dhowden / tag

ID3, MP4 and OGG/FLAC metadata parsing in Go
BSD 2-Clause "Simplified" License

panic: runtime error: slice bounds out of range in readAtomData #32

Closed gy741 closed 6 years ago

gy741 commented 6 years ago

Hello.

I found a slice bounds out of range bug in tag.

Please confirm.

Thanks.

reproduce code:

package tag

import (
    "strings"
    "testing"
)

func TestFuzzCrashers(t *testing.T) {
    // Fuzzer-found input: an 8-byte atom header ("keyw") with no payload.
    var crashers = []string{
        "\x00\x00\x00\bkeyw",
    }

    // Return values are deliberately ignored; the test only checks that
    // parsing does not panic.
    for _, f := range crashers {
        ReadAtoms(strings.NewReader(f))
    }
}

Crash Log

--- FAIL: TestFuzzCrashers (0.00s)
panic: runtime error: slice bounds out of range [recovered]
    panic: runtime error: slice bounds out of range

goroutine 5 [running]:
testing.tRunner.func1(0xc42004ea90)
    /usr/lib/go-1.8/src/testing/testing.go:622 +0x29d
panic(0x5379a0, 0x605120)
    /usr/lib/go-1.8/src/runtime/panic.go:489 +0x2cf
github.com/dhowden/tag.metadataMP4.readAtomData(0x0, 0x0, 0xc420014cf0, 0x5f5f20, 0xc42000ae00, 0xc42000ef64, 0x4, 0xc400000000, 0x20, 0x5449c0)
    /home/karas/go/src/github.com/dhowden/tag/mp4.go:137 +0xd87
github.com/dhowden/tag.metadataMP4.readAtoms(0x0, 0x0, 0xc420014cf0, 0x5f5f20, 0xc42000ae00, 0x0, 0x0)
    /home/karas/go/src/github.com/dhowden/tag/mp4.go:123 +0x1bf
github.com/dhowden/tag.ReadAtoms(0x5f5f20, 0xc42000ae00, 0xffffffee, 0x1000, 0xc420027f78, 0x4544c3)
    /home/karas/go/src/github.com/dhowden/tag/mp4.go:76 +0x88
github.com/dhowden/tag.TestFuzzCrashers(0xc42004ea90)
    /home/karas/go/src/github.com/dhowden/tag/fuzz_test.go:16 +0xbf
testing.tRunner(0xc42004ea90, 0x568cc8)
    /usr/lib/go-1.8/src/testing/testing.go:657 +0x96
created by testing.(*T).Run
    /usr/lib/go-1.8/src/testing/testing.go:697 +0x2ca
exit status 2
FAIL    github.com/dhowden/tag  0.006s

================= [Acknowledgement] This work was supported by ICT R&D program of MSIP/IITP. [R7518-16-1001, Innovation hub for high Performance Computing]

dhowden commented 6 years ago

Haha! Just as I thought (re comment on #33)! I suspect there could be quite a few more.

gy741 commented 6 years ago

@dhowden

Hello,

I checked the patch.

However, I found a new bug.

Thanks.

reproduce code:

package tag

import (
    "strings"
    "testing"
)

func TestFuzzCrashers(t *testing.T) {
    // Fuzzer-found input: a 16-byte "keyw" atom carrying an 8-byte payload.
    var crashers = []string{
        "\x00\x00\x00\x10keyw00000000",
    }

    // Return values are deliberately ignored; the test only checks that
    // parsing does not panic.
    for _, f := range crashers {
        ReadAtoms(strings.NewReader(f))
    }
}

Crash Log:

--- FAIL: TestFuzzCrashers (0.00s)
panic: runtime error: slice bounds out of range [recovered]
    panic: runtime error: slice bounds out of range

goroutine 5 [running]:
testing.tRunner.func1(0xc42004e8f0)
    /usr/lib/go-1.8/src/testing/testing.go:622 +0x29d
panic(0x5379a0, 0x605120)
    /usr/lib/go-1.8/src/runtime/panic.go:489 +0x2cf
github.com/dhowden/tag.metadataMP4.readAtomData(0x0, 0x0, 0xc420014cf0, 0x5f5f20, 0xc42000ade0, 0xc42000ef64, 0x4, 0xc400000008, 0x20, 0x5449c0)
    /home/karas/go/src/github.com/dhowden/tag/mp4.go:143 +0xd80
github.com/dhowden/tag.metadataMP4.readAtoms(0x0, 0x0, 0xc420014cf0, 0x5f5f20, 0xc42000ade0, 0x0, 0x0)
    /home/karas/go/src/github.com/dhowden/tag/mp4.go:123 +0x1bf
github.com/dhowden/tag.ReadAtoms(0x5f5f20, 0xc42000ade0, 0xffffffee, 0x1040, 0xc420027f78, 0x4544c3)
    /home/karas/go/src/github.com/dhowden/tag/mp4.go:76 +0x88
github.com/dhowden/tag.TestFuzzCrashers(0xc42004e8f0)
    /home/karas/go/src/github.com/dhowden/tag/fuzz_test.go:16 +0xbf
testing.tRunner(0xc42004e8f0, 0x568d08)
    /usr/lib/go-1.8/src/testing/testing.go:657 +0x96
created by testing.(*T).Run
    /usr/lib/go-1.8/src/testing/testing.go:697 +0x2ca
exit status 2
FAIL    github.com/dhowden/tag  0.005s
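Both crashers in this thread are atoms whose declared size is honoured without first checking how many bytes are actually available to slice. The following is an added example, not code from the tag library, of the bounds-checked atom walk that turns such input into an error rather than a runtime panic; the two inputs in main() are the constructed crashers from this issue, and RequirePayload stands in for whatever fixed-offset read a type-specific reader like readAtomData performs (the names ParseAtoms, RequirePayload and ErrTruncated are this example's own).

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Atom is one parsed MP4 box: its four-character type and raw payload.
type Atom struct {
	Name    string
	Payload []byte
}

var ErrTruncated = errors.New("mp4: atom truncated or size out of range")

// ParseAtoms walks a flat sequence of MP4 atoms (4-byte big-endian size that
// includes the 8-byte header, then a 4-byte type), checking each declared size
// against the bytes present before slicing. Size 0 means "to end of data";
// size 1 (64-bit largesize) is unsupported here and rejected by the < 8 check.
func ParseAtoms(b []byte) ([]Atom, error) {
	var atoms []Atom
	for len(b) > 0 {
		if len(b) < 8 {
			return atoms, fmt.Errorf("%w: %d-byte header fragment", ErrTruncated, len(b))
		}
		size, name := binary.BigEndian.Uint32(b[:4]), string(b[4:8])
		if size == 0 {
			size = uint32(len(b))
		}
		if size < 8 || uint64(size) > uint64(len(b)) {
			return atoms, fmt.Errorf("%w: %q declares %d, have %d", ErrTruncated, name, size, len(b))
		}
		atoms = append(atoms, Atom{Name: name, Payload: b[8:size]})
		b = b[size:]
	}
	return atoms, nil
}

// RequirePayload is the length check a type-specific reader must make before
// indexing a fixed offset in the payload (e.g. an 8-byte version/flags prefix).
func RequirePayload(a Atom, n int) ([]byte, error) {
	if len(a.Payload) < n {
		return nil, fmt.Errorf("%w: %q payload %d < %d", ErrTruncated, a.Name, len(a.Payload), n)
	}
	return a.Payload[:n], nil
}

func main() { // the two constructed crashers from this issue, parsed without panicking
	for _, in := range []string{"\x00\x00\x00\bkeyw", "\x00\x00\x00\x10keyw00000000"} {
		fmt.Println(ParseAtoms([]byte(in)))
	}
}
```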

dhowden commented 6 years ago

Great, thanks. I patched quite a few more spots where similar things could happen, this was added in d2206af.