Hi, I've been fuzzing the torchaudio project with sydr-fuzz and found a crash at sox/src/adpcm.c:135.
I think that a heap-buffer-overflow may occur because we have wrong indexing in the for loop: with a single iteration and an array of length 1, we start from index 1, not 0.
=================================================================
==354==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61900008d842 at pc 0x000019333fe1 bp 0x7ffda5b816f0 sp 0x7ffda5b816e8
WRITE of size 2 at 0x61900008d842 thread T0
#0 0x19333fe0 in lsx_ms_adpcm_block_expand_i /audio/build/third_party/sox/src/sox/src/adpcm.c:157:13
#1 0x191836bb in AdpcmReadBlock /audio/build/third_party/sox/src/sox/src/wav.c:178:14
#2 0x191836bb in read_samples /audio/build/third_party/sox/src/sox/src/wav.c:1133:54
#3 0x18ea334e in sox_read /audio/build/third_party/sox/src/sox/src/formats.c:978:30
#4 0x18f6d829 in drain /audio/build/third_party/sox/src/sox/src/input.c:40:12
#5 0x18edb1e6 in drain_effect /audio/build/third_party/sox/src/sox/src/effects.c:352:17
#6 0x18edb1e6 in sox_flow_effects /audio/build/third_party/sox/src/sox/src/effects.c:445:11
#7 0x937815 in torchaudio::sox::apply_effects_file(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::vector<std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::allocator<std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > > > const&, c10::optional<bool>, c10::optional<bool>, c10::optional<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > const&) /audio/torchaudio/csrc/sox/effects.cpp:121:9
#8 0x8f8b33 in torchaudio::sox::load_audio_file(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, c10::optional<long> const&, c10::optional<long> const&, c10::optional<bool>, c10::optional<bool>, c10::optional<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > const&) /audio/torchaudio/csrc/sox/io.cpp:69:10
#9 0x8f440b in LLVMFuzzerTestOneInput /audio/load_audio.cc:35:9
#10 0x18e92e7d in ExecuteFilesOnyByOne /AFLplusplus/utils/aflpp_driver/aflpp_driver.c:255:7
#11 0x18e92c88 in LLVMFuzzerRunDriver /AFLplusplus/utils/aflpp_driver/aflpp_driver.c
#12 0x18e92848 in main /AFLplusplus/utils/aflpp_driver/aflpp_driver.c:300:10
#13 0x7fa9832c9082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
#14 0x833cbd in _start (/load_audio_afl+0x833cbd)
0x61900008d842 is located 0 bytes to the right of 962-byte region [0x61900008d480,0x61900008d842)
allocated by thread T0 here:
#0 0x8b6fe6 in __interceptor_realloc /llvm-project-llvmorg-14.0.6/compiler-rt/lib/asan/asan_malloc_linux.cpp:85:3
#1 0x18ec72f4 in lsx_realloc /audio/build/third_party/sox/src/sox/src/xmalloc.c:37:14
#2 0x18e96c57 in open_read /audio/build/third_party/sox/src/sox/src/formats.c:545:32
SUMMARY: AddressSanitizer: heap-buffer-overflow /audio/build/third_party/sox/src/sox/src/adpcm.c:157:13 in lsx_ms_adpcm_block_expand_i
Shadow bytes around the buggy address:
0x0c3280009ab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3280009ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3280009ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3280009ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3280009af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3280009b00: 00 00 00 00 00 00 00 00[02]fa fa fa fa fa fa fa
0x0c3280009b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3280009b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3280009b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3280009b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3280009b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==354==ABORTING
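As an added illustration of the indexing error the report describes (example code written for this page, not sox's `lsx_ms_adpcm_block_expand_i` and not the real ADPCM decoder): a toy block expander whose loop runs from 1 to n, beside the corrected 0 to n-1 form. Stores go through a checked helper that counts rather than performs out-of-bounds writes, so the program itself does not crash; in unchecked code the rejected write is exactly the kind of store ASan reports above, beginning 0 bytes past the end of the allocation. The names `expand_buggy`, `expand_fixed`, `put_sample`, `oob_writes`, `first_sample` and the input block are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the bug class in the report: a block expander whose
 * loop starts at index 1 instead of 0, so for a block of n samples it writes
 * out[1..n] into an n-element buffer and the last store lands one element
 * past the end. This is NOT sox's code; it only reproduces the indexing error. */

typedef struct {
    int16_t *buf;   /* n samples */
    size_t   len;   /* n */
    size_t   oob;   /* stores rejected because idx >= len */
} sample_buf;

/* Checked store: records, instead of performing, any write past the end.
 * In the unchecked original this is the write ASan flags. */
static void put_sample(sample_buf *b, size_t idx, int16_t v) {
    if (idx >= b->len) { b->oob++; return; }
    b->buf[idx] = v;
}

/* Toy expansion (not ADPCM): one input byte -> one 16-bit sample. */
static void expand_buggy(const uint8_t *in, size_t nsamples, sample_buf *out) {
    for (size_t i = 1; i <= nsamples; i++)        /* bug: 1..n instead of 0..n-1 */
        put_sample(out, i, (int16_t)(in[i - 1] << 4));
}

static void expand_fixed(const uint8_t *in, size_t nsamples, sample_buf *out) {
    for (size_t i = 0; i < nsamples; i++)         /* 0..n-1 */
        put_sample(out, i, (int16_t)(in[i] << 4));
}

/* Expands a constructed block of nsamples bytes (values 1,2,3,...) into a
 * freshly allocated buffer of exactly nsamples elements. Caller frees out->buf. */
static int run_expand(int use_fixed, size_t nsamples, sample_buf *out) {
    uint8_t *in = malloc(nsamples);
    out->buf = calloc(nsamples, sizeof *out->buf);
    out->len = nsamples;
    out->oob = 0;
    if (!in || !out->buf) { free(in); free(out->buf); out->buf = NULL; return -1; }
    for (size_t i = 0; i < nsamples; i++) in[i] = (uint8_t)(i + 1);
    if (use_fixed) expand_fixed(in, nsamples, out);
    else           expand_buggy(in, nsamples, out);
    free(in);
    return 0;
}

/* Number of out-of-bounds stores attempted for a block of nsamples.
 * With nsamples == 1 the buggy loop's single iteration targets out[1]. */
static size_t oob_writes(int use_fixed, size_t nsamples) {
    sample_buf out;
    if (run_expand(use_fixed, nsamples, &out) != 0) return (size_t)-1;
    size_t oob = out.oob;
    free(out.buf);
    return oob;
}

/* Value left in out[0]; the buggy loop never writes it, so it stays 0. */
static int16_t first_sample(int use_fixed, size_t nsamples) {
    sample_buf out;
    if (run_expand(use_fixed, nsamples, &out) != 0) return -1;
    int16_t v = out.buf[0];
    free(out.buf);
    return v;
}

int main(void) {
    printf("buggy n=1: %zu out-of-bounds store(s), out[0]=%d\n",
           oob_writes(0, 1), first_sample(0, 1));
    printf("fixed n=1: %zu out-of-bounds store(s), out[0]=%d\n",
           oob_writes(1, 1), first_sample(1, 1));
    return 0;
}
```

Two symptoms of the off-by-one show up even without a sanitizer: exactly one store per block falls past the end of the buffer regardless of block size, and the first output sample is never written. Building the unchecked variant with `-fsanitize=address` turns the rejected store into the heap-buffer-overflow report seen in the issue.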
#3497 has landed, and now torchaudio links to sox dynamically. We no longer compile the specified code ourselves, and therefore this issue is now irrelevant.
Feel free to fuzz the code under torchaudio/csrc and report issues there. Thanks,
How to reproduce
Versions
torchaudio version: 30afaa9
pytorch version: 0f1621df1a0a73956c7ce4e2f72f069e610e0137
sox version: 14.4.2
OS: Ubuntu 20.04