sahaRatul / sela

SimplE Lossless Audio
https://seladoc.netlify.com/
MIT License

when Channels is negative number,sela crashed #13

Closed EnchantedJohn closed 4 years ago

EnchantedJohn commented 6 years ago

Hello, when I use AFL to fuzz test sela, sela created two unique crashes. The first one is in main core/encode.c:210. It is due to channels being a negative number; in malloc(size), size is a big number. Here is the first crash information:

SimplE Lossless Audio Encoder
Copyright (c) 2015-2016. Ratul Saha
Released under MIT license

Input : /home/lx/5_29/SELA/AFL/sela-latest/fuzz/fuzzing_output/crashes/id:000001,sig:06,src:000000,op:flip1,pos:23
Output : output.sela
WAV file detected

Stream Information
------------------
Sampling Rate : 44100 Hz
Bits per sample : 16
Channels : -32767 

Metadata
--------
No metadata found.
==53275==WARNING: AddressSanitizer failed to allocate 0xfffffffff8001000 bytes
==53275==AddressSanitizer's allocator is terminating the process instead of returning 0
==53275==If you don't like this behavior set allocator_may_return_null=1
==53275==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:147 "((0)) != (0)" (0x0, 0x0)
    #0 0x7f00f3440d93 (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x59d93)
    #1 0x7f00f3444cd3 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5dcd3)
    #2 0x7f00f3400831 (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x19831)
    #3 0x7f00f3443531 (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5c531)
    #4 0x7f00f343b82e in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5482e)
    #5 0x4024ac in main core/encode.c:210
    #6 0x7f00f2d39f44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
    #7 0x401248 (/home/lx/5_29/SELA/ASAN/sela-latest/selaenc+0x401248)

sela:encode.c:

201                 //Write metadata info to output
202                 written = fwrite(&metadata_sync,sizeof(int32_t),1,outfile);//Metadata syncwd
203                 metadata_size = header.tag_size + 32;
204                 fwrite(&metadata_size,sizeof(int32_t),1,outfile);
205                 write_apev2_tags(&state,outfile,ftell(outfile),&header,&ape_list);
206         }
207 
208         //Define read size
209         read_size = channels * BLOCK_SIZE;
210         int16_t *buffer = (int16_t *)malloc(sizeof(int16_t) * read_size); //the reason of crash.
211 
212         //Main loop
213         while(feof(infile) == 0)
214         {
215                 //Read Samples from input
216                 size_t read = fread(buffer,sizeof(int16_t),read_size,infile);
217 
218                 samples_per_channel = read/channels;
219 
220                 //Write frame syncword
221                 written = fwrite(&frame_sync,sizeof(int32_t),1,outfile);
222 
223                 frame_sync_count++;
224 
225                 for(i = 0; i < channels; i++)
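The crash above comes from using a header-supplied channel count in size arithmetic before checking it: a negative `channels` makes `read_size` negative, and `sizeof(int16_t) * read_size` converts that to a huge `size_t` passed to `malloc`. The block below is an added example of how a defender would validate the count and compute the buffer size without wrapping; it is not code from sela, and `MAX_CHANNELS`, `BLOCK_SIZE` and the function names are assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed bounds for this example; these are not values taken from sela. */
#define MAX_CHANNELS 32
#define BLOCK_SIZE   2048

/* Validate the channel count read from the WAV header before it is used
 * in any size arithmetic. Zero, negative or implausibly large counts mean
 * the header is corrupt or hostile and the file should be rejected. */
bool valid_channel_count(int32_t channels)
{
    return channels > 0 && channels <= MAX_CHANNELS;
}

/* Compute channels * block_size * sizeof(int16_t) in size_t without
 * overflow. Returns false and leaves *out untouched on invalid input
 * or if any multiplication would wrap. */
bool sample_buffer_bytes(int32_t channels, size_t block_size, size_t *out)
{
    if (!valid_channel_count(channels) || block_size == 0)
        return false;

    size_t ch = (size_t)channels;          /* safe: channels > 0 here */
    if (block_size > SIZE_MAX / ch)        /* ch * block_size would wrap */
        return false;
    size_t samples = ch * block_size;

    if (samples > SIZE_MAX / sizeof(int16_t))
        return false;
    *out = samples * sizeof(int16_t);
    return true;
}

/* Allocate the per-block sample buffer only after the size is known to be
 * sane; a NULL return tells the caller to abort instead of proceeding. */
int16_t *alloc_sample_buffer(int32_t channels, size_t block_size)
{
    size_t bytes;
    if (!sample_buffer_bytes(channels, block_size, &bytes))
        return NULL;
    return (int16_t *)malloc(bytes);
}

int main(void)
{
    /* Constructed inputs: the -32767 from the crash report above, plus
     * a zero, a sane stereo count and an absurdly large count. */
    int32_t cases[] = { -32767, 0, 2, 1 << 20 };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int16_t *buf = alloc_sample_buffer(cases[i], BLOCK_SIZE);
        printf("channels=%d -> %s\n", cases[i], buf ? "allocated" : "rejected");
        free(buf);
    }
    return 0;
}
```

The important ordering is validate, then multiply in an unsigned type with a pre-check against `SIZE_MAX`, then allocate; doing the multiplication first (as `encode.c:209` does) means the sign and width of `channels` decide what `malloc` sees.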
sahaRatul commented 4 years ago

Please check now, as the code has been rewritten.