teddycloud
teddycloud copied to clipboard
toniebox-reverse-engineering
Encoding tafs with backend not working any more (encoding in gui filebrowser)
Describe the bug Upload some mp3 in your library. Select them and Click encode. It will fail immediately.
To Reproduce Steps to reproduce the behavior:
- Go to 'tonies . Library'
- Click on 'upload files', upload some mp3s
- Select the now uploaded files and click on encoder
- an error is shown that the encoding failed (no further Details shown)
Expected behavior The selected files are encoded as taf.
Technical Details:
- Version: release version TeddyCloud v0.6.4 (f13703a) - 2025-03-05 08:01:37 +0000 ubuntu linux-x86_64(64), same on Debian version
- Docker
- running on an vps
Attach logs of teddyCloud There is only the following error output, nothing else. `================================================================= ==8==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fc47d8f2ac0 at pc 0x55fd136e9ef2 bp 0x7fc47d88e6e0 sp 0x7fc47d88de88 WRITE of size 32768 at 0x7fc47d8f2ac0 thread T2 #0 0x55fd136e9ef1 in memset (/usr/local/bin/teddycloud+0x642ef1) (BuildId: 9f39ebc7e506b3c08ab959e464e2c1162fa43b59) #1 0x55fd13825968 in memset /usr/include/x86_64-linux-gnu/bits/string_fortified.h:59 #2 0x55fd13825968 in parsePostData src/handler_api.c:31 #3 0x55fd1383fb91 in handleApiEncodeFile src/handler_api.c:1942 #4 0x55fd1389c936 in httpServerRequestCallback src/server.c:483 #5 0x55fd13a2533d in httpConnectionTask src/cyclone/cyclone_tcp/http/http_server.c:541 #6 0x7fc481a92a93 (/lib/x86_64-linux-gnu/libc.so.6+0x9ca93) (BuildId: 6d64b17fbac799e68da7ebd9985ddf9b5cb375e6) #7 0x7fc481b1fa33 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x129a33) (BuildId: 6d64b17fbac799e68da7ebd9985ddf9b5cb375e6)
Address 0x7fc47d8f2ac0 is located in stack of thread T2 at offset 410304 in frame #0 0x55fd1383f93f in handleApiEncodeFile src/handler_api.c:1932
This frame has 8 object(s): [32, 40) 'rootPath' (line 1934) [64, 72) 'current_source' (line 1996) [96, 405600) 'multisource' (line 1949) [405856, 405872) 'overlay' (line 1933) [405888, 406144) 'message' (line 1963) [406208, 410304) 'post_data' (line 1941) [410432, 414528) 'source' (line 1951) <== Memory access at offset 410304 partially underflows this variable [414656, 418752) 'target' (line 1952) <== Memory access at offset 410304 partially underflows this variable HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork (longjmp and C++ exceptions are supported) Thread T2 created by T0 here: #0 0x55fd136d7b85 in pthread_create (/usr/local/bin/teddycloud+0x630b85) (BuildId: 9f39ebc7e506b3c08ab959e464e2c1162fa43b59) #1 0x55fd13cb60d8 in osCreateTask src/cyclone/common/os_port_posix.c:87 #2 0x55fd13a2159b in httpServerStart src/cyclone/cyclone_tcp/http/http_server.c:233 #3 0x55fd138a3f1f in server_init src/server.c:862 #4 0x55fd136af12b in main src/main.c:610 #5 0x7fc481a201c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 6d64b17fbac799e68da7ebd9985ddf9b5cb375e6) #6 0x7fc481a2028a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 6d64b17fbac799e68da7ebd9985ddf9b5cb375e6) #7 0x55fd136b4944 in _start (/usr/local/bin/teddycloud+0x60d944) (BuildId: 9f39ebc7e506b3c08ab959e464e2c1162fa43b59)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/usr/local/bin/teddycloud+0x642ef1) (BuildId: 9f39ebc7e506b3c08ab959e464e2c1162fa43b59) in memset Shadow bytes around the buggy address: 0x7fc47d8f2800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x7fc47d8f2880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x7fc47d8f2900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x7fc47d8f2980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x7fc47d8f2a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x7fc47d8f2a80: 00 00 00 00 00 00 00 00[f2]f2 f2 f2 f2 f2 f2 f2 0x7fc47d8f2b00: f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00 0x7fc47d8f2b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x7fc47d8f2c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x7fc47d8f2c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x7fc47d8f2d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==8==ABORTING `
I can confirm this. Also official docker image on x64 platform. Same stacktrace. It also doesn't matter if I want to encode mp3 or flac. Browser is Chromium 136.0.7103.59
Relevant code:
https://github.com/toniebox-reverse-engineering/teddycloud/blob/f13703ad110b6c42f693d35b7ac211e487d37c83/src/handler_api.c#L31
https://github.com/toniebox-reverse-engineering/teddycloud/blob/f13703ad110b6c42f693d35b7ac211e487d37c83/src/handler_api.c#L1941
https://github.com/toniebox-reverse-engineering/teddycloud/blob/f13703ad110b6c42f693d35b7ac211e487d37c83/src/handler_api.c#L1942
Problem is that the buffer size of the post data is different to the body buffer size. Solution - align the buffer sizes or allocate it dynamicly
I have a similar issue.
When i try to upload and convert big mp3 files with the audio encoder i get an "net::ERR_CONNECTION_ABORTED" on the client and the server outputs the warning "platform_linux.c:0293:socketReceive| buffer does not contain null terminator".
I also tried to uploading the mp3 files first into the library and then convert them with the gui. It instantly gives an error "net::ERR_EMPTY_RESPONSE" and the docker log shows following:
==8==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7bee579f2ac0 at pc 0x59333db7bef2 bp 0x7bee5798e6e0 sp 0x7bee5798de88
WRITE of size 32768 at 0x7bee579f2ac0 thread T2
#0 0x59333db7bef1 in memset (/usr/local/bin/teddycloud+0x642ef1) (BuildId: 9f39ebc7e506b3c08ab959e464e2c1162fa43b59)
#1 0x59333dcb7968 in memset /usr/include/x86_64-linux-gnu/bits/string_fortified.h:59
#2 0x59333dcb7968 in parsePostData src/handler_api.c:31
#3 0x59333dcd1b91 in handleApiEncodeFile src/handler_api.c:1942
#4 0x59333dd2e936 in httpServerRequestCallback src/server.c:483
#5 0x59333deb733d in httpConnectionTask src/cyclone/cyclone_tcp/http/http_server.c:541
#6 0x7bee5bb3ba93 (/lib/x86_64-linux-gnu/libc.so.6+0x9ca93) (BuildId: 6d64b17fbac799e68da7ebd9985ddf9b5cb375e6)
#7 0x7bee5bbc8a33 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x129a33) (BuildId: 6d64b17fbac799e68da7ebd9985ddf9b5cb375e6)
Address 0x7bee579f2ac0 is located in stack of thread T2 at offset 410304 in frame
#0 0x59333dcd193f in handleApiEncodeFile src/handler_api.c:1932
This frame has 8 object(s):
[32, 40) 'rootPath' (line 1934)
[64, 72) 'current_source' (line 1996)
[96, 405600) 'multisource' (line 1949)
[405856, 405872) 'overlay' (line 1933)
[405888, 406144) 'message' (line 1963)
[406208, 410304) 'post_data' (line 1941)
[410432, 414528) 'source' (line 1951) <== Memory access at offset 410304 partially underflows this variable
[414656, 418752) 'target' (line 1952) <== Memory access at offset 410304 partially underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
Thread T2 created by T0 here:
#0 0x59333db69b85 in pthread_create (/usr/local/bin/teddycloud+0x630b85) (BuildId: 9f39ebc7e506b3c08ab959e464e2c1162fa43b59)
#1 0x59333e1480d8 in osCreateTask src/cyclone/common/os_port_posix.c:87
#2 0x59333deb359b in httpServerStart src/cyclone/cyclone_tcp/http/http_server.c:233
#3 0x59333dd35f1f in server_init src/server.c:862
#4 0x59333db4112b in main src/main.c:610
#5 0x7bee5bac91c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 6d64b17fbac799e68da7ebd9985ddf9b5cb375e6)
#6 0x7bee5bac928a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 6d64b17fbac799e68da7ebd9985ddf9b5cb375e6)
#7 0x59333db46944 in _start (/usr/local/bin/teddycloud+0x60d944) (BuildId: 9f39ebc7e506b3c08ab959e464e2c1162fa43b59)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/usr/local/bin/teddycloud+0x642ef1) (BuildId: 9f39ebc7e506b3c08ab959e464e2c1162fa43b59) in memset
Shadow bytes around the buggy address:
0x7bee579f2800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7bee579f2880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7bee579f2900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7bee579f2980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7bee579f2a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x7bee579f2a80: 00 00 00 00 00 00 00 00[f2]f2 f2 f2 f2 f2 f2 f2
0x7bee579f2b00: f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00
0x7bee579f2b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7bee579f2c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7bee579f2c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7bee579f2d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==8==ABORTING
I dont think so. I used the docker-compose.yaml to set it up in my docker desktop and as far as i know it uses the latest image from master.