Public bug reported:

environment

$ uname -a
Linux 6176901723ae 5.15.0-122-generic #132-Ubuntu SMP Thu Aug 29 13:45:52 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

build setting

$ git clone https://git.launchpad.net/ubuntu/+source/timidity
$ CC="clang -g -fsanitize=address" ./configure
$ make

When I input the poc file as follows, ASAN errors related to FPE are output.

$ ./timidity/timidity /tmp/poc/poc -Ow -s 4000 -o /tmp/ss
Playing /tmp/poc/poc
MIDI file: /tmp/poc/poc
Format: 1 Tracks: 13 Divisions: 384
/tmp/poc/poc: Can't read track header.
AddressSanitizer:DEADLYSIGNAL
=================================================================
==6722==ERROR: AddressSanitizer: FPE on unknown address 0x0000005e9e5b (pc 0x0000005e9e5b bp 0x7fff7ce58c10 sp 0x7fff7ce57f80 T0)
    #0 0x5e9e5b in insert_note_steps /tmp/timidity/timidity/readmidi.c:4594:42
    #1 0x5e9e5b in read_midi_file /tmp/timidity/timidity/readmidi.c:4755:5
    #2 0x591ade in play_midi_load_file /tmp/timidity/timidity/playmidi.c:8453:14
    #3 0x591ade in play_midi_file /tmp/timidity/timidity/playmidi.c:8563:10
    #4 0x594887 in dumb_pass_playing_list /tmp/timidity/timidity/playmidi.c:8624:9
    #5 0x651de1 in timidity_play_main /tmp/timidity/timidity/timidity.c:5655:9
    #6 0x651de1 in main /tmp/timidity/timidity/timidity.c:5935:13
error: failed to decompress '.debug_aranges', zlib is not available
error: failed to decompress '.debug_info', zlib is not available
error: failed to decompress '.debug_abbrev', zlib is not available
error: failed to decompress '.debug_line', zlib is not available
error: failed to decompress '.debug_str', zlib is not available
error: failed to decompress '.debug_loc', zlib is not available
error: failed to decompress '.debug_ranges', zlib is not available
    #7 0x7f7e09b25082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
    #8 0x41c54d in _start (/tmp/timidity/timidity/timidity+0x41c54d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /tmp/timidity/timidity/readmidi.c:4594:42 in insert_note_steps

The sink point of the error is:

at += current_file_info->divisions * 4 / denom;

At this time, denom can be 0 in poc, so a division-by-zero error occurs.

I have confirmed that this vulnerability can be triggered not only with the -Ow option, but also with -Or, -Oa. I think it can be triggered with other options as well, during the process of reading midi files.

** Affects: timidity (Ubuntu)
     Importance: Undecided
         Status: New

** Attachment added: "poc"
   https://bugs.launchpad.net/bugs/2087792/+attachment/5836188/+files/poc

https://bugs.launchpad.net/bugs/2087792

Title:
  division by zero bug in insert_note_steps()
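
The following is an added example, not part of the bug report and not TiMidity++ code: a guarded form of the reported expression `divisions * 4 / denom`. The helper names `beat_step` and `count_beats`, the surrounding loop, and the sample inputs are assumptions made for illustration; the report does not show how the PoC drives `denom` to 0.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper: ticks to advance per beat, using the same expression
 * as the sink in the report. Returns 0 on success, -1 if the file-supplied
 * values cannot be used safely. */
static int beat_step(int32_t divisions, uint8_t denom, int32_t *step)
{
    if (denom == 0)                       /* integer divide by zero: SIGFPE on x86 */
        return -1;
    if (divisions <= 0 || divisions > INT32_MAX / 4)   /* sign or overflow in *4 */
        return -1;
    int32_t s = divisions * 4 / denom;
    if (s == 0)                           /* zero step: a stepping loop never ends */
        return -1;
    *step = s;
    return 0;
}

/* Hypothetical caller: count beats from tick 0 up to lasttime.
 * Returns the beat count, or -1 when the inputs are rejected. */
static long count_beats(int32_t divisions, uint8_t denom, int32_t lasttime)
{
    int32_t step;
    long beats = 0;

    if (beat_step(divisions, denom, &step) != 0)
        return -1;
    /* 64-bit cursor so that at + step cannot wrap near INT32_MAX */
    for (int64_t at = 0; at < lasttime; at += step)
        beats++;
    return beats;
}

int main(void)
{
    /* Constructed inputs; 384 is the Divisions value printed in the report. */
    printf("denom 4: %ld\n", count_beats(384, 4, 3840));
    printf("denom 0: %ld\n", count_beats(384, 0, 3840));
    printf("step 0:  %ld\n", count_beats(1, 8, 3840));
    return 0;
}
```

Checking only for `denom == 0` removes the crash, but a quotient of 0 from a small `divisions` and a large `denom` would still stall a loop that advances by the step, which is why the helper rejects both.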
