Your message dated Mon, 30 Nov 2009 18:08:12 +0000
with message-id <e1nfafu-0007qu...@ries.debian.org>
and subject line Bug#558399: fixed in normalize-audio 0.7.7-6
has caused the Debian Bug report #558399,
regarding normalize-audio: buffer overflow with ADPCM .wav files
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
558399: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=558399
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libaudiofile0
Version: 0.2.6-6
Severity: critical

Today, the Music Player Daemon project received a bug report from
Anton Khirnov: MPD crashed when attempting to play a WAV file.  "file"
says:

 RIFF (little-endian) data, WAVE audio, Microsoft ADPCM, stereo 44100
 Hz

The MPD bug report: http://musicpd.org/mantis/view.php?id=1915

The test file: http://filebin.ca/meqmyu/max_theme.wav

Turns out that this is a bug in libaudiofile.  When attempting to
decode the file, libaudiofile writes past the buffer in msadpcm.c:194

  code = *encoded >> 4;
  newSample = ms_adpcm_decode_sample(state[0], code,
          coefficient[0]);
  *decoded++ = newSample;

Valgrind output:

 ==4680== Invalid write of size 2
 ==4680==    at 0x8CF0478: ms_adpcm_run_pull (msadpcm.c:194)
 ==4680==    by 0x8CEAF75: _AFpull (modules.c:111)
 ==4680==    by 0x8CF11A3: int2rebufferf2vrun_pull (rebuffer.template:409)
 ==4680==    by 0x8CDE4ED: afReadFrames (data.c:228)
 ==4680==    by 0x435EBA: audiofile_streamdecode (audiofile_plugin.c:159)
 ==4680==    by 0x4145A2: decoder_stream_decode (decoder_thread.c:49)
 ==4680==    by 0x414A5C: decoder_run (decoder_thread.c:189)
 ==4680==    by 0x414B7B: decoder_task (decoder_thread.c:214)
 ==4680==    by 0x72E0453: g_thread_create_proxy (gthread.c:635)
 ==4680==    by 0x62CBFC6: start_thread (pthread_create.c:297)
 ==4680==    by 0xAA595AC: clone (in /usr/lib/debug/libc-2.7.so)
 ==4680==  Address 0x15a66de8 is 0 bytes after a block of size 4,096 alloc'd
 ==4680==    at 0x4C2260E: malloc (vg_replace_malloc.c:207)
 ==4680==    by 0x8CDF96A: _af_malloc (util.c:122)
 ==4680==    by 0x8CEEEBA: _AFsetupmodules (modules.c:2539)
 ==4680==    by 0x8CDE151: afGetFrameCount (format.c:218)
 ==4680==    by 0x435CDD: audiofile_streamdecode (audiofile_plugin.c:141)
 ==4680==    by 0x4145A2: decoder_stream_decode (decoder_thread.c:49)
 ==4680==    by 0x414A5C: decoder_run (decoder_thread.c:189)
 ==4680==    by 0x414B7B: decoder_task (decoder_thread.c:214)
 ==4680==    by 0x72E0453: g_thread_create_proxy (gthread.c:635)
 ==4680==    by 0x62CBFC6: start_thread (pthread_create.c:297)
 ==4680==    by 0xAA595AC: clone (in /usr/lib/debug/libc-2.7.so)

A quick look at the code revealed that the allocated buffer size
depended on the following formula:

  bufsize = outc->nframes * _af_format_frame_size(&outc->f, AF_TRUE);

outc->nframes basically comes from _AF_ATOMIC_NVFRAMES (1024), because
the msadpcm module does not implement the max_pull callback.  This
results in a 4096 byte allocation in modules.c:2539 (frame size is 4).

In ms_adpcm_decode_block(), msadpcm->samplesPerBlock is set to 2036
(unverified value from the input file header).  outputLength is 8144,
which obviously does not fit into the allocated 4096 byte buffer.

I could reproduce the same crash with "normalize-audio max_theme.wav".
The real crash happens after closing the file, probably due to heap
corruption.  valgrind notices the problem before the crash actually
occurs.

Severity "critical" because this may be used for a remote DoS
attack on software like MPD.  I did not investigate whether it is
possible to inject code this way.  Chances are good, since arbitrary
amounts of heap can be overwritten.

Both Debian Etch and Lenny are affected.

Solution: don't use libaudiofile.  Change libaudiofile to allocate the
correct buffer size.  Add buffer size checks to libaudiofile.

Regards,
Max Kellermann



--- End Message ---
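The size mismatch Max describes above (a 1024-frame, 4096-byte pull buffer versus a header-supplied samplesPerBlock of 2036, i.e. 8144 decoded bytes) can be made concrete. The following is an added example, not libaudiofile's code: it parses a constructed MS ADPCM "fmt " chunk carrying the values from the report and applies the bounds check that msadpcm.c lacked before any block is decoded. The function and struct names are hypothetical.

```c
/* Added example, not libaudiofile's code. Numbers (1024 frames, 4-byte frames,
 * samplesPerBlock 2036) are the ones from the bug report; names are made up. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define AF_ATOMIC_NVFRAMES 1024   /* frames per pull buffer, per the report */

struct adpcm_fmt { uint16_t channels; uint16_t block_align; uint16_t samples_per_block; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse the fmt chunk body; false if it is not MS ADPCM or is truncated. */
static bool parse_adpcm_fmt(const uint8_t *chunk, size_t len, struct adpcm_fmt *f)
{
    if (len < 20 || rd16(chunk) != 2)        /* 2 = WAVE_FORMAT_ADPCM */
        return false;
    f->channels = rd16(chunk + 2);
    f->block_align = rd16(chunk + 12);
    f->samples_per_block = rd16(chunk + 18); /* header value: untrusted input */
    return f->channels != 0;
}

/* Bytes one decoded block occupies: samples_per_block frames of 16-bit PCM. */
static size_t adpcm_block_output_bytes(const struct adpcm_fmt *f)
{
    return (size_t)f->samples_per_block * f->channels * 2;
}

/* The missing check: a decoded block must fit a pull buffer of nframes frames. */
static bool adpcm_block_fits(const struct adpcm_fmt *f, size_t nframes)
{
    return adpcm_block_output_bytes(f) <= nframes * f->channels * 2;
}

/* Constructed fmt chunk matching the report: format 2, stereo, 44100 Hz,
 * block_align 2048, 4 bits/sample, cbSize 32, samplesPerBlock 2036,
 * 7 coefficient pairs (the coefficient table itself is omitted). */
static const uint8_t report_fmt[22] = {
    0x02,0x00, 0x02,0x00, 0x44,0xAC,0x00,0x00, 0x47,0xAD,0x00,0x00,
    0x00,0x08, 0x04,0x00, 0x20,0x00, 0xF4,0x07, 0x07,0x00 };

/* Decoded block size for the report's header, or 0 when the block must be
 * rejected because it would overrun the 4096-byte buffer. */
static size_t report_block_size_or_zero(void)
{
    struct adpcm_fmt f;
    if (!parse_adpcm_fmt(report_fmt, sizeof report_fmt, &f)) return 0;
    if (!adpcm_block_fits(&f, AF_ATOMIC_NVFRAMES)) return 0;
    return adpcm_block_output_bytes(&f);
}
```

With the report's header the check rejects the block (8144 > 4096); a header with samplesPerBlock of 1024 or less passes.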
--- Begin Message ---
Source: normalize-audio
Source-Version: 0.7.7-6

We believe that the bug you reported is fixed in the latest version of
normalize-audio, which is due to be installed in the Debian FTP archive:

normalize-audio_0.7.7-6.diff.gz
  to main/n/normalize-audio/normalize-audio_0.7.7-6.diff.gz
normalize-audio_0.7.7-6.dsc
  to main/n/normalize-audio/normalize-audio_0.7.7-6.dsc
normalize-audio_0.7.7-6_amd64.deb
  to main/n/normalize-audio/normalize-audio_0.7.7-6_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 558...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Joachim Reichel <reic...@debian.org> (supplier of updated normalize-audio package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)



Format: 1.8
Date: Sat, 28 Nov 2009 17:27:42 +0100
Source: normalize-audio
Binary: normalize-audio
Architecture: source amd64
Version: 0.7.7-6
Distribution: unstable
Urgency: low
Maintainer: Joachim Reichel <reic...@debian.org>
Changed-By: Joachim Reichel <reic...@debian.org>
Description: 
 normalize-audio - adjusts the volume of WAV, MP3 and OGG files to a standard volume
Closes: 558399
Changes: 
 normalize-audio (0.7.7-6) unstable; urgency=low
 .
   * Add patch compressed-wav-files.dpatch to fix buffer overflows in case of
     compressed WAV files (Closes: 558399), thanks to Stefan Fritsch for the
     patch.




--- End Message ---