* Martin Steghöfer <mar...@steghoefer.eu>, 2015-01-04, 17:26:
#0 0xf7f925a8 in vorbis_packet_blocksize (vi=0x804d2f0, op=0xffff910c) at
synthesis.c:168
#1 0xf7fb6b4d in _initial_pcmoffset (vf=0xffff92cc, vi=0x804d2f0) at
vorbisfile.c:440
#2 0xf7fb8ec0 in _open_seekable2 (vf=0xffff92cc) at vorbisfile.c:625
#3 0xf7fb9117 in _ov_open2 (vf=0xffff92cc) at vorbisfile.c:941
#4 ov_open_callbacks (f=0x804d020, vf=0xffff92cc, initial=0x0, ibytes=0,
callbacks=...) at vorbisfile.c:997
#5 0x0804977a in decode_file (in=0x804d020, out=0xffff9098, out@entry=0x804d188, infile=0xffffd88d
"crash.ogg", outfile=0x804d008 "crash.wav") at oggdec.c:265
#6 0x08048d5f in main (argc=2, argv=0xffffd6b4) at oggdec.c:455
Judging from this stacktrace and from the fact that your file crashes
audacity, too, I'd say we're dealing with a problem in the decoder
library. Reassigning to package libvorbis.
Yeah, I suspected the bug might be in libvorbis. But then, mpv(1) didn't
crash on the fuzzed file, which raised my doubts. Thanks for reassigning
to the correct package.
I am going to look into this and/or forward it to upstream.
This bug was found using American fuzzy lop:
https://packages.debian.org/experimental/afl
Huh! Didn't know about this tool (although I've heard about the
general concept of fuzzing to discover bugs). I will have to give it a
spin...
Cool! AFL comes with comprehensive documentation, but if you had trouble
setting it up, please let me know. :-)
You will almost certainly need to disable checksumming in libogg:
https://bitbucket.org/jwilk/security-research/raw/default/fuzzing-patches/libogg.diff
With checksumming enabled, AFL (or any other fuzzer, really) won't get
ahead very far...
BTW, AFL also runs into SIGFPE (probably #772978).
--
Jakub Wilk
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
