[asterisk-bugs] [JIRA] Updated: (ASTERISK-20482) Certain mp3 file will cause crash in format_mp3.c

Martin Vit (JIRA) noreply at issues.asterisk.org
Wed Sep 26 08:42:28 CDT 2012 

     [ https://issues.asterisk.org/jira/browse/ASTERISK-20482?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Martin Vit updated ASTERISK-20482:
----------------------------------

    Description: 
CLI> file convert /tmp/1.mp3 /tmp/1.wav (the file is attached here in tracker) 

Valgrind output: 

==18890== Invalid read of size 1
==18890==    at 0x217867E8: mp3_read (format_mp3.c:215)
==18890==    by 0x4CDED4: read_frame (file.c:719)
==18890==    by 0x4CDF64: ast_readframe (file.c:740)
==18890==    by 0x139FC251: handle_cli_file_convert (res_convert.c:122)
==18890==    by 0x48FB2B: ast_cli_command_full (cli.c:2502)
==18890==    by 0x43F9BE: consolehandler (asterisk.c:1862)
==18890==    by 0x446632: main (asterisk.c:3980)
==18890==  Address 0x8792540 is 0 bytes after a block of size 63,024 alloc'd
==18890==    at 0x4C2380C: calloc (vg_replace_malloc.c:467)
==18890==    by 0x569A13: _ast_calloc (utils.h:480)
==18890==    by 0x446CFE: internal_ao2_alloc (astobj2.c:300)
==18890==    by 0x446E77: __ao2_alloc (astobj2.c:344)
==18890==    by 0x4CD00C: get_filestream (file.c:360)
==18890==    by 0x4CEC13: ast_readfile (file.c:1018)
==18890==    by 0x139FC093: handle_cli_file_convert (res_convert.c:106)
==18890==    by 0x48FB2B: ast_cli_command_full (cli.c:2502)
==18890==    by 0x43F9BE: consolehandler (asterisk.c:1862)
==18890==    by 0x446632: main (asterisk.c:3980)

GDB output: 

#0  0x00007f1be0a467e8 in mp3_read (s=0x7f1bf80c6318, whennext=0x7fffb9d367ec) at format_mp3.c:215
        p = 0x7f1bf80c6588
        delay = 0
        save = 0
#1  0x00000000004cded5 in read_frame (s=0x7f1bf80c6318, whennext=0x7fffb9d367ec) at file.c:719
        fr = 0x2913e80
        new_fr = 0x2906690
#2  0x00000000004cdf65 in ast_readframe (s=0x7f1bf80c6318) at file.c:740
        whennext = 0
#3  0x00007f1bee7fa252 in handle_cli_file_convert (e=0x7f1bee9fad20, cmd=-4, a=0x7fffb9d36980) at res_convert.c:122
        ret = 0x2 <Address 0x2 out of bounds>
        fs_in = 0x7f1bf80c6318
        fs_out = 0x7f1bf8097ba8
        f = 0x2913e80
        start = {tv_sec = 1348666762, tv_usec = 541456}
        cost = 32767
        file_in = 0x7fffb9d36830 "/tmp/1"
        file_out = 0x7fffb9d36810 "/tmp/1"
        name_in = 0x7fffb9d36830 "/tmp/1"
        ext_in = 0x7fffb9d36837 "mp3"
        name_out = 0x7fffb9d36810 "/tmp/1"
        ext_out = 0x7fffb9d36817 "wav"


  was:
CLI> file convert /tmp/1.mp3 /tmp/1.wav

Valgrind output: 

==18890== Invalid read of size 1
==18890==    at 0x217867E8: mp3_read (format_mp3.c:215)
==18890==    by 0x4CDED4: read_frame (file.c:719)
==18890==    by 0x4CDF64: ast_readframe (file.c:740)
==18890==    by 0x139FC251: handle_cli_file_convert (res_convert.c:122)
==18890==    by 0x48FB2B: ast_cli_command_full (cli.c:2502)
==18890==    by 0x43F9BE: consolehandler (asterisk.c:1862)
==18890==    by 0x446632: main (asterisk.c:3980)
==18890==  Address 0x8792540 is 0 bytes after a block of size 63,024 alloc'd
==18890==    at 0x4C2380C: calloc (vg_replace_malloc.c:467)
==18890==    by 0x569A13: _ast_calloc (utils.h:480)
==18890==    by 0x446CFE: internal_ao2_alloc (astobj2.c:300)
==18890==    by 0x446E77: __ao2_alloc (astobj2.c:344)
==18890==    by 0x4CD00C: get_filestream (file.c:360)
==18890==    by 0x4CEC13: ast_readfile (file.c:1018)
==18890==    by 0x139FC093: handle_cli_file_convert (res_convert.c:106)
==18890==    by 0x48FB2B: ast_cli_command_full (cli.c:2502)
==18890==    by 0x43F9BE: consolehandler (asterisk.c:1862)
==18890==    by 0x446632: main (asterisk.c:3980)

GDB output: 

#0  0x00007f1be0a467e8 in mp3_read (s=0x7f1bf80c6318, whennext=0x7fffb9d367ec) at format_mp3.c:215
        p = 0x7f1bf80c6588
        delay = 0
        save = 0
#1  0x00000000004cded5 in read_frame (s=0x7f1bf80c6318, whennext=0x7fffb9d367ec) at file.c:719
        fr = 0x2913e80
        new_fr = 0x2906690
#2  0x00000000004cdf65 in ast_readframe (s=0x7f1bf80c6318) at file.c:740
        whennext = 0
#3  0x00007f1bee7fa252 in handle_cli_file_convert (e=0x7f1bee9fad20, cmd=-4, a=0x7fffb9d36980) at res_convert.c:122
        ret = 0x2 <Address 0x2 out of bounds>
        fs_in = 0x7f1bf80c6318
        fs_out = 0x7f1bf8097ba8
        f = 0x2913e80
        start = {tv_sec = 1348666762, tv_usec = 541456}
        cost = 32767
        file_in = 0x7fffb9d36830 "/tmp/1"
        file_out = 0x7fffb9d36810 "/tmp/1"
        name_in = 0x7fffb9d36830 "/tmp/1"
        ext_in = 0x7fffb9d36837 "mp3"
        name_out = 0x7fffb9d36810 "/tmp/1"
        ext_out = 0x7fffb9d36817 "wav"



> Certain mp3 file will cause crash in format_mp3.c
> -------------------------------------------------
>
>                 Key: ASTERISK-20482
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-20482
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Addons/format_mp3
>    Affects Versions: 1.8.11.1
>            Reporter: Martin Vit
>            Severity: Critical
>         Attachments: paycomtest.mp3
>
>
> CLI> file convert /tmp/1.mp3 /tmp/1.wav (the file is attached here in tracker) 
> Valgrind output: 
> ==18890== Invalid read of size 1
> ==18890==    at 0x217867E8: mp3_read (format_mp3.c:215)
> ==18890==    by 0x4CDED4: read_frame (file.c:719)
> ==18890==    by 0x4CDF64: ast_readframe (file.c:740)
> ==18890==    by 0x139FC251: handle_cli_file_convert (res_convert.c:122)
> ==18890==    by 0x48FB2B: ast_cli_command_full (cli.c:2502)
> ==18890==    by 0x43F9BE: consolehandler (asterisk.c:1862)
> ==18890==    by 0x446632: main (asterisk.c:3980)
> ==18890==  Address 0x8792540 is 0 bytes after a block of size 63,024 alloc'd
> ==18890==    at 0x4C2380C: calloc (vg_replace_malloc.c:467)
> ==18890==    by 0x569A13: _ast_calloc (utils.h:480)
> ==18890==    by 0x446CFE: internal_ao2_alloc (astobj2.c:300)
> ==18890==    by 0x446E77: __ao2_alloc (astobj2.c:344)
> ==18890==    by 0x4CD00C: get_filestream (file.c:360)
> ==18890==    by 0x4CEC13: ast_readfile (file.c:1018)
> ==18890==    by 0x139FC093: handle_cli_file_convert (res_convert.c:106)
> ==18890==    by 0x48FB2B: ast_cli_command_full (cli.c:2502)
> ==18890==    by 0x43F9BE: consolehandler (asterisk.c:1862)
> ==18890==    by 0x446632: main (asterisk.c:3980)
> GDB output: 
> #0  0x00007f1be0a467e8 in mp3_read (s=0x7f1bf80c6318, whennext=0x7fffb9d367ec) at format_mp3.c:215
>         p = 0x7f1bf80c6588
>         delay = 0
>         save = 0
> #1  0x00000000004cded5 in read_frame (s=0x7f1bf80c6318, whennext=0x7fffb9d367ec) at file.c:719
>         fr = 0x2913e80
>         new_fr = 0x2906690
> #2  0x00000000004cdf65 in ast_readframe (s=0x7f1bf80c6318) at file.c:740
>         whennext = 0
> #3  0x00007f1bee7fa252 in handle_cli_file_convert (e=0x7f1bee9fad20, cmd=-4, a=0x7fffb9d36980) at res_convert.c:122
>         ret = 0x2 <Address 0x2 out of bounds>
>         fs_in = 0x7f1bf80c6318
>         fs_out = 0x7f1bf8097ba8
>         f = 0x2913e80
>         start = {tv_sec = 1348666762, tv_usec = 541456}
>         cost = 32767
>         file_in = 0x7fffb9d36830 "/tmp/1"
>         file_out = 0x7fffb9d36810 "/tmp/1"
>         name_in = 0x7fffb9d36830 "/tmp/1"
>         ext_in = 0x7fffb9d36837 "mp3"
>         name_out = 0x7fffb9d36810 "/tmp/1"
>         ext_out = 0x7fffb9d36817 "wav"

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

More information about the asterisk-bugs mailing list