7fffded69470 is located in stack of thread T0 at offset 96 in frame
    #0 0x55e89c1c81df in convert_fltp (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x2b1df)

  This frame has 1 object(s):
    [32, 96) 'rp' <== Memory access at offset 96 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x2b418) in convert_fltp
Shadow bytes around the buggy address:
  0x10007bda5230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007bda5240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007bda5250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007bda5260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007bda5270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10007bda5280: 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00[f3]f3
  0x10007bda5290: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
  0x10007bda52a0: f1 f1 00 00 00 00 00 f2 f2 f2 f3 f3 f3 f3 00 00
  0x10007bda52b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007bda52c0: 00 00 00 00 00 00 f1 f1 f1 f1 00 00 f2 f2 f3 f3
  0x10007bda52d0: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==5034==ABORTING
-------------------------------------------

This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages bs1770gain depends on:
ii  libavcodec57    7:3.3.4-2+b2
ii  libavformat57   7:3.3.4-2+b2
ii  libavutil55     7:3.3.4-2+b2
ii  libc6           2.24-17
ii  libsox2         14.4.1-5+b2
ii  libswresample2  7:3.3.4-2+b2

bs1770gain recommends no packages.

bs1770gain suggests no packages.

-- no debconf information
poc
Description: audio/hx-aac-adts
--- End Message ---
--- Begin Message ---
Version: 14.4.2+git20190427-5+rm

Dear submitter,

as the package sox has just been removed from the Debian archive
unstable we hereby close the associated bug reports. We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/1126295

The version of this package that was in Debian prior to this removal
can still be found using https://snapshot.debian.org/.

Please note that the changes have been done on the master archive and
will not propagate to any mirrors until the next dinstall run at the
earliest.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
[email protected].

Debian distribution maintenance software
pp.
Thorsten Alteholz (the ftpmaster behind the curtain)
--- End Message ---

