SIGABRT in src/flac/encode.c:1011 when fuzzing with tool_flac
Expected behavior and actual behavior.
Expected running without SIGABRT; the gdb info suggests the tool_flac fuzzer crashes on unexpected values:
(gdb) p options.skip_specification.value
$24 = {seconds = -0, samples = -9223372036854775808}
Steps to reproduce the problem.
LD_LIBRARY_PATH="/data/flac/build/ogg/obj/lib" ./configure --prefix=`pwd`/obj --with-ogg="/data/flac/build/ogg/obj" --enable-debug --enable-static --disable-shared --disable-oggtest --disable-examples --disable-programs --disable-xmms-plugin --enable-oss-fuzzers
make -j
root@03b902a4e742:/data/flac/oss-fuzz# ./fuzzer_tool_flac crashes/id\:000000\,sig\:06\,src\:010569\,time\:166620414\,execs\:393066446\,op\:havoc\,rep\:2
Reading 1086 bytes from crashes/id:000000,sig:06,src:010569,time:166620414,execs:393066446,op:havoc,rep:2
Aborted (core dumped)
root@03b902a4e742:/data/flac/oss-fuzz#
Start it from the beginning? (y or n) y
Starting program: /data/flac/oss-fuzz/fuzzer_tool_flac /data/flac/oss-fuzz/crashes/id:000001,sig:06,src:010566,time:179522126,execs:425237064,op:havoc,rep:2
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Reading 1218 bytes from /data/flac/oss-fuzz/crashes/id:000001,sig:06,src:010566,time:179522126,execs:425237064,op:havoc,rep:2
Breakpoint 1, main_to_fuzz (argc=32767, argv=0x7ffff790a010) at ./../src/flac/main.c:317
317 {
(gdb) info break
Num Type Disp Enb Address What
1 breakpoint keep y 0x000055555558bde8 in main_to_fuzz at ./../src/flac/main.c:317
breakpoint already hit 1 time
2 breakpoint keep y 0x000055555558c358 in parse_options at ./../src/flac/main.c:675
3 breakpoint keep y 0x000055555558c7a8 in do_it at ./../src/flac/main.c:391
4 breakpoint keep y <PENDING> 570
5 breakpoint keep y 0x000055555559476b in encode_file at ./../src/flac/main.c:1459
6 breakpoint keep y 0x000055555558e4fd in do_it at ./../src/flac/main.c:567
7 breakpoint keep y 0x000055555559494a in encode_file at ./../src/flac/main.c:1486
8 breakpoint keep y 0x000055555558c641 in parse_options at ./../src/flac/main.c:706
11 breakpoint keep y 0x000055555556b93e in flac__encode_file at ../src/flac/encode.c:1011
Breakpoint 8, parse_options (argc=46, argv=0x7fffffffdbd0) at ./../src/flac/main.c:706
706 if(0 == (option_values.filenames = malloc(sizeof(char*) * option_values.num_files)))
(gdb) c
Continuing.
Breakpoint 6, do_it () at ./../src/flac/main.c:567
567 for(i = 0, retval = 0; i < option_values.num_files; i++) {
(gdb) disable 6
(gdb) c
Continuing.
Breakpoint 11, flac__encode_file (infile=0x555555b856e0, infilesize=12, infilename=0x555555b86420 "/tmp/fuzzSjgvje",
outfilename=0x555555955a80 <get_outfilename[buffer]> "/tmp/fuzzSjgvje.flac",
lookahead=0x7fffffffdab4 "c", '2' <repeats 11 times>, "\340V\270UUU", lookahead_length=12, options=...)
at ../src/flac/encode.c:1011
1011 FLAC__ASSERT(options.skip_specification.value.samples >= 0);
(gdb) bt
#0 flac__encode_file (infile=0x555555b856e0, infilesize=12, infilename=0x555555b86420 "/tmp/fuzzSjgvje",
outfilename=0x555555955a80 <get_outfilename[buffer]> "/tmp/fuzzSjgvje.flac",
lookahead=0x7fffffffdab4 "c", '2' <repeats 11 times>, "\340V\270UUU", lookahead_length=12, options=...)
at ../src/flac/encode.c:1011
#1 0x0000555555596d62 in encode_file (infilename=0x555555b86420 "/tmp/fuzzSjgvje", is_first_file=1, is_last_file=1)
at ./../src/flac/main.c:1736
#2 0x000055555558e65a in do_it () at ./../src/flac/main.c:570
#3 0x000055555558bfbb in main_to_fuzz (argc=46, argv=0x7fffffffdbd0) at ./../src/flac/main.c:382
#4 0x000055555558bd0d in LLVMFuzzerTestOneInput (data=0x7ffff790a010 "---bps=32\v@-a", size=1218) at tool_flac.c:108
#5 0x000055555555b12a in ExecuteFilesOnyByOne (argc=2, argv=0x7fffffffe048,
callback=callback@entry=0x55555558b7c0 <LLVMFuzzerTestOneInput>) at aflpp_driver.c:267
#6 0x000055555555af1a in LLVMFuzzerRunDriver (argcp=argcp@entry=0x7fffffffdf0c, argvp=argvp@entry=0x7fffffffdf10,
callback=0x55555558b7c0 <LLVMFuzzerTestOneInput>) at aflpp_driver.c:381
#7 0x000055555555aabc in main (argc=2, argv=0x7fffffffe048) at aflpp_driver.c:323
(gdb) p options.skip_specification.value
$24 = {seconds = -0, samples = -9223372036854775808}
(gdb) c
Continuing.
Program received signal SIGABRT, Aborted.
Download failed: Invalid argument. Continuing without source file ./nptl/./nptl/pthread_kill.c.
__pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>) at ./nptl/pthread_kill.c:44
warning: 44 ./nptl/pthread_kill.c: No such file or directory
(gdb)
Operating system:
root@03b902a4e742:/data/flac/oss-fuzz# uname -a
Linux 03b902a4e742 5.15.0-122-generic #132-Ubuntu SMP Thu Aug 29 13:45:52 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
root@03b902a4e742:/data/flac/oss-fuzz# cc --version
cc (Ubuntu 11.5.0-1ubuntu1~24.04) 11.5.0
Copyright (C) 2021 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
root@03b902a4e742:/data/flac/oss-fuzz# git log
commit 1507800de4b70e21be71f38caa0d9079d0bc6e45 (HEAD, tag: 1.5.0)
Author: Martijn van Beurden <[email protected]>
Date: Tue Feb 11 13:46:28 2025 +0100
Release FLAC 1.5.0 (#801)
commit 1d0683e90ec1dffc00090b2dd157e77598ccfbbd
Author: Martijn van Beurden <[email protected]>
Date: Sat Feb 8 20:46:06 2025 +0100
Update ABI dumps for 1.5.0
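As an added example (not FLAC's own code), this is the kind of parse-time check that keeps a negative or overflowed skip value, such as the INT64_MIN seen above, from ever reaching FLAC__ASSERT, a macro that is compiled out in non-debug builds; parse_skip_samples and the status enum are hypothetical names, and the sample inputs are constructed.

```c
/* Added example, not FLAC's own code. The report shows samples == INT64_MIN
 * reaching FLAC__ASSERT(options.skip_specification.value.samples >= 0); that
 * macro is compiled out in non-debug builds, so untrusted skip values must be
 * rejected at parse time. Function and enum names here are hypothetical. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

enum skip_status { SKIP_OK = 0, SKIP_EMPTY, SKIP_NEGATIVE, SKIP_OVERFLOW, SKIP_TRAILING };

/* Parse a decimal sample count from untrusted text into *out.
 * Returns SKIP_OK only for a well-formed, non-negative, in-range value. */
enum skip_status parse_skip_samples(const char *s, int64_t *out)
{
    char *end = NULL;
    if (s == NULL || *s == '\0')
        return SKIP_EMPTY;
    errno = 0;
    long long v = strtoll(s, &end, 10);
    if (errno == ERANGE)            /* outside LLONG_MIN..LLONG_MAX */
        return SKIP_OVERFLOW;
    if (end == s || *end != '\0')   /* no digits, or junk after them */
        return SKIP_TRAILING;
    if (v < 0)                      /* includes "-9223372036854775808" */
        return SKIP_NEGATIVE;
    *out = (int64_t)v;
    return SKIP_OK;
}

int main(void)
{
    /* constructed inputs: valid, negative, INT64_MIN, overflow, junk, empty */
    const char *inputs[] = { "44100", "-1", "-9223372036854775808",
                             "99999999999999999999", "12abc", "" };
    for (size_t i = 0; i < sizeof inputs / sizeof *inputs; i++) {
        int64_t samples = 0;
        int st = parse_skip_samples(inputs[i], &samples);
        printf("%-22s -> status %d, samples %lld\n", inputs[i], st, (long long)samples);
    }
    return 0;
}
```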