[asterisk-bugs] [JIRA] Created: (ASTERISK-20482) Certain mp3 file will cause crash in format_mp3.c

Martin Vit (JIRA) noreply at issues.asterisk.org
Wed Sep 26 08:40:27 CDT 2012


Certain mp3 file will cause crash in format_mp3.c
-------------------------------------------------

                 Key: ASTERISK-20482
                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-20482
             Project: Asterisk
          Issue Type: Bug
      Security Level: None
          Components: Addons/format_mp3
    Affects Versions: 1.8.11.1
            Reporter: Martin Vit
            Severity: Critical


CLI> file convert /tmp/1.mp3 /tmp/1.wav

Valgrind output: 

==18890== Invalid read of size 1
==18890==    at 0x217867E8: mp3_read (format_mp3.c:215)
==18890==    by 0x4CDED4: read_frame (file.c:719)
==18890==    by 0x4CDF64: ast_readframe (file.c:740)
==18890==    by 0x139FC251: handle_cli_file_convert (res_convert.c:122)
==18890==    by 0x48FB2B: ast_cli_command_full (cli.c:2502)
==18890==    by 0x43F9BE: consolehandler (asterisk.c:1862)
==18890==    by 0x446632: main (asterisk.c:3980)
==18890==  Address 0x8792540 is 0 bytes after a block of size 63,024 alloc'd
==18890==    at 0x4C2380C: calloc (vg_replace_malloc.c:467)
==18890==    by 0x569A13: _ast_calloc (utils.h:480)
==18890==    by 0x446CFE: internal_ao2_alloc (astobj2.c:300)
==18890==    by 0x446E77: __ao2_alloc (astobj2.c:344)
==18890==    by 0x4CD00C: get_filestream (file.c:360)
==18890==    by 0x4CEC13: ast_readfile (file.c:1018)
==18890==    by 0x139FC093: handle_cli_file_convert (res_convert.c:106)
==18890==    by 0x48FB2B: ast_cli_command_full (cli.c:2502)
==18890==    by 0x43F9BE: consolehandler (asterisk.c:1862)
==18890==    by 0x446632: main (asterisk.c:3980)

GDB output: 

#0  0x00007f1be0a467e8 in mp3_read (s=0x7f1bf80c6318, whennext=0x7fffb9d367ec) at format_mp3.c:215
        p = 0x7f1bf80c6588
        delay = 0
        save = 0
#1  0x00000000004cded5 in read_frame (s=0x7f1bf80c6318, whennext=0x7fffb9d367ec) at file.c:719
        fr = 0x2913e80
        new_fr = 0x2906690
#2  0x00000000004cdf65 in ast_readframe (s=0x7f1bf80c6318) at file.c:740
        whennext = 0
#3  0x00007f1bee7fa252 in handle_cli_file_convert (e=0x7f1bee9fad20, cmd=-4, a=0x7fffb9d36980) at res_convert.c:122
        ret = 0x2 <Address 0x2 out of bounds>
        fs_in = 0x7f1bf80c6318
        fs_out = 0x7f1bf8097ba8
        f = 0x2913e80
        start = {tv_sec = 1348666762, tv_usec = 541456}
        cost = 32767
        file_in = 0x7fffb9d36830 "/tmp/1"
        file_out = 0x7fffb9d36810 "/tmp/1"
        name_in = 0x7fffb9d36830 "/tmp/1"
        ext_in = 0x7fffb9d36837 "mp3"
        name_out = 0x7fffb9d36810 "/tmp/1"
        ext_out = 0x7fffb9d36817 "wav"


