Hi again!
I thought this might enjoy you, as they say here.
It's a regression testsuite for SoX that uses the test files in
various bug reports to see if SoX is vulnerable to CVEs and other bugs,
and how.
Two scripts: check.sh runs all the tests against "sox" or a supplied
binary using
    sox=~/sox-14.4.2/src/sox sh check.sh
and checkall.sh, which you will have to edit, which runs them against
many different versions of SoX.
You can get it by
git clone https://codeberg.org/martinwguy/sox_test
An example of checkall.sh run against 14.4.2, Debian bookworm and 42b355
plus each compiled with the Address Sanitizer on i386 is:
BUG               14.4.2  14.4.2A  bullseye  bullseyeA  trixie  trixieA  42b355  42b355A
BUG-298           ABRT    ASAN     OK        OK         OK      OK       OK      ASAN
BUG-334           SEGV    ASAN     SEGV      ASAN       2       ASAN     OK      OK
CVE-2004-0557     OK      OK       OK        OK         ASAN    OK       OK      OK
CVE-2017-11332    FPE     ASAN     OK        OK         OK      OK       OK      OK
CVE-2017-11333    OK      ASAN     OK        ASAN       OK      ASAN     OK      OK
CVE-2017-11358    SEGV    ASAN     OK        OK         OK      OK       OK      ASAN
CVE-2017-11359    FPE     ASAN     OK        OK         OK      OK       OK      ASAN
CVE-2017-15370    SEGV    ASAN     SUCC      SUCC       SUCC    SUCC     OK      OK
CVE-2017-15371    ABRT    ABRT     OK        ASAN       OK      ASAN     OK      ASAN
CVE-2017-15372    SEGV    ASAN     SUCC      SUCC       SUCC    SUCC     OK      OK
CVE-2017-15642    OK      ASAN     OK        OK         OK      OK       OK      ASAN
CVE-2017-18189    SEGV    ASAN     OK        OK         OK      OK       OK      OK
CVE-2019-1010004  ASAN    ASAN     OK        OK         OK      OK       OK      OK
CVE-2019-13590    LOOP    LOOP     OK        OK         OK      OK       OK      OK
CVE-2019-8354     ABRT    ABRT     ABRT      ABRT       ABRT    ABRT     ABRT    ABRT
CVE-2019-8355     OK      ASAN     OK        OK         OK      OK       OK      ASAN
CVE-2019-8356     SEGV    ASAN     SUCC      LOOP       SUCC    LOOP     SUCC    LOOP
CVE-2019-8357     LOOP    LOOP     LOOP      LOOP       LOOP    LOOP     LOOP    LOOP
CVE-2021-23159    ABRT    ASAN     OK        OK         OK      OK       ABRT    ASAN
CVE-2021-23172    SEGV    ASAN     OK        OK         OK      OK       SEGV    ASAN
CVE-2021-23210    SUCC    ASAN     SUCC      ASAN       SUCC    ASAN     FPE     ASAN
CVE-2021-33844    OK      OK       OK        OK         OK      OK       FPE     ASAN
CVE-2021-3643     OK      ASAN     OK        ASAN       OK      ASAN     FPE     ASAN
CVE-2021-40426    OK      OK       OK        OK         OK      OK       OK      OK
CVE-2022-31650    FPE     ASAN     OK        OK         OK      OK       FPE     ASAN
CVE-2022-31651    ABRT    ABRT     OK        OK         OK      OK       ABRT    ABRT
CVE-2023-26590    OK      OK       OK        OK         OK      OK       OK      OK
CVE-2023-32627    SUCC    ASAN     SUCC      SUCC       SUCC    SUCC     FPE     ASAN
CVE-2023-34318    SEGV    ASAN     OK        OK         OK      OK       SEGV    ASAN
CVE-2023-34432    ABRT    ASAN     OK        OK         OK      OK       OK      ASAN
Fedora-1226675    OK      OK       OK        OK         ASAN    OK       OK      OK
wavpack-errors    SEGV    ASAN     OK        OK         ASAN    OK       OK      OK
where
  OK    The test succeeded (or failed as it should have failed)
  ASAN  The Address Sanitizer reported problems.
        These could just be memory leaks, but correspond to exit(1),
        which sox gives only when the command-line parameters are bad.
  ABRT  SoX aborted
  FPE   SoX got a Floating Point Exception
  LOOP  The test ran for more than 10 seconds CPU. The worst case is 6.5
        seconds.
  SEGV  SoX got a Segmentation fault
  OUT   SoX generated an output file when it shouldn't have
  SUCC  SoX gave exit 0 when it should have failed
I'd be interested to hear of check.sh's output on systems other than
Debian bookworm.
Blessings
M
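As an added illustration of the legend above (not code from the sox_test repository or from the post), here is a POSIX sh function that runs one SoX invocation under a time limit and prints one of those labels. It assumes coreutils `timeout`, the `$sox` variable from the post, a wall-clock limit rather than CPU seconds, and that the caller says whether the test input should be accepted ("ok") or rejected ("fail").

```shell
#!/bin/sh
# Added example, not part of sox_test: map one run to the check.sh labels.
# Assumptions: coreutils `timeout`; $sox names the binary under test;
# $limit is wall-clock seconds (the post measures CPU seconds).
: "${sox:=sox}"
: "${limit:=10}"

# classify EXPECT OUTFILE CMD...
#   EXPECT  "fail" if SoX should reject the input, "ok" if it should succeed
#   OUTFILE file the command would create ("" if none); removed before the run
# Prints one label: OK ASAN ABRT FPE LOOP SEGV OUT SUCC, or EXITn for a
# non-zero status the legend does not name.
classify() {
    expect=$1; outfile=$2; shift 2
    if [ -n "$outfile" ]; then rm -f "$outfile"; fi
    status=0
    timeout "$limit" "$@" >/dev/null 2>&1 || status=$?
    # Signal deaths and timeouts are reported the same way for both EXPECT values.
    case $status in
        124) echo LOOP; return ;;   # killed by timeout
        134) echo ABRT; return ;;   # 128 + SIGABRT
        136) echo FPE;  return ;;   # 128 + SIGFPE
        139) echo SEGV; return ;;   # 128 + SIGSEGV
    esac
    if [ "$expect" = fail ]; then
        if [ "$status" -eq 0 ]; then
            echo SUCC                 # accepted input it should have rejected
        elif [ -n "$outfile" ] && [ -e "$outfile" ]; then
            echo OUT                  # failed, but still wrote an output file
        elif [ "$status" -eq 1 ]; then
            echo ASAN                 # ASan's default exit code; sox itself
                                      # exits 1 only for bad options
        else
            echo OK                   # failed as it should have
        fi
    else
        if [ "$status" -eq 0 ]; then echo OK
        elif [ "$status" -eq 1 ]; then echo ASAN
        else echo "EXIT$status"
        fi
    fi
}

# Usage (POC.wav is a placeholder for one of the repository's test files):
#   classify fail /tmp/out.wav "$sox" POC.wav /tmp/out.wav
```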
_______________________________________________
SoX-devel mailing list
SoX-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/sox-devel