sezero / mikmod

Mikmod Sound System (mirror of git repo at https://sf.net/projects/mikmod/)
http://mikmod.sourceforge.net/

[IT] [XM] OOB reads in envelope code #70

Closed sezero closed 1 year ago

sezero commented 1 year ago

From a fuzz archive from Aug. 2019: files attached with valgrind outputs. Valgrind runs were made on an i686-linux using examples/test/test.c. An example output is inlined below from the 1st file, the rest of them are similar. @AliceLR: Need help with these.

Playing  (1 chn)
==29020== Invalid read of size 2
==29020==    at 0x804C888: ProcessEnvelope (mplayer.c:440)
==29020==    by 0x8051805: pt_UpdateVoices (mplayer.c:2831)
==29020==    by 0x805339A: Player_HandleTick (mplayer.c:3410)
==29020==    by 0x8077F3E: VC1_WriteSamples (virtch.c:1161)
==29020==    by 0x80776D8: VC1_WriteBytes (virtch_common.c:278)
==29020==    by 0x8055F8E: VC_WriteBytes (virtch_common.c:161)
==29020==    by 0x8048D87: NS_Update (drv_nos.c:70)
==29020==    by 0x804966D: MikMod_Update (mdriver.c:311)
==29020==    by 0x8048CB6: main (test.c:84)
==29020==  Address 0x404aea0 is 12 bytes after a block of size 4 alloc'd
==29020==    at 0x4006041: calloc (vg_replace_malloc.c:593)
==29020==    by 0x8048E18: MikMod_calloc (mmalloc.c:118)
==29020==    by 0x804B006: AllocTracks (mloader.c:219)
==29020==    by 0x806188D: IT_Load (load_it.c:1008)
==29020==    by 0x804BB73: Player_LoadGeneric_internal (mloader.c:570)
==29020==    by 0x804BE8D: Player_LoadGeneric (mloader.c:647)
==29020==    by 0x804BF54: Player_LoadFP (mloader.c:675)
==29020==    by 0x804BFA9: Player_Load (mloader.c:689)
==29020==    by 0x8048C64: main (test.c:74)
==29020== 
==29020== Invalid read of size 2
==29020==    at 0x804C89E: ProcessEnvelope (mplayer.c:441)
==29020==    by 0x8051805: pt_UpdateVoices (mplayer.c:2831)
==29020==    by 0x805339A: Player_HandleTick (mplayer.c:3410)
==29020==    by 0x8077F3E: VC1_WriteSamples (virtch.c:1161)
==29020==    by 0x80776D8: VC1_WriteBytes (virtch_common.c:278)
==29020==    by 0x8055F8E: VC_WriteBytes (virtch_common.c:161)
==29020==    by 0x8048D87: NS_Update (drv_nos.c:70)
==29020==    by 0x804966D: MikMod_Update (mdriver.c:311)
==29020==    by 0x8048CB6: main (test.c:84)
==29020==  Address 0x404aea2 is 14 bytes after a block of size 4 alloc'd
==29020==    at 0x4006041: calloc (vg_replace_malloc.c:593)
==29020==    by 0x8048E18: MikMod_calloc (mmalloc.c:118)
==29020==    by 0x804B006: AllocTracks (mloader.c:219)
==29020==    by 0x806188D: IT_Load (load_it.c:1008)
==29020==    by 0x804BB73: Player_LoadGeneric_internal (mloader.c:570)
==29020==    by 0x804BE8D: Player_LoadGeneric (mloader.c:647)
==29020==    by 0x804BF54: Player_LoadFP (mloader.c:675)
==29020==    by 0x804BFA9: Player_Load (mloader.c:689)
==29020==    by 0x8048C64: main (test.c:74)

101-it.tar.gz 103-xm.tar.gz
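The trace above shows ProcessEnvelope reading 2-byte values outside any live allocation while playing fuzzed IT/XM files, but the envelope code itself is not on this page. As an added illustration (not mikmod's code), the following assumes a hypothetical envelope layout whose point count and loop indices are taken straight from the module file, and shows the load-time validation that keeps a player-side lookup inside the point array; the sample envelopes at the bottom are constructed.

```c
/* Constructed example, not mikmod's definitions: a tracker-style envelope
 * whose point count and loop indices come straight from the module file. */
#define ENV_MAX_POINTS 25
typedef struct { short pos; short val; } env_pt;   /* 2-byte fields, as in the trace */
typedef struct {
    unsigned npts;                 /* read from the file: untrusted */
    unsigned loop_beg, loop_end;   /* read from the file: untrusted */
    env_pt   pts[ENV_MAX_POINTS];
} envelope;

/* Loader-side check: reject metadata that would make the player index past pts[].
 * Returns 0 when sane, or a small code identifying the first problem found. */
int envelope_validate(const envelope *e)
{
    unsigned i;
    if (e->npts == 0 || e->npts > ENV_MAX_POINTS) return 1;          /* count exceeds array */
    if (e->loop_beg >= e->npts || e->loop_end >= e->npts) return 2;   /* loop index past count */
    if (e->loop_beg > e->loop_end) return 3;                          /* inverted loop */
    for (i = 1; i < e->npts; i++)                                     /* positions must not decrease */
        if (e->pts[i].pos < e->pts[i - 1].pos) return 4;
    return 0;
}

/* Player-side lookup: value at tick p, interpolating between the bracketing points.
 * Every index is bounded by npts, so a validated envelope never reads past pts[]. */
short envelope_value_at(const envelope *e, unsigned p)
{
    unsigned b;
    if (e->npts == 0) return 0;
    if ((int)p <= e->pts[0].pos) return e->pts[0].val;
    for (b = 1; b < e->npts; b++) {
        const env_pt *a = &e->pts[b - 1], *c = &e->pts[b];
        if ((int)p <= c->pos) {
            int span = c->pos - a->pos;
            if (span <= 0) return c->val;
            return (short)(a->val + (c->val - a->val) * (int)(p - a->pos) / span);
        }
    }
    return e->pts[e->npts - 1].val;   /* past the last point: hold its value */
}

/* Constructed inputs: a well-formed 3-point volume envelope, and a corrupt one
 * whose point count (as a fuzzed file might carry) exceeds the array. */
const envelope sample_ok  = { 3,   0, 2, { {0, 0}, {10, 64}, {20, 0} } };
const envelope sample_bad = { 200, 0, 2, { {0, 0}, {10, 64}, {20, 0} } };
```

Running the validator at load time turns a crafted point count into a clean load failure instead of an out-of-bounds read during playback.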

AliceLR commented 1 year ago

Haven't looked into this yet, but it might be affected by #63.

sezero commented 1 year ago

Just tested, #63 doesn't fix any of the errors from broken IT files from 101-it.zip. Curiously though, it does make the errors from broken XM files from 103-xm.zip go away.