Crash report

Affects libsndfile 1.0.28

source code

#include <stdio.h>
#include <string.h>
#include <sndfile.h>

#define MAX_CHANNELS 6

/* Minimal harness: open the file named on the command line with libsndfile
 * and bail out if it has more channels than we are prepared to handle.
 * The crash below happens inside sf_open(), before any samples are read. */
int main(int argc, char *argv[])
{
        SNDFILE *infile ;
        SF_INFO sfinfo ;

        if (argc < 2)
        {       fprintf (stderr, "usage: %s <file>\n", argv[0]) ;
                return 1 ;
        } ;

        memset (&sfinfo, 0, sizeof (sfinfo)) ;

        if (! (infile = sf_open (argv[1], SFM_READ, &sfinfo)))
                return 1 ;

        if (sfinfo.channels > MAX_CHANNELS)
                return 1 ;

        sf_close (infile) ;

        return 0 ;
}

system info

dist: Ubuntu 16.04 xenial
linux_distribution: Ubuntu 16.04 xenial
system: Linux
machine: x86_64
platform: Linux-4.4.0-93-generic-x86_64-with-Ubuntu-16.04-xenial
uname: Linux libsndfile-fuzzer 4.4.0-93-generic #116-Ubuntu SMP Fri Aug 11 21:17:51 UTC 2017 x86_64 x86_64
version: #116-Ubuntu SMP Fri Aug 11 21:17:51 UTC 2017

summary

unique signals

Program received signal SIGFPE, Arithmetic exception.

unique line crashes

#0  0x000000000045d1b6 in double64_init (psf=0x6de010) at double64.c:252

unique exploitability classifications

Exploitability Classification: PROBABLY_NOT_EXPLOITABLE

/crashes/id00000

crash reproduction

echo "TUFUTEFCIDUwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAAMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwSU0OAAAAMDAwMAYAAAAwMDAwMDAwMDAwMDAFAAAAMDAwMAEAAAABAAAAAQAAAAoAAAAwMDAwMDAwMDAwMDAwMDAwBAACADAwMDAOAAAAMDAwMAYAAAAwMDAwMDAwMDAwMDAFAAAAMDAwMAAAACAwMDAwAQAAAAgAAAAwMDAwMDAwMAkAAAA=" | base64 -d > testfile
/opt/test_libsndfile testfile


Program received signal SIGFPE, Arithmetic exception.
0x000000000045d1b6 in double64_init (psf=0x6de010) at double64.c:252
252		psf->sf.frames = psf->datalength / psf->blockwidth ;
Description: Floating point exception signal
Short description: FloatingPointException (17/22)
Hash: 2f81936c1111d53deda7826579b8ddbc.2f81936c1111d53deda7826579b8ddbc
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Explanation: The target crashed on a floating point exception. This may indicate a division by zero or a number of other floating point errors. It is generally difficult to leverage these types of errors to gain control of the processor.
backtrace:
#0  0x000000000045d1b6 in double64_init (psf=0x6de010) at double64.c:252
        double64_caps = 35
#1  0x00000000004215c7 in mat5_open (psf=0x6de010) at mat5.c:131
        error = 0
#2  0x0000000000402e7c in psf_open_file (psf=0x6de010, sfinfo=0x7fffffffe4f0) at sndfile.c:3137
        error = 3
        format = <optimized out>
#3  0x0000000000401bef in sf_open (path=0x7fffffffe852 "libsndfile/crashes/id00000", mode=16, sfinfo=0x7fffffffe4f0) at sndfile.c:350
        psf = 0x6de010
#4  0x000000000040190a in main (argc=<optimized out>, argv=0x7fffffffe618) at test.c:18
        _B = 0x4adce4 "##SIG_AFL_PERSISTENT##"
        sfinfo = {frames = 140737488348400, samplerate = 4578336, channels = 0, format = 0, sections = 0, seekable = 4576992}
        infile = <optimized out>

registers:
rax            0x0	0
rbx            0x0	0
rcx            0x0	0
rdx            0x0	0
rsi            0x0	0
rdi            0x6cd610	7132688
rbp            0xfffffffffffffffc	0xfffffffffffffffc
rsp            0x7fffffffe4f0	0x7fffffffe4f0
r8             0x45dc20	4578336
r9             0x0	0
r10            0x45d6e0	4576992
r11            0x45d460	4576352
r12            0x7fffffffe4f0	140737488348400
r13            0x7fffffffe610	140737488348688
r14            0x0	0
r15            0x7fffffffe618	140737488348696
rip            0x40190a	0x40190a <main+186>
eflags         0x10202	[ IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0