
Null pointer dereference at sox/src/xa.c:219 #3507

Closed
hkctkuy opened this issue Jul 27, 2023 · 1 comment

Comments


hkctkuy commented Jul 27, 2023

🐛 Describe the bug

Hi, I've been fuzzing the torchaudio project with sydr-fuzz and found a crash at sox/src/xa.c:219.

I think that the load of a null pointer occurs because we get the xa struct as (priv_t *) ft->priv and then use xa->buf without any nullptr checks.

How to reproduce

1. Build the docker image from here and run the container:
   sudo docker build -t oss-sydr-fuzz-torchaudio .
   sudo docker run --privileged --rm -v `pwd`:/fuzz -it oss-sydr-fuzz-torchaudio /bin/bash
2. Run the target on this input: crash-05a2a5f34ec299b51b6a31d193b75dea187cfb9f
   UBSAN_OPTIONS=print_stacktrace=1,report_error_type=1 /load_audio_afl crash-05a2a5f34ec299b51b6a31d193b75dea187cfb9f

You will see the following output:

/audio/build/third_party/sox/src/sox/src/xa.c:219:26: runtime error: load of null pointer of type 'unsigned char'
    #0 0x191a59a5 in read_samples /audio/build/third_party/sox/src/sox/src/xa.c:219:26
    #1 0x18ea334e in sox_read /audio/build/third_party/sox/src/sox/src/formats.c:978:30
    #2 0x18f6d829 in drain /audio/build/third_party/sox/src/sox/src/input.c:40:12
    #3 0x18edb1e6 in drain_effect /audio/build/third_party/sox/src/sox/src/effects.c:352:17
    #4 0x18edb1e6 in sox_flow_effects /audio/build/third_party/sox/src/sox/src/effects.c:445:11
    #5 0x937815 in torchaudio::sox::apply_effects_file(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::vector<std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::allocator<std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > > > const&, c10::optional<bool>, c10::optional<bool>, c10::optional<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > const&) /audio/torchaudio/csrc/sox/effects.cpp:121:9
    #6 0x8f8b33 in torchaudio::sox::load_audio_file(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, c10::optional<long> const&, c10::optional<long> const&, c10::optional<bool>, c10::optional<bool>, c10::optional<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > const&) /audio/torchaudio/csrc/sox/io.cpp:69:10
    #7 0x8f440b in LLVMFuzzerTestOneInput /audio/load_audio.cc:35:9
    #8 0x18e92e7d in ExecuteFilesOnyByOne /AFLplusplus/utils/aflpp_driver/aflpp_driver.c:255:7
    #9 0x18e92c88 in LLVMFuzzerRunDriver /AFLplusplus/utils/aflpp_driver/aflpp_driver.c
    #10 0x18e92848 in main /AFLplusplus/utils/aflpp_driver/aflpp_driver.c:300:10
    #11 0x7fdebf30f082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
    #12 0x833cbd in _start (/load_audio_afl+0x833cbd)

SUMMARY: UndefinedBehaviorSanitizer: null-pointer-use /audio/build/third_party/sox/src/sox/src/xa.c:219:26 in 
AddressSanitizer:DEADLYSIGNAL
=================================================================
==368==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000191a548e bp 0x000000000000 sp 0x7ffe4f4fe050 T0)
==368==The signal is caused by a READ memory access.
==368==Hint: address points to the zero page.
    #0 0x191a548e in read_samples /audio/build/third_party/sox/src/sox/src/xa.c:219:26
    #1 0x18ea334e in sox_read /audio/build/third_party/sox/src/sox/src/formats.c:978:30
    #2 0x18f6d829 in drain /audio/build/third_party/sox/src/sox/src/input.c:40:12
    #3 0x18edb1e6 in drain_effect /audio/build/third_party/sox/src/sox/src/effects.c:352:17
    #4 0x18edb1e6 in sox_flow_effects /audio/build/third_party/sox/src/sox/src/effects.c:445:11
    #5 0x937815 in torchaudio::sox::apply_effects_file(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::vector<std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::allocator<std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > > > const&, c10::optional<bool>, c10::optional<bool>, c10::optional<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > const&) /audio/torchaudio/csrc/sox/effects.cpp:121:9
    #6 0x8f8b33 in torchaudio::sox::load_audio_file(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, c10::optional<long> const&, c10::optional<long> const&, c10::optional<bool>, c10::optional<bool>, c10::optional<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > const&) /audio/torchaudio/csrc/sox/io.cpp:69:10
    #7 0x8f440b in LLVMFuzzerTestOneInput /audio/load_audio.cc:35:9
    #8 0x18e92e7d in ExecuteFilesOnyByOne /AFLplusplus/utils/aflpp_driver/aflpp_driver.c:255:7
    #9 0x18e92c88 in LLVMFuzzerRunDriver /AFLplusplus/utils/aflpp_driver/aflpp_driver.c
    #10 0x18e92848 in main /AFLplusplus/utils/aflpp_driver/aflpp_driver.c:300:10
    #11 0x7fdebf30f082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
    #12 0x833cbd in _start (/load_audio_afl+0x833cbd)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /audio/build/third_party/sox/src/sox/src/xa.c:219:26 in read_samples
==368==ABORTING

Versions

torchaudio version: 30afaa9
pytorch version: 0f1621df1a0a73956c7ce4e2f72f069e610e0137
sox version: 14.4.2
OS: Ubuntu 20.04
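The following is a constructed C model of the failure mode the report describes (a format reader whose private state carries a block buffer that can be NULL, read without a check) together with the guard that prevents it. It is added here and is not sox's or torchaudio's code; the names priv_t and read_samples are borrowed from the trace, but the bodies, the 4-byte header layout, and the assumption that a header-declared block size of zero leaves the buffer unallocated are all modelled, not taken from the report.

```c
#include <stdlib.h>
#include <stdint.h>

/* Constructed model (not sox's code): per-file private state whose
 * block buffer is sized from the untrusted file header. */
typedef struct {
    size_t block_size;   /* header-supplied, attacker-controlled */
    unsigned char *buf;  /* NULL when allocation was skipped or failed */
    size_t pos;
} priv_t;

/* Assumed allocator behaviour: a zero-byte request yields NULL, so a
 * header declaring block_size == 0 leaves buf == NULL. */
static unsigned char *alloc_block(size_t n) {
    return n ? (unsigned char *)calloc(1, n) : NULL;
}

/* Hypothetical startread: header is a constructed 4-byte little-endian
 * block size; returns -1 on a truncated header. */
int startread(priv_t *xa, const unsigned char *hdr, size_t len) {
    if (len < 4) return -1;
    xa->block_size = (size_t)hdr[0] | ((size_t)hdr[1] << 8)
                   | ((size_t)hdr[2] << 16) | ((size_t)hdr[3] << 24);
    xa->buf = alloc_block(xa->block_size);
    xa->pos = 0;
    return 0;
}

/* Hardened read: the report's shape would load xa->buf[pos] with no
 * check; here a NULL buffer is treated as EOF and every load is kept
 * inside the declared block. Returns the number of samples produced. */
size_t read_samples(priv_t *xa, int *out, size_t n) {
    size_t done = 0;
    if (xa->buf == NULL) return 0;          /* the missing NULL check */
    while (done < n && xa->pos < xa->block_size) {
        out[done++] = xa->buf[xa->pos++];   /* in-bounds load only */
    }
    return done;
}

/* Drives the model on a constructed header; returns samples read, or
 * (size_t)-1 if the header was rejected. */
size_t run_model(const unsigned char *hdr, size_t len) {
    priv_t xa;
    int out[16];
    if (startread(&xa, hdr, len) != 0) return (size_t)-1;
    size_t got = read_samples(&xa, out, 16);
    free(xa.buf);
    return got;
}
```

A header declaring a zero-length block now yields zero samples instead of a load through a null pointer, which is the outcome the sanitizer run above flags.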

Collaborator

mthrok commented Jul 28, 2023

#3497 has landed, and now torchaudio links to sox dynamically. We no longer compile the specified code by ourselves and therefore this issue is now irrelevant.

Feel free to fuzz the code under torchaudio/csrc, and report issues there. Thanks,

@mthrok mthrok closed this as completed Jul 28, 2023