lame: divide-by-zero in parse_wave_header (get_audio.c)

Description:
lame is a high quality MPEG Audio Layer III (MP3) encoder licensed under the LGPL.

Few notes before the details of this bug. Time ago a fuzz was done by Brian Carpenter and Jakub Wilk which posted the results on the debian bugtracker. In cases like this, when upstream is not active and people do not post on the upstream bugzilla is easy discover duplicates, so I downloaded all available testcases, and noone of the bug you will see on my blog is a duplicate of an existing issue. Upstream seems a bit dead, latest release was into 2011, so this blog post will probably forwarded on the upstream bugtracker just for the record.

EDIT:
This bug was already discovered by Brian Carpenter. There wasn’t mentioned because it is in the frontend, but I guess that many webapplications which offer audio conversion, may run the lame command-line tool directly.

The complete ASan output of the issue:

# lame -f -V 9 $FILE out.wav
==26565==ERROR: AddressSanitizer: FPE on unknown address 0x000000519c13 (pc 0x000000519c13 bp 0x7ffd4d07a0d0 sp 0x7ffd4d079e20 T0)                   
    #0 0x519c12 in parse_wave_header /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/get_audio.c:1454:54                       
    #1 0x519c12 in parse_file_header /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/get_audio.c:1683                          
    #2 0x519c12 in open_wave_file /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/get_audio.c:1754                             
    #3 0x519c12 in init_infile /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/get_audio.c:620                                 
    #4 0x50f273 in init_files /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/lame_main.c:151:9                                
    #5 0x50befc in lame_main /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/lame_main.c:674:16                                
    #6 0x510793 in c_main /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/main.c:470:15                                        
    #7 0x510793 in main /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/main.c:438                                             
    #8 0x7f14a792b680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289                           
    #9 0x41c998 in _init (/usr/bin/lame+0x41c998)                                                                                                    
                                                                                                                                                     
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/get_audio.c:1454:54 in parse_wave_header
==26565==ABORTING

Affected version:
3.99.5

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was initially discovered by Brian Carpenter.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00289-lame-fpe-get_audio.c.wav

Timeline:
2017-06-01: bug discovered
2017-06-17: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:

lame: divide-by-zero in parse_wave_header (get_audio.c)

This entry was posted in advisories, security. Bookmark the permalink.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.