| Summary: | ASTERISK-20482: Certain mp3 file will cause crash in format_mp3.c | ||||
| Reporter: | Martin Vit (festr) | Labels: | |||
| Date Opened: | 2012-09-26 08:40:20 | Date Closed: | 2012-09-26 09:06:34 | ||
| Priority: | Critical | Regression? | |||
| Status: | Closed/Complete | Components: | Addons/format_mp3 | ||
| Versions: | 1.8.11.1 | Frequency of Occurrence | Constant | ||
| Related Issues: |
| ||||
| Environment: | Attachments: | ( 0) paycomtest.mp3 | |||
| Description: | CLI> file convert /tmp/1.mp3 /tmp/1.wav (the file is attached here in tracker) Valgrind output: ==18890== Invalid read of size 1 ==18890== at 0x217867E8: mp3_read (format_mp3.c:215) ==18890== by 0x4CDED4: read_frame (file.c:719) ==18890== by 0x4CDF64: ast_readframe (file.c:740) ==18890== by 0x139FC251: handle_cli_file_convert (res_convert.c:122) ==18890== by 0x48FB2B: ast_cli_command_full (cli.c:2502) ==18890== by 0x43F9BE: consolehandler (asterisk.c:1862) ==18890== by 0x446632: main (asterisk.c:3980) ==18890== Address 0x8792540 is 0 bytes after a block of size 63,024 alloc'd ==18890== at 0x4C2380C: calloc (vg_replace_malloc.c:467) ==18890== by 0x569A13: _ast_calloc (utils.h:480) ==18890== by 0x446CFE: internal_ao2_alloc (astobj2.c:300) ==18890== by 0x446E77: __ao2_alloc (astobj2.c:344) ==18890== by 0x4CD00C: get_filestream (file.c:360) ==18890== by 0x4CEC13: ast_readfile (file.c:1018) ==18890== by 0x139FC093: handle_cli_file_convert (res_convert.c:106) ==18890== by 0x48FB2B: ast_cli_command_full (cli.c:2502) ==18890== by 0x43F9BE: consolehandler (asterisk.c:1862) ==18890== by 0x446632: main (asterisk.c:3980) GDB output: #0 0x00007f1be0a467e8 in mp3_read (s=0x7f1bf80c6318, whennext=0x7fffb9d367ec) at format_mp3.c:215 p = 0x7f1bf80c6588 delay = 0 save = 0 #1 0x00000000004cded5 in read_frame (s=0x7f1bf80c6318, whennext=0x7fffb9d367ec) at file.c:719 fr = 0x2913e80 new_fr = 0x2906690 #2 0x00000000004cdf65 in ast_readframe (s=0x7f1bf80c6318) at file.c:740 whennext = 0 #3 0x00007f1bee7fa252 in handle_cli_file_convert (e=0x7f1bee9fad20, cmd=-4, a=0x7fffb9d36980) at res_convert.c:122 ret = 0x2 <Address 0x2 out of bounds> fs_in = 0x7f1bf80c6318 fs_out = 0x7f1bf8097ba8 f = 0x2913e80 start = {tv_sec = 1348666762, tv_usec = 541456} cost = 32767 file_in = 0x7fffb9d36830 "/tmp/1" file_out = 0x7fffb9d36810 "/tmp/1" name_in = 0x7fffb9d36830 "/tmp/1" ext_in = 0x7fffb9d36837 "mp3" name_out = 0x7fffb9d36810 "/tmp/1" ext_out = 0x7fffb9d36817 "wav" | ||||
| Comments: | By: Martin Vit (festr) 2012-09-26 08:41:10.328-0500 this file reproduces crash when file convert paycomtest.mp3 test.alaw By: Matt Jordan (mjordan) 2012-09-26 09:06:35.011-0500 This is a duplicate of ASTERISK-19761, which was fixed in r366296. Asterisk 1.8.14.0 and later should contain this fix. | ||||