Date: Sun, 29 Jan 2017 17:51:29 +0100 From: Agostino Sarubbo <ago@...too.org> To: oss-security@...ts.openwall.com Subject: mp3splt: invalid free in free_options (options_manager.c) Description: mp3splt is a command line utility to split mp3 and ogg files without decoding. A fuzz on it discovered an invalid free. The complete ASan output: # mp3splt -P -f -t 0.1 -a $FILE ==2631==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x000000d3ef65 in thread T0 #0 0x4d3770 in free /tmp/portage/sys-devel/llvm-3.9.0- r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47 #1 0x50dbaa in free_options /tmp/portage/media- sound/mp3splt-2.6.2/work/mp3splt-2.6.2/src/options_manager.c:67:9 #2 0x515623 in free_main_struct /tmp/portage/media- sound/mp3splt-2.6.2/work/mp3splt-2.6.2/src/data_manager.c:74:7 #3 0x50ffa5 in process_confirmation_error /tmp/portage/media- sound/mp3splt-2.6.2/work/mp3splt-2.6.2/src/print_utils.c:266:7 #4 0x51df29 in main /tmp/portage/media- sound/mp3splt-2.6.2/work/mp3splt-2.6.2/src/mp3splt.c:873:9 #5 0x7f783aba361f in __libc_start_main /var/tmp/portage/sys- libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289 #6 0x41ad08 in _init (/usr/bin/mp3splt+0x41ad08) AddressSanitizer can not describe address in more detail (wild memory access suspected). SUMMARY: AddressSanitizer: bad-free /tmp/portage/sys-devel/llvm-3.9.0- r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47 in free ==2631==ABORTING Affected version: 0.9.2 Fixed version: N/A Commit fix: N/A Credit: This bug was discovered by Agostino Sarubbo of Gentoo. CVE: N/A Reproducer: https://github.com/asarubbo/poc/blob/master/00130-mp3splt-badfree-free_options Timeline: 2017-01-01: private report to upstream via mail 2017-01-29: public upstream report on sourceforge 2017-01-29: blog post about the issue Note: This bug was found with American Fuzzy Lop. Permalink: https://blogs.gentoo.org/ago/2017/01/29/mp3splt-invalid-free-in-free_options-options_manager-c -- Agostino Sarubbo Gentoo Linux Developer
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ