audiofile's Issues

heap-based buffer overflow in FilePOSIX::read

https://github.com/jakkdu/poc/blob/master/000011-audiofile-heapovfl-FilePOSIX_read

./sfconvert $FILE out.mp3 format aiff

=================================================================
==9146==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ebf1 at pc 0x7f0d4c7d4e55 bp 0x7ffffdd041a0 sp 0x7ffffdd03948
WRITE of size 156 at 0x60200000ebf1 thread T0
    #0 0x7f0d4c7d4e54  (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x45e54)
    #1 0x43d865 in read /usr/include/x86_64-linux-gnu/bits/unistd.h:44
    #2 0x43d865 in FilePOSIX::read(void*, unsigned long) /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/File.cpp:126
    #3 0x40ef02 in FileModule::read(void*, unsigned long) /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/modules/FileModule.cpp:42
    #4 0x41e839 in PCM::runPull() /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/modules/PCM.cpp:166
    #5 0x41475e in Module::pull(unsigned long) /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/modules/Module.cpp:71
    #6 0x4209a4 in SimpleModule::runPull() /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/modules/SimpleModule.cpp:28
    #7 0x4074ef in afReadFrames /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/data.cpp:222
    #8 0x402287 in copyaudiodata /home/insu/projects/qsym-eval/apps/audiofile/audiofile/sfcommands/sfconvert.c:370
    #9 0x402f4d in main /home/insu/projects/qsym-eval/apps/audiofile/audiofile/sfcommands/sfconvert.c:275
    #10 0x7f0d4bd5a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x401f48 in _start (/home/insu/projects/qsym-eval/apps/audiofile/out/build-asan/sfconvert+0x401f48)

0x60200000ebf1 is located 0 bytes to the right of 1-byte region [0x60200000ebf0,0x60200000ebf1)
allocated by thread T0 here:
    #0 0x7f0d4c828532 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99532)
    #1 0x419243 in Chunk::allocate(unsigned long) /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/modules/Module.h:59
    #2 0x419243 in ModuleState::setup(_AFfilehandle*, Track*) /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/modules/ModuleState.cpp:174
    #3 0x407f74 in afGetFrameCount /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/format.cpp:205
    #4 0x402252 in copyaudiodata /home/insu/projects/qsym-eval/apps/audiofile/audiofile/sfcommands/sfconvert.c:359
    #5 0x402f4d in main /home/insu/projects/qsym-eval/apps/audiofile/audiofile/sfcommands/sfconvert.c:275
    #6 0x7f0d4bd5a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
==9146==ABORTING

out-of-bounds heap access in SimpleModule.h

There exists one out-of-bounds heap access in SwapModule::runSwap, in SimpleModule.h:82, which allows an attacker to cause a denial of service via a crafted file.

sfconvert $poc output format caf
poc.zip

asan output

root@ubuntu:~/fuzz/audiofile# /home/tim/audiofile-santi/sfcommands/sfconvert /home/tim/Downloads/poc output format caf
ASAN:DEADLYSIGNAL
=================================================================
==30065==ERROR: AddressSanitizer: SEGV on unknown address 0x625000010000 (pc 0x7ffff6becb40 bp 0x60c000000340 sp 0x7fffffffe200 T0)
==30065==The signal is caused by a READ memory access.
    #0 0x7ffff6becb3f in void SwapModule::runSwap<8, long>(long const*, long*, int) /home/tim/audiofile-santi/libaudiofile/modules/SimpleModule.h:81
    #1 0x7ffff6becb3f in void SwapModule::run<8, long>(Chunk&, Chunk&) /home/tim/audiofile-santi/libaudiofile/modules/SimpleModule.h:74
    #2 0x7ffff6becb3f in SwapModule::run(Chunk&, Chunk&) /home/tim/audiofile-santi/libaudiofile/modules/SimpleModule.h:63
    #3 0x7ffff6bdc218 in afReadFrames (/home/tim/audiofile-santi/libaudiofile/.libs/libaudiofile.so.1+0x32218)
    #4 0x555555555fdd in copyaudiodata /home/tim/audiofile-santi/sfcommands/sfconvert.c:340
    #5 0x555555555620 in main /home/tim/audiofile-santi/sfcommands/sfconvert.c:248
    #6 0x7ffff67dab96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #7 0x555555555c79 in _start (/home/tim/audiofile-santi/sfcommands/.libs/sfconvert+0x1c79)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/tim/audiofile-santi/libaudiofile/modules/SimpleModule.h:81 in void SwapModule::runSwap<8, long>(long const*, long*, int)
==30065==ABORTING

gdb output

gdb-peda$ r /home/tim/Downloads/poc output format caf
Starting program: /home/tim/fuzz/audiofile/sfconvert /home/tim/Downloads/poc output format caf

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
RAX: 0x0 
RBX: 0x0 
RCX: 0x7ffff7f5b010 --> 0x2e736e6400000000 ('')
RDX: 0x0 
RSI: 0x55555587ac40 --> 0x646e732e ('.snd')
RDI: 0x0 
RBP: 0x200000028 
RSP: 0x7fffffffe320 --> 0x555555877f28 --> 0x3e9 
RIP: 0x5555555c82b5 (<SwapModule::run(Chunk&, Chunk&)+1525>:	mov    rdx,QWORD PTR [rsi+r10*1+0x18])
R8 : 0x0 
R9 : 0x0 
R10: 0xc3a8 
R11: 0x0 
R12: 0x555555877f28 --> 0x3e9 
R13: 0x555555878660 --> 0x5555558643f8 --> 0x5555555c72d0 (<SwapModule::~SwapModule()>:	lea    rsp,[rsp-0x98])
R14: 0x0 
R15: 0x1
EFLAGS: 0x10283 (CARRY parity adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x5555555c82a8 <SwapModule::run(Chunk&, Chunk&)+1512>:	mov    r8,QWORD PTR [rsi+r10*1+0x10]
   0x5555555c82ad <SwapModule::run(Chunk&, Chunk&)+1517>:	bswap  r8
   0x5555555c82b0 <SwapModule::run(Chunk&, Chunk&)+1520>:	mov    QWORD PTR [rcx+r10*1+0x10],r8
=> 0x5555555c82b5 <SwapModule::run(Chunk&, Chunk&)+1525>:	mov    rdx,QWORD PTR [rsi+r10*1+0x18]
   0x5555555c82ba <SwapModule::run(Chunk&, Chunk&)+1530>:	bswap  rdx
   0x5555555c82bd <SwapModule::run(Chunk&, Chunk&)+1533>:	mov    QWORD PTR [rcx+r10*1+0x18],rdx
   0x5555555c82c2 <SwapModule::run(Chunk&, Chunk&)+1538>:	mov    rax,QWORD PTR [rsi+r10*1+0x20]
   0x5555555c82c7 <SwapModule::run(Chunk&, Chunk&)+1543>:	bswap  rax
Stopped reason: SIGSEGV
0x00005555555c82b5 in SwapModule::runSwap<8, long> (this=<optimized out>, sampleCount=<optimized out>, output=0x7ffff7f5b010, input=0x55555587ac40) at SimpleModule.h:82
82				output[i] = byteswap(input[i]);
gdb-peda$ bt
#0  0x00005555555c82b5 in SwapModule::runSwap<8, long> (this=<optimized out>, sampleCount=<optimized out>, output=0x7ffff7f5b010, input=0x55555587ac40) at SimpleModule.h:82
#1  SwapModule::run<8, long> (this=<optimized out>, outChunk=..., inChunk=...) at SimpleModule.h:74
#2  SwapModule::run (this=<optimized out>, inChunk=..., outChunk=...) at SimpleModule.h:63
#3  0x000055555556a266 in afReadFrames (file=<optimized out>, trackid=<optimized out>, samples=0x7ffff7f5b010, nvframeswanted=<optimized out>) at data.cpp:222
#4  0x000055555555ab4d in copyaudiodata (infile=0x555555877e90, outfile=0x5555558786a0, trackid=0x3e9) at sfconvert.c:340
#5  0x0000555555559331 in main (argc=argc@entry=0x5, argv=argv@entry=0x7fffffffe548) at sfconvert.c:248
#6  0x00007ffff72deb97 in __libc_start_main (main=0x555555558b70 <main>, argc=0x5, argv=0x7fffffffe548, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe538) at ../csu/libc-start.c:310
#7  0x000055555555a62a in _start ()

heap-based buffer overflow in ulaw2linear_buf

https://github.com/jakkdu/poc/blob/master/000008-audiofile-heapovfl-ulaw2linear_buf

./sfconvert $FILE out.mp3 format aiff
=================================================================
==46598==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000ec31 at pc 0x00000040fe03 bp 0x7ffdd71ea8d0 sp 0x7ffdd71ea8c0
READ of size 1 at 0x60200000ec31 thread T0
    #0 0x40fe02 in ulaw2linear_buf /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/modules/G711.cpp:42
    #1 0x40fe02 in G711::runPull() /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/modules/G711.cpp:207
    #2 0x4074ef in afReadFrames /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/data.cpp:222
    #3 0x402287 in copyaudiodata /home/insu/projects/qsym-eval/apps/audiofile/audiofile/sfcommands/sfconvert.c:370
    #4 0x402f4d in main /home/insu/projects/qsym-eval/apps/audiofile/audiofile/sfcommands/sfconvert.c:275
    #5 0x7f7f2d27282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #6 0x401f48 in _start (/home/insu/projects/qsym-eval/apps/audiofile/out/build-asan/sfconvert+0x401f48)

0x60200000ec31 is located 0 bytes to the right of 1-byte region [0x60200000ec30,0x60200000ec31)
allocated by thread T0 here:
    #0 0x7f7f2dd40532 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99532)
    #1 0x419243 in Chunk::allocate(unsigned long) /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/modules/Module.h:59
    #2 0x419243 in ModuleState::setup(_AFfilehandle*, Track*) /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/modules/ModuleState.cpp:174
    #3 0x407f74 in afGetFrameCount /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/format.cpp:205
    #4 0x402252 in copyaudiodata /home/insu/projects/qsym-eval/apps/audiofile/audiofile/sfcommands/sfconvert.c:359
    #5 0x402f4d in main /home/insu/projects/qsym-eval/apps/audiofile/audiofile/sfcommands/sfconvert.c:275
    #6 0x7f7f2d27282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/modules/G711.cpp:42 ulaw2linear_buf
==46598==ABORTING

NULL pointer dereference in ModuleState::setup, in ModuleState.cpp

There exists one NULL pointer dereference bug in ModuleState::setup, in ModuleState.cpp, which allows an attacker to cause a denial of service via a crafted caf file.
poc.zip

To reproduce with the attached poc file:
./sfconvert $poc output format aiff

ASan:
==98672==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ff14364b98f bp 0x7ffd2fd4dd80 sp 0x7ffd2fd4d9c0 T0)
#0 0x7ff14364b98e in ModuleState::setup(_AFfilehandle*, Track*) /home/s2e/asan/audiofile-0.3.6/libaudiofile/modules/ModuleState.cpp:143
#1 0x7ff143634abd in afGetFrameCount /home/s2e/asan/audiofile-0.3.6/libaudiofile/format.cpp:205
#2 0x4ec033 in copyaudiodata /home/s2e/asan/audiofile-0.3.6/sfcommands/sfconvert.c:329
#3 0x4ebbe4 in main /home/s2e/asan/audiofile-0.3.6/sfcommands/sfconvert.c:248
#4 0x7ff1426c382f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#5 0x419068 in _start (/home/s2e/asan/audiofile-0.3.6/sfcommands/.libs/lt-sfconvert+0x419068)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/s2e/asan/audiofile-0.3.6/libaudiofile/modules/ModuleState.cpp:143 in ModuleState::setup(_AFfilehandle*, Track*)
==98672==ABORTING

Incorrect file mode on Windows

Windows uses the silly default of opening files in text mode.

Audiofile 0.3.4 does not set the mode to binary, and this leads to creation of corrupted files.

To reproduce: create a new WAV file using libaudiofile-1.dll.

Division by zero in WAVEFile::readInit() when opening old WAV file

How to reproduce:

  1. Use the latest sources or just the standard Ubuntu package.
  2. ./examples/alsaplay file.wav, where file.wav is http://ubuntuone.com/0jJI47rc5FY6dw1hOawPls
  3. Or you can just add that file to the MPD music folder and update the song database; MPD will hang.

Traceback (from nemiver, a GUI for gdb):

#0  WAVEFile::readInit(this = 0x603030, setup = <optimized out>) at WAVE.cpp:802
#1  _afOpenFile(access = 1, f = 0x603010, filename = 0x7fffffffe4e4 "F-BO04.WAV", file = 0x7fffffffe058, filesetup = <optimized out>) at openclose.cpp:356
#2  afOpenFile(filename = 0x7fffffffe4e4 "F-BO04.WAV", mode = <optimized out>, setup = 0x0) at openclose.cpp:217
#3  main(argc = <optimized out>, argv = 0x7fffffffe1b8) at alsaplay.cpp:48

This file is easily playable by mplayer:

$ mplayer F-BO04.WAV 
MPlayer svn r34540 (Ubuntu), built with gcc-4.6 (C) 2000-2012 MPlayer Team
mplayer: could not connect to socket
mplayer: No such file or directory
Failed to open LIRC support. You will not be able to use your remote control.

Playing F-BO04.WAV.
libavformat version 53.21.0 (external)
Mismatching header version 53.19.0
Audio only file format detected.
Load subtitles in ./
==========================================================================
Opening audio decoder: [ffmpeg] FFmpeg/libavcodec audio decoders
libavcodec version 53.35.0 (external)
Mismatching header version 53.32.2
AUDIO: 22050 Hz, 1 ch, s16le, 89.2 kbit/25.29% (ratio: 11155->44100)
Selected audio codec: [ffadpcmms] afm: ffmpeg (FFmpeg MS ADPCM audio)
==========================================================================
AO: [pulse] 22050Hz 1ch s16le (2 bytes per sample)
Video: no video
Starting playback...
A:   4.4 (04.3) of 4.0 (04.0)  0.1% 


Exiting... (End of file)

P.S. This is an old file from some very old CD for kids.
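
As an added illustration (not libaudiofile's own WAVE.cpp, and the issue does not say which header field was zero in the reported file), here is the check a WAV header reader should make before using "fmt " chunk fields as divisors. The sample rate and byte rate match the mplayer line above; the 256-byte block / 500-samples-per-block layout and the data chunk size are assumed.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Model of the WAVE "fmt " chunk fields that a readInit-style routine later
// uses as divisors. This is an illustration, not libaudiofile's WAVE.cpp.
struct WaveFormat {
    uint16_t formatTag;        // 1 = PCM, 2 = MS ADPCM (the codec mplayer reports above)
    uint16_t channels;
    uint32_t sampleRate;
    uint32_t avgBytesPerSec;
    uint16_t blockAlign;
    uint16_t bitsPerSample;
    uint16_t samplesPerBlock;  // MS ADPCM extension field; 0 for plain PCM
};

static uint16_t rd16(const uint8_t *p) { return uint16_t(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return uint32_t(p[0]) | (uint32_t(p[1]) << 8) | (uint32_t(p[2]) << 16) | (uint32_t(p[3]) << 24);
}

// Parse a little-endian "fmt " chunk body. Returns false when the chunk is truncated
// or when any field later used as a divisor is zero, so the open fails cleanly.
bool parseFmtChunk(const uint8_t *body, size_t len, WaveFormat &out) {
    if (len < 16) return false;                 // common part of the chunk is 16 bytes
    out.formatTag      = rd16(body);
    out.channels       = rd16(body + 2);
    out.sampleRate     = rd32(body + 4);
    out.avgBytesPerSec = rd32(body + 8);
    out.blockAlign     = rd16(body + 12);
    out.bitsPerSample  = rd16(body + 14);
    out.samplesPerBlock = 0;
    if (out.formatTag == 2) {                   // MS ADPCM: cbSize, then wSamplesPerBlock
        if (len < 20) return false;
        if (rd16(body + 16) < 2) return false;  // cbSize must cover wSamplesPerBlock
        out.samplesPerBlock = rd16(body + 18);
    }
    if (out.channels == 0 || out.sampleRate == 0 || out.avgBytesPerSec == 0 ||
        out.blockAlign == 0 || out.bitsPerSample == 0)
        return false;
    if (out.formatTag == 2 && out.samplesPerBlock == 0) return false;
    return true;
}

// Frame count from the data chunk size: blocks = dataSize / blockAlign, and an ADPCM
// block decodes to samplesPerBlock frames. The divisor check is repeated so the
// function is safe even when handed an unvalidated header.
bool frameCount(const WaveFormat &f, uint32_t dataSize, uint64_t &frames) {
    if (f.blockAlign == 0) return false;
    uint64_t blocks = dataSize / f.blockAlign;
    frames = (f.formatTag == 2) ? blocks * f.samplesPerBlock : blocks;
    return true;
}

// --- constructed sample input; not bytes from the file in the report ---
static void put16(std::vector<uint8_t> &v, uint16_t x) { v.push_back(x & 0xff); v.push_back(x >> 8); }
static void put32(std::vector<uint8_t> &v, uint32_t x) { for (int i = 0; i < 4; ++i) v.push_back((x >> (8 * i)) & 0xff); }

// Serialise a fmt chunk body. For MS ADPCM only cbSize and wSamplesPerBlock are
// written; the coefficient table is left out because the parser never reads it.
std::vector<uint8_t> makeFmtBody(const WaveFormat &f) {
    std::vector<uint8_t> v;
    put16(v, f.formatTag); put16(v, f.channels); put32(v, f.sampleRate);
    put32(v, f.avgBytesPerSec); put16(v, f.blockAlign); put16(v, f.bitsPerSample);
    if (f.formatTag == 2) { put16(v, 2); put16(v, f.samplesPerBlock); }
    return v;
}

// Well-formed MS ADPCM header (22050 Hz mono, 11155 bytes/s as in the mplayer
// output; 256-byte blocks of 500 samples is an assumed layout). A 25600-byte
// data chunk is 100 blocks, hence 50000 frames.
uint64_t goodAdpcmFrames() {
    WaveFormat in{2, 1, 22050, 11155, 256, 4, 500}, out{};
    std::vector<uint8_t> body = makeFmtBody(in);
    uint64_t frames = 0;
    if (!parseFmtChunk(body.data(), body.size(), out)) return 0;
    return frameCount(out, 25600, frames) ? frames : 0;
}
// Same header with nBlockAlign zeroed: rejected at parse time, never divided by.
bool zeroBlockAlignRejected() {
    WaveFormat in{2, 1, 22050, 11155, 0, 4, 500}, out{};
    std::vector<uint8_t> body = makeFmtBody(in);
    return !parseFmtChunk(body.data(), body.size(), out);
}
// wSamplesPerBlock zeroed: rejected, since frame/block conversions divide by it.
bool zeroSamplesPerBlockRejected() {
    WaveFormat in{2, 1, 22050, 11155, 256, 4, 0}, out{};
    std::vector<uint8_t> body = makeFmtBody(in);
    return !parseFmtChunk(body.data(), body.size(), out);
}
// Chunk cut short of the ADPCM extension: rejected instead of read past its end.
bool truncatedRejected() {
    WaveFormat in{2, 1, 22050, 11155, 256, 4, 500}, out{};
    std::vector<uint8_t> body = makeFmtBody(in);
    body.resize(17);
    return !parseFmtChunk(body.data(), body.size(), out);
}
```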

Unable to configure /build under ubuntu 12

Having trouble configuring/building on Ubuntu 12.

First pass, just doing autoconf, reports missing files.
Ran autoconf --add-missing but still can't get configure to run.

config.status: error: cannot find input file: `sfcommands/Makefile.in'

configure.ac:19: required file `./config.guess' not found
configure.ac:19:   `automake --add-missing' can install `config.guess'
configure.ac:19: required file `./config.sub' not found
configure.ac:19:   `automake --add-missing' can install `config.sub'
configure.ac:12: required file `./install-sh' not found
configure.ac:12:   `automake --add-missing' can install `install-sh'
configure.ac:19: required file `./ltmain.sh' not found
configure.ac:12: required file `./missing' not found
configure.ac:12:   `automake --add-missing' can install `missing'
docs/Makefile.am:58: `%'-style pattern rules are a GNU make extension
docs/Makefile.am:61: `%'-style pattern rules are a GNU make extension
docs/Makefile.am:64: `%'-style pattern rules are a GNU make extension
examples/Makefile.am: required file `./depcomp' not found
examples/Makefile.am:   `automake --add-missing' can install `depcomp'

piranha@awsome> ./configure
configure: creating ./config.status
config.status: creating audiofile.spec
config.status: creating audiofile.pc
config.status: creating audiofile-uninstalled.pc
config.status: error: cannot find input file: `sfcommands/Makefile.in'

bzero() in CAF.cpp

In CAF.cpp, the non-standard, deprecated bzero() function is used, which causes compilation problems. memset() is a better alternative.

audiofile 0.2.7 fails to build (on testsuite)

As you know, I'm working on the update of the Debian packaging of audiofile 0.2.7.

While I've been test-building the new package, I've encountered a build failure when running the testsuite:

testfloat: testing AIFF-C
testfloat: testing WAVE
testfloat: testing NeXT .snd
testfloat: testing IRCAM
testfloat passed
PASS: testfloat
testdouble: testing AIFF-C
testdouble: testing MS RIFF WAVE
testdouble: testing NeXT .snd/Sun .au
testdouble passed
PASS: testdouble
PASS: testmarkers
PASS: testchannelmatrix
PASS: seek
Testing AIFF
Testing AIFF-C
Testing NeXT .snd/Sun .au
Incorrect frame count in file opened for reading

FAIL: large

#1 of 25 tests failed

Here is the full buildlog:
http://paste.debian.net/126367/

Would you help me to fix that, please?

Autodetect format to save to from file name extension

A feature that would help GUI programs would be: define a file format named AF_FILE_AUTODETECT or something like that. If that is used, afOpenFile(), when used to create a new file, would try to read the extension from the file name and pick a format according to the extension. In case the extension is not detected, a default would be used.

How to build a libaudiofile.so? possible?

Hi, I am trying to build audiofile so that I can use the now rather old Tao Physical Modelling synthesis library. The only problem is that Tao seems to want to find a libaudiofile.so in order to create a makefile.

I am running OS X 10.10.1. I can only seem to be able to build .dylib and .a files for audiofile. Do you know how to build a .so file? Thanks.

audiofile 0.3.0: install docs issue on OSX 10.6.8

I'm hoping gnu-sed or some tinkering will help the man.1 pages get installed on OSX.
I've been working on building audiofile for Darwin x86_64 on 10.6.8 using gcc-4.2.1.

Below is the gist of when make install entered docs. Are there missing items? If
there are, I think it might be because sed is sed rather than $(SED) in the Makefiles.

ye ol geeist
And I've been working up the install over here on homebrew
Okay, thanks.

New Release

Can you please roll a new release with all these security fixes?

0.3.6 + all up to b62c902d: test suite is failing when source code is configured with `--disable-static` and LTO is used

Looks like the test suite is using some non-public symbols, and it fails at link time when the source code is configured with --disable-static and LTO is used.

/usr/bin/make  UnitTests
make[3]: Entering directory '/home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/libaudiofile'
/usr/bin/g++ -DHAVE_CONFIG_H -I. -I..  -I..  -fno-rtti -fno-exceptions -DGTEST_HAS_RTTI=0 -DGTEST_HAS_EXCEPTIONS=0 -O2 -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fdata-sections -ffunction-sections -flto=auto -flto-partition=none -c -o UnitTests-UT_RebufferModule.o `test -f 'modules/UT_RebufferModule.cpp' || echo './'`modules/UT_RebufferModule.cpp
make[3]: Leaving directory '/home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/libaudiofile'
make[3]: Entering directory '/home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/libaudiofile'
/bin/sh ../libtool  --tag=CXX   --mode=link /usr/bin/g++ -fno-rtti -fno-exceptions -DGTEST_HAS_RTTI=0 -DGTEST_HAS_EXCEPTIONS=0 -O2 -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fdata-sections -ffunction-sections -flto=auto -flto-partition=none -static -Wl,-z,relro -Wl,--as-needed -Wl,--gc-sections -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -flto=auto -flto-partition=none -fuse-linker-plugin -Wl,--build-id=sha1 -o UnitTests UnitTests-UT_RebufferModule.o libaudiofile.la ../gtest/libgtest.la
libtool: link: /usr/bin/g++ -fno-rtti -fno-exceptions -DGTEST_HAS_RTTI=0 -DGTEST_HAS_EXCEPTIONS=0 -O2 -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -fdata-sections -ffunction-sections -flto=auto -flto-partition=none -Wl,-z -Wl,relro -Wl,--as-needed -Wl,--gc-sections -Wl,-z -Wl,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -flto=auto -flto-partition=none -fuse-linker-plugin -Wl,--build-id=sha1 -o UnitTests UnitTests-UT_RebufferModule.o  ./.libs/libaudiofile.so -lFLAC ../gtest/.libs/libgtest.a -lpthread -Wl,-rpath -Wl,/home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/libaudiofile/.libs
/usr/bin/ld: /tmp/cckKJAUP.lto.o: in function `TestSourceModule::~TestSourceModule()':
/home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/libaudiofile/modules/UT_RebufferModule.cpp:52: undefined reference to `Module::~Module()'
/usr/bin/ld: /tmp/cckKJAUP.lto.o: in function `TestSourceModule::~TestSourceModule()':
/home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/libaudiofile/modules/UT_RebufferModule.cpp:52: undefined reference to `Module::~Module()'
/usr/bin/ld: /tmp/cckKJAUP.lto.o: in function `TestSinkModule::~TestSinkModule()':
/home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/libaudiofile/modules/UT_RebufferModule.cpp:87: undefined reference to `Module::~Module()'
/usr/bin/ld: /tmp/cckKJAUP.lto.o: in function `TestSinkModule::~TestSinkModule()':
/home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/libaudiofile/modules/UT_RebufferModule.cpp:87: undefined reference to `Module::~Module()'
/usr/bin/ld: /tmp/cckKJAUP.lto.o: in function `testVariableToFixed(bool)':
/home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/libaudiofile/modules/UT_RebufferModule.cpp:281: undefined reference to `AudioFormat::bytesPerFrame() const'
/usr/bin/ld: /home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/libaudiofile/modules/UT_RebufferModule.cpp:282: undefined reference to `RebufferModule::RebufferModule(RebufferModule::Direction, int, int, bool)'
/usr/bin/ld: /home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/libaudiofile/modules/UT_RebufferModule.cpp:92: undefined reference to `Module::Module()'
/usr/bin/ld: /home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/libaudiofile/modules/UT_RebufferModule.cpp:284: undefined reference to `Module::setSink(Module*)'
/usr/bin/ld: /home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/libaudiofile/modules/UT_RebufferModule.cpp:291: undefined reference to `AudioFormat::bytesPerFrame() const'
/usr/bin/ld: /home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/libaudiofile/modules/UT_RebufferModule.cpp:294: undefined reference to `AudioFormat::bytesPerFrame() const'
/usr/bin/ld: /tmp/cckKJAUP.lto.o: in function `testFixedToVariable(bool)':
/home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/libaudiofile/modules/UT_RebufferModule.cpp:138: undefined reference to `AudioFormat::bytesPerFrame() const'
/usr/bin/ld: /home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/libaudiofile/modules/UT_RebufferModule.cpp:139: undefined reference to `RebufferModule::RebufferModule(RebufferModule::Direction, int, int, bool)'
/usr/bin/ld: /home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/libaudiofile/modules/UT_RebufferModule.cpp:58: undefined reference to `Module::Module()'
/usr/bin/ld: /home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/libaudiofile/modules/UT_RebufferModule.cpp:142: undefined reference to `Module::setSource(Module*)'
/usr/bin/ld: /home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/libaudiofile/modules/UT_RebufferModule.cpp:149: undefined reference to `AudioFormat::bytesPerFrame() const'
/usr/bin/ld: /home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/libaudiofile/modules/UT_RebufferModule.cpp:152: undefined reference to `AudioFormat::bytesPerFrame() const'
/usr/bin/ld: /tmp/cckKJAUP.lto.o: in function `testBufferingAfterShortChunk(bool)':
/home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/libaudiofile/modules/UT_RebufferModule.cpp:220: undefined reference to `AudioFormat::bytesPerFrame() const'
/usr/bin/ld: /home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/libaudiofile/modules/UT_RebufferModule.cpp:221: undefined reference to `RebufferModule::RebufferModule(RebufferModule::Direction, int, int, bool)'
/usr/bin/ld: /home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/libaudiofile/modules/UT_RebufferModule.cpp:58: undefined reference to `Module::Module()'
/usr/bin/ld: /home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/libaudiofile/modules/UT_RebufferModule.cpp:224: undefined reference to `Module::setSource(Module*)'
/usr/bin/ld: /home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/libaudiofile/modules/UT_RebufferModule.cpp:231: undefined reference to `AudioFormat::bytesPerFrame() const'
/usr/bin/ld: /home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/libaudiofile/modules/UT_RebufferModule.cpp:234: undefined reference to `AudioFormat::bytesPerFrame() const'
/usr/bin/ld: /tmp/cckKJAUP.lto.o:(.data.rel.ro._ZTV14TestSinkModule+0x20): undefined reference to `Module::name() const'
/usr/bin/ld: /tmp/cckKJAUP.lto.o:(.data.rel.ro._ZTV14TestSinkModule+0x28): undefined reference to `Module::describe()'
/usr/bin/ld: /tmp/cckKJAUP.lto.o:(.data.rel.ro._ZTV14TestSinkModule+0x30): undefined reference to `Module::maxPull()'
/usr/bin/ld: /tmp/cckKJAUP.lto.o:(.data.rel.ro._ZTV14TestSinkModule+0x38): undefined reference to `Module::maxPush()'
/usr/bin/ld: /tmp/cckKJAUP.lto.o:(.data.rel.ro._ZTV14TestSinkModule+0x40): undefined reference to `Module::runPull()'
/usr/bin/ld: /tmp/cckKJAUP.lto.o:(.data.rel.ro._ZTV16TestSourceModule+0x20): undefined reference to `Module::name() const'
/usr/bin/ld: /tmp/cckKJAUP.lto.o:(.data.rel.ro._ZTV16TestSourceModule+0x28): undefined reference to `Module::describe()'
/usr/bin/ld: /tmp/cckKJAUP.lto.o:(.data.rel.ro._ZTV16TestSourceModule+0x30): undefined reference to `Module::maxPull()'
/usr/bin/ld: /tmp/cckKJAUP.lto.o:(.data.rel.ro._ZTV16TestSourceModule+0x38): undefined reference to `Module::maxPush()'
/usr/bin/ld: /tmp/cckKJAUP.lto.o:(.data.rel.ro._ZTV16TestSourceModule+0x58): undefined reference to `Module::runPush()'
collect2: error: ld returned 1 exit status
make[3]: *** [Makefile:816: UnitTests] Error 1

A heap-buffer-overflow has occurred when running sfconvert

A heap-buffer-overflow has occurred when running sfconvert.

=================================================================
==16798==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f000fca7800 at pc 0x7f000e8f996c bp 0x7ffc39a7a360 sp 0x7ffc39a7a350
WRITE of size 4 at 0x7f000fca7800 thread T0
    #0 0x7f000e8f996b in void Expand3To4Module::run<int>(unsigned char const*, int*, int) /home/sandy/swt_fuzz/audiofile/libaudiofile/modules/SimpleModule.h:269
    #1 0x7f000e8f4692 in Expand3To4Module::run(Chunk&, Chunk&) /home/sandy/swt_fuzz/audiofile/libaudiofile/modules/SimpleModule.h:244
    #2 0x7f000e91810e in SimpleModule::runPull() /home/sandy/swt_fuzz/audiofile/libaudiofile/modules/SimpleModule.cpp:29
    #3 0x7f000e8ba550 in afReadFrames /home/sandy/swt_fuzz/audiofile/libaudiofile/data.cpp:222
    #4 0x403c7e in copyaudiodata /home/sandy/swt_fuzz/audiofile/sfcommands/sfconvert.c:340
    #5 0x403793 in main /home/sandy/swt_fuzz/audiofile/sfcommands/sfconvert.c:248
    #6 0x7f000e47a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #7 0x4017a8 in _start (/home/sandy/swt_fuzz/audiofile/sfcommands/.libs/sfconvert+0x4017a8)

0x7f000fca7800 is located 0 bytes to the right of 524288-byte region [0x7f000fc27800,0x7f000fca7800)
allocated by thread T0 here:
    #0 0x7f000ec09602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x403c1b in copyaudiodata /home/sandy/swt_fuzz/audiofile/sfcommands/sfconvert.c:327
    #2 0x403793 in main /home/sandy/swt_fuzz/audiofile/sfcommands/sfconvert.c:248
    #3 0x7f000e47a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/sandy/swt_fuzz/audiofile/libaudiofile/modules/SimpleModule.h:269 void Expand3To4Module::run<int>(unsigned char const*, int*, int)
==16798==ABORTING


And the input file has been put at:
https://github.com/fCorleone/fuzz_programs/blob/master/audiofile/test1

make check in 0.3.5 fails if the static library is not built

I didn't even try to understand it. I just tried to update the openSUSE package and found that make check failed with

libaudiofile/modules/UT_RebufferModule.cpp:281: undefined reference to `AudioFormat::bytesPerFrame() const'

This is normal since we don't build static libraries and audiofile.exports doesn't export the AudioFormat class.

Is this expected? Could the test be done through public interfaces?

Memory leak in AUpvnew

https://github.com/jakkdu/poc/blob/master/000010-audiofile-leak-AUpvnew

./sfconvert $FILE out.mp3 format aiff
Audio File Library: invalid chunk length -9008290176433921 for chunk type
[error 62]
Audio File Library: invalid chunk length -1095221091282 for chunk type
[error 62]
Audio File Library: invalid chunk length -9008290176433921 for chunk type
[error 62]
Audio File Library: invalid chunk length -1095221091282 for chunk type
[error 62]

=================================================================
==27449==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 24 byte(s) in 1 object(s) allocated from:
#0 0x7f1fae647602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x4574ce in AUpvnew /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/aupv.c:45
#2 0x43b94f in CAFFile::initIMACompressionParams() /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/CAF.cpp:694
#3 0x43c7be in CAFFile::parseDescription(Tag const&, long) /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/CAF.cpp:339
#4 0x43cdb0 in CAFFile::readInit(_AFfilesetup*) /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/CAF.cpp:129
#5 0x408f28 in _afOpenFile /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/openclose.cpp:356
#6 0x409cb7 in afOpenFile /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/openclose.cpp:217
#7 0x403240 in printfileinfo /home/insu/projects/qsym-eval/apps/audiofile/audiofile/sfcommands/printinfo.c:45
#8 0x402f84 in main /home/insu/projects/qsym-eval/apps/audiofile/audiofile/sfcommands/sfconvert.c:286
#9 0x7f1fadb7a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

Direct leak of 24 byte(s) in 1 object(s) allocated from:
#0 0x7f1fae647602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x4574ce in AUpvnew /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/aupv.c:45
#2 0x43b94f in CAFFile::initIMACompressionParams() /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/CAF.cpp:694
#3 0x43c7be in CAFFile::parseDescription(Tag const&, long) /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/CAF.cpp:339
#4 0x43cdb0 in CAFFile::readInit(_AFfilesetup*) /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/CAF.cpp:129
#5 0x408f28 in _afOpenFile /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/openclose.cpp:356
#6 0x409cb7 in afOpenFile /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/openclose.cpp:217
#7 0x402d96 in main /home/insu/projects/qsym-eval/apps/audiofile/audiofile/sfcommands/sfconvert.c:222
#8 0x7f1fadb7a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

Indirect leak of 24 byte(s) in 1 object(s) allocated from:
#0 0x7f1fae64779a in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9879a)
#1 0x4574ea in AUpvnew /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/aupv.c:50
#2 0x43b94f in CAFFile::initIMACompressionParams() /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/CAF.cpp:694
#3 0x43c7be in CAFFile::parseDescription(Tag const&, long) /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/CAF.cpp:339
#4 0x43cdb0 in CAFFile::readInit(_AFfilesetup*) /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/CAF.cpp:129
#5 0x408f28 in _afOpenFile /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/openclose.cpp:356
#6 0x409cb7 in afOpenFile /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/openclose.cpp:217
#7 0x402d96 in main /home/insu/projects/qsym-eval/apps/audiofile/audiofile/sfcommands/sfconvert.c:222
#8 0x7f1fadb7a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

Indirect leak of 24 byte(s) in 1 object(s) allocated from:
#0 0x7f1fae64779a in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9879a)
#1 0x4574ea in AUpvnew /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/aupv.c:50
#2 0x43b94f in CAFFile::initIMACompressionParams() /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/CAF.cpp:694
#3 0x43c7be in CAFFile::parseDescription(Tag const&, long) /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/CAF.cpp:339
#4 0x43cdb0 in CAFFile::readInit(_AFfilesetup*) /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/CAF.cpp:129
#5 0x408f28 in _afOpenFile /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/openclose.cpp:356
#6 0x409cb7 in afOpenFile /home/insu/projects/qsym-eval/apps/audiofile/audiofile/libaudiofile/openclose.cpp:217
#7 0x403240 in printfileinfo /home/insu/projects/qsym-eval/apps/audiofile/audiofile/sfcommands/printinfo.c:45
#8 0x402f84 in main /home/insu/projects/qsym-eval/apps/audiofile/audiofile/sfcommands/sfconvert.c:286
#9 0x7f1fadb7a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: 96 byte(s) leaked in 4 allocation(s).

0.3.1 test failure on powerpc

Hello! I was looking into audiofile build failures in Ubuntu 12.04 on powerpc.

The first issue (with 0.2.7) was a problem with AIFF. Since reading that 0.3.1 had better support for AIFF, I tried it. It failed on a different test now.

This one was VOC.Int16. Seems that it's not handling the byte swapping correctly. But all other tests passed OK.

It's writing out the sample data badly (big endian instead of little endian). The header data is fine. Just the sample data is bad. I don't see in the code where in the push/pull sequence it is supposed to be getting byte swapped, which might be the problem right there (or I couldn't grok the code sufficiently).

Memory-leak bug in printfileinfo, in printinfo.c

There is a memory-leak bug in printfileinfo, in printinfo.c, which allows an attacker to leak the address of the heap or libc via a crafted file.
To reproduce with the attached poc file:
poc.zip

Heap address leak:
./sfinfo ./heapleak_poc.aiff

Result (see the output of Copyright):

$ ./sfinfo ./heapleak_poc.aiff
File Name      ./heapleak_poc.aiff
File Format    Audio Interchange File Format (aiff)
Data Format    unknown
Audio Data     0 bytes begins at offset 0 (0 hex)
               0 channel, -1 frames
Sampling Rate  0.00 Hz
Duration       -inf seconds
Copyright      C��U

Libc address leak:
./sfinfo ./libleak_poc.aiff

Result (see the output of Copyright):

$ ./sfinfo ./libleak_poc.aiff
File Name      ./libleak_poc.aiff
File Format    Audio Interchange File Format (aiff)
Data Format    unknown
Audio Data     0 bytes begins at offset 0 (0 hex)
               0 channel, -1 frames
Sampling Rate  0.00 Hz
Duration       -inf seconds
Copyright      Copyright 1991, (d��i

This vulnerability can be triggered anywhere the printfileinfo function is called, for example, sfconvert.

The poc.py will help you to calculate the address; it was tested on Ubuntu 20.04 with python2.

Usage of poc.py:

$ python2 poc.py heap
[+] Starting local process './sfinfo': pid 17868
[*] Process './sfinfo' stopped with exit code 0 (pid 17868)
[+] heap_leak:0x55b2425d4243
[+] heap_base:0x55b2425c2000
$ python2 poc.py lib
[+] Starting local process './sfinfo': pid 17920
[*] Process './sfinfo' stopped with exit code 0 (pid 17920)
[+] lib_leak:0x7f3d0cbf5428
[+] libaudiofile_base:0x7f3d0cbc9000
[+] libc_base:0x7f3d0c9bf000

The audiofile project is built with:

$ ./autogen.sh --disable-docs --prefix=OUTPUT_DIR
$ make
$ make install

Description of the Vulnerability:

First, the printfileinfo function calls the copyrightstring function to get data:

//printfileinfo function, printinfo.c
bool printfileinfo (const char *filename){
...
char *copyright = copyrightstring(file);
	if (copyright)
	{
		printf("Copyright      %s\n", copyright);
		free(copyright);
	}
...
}

Second, the copyrightstring function obtains copyright information from the file and returns a string pointer:

//copyrightstring function, printinfo.c
static char *copyrightstring (AFfilehandle file){
...
int datasize = afGetMiscSize(file, miscids[i]);
		char *data = (char *) malloc(datasize);
		afReadMisc(file, miscids[i], data, datasize);
		copyright = data;
		break;
...
}

However, it forgets to use memset or zero the bytes to prevent the memory-leak vulnerability.
Most importantly, the attacker can control the length of the memcpy when copying the copyright string, in the afReadMisc function, in Miscellaneous.cpp:

//afWriteMisc function, Miscellaneous.cpp
int afWriteMisc (AFfilehandle file, int miscellaneousid, const void *buf, int bytes)
{
...
	int localsize = std::min(bytes,
		miscellaneous->size - miscellaneous->position);
	memcpy((char *) miscellaneous->buffer + miscellaneous->position,
		buf, localsize);
	miscellaneous->position += localsize;
	return localsize;
...
}
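The pattern the report above describes, side by side with a hardened form, as an added example that is not libaudiofile's own code: misc_chunk, read_misc and MAX_MISC_BYTES are assumed stand-ins modelled on the afGetMiscSize/afReadMisc calls shown, and the 'S'-filled arena is a constructed substitute for stale heap contents so the disclosure is deterministic.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not libaudiofile code. misc_chunk stands in for a
 * miscellaneous chunk; its declared size comes from the file header. */
struct misc_chunk {
    int size;                  /* what afGetMiscSize would report */
    int position;              /* read cursor */
    const unsigned char *data; /* bytes actually present in the file */
    int available;             /* how many of them */
};

#define MAX_MISC_BYTES (1 << 20) /* bound a hardened caller imposes (assumed) */

/* Stand-in for afReadMisc: copies at most min(bytes, size - position), never
 * more than the file really holds, and returns the count copied. It adds no
 * NUL terminator and leaves bytes it did not copy untouched. */
static int read_misc(struct misc_chunk *m, char *buf, int bytes)
{
    int want = m->size - m->position;
    if (bytes < want) want = bytes;
    int have = m->available - m->position;
    int n = want < have ? want : have;
    if (n < 0)
        n = 0;
    memcpy(buf, m->data + m->position, (size_t)n);
    m->position += n;
    return n;
}

/* Bytes "%s" would emit: up to the first NUL, scanning at most `window` bytes. */
static size_t printed_length(const char *buf, size_t window)
{
    const char *nul = memchr(buf, '\0', window);
    return nul ? (size_t)(nul - buf) : window;
}

/* Constructed input: header claims 64 bytes, the body holds only "COPYRIGHT". */
static struct misc_chunk constructed_chunk(void)
{
    struct misc_chunk m = { 64, 0, (const unsigned char *)"COPYRIGHT", 9 };
    return m;
}

/* The vulnerable pattern: malloc(datasize), read, print with "%s". The
 * 64-byte "allocation" is carved from an arena pre-filled with 'S' (stand-in
 * for stale heap bytes); returns how many bytes printf("%s") discloses. */
static size_t demo_unsafe(void)
{
    struct misc_chunk m = constructed_chunk();
    char arena[128];
    memset(arena, 'S', sizeof arena);
    arena[sizeof arena - 1] = '\0';
    char *data = arena;              /* plays the role of malloc(64) */
    read_misc(&m, data, m.size);     /* return value ignored, as in the report */
    return printed_length(data, sizeof arena);   /* 127: 9 real + 118 stale */
}

/* Hardened form: refuse absurd sizes, zero the buffer, honour the count the
 * read actually returned, and always reserve room for the terminator. */
static char *copyrightstring_safe(struct misc_chunk *m)
{
    int datasize = m->size;
    if (datasize < 0 || datasize > MAX_MISC_BYTES)
        return NULL;
    char *data = calloc((size_t)datasize + 1, 1);
    if (!data)
        return NULL;
    int got = read_misc(m, data, datasize);
    data[got] = '\0';                /* got <= datasize, so always in bounds */
    return data;
}

/* Same input through the hardened path: 1 if the result is exactly the 9
 * file bytes, properly terminated, else 0. */
static int demo_safe(void)
{
    struct misc_chunk m = constructed_chunk();
    char *s = copyrightstring_safe(&m);
    int ok = s != NULL && strlen(s) == 9 && strcmp(s, "COPYRIGHT") == 0;
    free(s);
    return ok;
}

/* A header claiming a gigabyte of copyright text is refused outright. */
static int demo_reject_oversize(void)
{
    struct misc_chunk m = { 1 << 30, 0, (const unsigned char *)"x", 1 };
    return copyrightstring_safe(&m) == NULL;
}

int main(void)
{
    printf("unsafe: %%s prints %zu bytes for 9 bytes of input\n", demo_unsafe());
    printf("safe ok: %d, oversize rejected: %d\n", demo_safe(), demo_reject_oversize());
    return 0;
}
```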

one heap buffer overflow in FilePOSIX::read in File.cpp

One heap buffer overflow in FilePOSIX::read in File.cpp in the master branch.
poc.zip

$uname -a
Linux ubuntu 4.15.0-70-generic #79~16.04.1-Ubuntu SMP Tue Nov 12 14:01:10 UTC 2019 x86_64 GNU/Linux

$./sfconvert poc.wav output format wave
asan:

==90086==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a00001f708 at pc 0x7f64fd42ee55 bp 0x7ffcd6e8e290 sp 0x7ffcd6e8da38
WRITE of size 2 at 0x61a00001f708 thread T0
#0 0x7f64fd42ee54 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x45e54)
#1 0x7f64fd14b8cb in FilePOSIX::read(void*, unsigned long) /home/s2e/asan/audiofile/libaudiofile/File.cpp:126
#2 0x7f64fd150ed9 in readValue /home/s2e/asan/audiofile/libaudiofile/FileHandle.cpp:353
#3 0x7f64fd14fc48 in readSwap /home/s2e/asan/audiofile/libaudiofile/FileHandle.cpp:375
#4 0x7f64fd14ee93 in _AFfilehandle::readS16(short*) /home/s2e/asan/audiofile/libaudiofile/FileHandle.cpp:397
#5 0x7f64fd16e393 in WAVEFile::parseFormat(Tag const&, unsigned int) /home/s2e/asan/audiofile/libaudiofile/WAVE.cpp:289
#6 0x7f64fd171751 in WAVEFile::readInit(_AFfilesetup*) /home/s2e/asan/audiofile/libaudiofile/WAVE.cpp:733
#7 0x7f64fd18067e in _afOpenFile /home/s2e/asan/audiofile/libaudiofile/openclose.cpp:356
#8 0x7f64fd17fab0 in afOpenFile /home/s2e/asan/audiofile/libaudiofile/openclose.cpp:217
#9 0x40251a in main /home/s2e/asan/audiofile/sfcommands/sfconvert.c:195
#10 0x7f64fcd7982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#11 0x401568 in _start (/home/s2e/asan/audiofile/tmp/bin/sfconvert+0x401568)

0x61a00001f708 is located 0 bytes to the right of 1160-byte region [0x61a00001f280,0x61a00001f708)
allocated by thread T0 here:
#0 0x7f64fd482532 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99532)
#1 0x7f64fd14c4f1 in _AFfilehandle::create(int) /home/s2e/asan/audiofile/libaudiofile/FileHandle.cpp:80
#2 0x7f64fd18042e in _afOpenFile /home/s2e/asan/audiofile/libaudiofile/openclose.cpp:337
#3 0x7f64fd17fab0 in afOpenFile /home/s2e/asan/audiofile/libaudiofile/openclose.cpp:217
#4 0x40251a in main /home/s2e/asan/audiofile/sfcommands/sfconvert.c:195
#5 0x7f64fcd7982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
==90086==ABORTING

Can't build libaudiofile documentation

When doing a full build of libaudiofile 0.3.4, I get the following compiler error:

make[2]: [afWriteFrames.3] Error 127 (ignored)
make[2]: *** No rule to make target `afGetDataOffset.3', needed by `all-am'.  Stop.

NULL pointer dereference bug in ulaw2linear_buf, in G711.cpp

There is a NULL pointer dereference bug in ulaw2linear_buf, in G711.cpp, which allows an attacker to cause a denial of service via a crafted file.
To reproduce with the attached poc file:
./sfconvert poc output format voc
poc.zip

gdb output

[----------------------------------registers-----------------------------------]
RAX: 0xffff8284 
RBX: 0x0 
RCX: 0x7 
RDX: 0x7e00 ('')
RSI: 0x7d7c ('|}')
RDI: 0xffffffff 
RBP: 0x7fffebce2010 --> 0x0 
RSP: 0x7fffffffe2a0 --> 0x7ffff7b20ef6 (<afGetFrameCount(AFfilehandle, int)+390>:	mov    rax,QWORD PTR [rsp+0x10])
RIP: 0x7ffff7b388bf (<G711::runPull()+3199>:	mov    WORD PTR [rbx+r12*2],ax)
R8 : 0x0 
R9 : 0x55555576b648 --> 0x0 
R10: 0x55555576af48 --> 0x3e9 
R11: 0x246 
R12: 0x0 
R13: 0x0 
R14: 0x1 
R15: 0x55555576b120 --> 0x7ffff7dd3568 --> 0x7ffff7b39440 (<G711::~G711()>:	lea    rsp,[rsp-0x98])
EFLAGS: 0x10286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff7b388ac <G711::runPull()+3180>:	lea    rsp,[rsp+0x98]
   0x7ffff7b388b4 <G711::runPull()+3188>:	movzx  edi,BYTE PTR [rbp+r12*1+0x0]
   0x7ffff7b388ba <G711::runPull()+3194>:	call   0x7ffff7b23370 <_af_ulaw2linear>
=> 0x7ffff7b388bf <G711::runPull()+3199>:	mov    WORD PTR [rbx+r12*2],ax
   0x7ffff7b388c4 <G711::runPull()+3204>:	add    r12,0x1
   0x7ffff7b388c8 <G711::runPull()+3208>:	cmp    QWORD PTR [rsp+0x10],r12
   0x7ffff7b388cd <G711::runPull()+3213>:	je     0x7ffff7b38348 <G711::runPull()+1800>
   0x7ffff7b388d3 <G711::runPull()+3219>:	nop
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffe2a0 --> 0x7ffff7b20ef6 (<afGetFrameCount(AFfilehandle, int)+390>:	mov    rax,QWORD PTR [rsp+0x10])
0008| 0x7fffffffe2a8 --> 0x0 
0016| 0x7fffffffe2b0 --> 0x61616161 ('aaaa')
0024| 0x7fffffffe2b8 --> 0x7ffff7b1ae32 (<afReadFrames(AFfilehandle, int, void*, int)+34>:	mov    rax,QWORD PTR [rsp+0x10])
0032| 0x7fffffffe2c0 --> 0x0 
0040| 0x7fffffffe2c8 --> 0x1 
0048| 0x7fffffffe2d0 --> 0x55555576b360 --> 0x7fff00000003 
0056| 0x7fffffffe2d8 --> 0x55555576af48 --> 0x3e9 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff7b388bf in ulaw2linear_buf (nsamples=<optimized out>, linear=<optimized out>, ulaw=<optimized out>) at G711.cpp:42
42			linear[i] = _af_ulaw2linear(ulaw[i]);
gdb-peda$ bt
#0  0x00007ffff7b388bf in ulaw2linear_buf (nsamples=<optimized out>, linear=<optimized out>, ulaw=<optimized out>) at G711.cpp:42
#1  G711::runPull (this=0x55555576b120) at G711.cpp:206
#2  0x00007ffff7b1b4b6 in afReadFrames (file=<optimized out>, trackid=<optimized out>, samples=0x0, nvframeswanted=<optimized out>) at data.cpp:222
#3  0x0000555555555f9e in copyaudiodata (infile=0x55555576ae90, outfile=0x55555576b6c0, trackid=0x3e9) at sfconvert.c:340
#4  0x00005555555555e1 in main (argc=argc@entry=0x5, argv=argv@entry=0x7fffffffe508) at sfconvert.c:248
#5  0x00007ffff76f3b97 in __libc_start_main (main=0x555555555370 <main>, argc=0x5, argv=0x7fffffffe508, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe4f8) at ../csu/libc-start.c:310
#6  0x0000555555555c3a in _start ()

A heap-buffer-overflow has occurred when running sfconvert

A heap-buffer-overflow has occurred when running sfconvert

=================================================================
==31737==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fa66d3a5800 at pc 0x7fa66bff796c bp 0x7ffcdde77720 sp 0x7ffcdde77710
WRITE of size 4 at 0x7fa66d3a5800 thread T0
    #0 0x7fa66bff796b in void Expand3To4Module::run<int>(unsigned char const*, int*, int) /home/sandy/swt_fuzz/audiofile/libaudiofile/modules/SimpleModule.h:269
    #1 0x7fa66bff2692 in Expand3To4Module::run(Chunk&, Chunk&) /home/sandy/swt_fuzz/audiofile/libaudiofile/modules/SimpleModule.h:244
    #2 0x7fa66c01610e in SimpleModule::runPull() /home/sandy/swt_fuzz/audiofile/libaudiofile/modules/SimpleModule.cpp:29
    #3 0x7fa66bfb8550 in afReadFrames /home/sandy/swt_fuzz/audiofile/libaudiofile/data.cpp:222
    #4 0x403c7e in copyaudiodata /home/sandy/swt_fuzz/audiofile/sfcommands/sfconvert.c:340
    #5 0x403793 in main /home/sandy/swt_fuzz/audiofile/sfcommands/sfconvert.c:248
    #6 0x7fa66bb7882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #7 0x4017a8 in _start (/home/sandy/swt_fuzz/audiofile/sfcommands/.libs/sfconvert+0x4017a8)

0x7fa66d3a5800 is located 0 bytes to the right of 524288-byte region [0x7fa66d325800,0x7fa66d3a5800)
allocated by thread T0 here:
    #0 0x7fa66c307602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x403c1b in copyaudiodata /home/sandy/swt_fuzz/audiofile/sfcommands/sfconvert.c:327
    #2 0x403793 in main /home/sandy/swt_fuzz/audiofile/sfcommands/sfconvert.c:248
    #3 0x7fa66bb7882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/sandy/swt_fuzz/audiofile/libaudiofile/modules/SimpleModule.h:269 void Expand3To4Module::run<int>(unsigned char const*, int*, int)
==31737==ABORTING

And the input file has been put at:
https://github.com/fCorleone/fuzz_programs/blob/master/audiofile/test2

CVE-2008-5824

Hi,

I'm happy to see this project alive.
On Debian, we've applied this patch [1] to fix a buffer overflow in libaudiofile 0.2.6 [2], known as CVE-2008-5824 [3].

Now I'm working to get the latest release 0.2.7 into Debian, and I'd like to ask you for some help to ensure the patch is applied with that release.

Thanks in advance for any reply!

[1] http://paste.debian.net/126075/
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510205
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5824

audiofile returns wav/aiff "ID3 " RIFF subchunks as PCM data

Hi, I use audiofile with MPD and have one minor issue, really appreciate your help and the work you've done.

WAV and AIFF both allow arbitrary chunks to be created as long as they're defined in a specific way, and a lot of applications will write ID3 tags by creating an ID3 subchunk and populating this chunk with an ID3 tag.

When audiofile encounters one of these "ID3 " chunks it returns it as PCM data, causing audio players to play static when they encounter embedded ID3 tags.

An AIFF file with ID3 data for testing:
http://www.datafilehost.com/download-407db461.html

I can get a wav file if required as well.

Here is a link describing the WAV format:
http://ccrma.stanford.edu/courses/422/projects/WaveFormat/

The relevant text is under the notes header:
*** Quote ***
There may be additional subchunks in a Wave data stream. If so, each will have a char[4] SubChunkID, and unsigned long SubChunkSize, and SubChunkSize amount of data.
*** EndQuote ***

Essentially what's been done in all these implementations is that a new RIFF subchunk has been added with the header ID3, and an additional character for padding to meet the char[4] spec. The subchunk then conforms to the ID3v2 specification. iTunes AIFF is basically the same as WAV in this respect.

Here are some other useful threads on the subject I've found:
http://www.anytag.de/forums/lofiversion/index.php/t8328.html
http://bugs.kde.org/show_bug.cgi?id=131130
http://www.hydrogenaudio.org/forums/lofiversion/index.php/t43021.html
http://forum.dbpoweramp.com/showthread.php?p=81230&highlight=wave+list+id3v2#post81230
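The subchunk layout quoted in the report above (char[4] id, unsigned 32-bit size, size bytes of data), walked so that only the "data" chunk is ever treated as PCM and an "ID3 " chunk is skipped like any other; this is an added example and not libaudiofile's parser. The WAVE bytes are constructed inline, every declared size is checked against the buffer before it is trusted, and the forged-length case shows the walk stopping instead of reading past the file.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libaudiofile code: a minimal RIFF/WAVE subchunk walker
 * that hands back only the "data" chunk as PCM and skips every other chunk,
 * including the "ID3 " subchunk described above. */
struct pcm_span { size_t offset; uint32_t size; int found; };

static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walks the subchunks after the 12-byte RIFF/WAVE header: char[4] id,
 * little-endian uint32 size, data, with odd sizes padded to an even boundary.
 * A declared size larger than what remains in the buffer ends the walk. */
static struct pcm_span find_pcm(const unsigned char *buf, size_t len)
{
    struct pcm_span r = { 0, 0, 0 };
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "WAVE", 4) != 0)
        return r;
    size_t pos = 12;
    while (pos + 8 <= len) {
        uint32_t size = le32(buf + pos + 4);
        size_t body = pos + 8;
        if (size > len - body)          /* declared length exceeds the file */
            return r;
        if (memcmp(buf + pos, "data", 4) == 0) {
            r.offset = body; r.size = size; r.found = 1;
            return r;
        }
        /* "fmt ", "LIST", "ID3 " or anything unknown: skip, never decode */
        pos = body + size + (size & 1);
    }
    return r;
}

/* Emits one chunk; `claimed` is what the size field says, `size` is what is
 * really written, so a test can forge an inconsistent header. */
static size_t put_chunk(unsigned char *out, const char *id,
                        const unsigned char *body, uint32_t size, uint32_t claimed)
{
    memcpy(out, id, 4);
    out[4] = claimed & 0xff;
    out[5] = (claimed >> 8) & 0xff;
    out[6] = (claimed >> 16) & 0xff;
    out[7] = (claimed >> 24) & 0xff;
    memcpy(out + 8, body, size);
    size_t n = 8 + size;
    if (size & 1)
        out[n++] = 0;                   /* RIFF pad byte */
    return n;
}

/* Constructed WAVE file: a 16-byte "fmt " chunk, an 11-byte "ID3 " chunk
 * (plus pad byte) and 4 bytes of PCM. id3_claimed != 0 forges the ID3 size
 * field. Returns the file length (68 bytes). */
static size_t build_wav(unsigned char *out, uint32_t id3_claimed)
{
    static const unsigned char fmt[16] = { 1, 0, 1, 0 };   /* PCM, mono */
    static const unsigned char id3[11] = { 'I', 'D', '3', 3, 0, 0, 0, 0, 0, 1, 'X' };
    static const unsigned char pcm[4] = { 0x10, 0x00, 0xf0, 0xff };
    size_t pos = 12;
    pos += put_chunk(out + pos, "fmt ", fmt, sizeof fmt, sizeof fmt);
    pos += put_chunk(out + pos, "ID3 ", id3, sizeof id3,
                     id3_claimed ? id3_claimed : (uint32_t)sizeof id3);
    pos += put_chunk(out + pos, "data", pcm, sizeof pcm, sizeof pcm);
    memcpy(out, "RIFF", 4);
    uint32_t riff = (uint32_t)(pos - 8);
    out[4] = riff & 0xff; out[5] = (riff >> 8) & 0xff;
    out[6] = (riff >> 16) & 0xff; out[7] = (riff >> 24) & 0xff;
    memcpy(out + 8, "WAVE", 4);
    return pos;
}

/* Well-formed file: PCM is the 4 bytes at offset 64; the ID3 tag is skipped. */
static struct pcm_span demo_valid(void)
{
    unsigned char buf[128];
    size_t len = build_wav(buf, 0);
    return find_pcm(buf, len);
}

/* ID3 size field forged to 0xFFFFFFFF: the walk stops, nothing is decoded. */
static int demo_corrupt_length(void)
{
    unsigned char buf[128];
    size_t len = build_wav(buf, 0xFFFFFFFFu);
    return find_pcm(buf, len).found == 0;
}

int main(void)
{
    struct pcm_span s = demo_valid();
    printf("pcm at offset %zu, %u bytes (found=%d); corrupt length rejected=%d\n",
           s.offset, s.size, s.found, demo_corrupt_length());
    return 0;
}
```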

0.3.6 + all up to b62c902d: parallel documentation build fails

When make -j1 -C docs is used, everything is fine.

Making all in docs
make[2]: *** No rule to make target 'afIdentifyNamedFD.3', needed by 'all-am'.  Stop.
make[2]: *** Waiting for unfinished jobs....
make[2]: Entering directory '/home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/docs'
/usr/bin/a2x -arevnumber=0.3.6 -amansource="Audio File Library" -d manpage -f manpage --asciidoc-opts="-f asciidoc.conf" afNewFileSetup.3.txt
make[2]: Leaving directory '/home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/docs'
make[2]: Entering directory '/home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/docs'
/usr/bin/a2x -arevnumber=0.3.6 -amansource="Audio File Library" -d manpage -f manpage --asciidoc-opts="-f asciidoc.conf" afGetFrameSize.3.txt
make[2]: Leaving directory '/home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/docs'
make[2]: Entering directory '/home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/docs'
/usr/bin/a2x -arevnumber=0.3.6 -amansource="Audio File Library" -d manpage -f manpage --asciidoc-opts="-f asciidoc.conf" afInitAESChannelDataTo.3.txt
make[2]: Leaving directory '/home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/docs'
make[2]: Entering directory '/home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/docs'
/usr/bin/a2x -arevnumber=0.3.6 -amansource="Audio File Library" -d manpage -f manpage --asciidoc-opts="-f asciidoc.conf" afCloseFile.3.txt
make[2]: Leaving directory '/home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/docs'
make[2]: Entering directory '/home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/docs'
/usr/bin/a2x -arevnumber=0.3.6 -amansource="Audio File Library" -d manpage -f manpage --asciidoc-opts="-f asciidoc.conf" afReadFrames.3.txt
make[2]: Leaving directory '/home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/docs'
make[2]: Entering directory '/home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/docs'
/usr/bin/a2x -arevnumber=0.3.6 -amansource="Audio File Library" -d manpage -f manpage --asciidoc-opts="-f asciidoc.conf" afSeekFrame.3.txt
make[2]: Leaving directory '/home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/docs'
make[2]: Entering directory '/home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/docs'
/usr/bin/a2x -arevnumber=0.3.6 -amansource="Audio File Library" -d manpage -f manpage --asciidoc-opts="-f asciidoc.conf" afSetErrorHandler.3.txt
make[2]: Leaving directory '/home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/docs'
make[2]: Entering directory '/home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/docs'
/usr/bin/a2x -arevnumber=0.3.6 -amansource="Audio File Library" -d manpage -f manpage --asciidoc-opts="-f asciidoc.conf" afGetFrameCount.3.txt
make[2]: Leaving directory '/home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/docs'
make[2]: Entering directory '/home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/docs'
/usr/bin/a2x -arevnumber=0.3.6 -amansource="Audio File Library" -d manpage -f manpage --asciidoc-opts="-f asciidoc.conf" afWriteFrames.3.txt
make[2]: Leaving directory '/home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/docs'
make[2]: Entering directory '/home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/docs'
/usr/bin/a2x -arevnumber=0.3.6 -amansource="Audio File Library" -d manpage -f manpage --asciidoc-opts="-f asciidoc.conf" afIdentifyFD.3.txt
make[2]: Leaving directory '/home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/docs'
make[2]: Entering directory '/home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/docs'
/usr/bin/a2x -arevnumber=0.3.6 -amansource="Audio File Library" -d manpage -f manpage --asciidoc-opts="-f asciidoc.conf" afOpenFile.3.txt
make[2]: Leaving directory '/home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/docs'
make[2]: Entering directory '/home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/docs'
/usr/bin/a2x -arevnumber=0.3.6 -amansource="Audio File Library" -d manpage -f manpage --asciidoc-opts="-f asciidoc.conf" afSetVirtualSampleFormat.3.txt
make[2]: Leaving directory '/home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/docs'
make[2]: Entering directory '/home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/docs'
/usr/bin/a2x -arevnumber=0.3.6 -amansource="Audio File Library" -d manpage -f manpage --asciidoc-opts="-f asciidoc.conf" afReadMisc.3.txt
make[2]: Leaving directory '/home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/docs'
make[2]: Entering directory '/home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/docs'
/usr/bin/a2x -arevnumber=0.3.6 -amansource="Audio File Library" -d manpage -f manpage --asciidoc-opts="-f asciidoc.conf" afInitCompression.3.txt
make[2]: Leaving directory '/home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/docs'
make[2]: Entering directory '/home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/docs'
/usr/bin/a2x -arevnumber=0.3.6 -amansource="Audio File Library" -d manpage -f manpage --asciidoc-opts="-f asciidoc.conf" afInitFileFormat.3.txt
make[2]: Leaving directory '/home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/docs'
make[2]: Entering directory '/home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/docs'
/usr/bin/a2x -arevnumber=0.3.6 -amansource="Audio File Library" -d manpage -f manpage --asciidoc-opts="-f asciidoc.conf" sfinfo.1.txt
make[2]: Leaving directory '/home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/docs'
make[2]: Entering directory '/home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/docs'
/usr/bin/a2x -arevnumber=0.3.6 -amansource="Audio File Library" -d manpage -f manpage --asciidoc-opts="-f asciidoc.conf" afInitSampleFormat.3.txt
make[2]: Leaving directory '/home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/docs'
make[2]: Entering directory '/home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/docs'
/usr/bin/a2x -arevnumber=0.3.6 -amansource="Audio File Library" -d manpage -f manpage --asciidoc-opts="-f asciidoc.conf" sfconvert.1.txt
make[2]: Leaving directory '/home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/docs'
make[2]: Entering directory '/home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/docs'
/usr/bin/a2x -arevnumber=0.3.6 -amansource="Audio File Library" -d manpage -f manpage --asciidoc-opts="-f asciidoc.conf" afQuery.3.txt
make[2]: Leaving directory '/home/tkloczko/rpmbuild/BUILD/audiofile-audiofile-0.3.6/docs'
make[1]: *** [Makefile:487: all-recursive] Error 1
make: *** [Makefile:392: all] Error 2

make[2]: *** No rule to make target 'afIdentifyNamedFD.3', needed by 'all-am'. Stop.

Getting this on Fedora 34 when building as follows:

git clone [email protected]:mpruett/audiofile.git
cd audiofile
./autogen.sh
make

Installed the following packages to get this far:

dnf install alsa-lib-devel libtool autoconf automake

That list of packages might not be exhaustive, as I had quite a lot of development packages installed already.

It looks like the problem happens when creating man pages:

make[2]: Leaving directory '/home/pmoore/git/audiofile/examples'
Making all in docs
make[2]: Entering directory '/home/pmoore/git/audiofile/docs'
: -arevnumber=0.3.6 -amansource="Audio File Library" -d manpage -f manpage --asciidoc-opts="-f asciidoc.conf" sfconvert.1.txt
: -arevnumber=0.3.6 -amansource="Audio File Library" -d manpage -f manpage --asciidoc-opts="-f asciidoc.conf" sfinfo.1.txt
: -arevnumber=0.3.6 -amansource="Audio File Library" -d manpage -f manpage --asciidoc-opts="-f asciidoc.conf" afCloseFile.3.txt
: -arevnumber=0.3.6 -amansource="Audio File Library" -d manpage -f manpage --asciidoc-opts="-f asciidoc.conf" afGetFrameCount.3.txt
: -arevnumber=0.3.6 -amansource="Audio File Library" -d manpage -f manpage --asciidoc-opts="-f asciidoc.conf" afGetFrameSize.3.txt
: -arevnumber=0.3.6 -amansource="Audio File Library" -d manpage -f manpage --asciidoc-opts="-f asciidoc.conf" afIdentifyFD.3.txt
: -arevnumber=0.3.6 -amansource="Audio File Library" -d manpage -f manpage --asciidoc-opts="-f asciidoc.conf" afInitAESChannelDataTo.3.txt
: -arevnumber=0.3.6 -amansource="Audio File Library" -d manpage -f manpage --asciidoc-opts="-f asciidoc.conf" afInitCompression.3.txt
: -arevnumber=0.3.6 -amansource="Audio File Library" -d manpage -f manpage --asciidoc-opts="-f asciidoc.conf" afInitFileFormat.3.txt
: -arevnumber=0.3.6 -amansource="Audio File Library" -d manpage -f manpage --asciidoc-opts="-f asciidoc.conf" afInitSampleFormat.3.txt
: -arevnumber=0.3.6 -amansource="Audio File Library" -d manpage -f manpage --asciidoc-opts="-f asciidoc.conf" afNewFileSetup.3.txt
: -arevnumber=0.3.6 -amansource="Audio File Library" -d manpage -f manpage --asciidoc-opts="-f asciidoc.conf" afOpenFile.3.txt
: -arevnumber=0.3.6 -amansource="Audio File Library" -d manpage -f manpage --asciidoc-opts="-f asciidoc.conf" afQuery.3.txt
: -arevnumber=0.3.6 -amansource="Audio File Library" -d manpage -f manpage --asciidoc-opts="-f asciidoc.conf" afReadFrames.3.txt
: -arevnumber=0.3.6 -amansource="Audio File Library" -d manpage -f manpage --asciidoc-opts="-f asciidoc.conf" afReadMisc.3.txt
: -arevnumber=0.3.6 -amansource="Audio File Library" -d manpage -f manpage --asciidoc-opts="-f asciidoc.conf" afSeekFrame.3.txt
: -arevnumber=0.3.6 -amansource="Audio File Library" -d manpage -f manpage --asciidoc-opts="-f asciidoc.conf" afSetErrorHandler.3.txt
: -arevnumber=0.3.6 -amansource="Audio File Library" -d manpage -f manpage --asciidoc-opts="-f asciidoc.conf" afSetVirtualSampleFormat.3.txt
: -arevnumber=0.3.6 -amansource="Audio File Library" -d manpage -f manpage --asciidoc-opts="-f asciidoc.conf" afWriteFrames.3.txt
make[2]: *** No rule to make target 'afIdentifyNamedFD.3', needed by 'all-am'.  Stop.
make[2]: Leaving directory '/home/pmoore/git/audiofile/docs'
make[1]: *** [Makefile:486: all-recursive] Error 1
make[1]: Leaving directory '/home/pmoore/git/audiofile'
make: *** [Makefile:391: all] Error 2
