libextractor: CVE-2017-17440: various null pointer dereferences in GIF, IT, NSFE, S3M, SID and XM plugins

Related Vulnerabilities: CVE-2017-17440   CVE-2017-15600   CVE-2017-15602   CVE-2017-15000   CVE-2017-15922  

Debian Bug report logs - #883528
libextractor: CVE-2017-17440: various null pointer dereferences in GIF, IT, NSFE, S3M, SID and XM plugins


Reported by: Markus Koschany <apo@debian.org>

Date: Mon, 4 Dec 2017 19:15:01 UTC

Severity: important

Tags: fixed-upstream, security, upstream

Found in version libextractor/1:1.6-1

Fixed in version libextractor/1:1.6-2

Done: Bertrand Marc <bmarc@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, apo@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Bertrand Marc <bmarc@debian.org>:
Bug#883528; Package src:libextractor. (Mon, 04 Dec 2017 19:15:04 GMT) (full text, mbox, link).


Acknowledgement sent to Markus Koschany <apo@debian.org>:
New Bug report received and forwarded. Copy sent to apo@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Bertrand Marc <bmarc@debian.org>. (Mon, 04 Dec 2017 19:15:04 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libextractor: CVE-2017-15600 and CVE-2017-15602 are not completely fixed
Date: Mon, 04 Dec 2017 20:13:38 +0100
[Message part 1 (text/plain, inline)]
Package: src:libextractor
Version: 1:1.6-1
Severity: important
Tags: security

Hi,

while I was working on the security update for Wheezy I discovered
that libextractor in Buster/Sid is still vulnerable to CVE-2017-15600
and CVE-2017-15602. I could reproduce two segmentation faults with the
provided POCs. They are attached to the upstream bug report:

http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00004.html
http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00005.html

Just run "extract -i $POC"

I'm attaching my gdb log files to this bug report.

Regards,

Markus


-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.13.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect
[CVE-2017-15600_gdb.txt (text/plain, attachment)]
[CVE-2017-15602_gdb.txt (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Bertrand Marc <bmarc@debian.org>:
Bug#883528; Package src:libextractor. (Mon, 04 Dec 2017 19:30:03 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Bertrand Marc <bmarc@debian.org>. (Mon, 04 Dec 2017 19:30:04 GMT) (full text, mbox, link).


Message #10 received at 883528@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Markus Koschany <apo@debian.org>, 883528@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#883528: libextractor: CVE-2017-15600 and CVE-2017-15602 are not completely fixed
Date: Mon, 4 Dec 2017 20:27:13 +0100
Hi Markus,

On Mon, Dec 04, 2017 at 08:13:38PM +0100, Markus Koschany wrote:
> Package: src:libextractor
> Version: 1:1.6-1
> Severity: important
> Tags: security
> 
> Hi,
> 
> while I was working on the security update for Wheezy I discovered
> that libextractor in Buster/Sid is still vulnerable to CVE-2017-15600
> and CVE-2017-15602. I could reproduce two segmentation faults with the
> provided POCs. They are attached to the upstream bug report:
> 
> http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00004.html
> http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00005.html
> 
> Just run "extract -i $POC"
> 
> I'm attaching my gdb log files to this bug report.

Since the issues happen in different places from the original reports,
can you request two new CVEs for those issues?

So for tracking purposes these are two new raised issues, different
from CVE-2017-15600 and CVE-2017-15602 and would possibly require two
new ones. Can you as well report it to upstream in case Bertrand
cannot chime in?

In case not let me know, and I can take care of it tomorrow.

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Bertrand Marc <bmarc@debian.org>:
Bug#883528; Package src:libextractor. (Mon, 04 Dec 2017 19:57:05 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Bertrand Marc <bmarc@debian.org>. (Mon, 04 Dec 2017 19:57:05 GMT) (full text, mbox, link).


Message #15 received at 883528@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 883528@bugs.debian.org
Cc: Markus Koschany <apo@debian.org>, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#883528: libextractor: CVE-2017-15600 and CVE-2017-15602 are not completely fixed
Date: Mon, 4 Dec 2017 20:53:01 +0100
Hi

On Mon, Dec 04, 2017 at 08:27:13PM +0100, Salvatore Bonaccorso wrote:
> Hi Markus,
> 
> On Mon, Dec 04, 2017 at 08:13:38PM +0100, Markus Koschany wrote:
> > Package: src:libextractor
> > Version: 1:1.6-1
> > Severity: important
> > Tags: security
> > 
> > Hi,
> > 
> > while I was working on the security update for Wheezy I discovered
> > that libextractor in Buster/Sid is still vulnerable to CVE-2017-15600
> > and CVE-2017-15602. I could reproduce two segmentation faults with the
> > provided POCs. They are attached to the upstream bug report:
> > 
> > http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00004.html
> > http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00005.html
> > 
> > Just run "extract -i $POC"
> > 
> > I'm attaching my gdb log files to this bug report.
> 
> Since the issues happen in different places from the original reports,
> can you request two new CVEs for those issues?
> 
> So for tracking purposes these are two new raised issues, different
> from CVE-2017-15600 and CVE-2017-15602 and would possibly require two
> new ones. Can you as well report it to upstream in case Bertrand
> cannot chime in?
> 
> In case not let me know, and I can take care of it tomorrow.

Interestingly the issues you describe do not seem triggerable with a
fresh build of 1.6 in sid (with --enable-shared=no,
--enable-static=yes with -O0).

sid:~/libextractor-1.6# ./src/main/extract -i ~/1338044
Keywords for file /root/1338044:
sid:~/libextractor-1.6# ./src/main/extract -i ~/bin_6iRW3tXve.bin
Keywords for file /root/bin_6iRW3tXve.bin:
sid:~/libextractor-1.6#

and neither with current HEAD (6c70420641fc1d081bcecf323671ca169b13a129).

It is though with the Debian package (re)build. What is different?

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Bertrand Marc <bmarc@debian.org>:
Bug#883528; Package src:libextractor. (Mon, 04 Dec 2017 20:09:05 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Bertrand Marc <bmarc@debian.org>. (Mon, 04 Dec 2017 20:09:05 GMT) (full text, mbox, link).


Message #20 received at 883528@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 883528@bugs.debian.org
Cc: Markus Koschany <apo@debian.org>, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#883528: libextractor: CVE-2017-15600 and CVE-2017-15602 are not completely fixed
Date: Mon, 4 Dec 2017 21:05:46 +0100
And additionally the results from an ASAN build:

For the one related to the CVE-2017-15000 reproducer:

root@sid:~# extract -i extract-nsf_extract_method-nsf_extractor-164.crash
Keywords for file extract-nsf_extract_method-nsf_extractor-164.crash:
xm_extractor.c:80:7: runtime error: null pointer passed as argument 1, which is declared to never be null
ASAN:DEADLYSIGNAL
=================================================================
==22442==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x7f916bdf6d06 bp 0x7ffd356d46c0 sp 0x7ffd356d4520 T0)
==22442==The signal is caused by a READ memory access.
==22442==Hint: address points to the zero page.
    #0 0x7f916bdf6d05 in EXTRACTOR_xm_extract_method (/usr/lib/x86_64-linux-gnu/libextractor/libextractor_xm.so+0x1d05)
    #1 0x7f917a6d709c  (/usr/lib/x86_64-linux-gnu/libextractor.so.3+0x3209c)
    #2 0x7f917a6d85d3 in EXTRACTOR_extract (/usr/lib/x86_64-linux-gnu/libextractor.so.3+0x335d3)
    #3 0x403892  (/usr/bin/extract+0x403892)
    #4 0x7f91793fa560 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20560)
    #5 0x404ce9  (/usr/bin/extract+0x404ce9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/lib/x86_64-linux-gnu/libextractor/libextractor_xm.so+0x1d05) in EXTRACTOR_xm_extract_method
==22442==ABORTING
root@sid:~#

for the one related to the CVE-2017-15602 reproducer:

root@sid:~# extract -i bin_6iRW3tXve.bin 
Keywords for file bin_6iRW3tXve.bin:
=================================================================
==22470==ERROR: AddressSanitizer: negative-size-param: (size=-8)
    #0 0x7fb94e64279b  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x7679b)
    #1 0x7fb93ba7be6c  (/usr/lib/x86_64-linux-gnu/libgme.so.0+0x8e6c)
    #2 0x7fb93ba7bc89  (/usr/lib/x86_64-linux-gnu/libgme.so.0+0x8c89)
    #3 0x7fb93ba9f231  (/usr/lib/x86_64-linux-gnu/libgme.so.0+0x2c231)
    #4 0x7fb93ba9f5f2  (/usr/lib/x86_64-linux-gnu/libgme.so.0+0x2c5f2)
    #5 0x7fb93ba7f94d  (/usr/lib/x86_64-linux-gnu/libgme.so.0+0xc94d)
    #6 0x7fb93ba7eb7b in gme_load_data (/usr/lib/x86_64-linux-gnu/libgme.so.0+0xbb7b)
    #7 0x7fb93ba7ec33 in gme_open_data (/usr/lib/x86_64-linux-gnu/libgme.so.0+0xbc33)
    #8 0x7fb93f2be581  (/usr/lib/x86_64-linux-gnu/libavformat.so.57+0xbc581)
    #9 0x7fb93f3ad16f in avformat_open_input (/usr/lib/x86_64-linux-gnu/libavformat.so.57+0x1ab16f)
    #10 0x7fb93f8ece71 in EXTRACTOR_previewopus_extract_method (/usr/lib/x86_64-linux-gnu/libextractor/libextractor_previewopus.so+0x4e71)
    #11 0x7fb94e39b09c  (/usr/lib/x86_64-linux-gnu/libextractor.so.3+0x3209c)
    #12 0x7fb94e39c5d3 in EXTRACTOR_extract (/usr/lib/x86_64-linux-gnu/libextractor.so.3+0x335d3)
    #13 0x403892  (/usr/bin/extract+0x403892)
    #14 0x7fb94d0be560 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20560)
    #15 0x404ce9  (/usr/bin/extract+0x404ce9)

0x61600000789e is located 30 bytes inside of 482-byte region [0x616000007880,0x616000007a62)
allocated by thread T0 here:
    #0 0x7fb94e6a6758 in __interceptor_posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xda758)
    #1 0x7fb93f68c782 in av_malloc (/usr/lib/x86_64-linux-gnu/libavutil.so.55+0x31782)

SUMMARY: AddressSanitizer: negative-size-param (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x7679b) 
==22470==ABORTING
root@sid:~#

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Bertrand Marc <bmarc@debian.org>:
Bug#883528; Package src:libextractor. (Mon, 04 Dec 2017 21:00:05 GMT) (full text, mbox, link).


Acknowledgement sent to Markus Koschany <apo@debian.org>:
Extra info received and forwarded to list. Copy sent to Bertrand Marc <bmarc@debian.org>. (Mon, 04 Dec 2017 21:00:05 GMT) (full text, mbox, link).


Message #25 received at 883528@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 883528@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#883528: libextractor: CVE-2017-15600 and CVE-2017-15602 are not completely fixed
Date: Mon, 4 Dec 2017 21:56:27 +0100
[Message part 1 (text/plain, inline)]
Am 04.12.2017 um 20:53 schrieb Salvatore Bonaccorso:
> Hi
> 
> On Mon, Dec 04, 2017 at 08:27:13PM +0100, Salvatore Bonaccorso wrote:
>> Hi Markus,
>>
>> On Mon, Dec 04, 2017 at 08:13:38PM +0100, Markus Koschany wrote:
>>> Package: src:libextractor
>>> Version: 1:1.6-1
>>> Severity: important
>>> Tags: security
>>>
>>> Hi,
>>>
>>> while I was working on the security update for Wheezy I discovered
>>> that libextractor in Buster/Sid is still vulnerable to CVE-2017-15600
>>> and CVE-2017-15602. I could reproduce two segmentation faults with the
>>> provided POCs. They are attached to the upstream bug report:
>>>
>>> http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00004.html
>>> http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00005.html
>>>
>>> Just run "extract -i $POC"
>>>
>>> I'm attaching my gdb log files to this bug report.
>>
>> Since the issues happen in different places from the original reports,
>> can you request two new CVEs for those issues?
>>
>> So for tracking purposes these are two new raised issues, different
>> from CVE-2017-15600 and CVE-2017-15602 and would possibly require two
>> new ones. Can you as well report it to upstream in case Bertrand
>> cannot chime in?
>>
>> In case not let me know, and I can take care of it tomorrow.
> 
> Interestingly the issues you describe do not seem triggerable with a
> fresh build of 1.6 in sid (with --enable-shared=no,
> --enable-static=yes with -O0).
> 
> sid:~/libextractor-1.6# ./src/main/extract -i ~/1338044
> Keywords for file /root/1338044:
> sid:~/libextractor-1.6# ./src/main/extract -i ~/bin_6iRW3tXve.bin
> Keywords for file /root/bin_6iRW3tXve.bin:
> sid:~/libextractor-1.6#
> 
> and neither with current HEAD (6c70420641fc1d081bcecf323671ca169b13a129).
> 
> It is though with the Debian package (re)build. What is different?

I can still reproduce it when I rebuild the package. If you disable
optimization with -O0 some compiler behaviors will change. I don't know
the details but what is undefined behavior with -O2 is somehow OK with
-O0. I just wanted to forward this upstream but if you say that it is
not reproducible with upstream HEAD, it's probably pointless.

Maybe we should wait for the next release which will also fix
CVE-2017-15922 or Bertrand could package the latest Git snapshot? Shall
I remove the fixed versions for both CVE in the security tracker?

Regards,

Markus


[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Bertrand Marc <bmarc@debian.org>:
Bug#883528; Package src:libextractor. (Mon, 04 Dec 2017 21:21:02 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Bertrand Marc <bmarc@debian.org>. (Mon, 04 Dec 2017 21:21:03 GMT) (full text, mbox, link).


Message #30 received at 883528@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Markus Koschany <apo@debian.org>, 883528@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#883528: libextractor: CVE-2017-15600 and CVE-2017-15602 are not completely fixed
Date: Mon, 4 Dec 2017 22:17:09 +0100
Hi Markus,

On Mon, Dec 04, 2017 at 09:56:27PM +0100, Markus Koschany wrote:
> Am 04.12.2017 um 20:53 schrieb Salvatore Bonaccorso:
> > Hi
> > 
> > On Mon, Dec 04, 2017 at 08:27:13PM +0100, Salvatore Bonaccorso wrote:
> >> Hi Markus,
> >>
> >> On Mon, Dec 04, 2017 at 08:13:38PM +0100, Markus Koschany wrote:
> >>> Package: src:libextractor
> >>> Version: 1:1.6-1
> >>> Severity: important
> >>> Tags: security
> >>>
> >>> Hi,
> >>>
> >>> while I was working on the security update for Wheezy I discovered
> >>> that libextractor in Buster/Sid is still vulnerable to CVE-2017-15600
> >>> and CVE-2017-15602. I could reproduce two segmentation faults with the
> >>> provided POCs. They are attached to the upstream bug report:
> >>>
> >>> http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00004.html
> >>> http://lists.gnu.org/archive/html/bug-libextractor/2017-10/msg00005.html
> >>>
> >>> Just run "extract -i $POC"
> >>>
> >>> I'm attaching my gdb log files to this bug report.
> >>
> >> Since the issues happen in different places from the original reports,
> >> can you request two new CVEs for those issues?
> >>
> >> So for tracking purposes these are two new raised issues, different
> >> from CVE-2017-15600 and CVE-2017-15602 and would possibly require two
> >> new ones. Can you as well report it to upstream in case Bertrand
> >> cannot chime in?
> >>
> >> In case not let me know, and I can take care of it tomorrow.
> > 
> > Interestingly the issues you describe do not seem triggerable with a
> > fresh build of 1.6 in sid (with --enable-shared=no,
> > --enable-static=yes with -O0).
> > 
> > sid:~/libextractor-1.6# ./src/main/extract -i ~/1338044
> > Keywords for file /root/1338044:
> > sid:~/libextractor-1.6# ./src/main/extract -i ~/bin_6iRW3tXve.bin
> > Keywords for file /root/bin_6iRW3tXve.bin:
> > sid:~/libextractor-1.6#
> > 
> > and neither with current HEAD (6c70420641fc1d081bcecf323671ca169b13a129).
> > 
> > It is though with the Debian package (re)build. What is different?
> 
> I can still reproduce it when I rebuild the package. If you disable
> optimization with -O0 some compiler behaviors will change. I don't know
> the details but what is undefined behavior with -O2 is somehow OK with
> -O0. I just wanted to forward this upstream but if you say that it is
> not reproducible with upstream HEAD, it's probably pointless.

Well, need to further properly investigate that. It was just a quick
ASAN build of the current head. From my reply in
https://bugs.debian.org/883528#20 it might actually be that the second
issue is not an upstream one but. Please note that I mistyped the
CVEs.

> Maybe we should wait for the next release which will also fix
> CVE-2017-15922 or Bertrand could package the latest Git snapshot?

Yes, for CVE-2017-15922 either works, cherry-pick the commit, wait for
the new upstream release or package the latest git snapshot.

> Shall
> I remove the fixed versions for both CVE in the security tracker?

Please don't. The first issue is actually a different one (happening
with the same reproducer as for CVE-2017-15600, but in a different place,
unless I'm completely mistaken). So CVE-2017-15600 should be kept
associated with the 38e8933539ee9d044057b18a971c2eae3c21aba7 commit
and your finding tracked as a separate issue.

For the issue reproduced with the CVE-2017-15602-reproducing file:
after being fixed with ffab889c1710c7646af9ed360c796a2a0a619efc, it
triggers a new issue, which is possibly in libgme or
libavformat.so/ffmpeg. So I'm still not sure whether the uncovered issue
is in src:libextractor.

See the ASAN traces from https://bugs.debian.org/883528#20

Thanks for your work on the libextractor update and triaging.

Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Bertrand Marc <bmarc@debian.org>:
Bug#883528; Package src:libextractor. (Wed, 06 Dec 2017 14:57:05 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Bertrand Marc <bmarc@debian.org>. (Wed, 06 Dec 2017 14:57:05 GMT) (full text, mbox, link).


Message #35 received at 883528@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 883528@bugs.debian.org
Cc: Markus Koschany <apo@debian.org>, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#883528: libextractor: CVE-2017-15600 and CVE-2017-15602 are not completely fixed
Date: Wed, 6 Dec 2017 15:52:57 +0100
[Message part 1 (text/plain, inline)]
Control: clone -1 -2
Control: retitle -1 libextractor: various null pointer dereferences in GIF, IT, NSFE, S3M, SID and XM plugins
Control: tags -1 + upstream fixed-upstream
Control: retitle -2 libextractor: extractor segfault (AddressSanitizer: negative-size-param: (size=-8)), issue in game-music-emu?

Hello Markus

So here are the results

The first issue is fixed in HEAD already, different from
CVE-2017-15600 and the fixing commit is

https://gnunet.org/git/libextractor.git/commit/?id=7cc63b001ceaf81143795321379c835486d0c92e

The issue this time lies in EXTRACTOR_xm_extract_method with the reproducer
file, but the commit fixes several similar issues in other plugins.

# ./src/main/extract -i ~/poc-1.crash
Keywords for file /root/poc-1.crash:
ASAN:DEADLYSIGNAL
=================================================================
==31921==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f91b5d1c761 bp 0x7ffca14b9fb0 sp 0x7ffca14b9708 T0)
==31921==The signal is caused by a READ memory access.
==31921==Hint: address points to the zero page.
    #0 0x7f91b5d1c760  (/lib/x86_64-linux-gnu/libc.so.6+0x14b760)
    #1 0x7f91b645865b  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xab65b)
    #2 0x7f91a8da2d80 in EXTRACTOR_xm_extract_method /root/libextractor/src/plugins/xm_extractor.c:80
    #3 0x7f91b61983e7 in do_extract /root/libextractor/src/main/extractor.c:583
    #4 0x7f91b6198824 in EXTRACTOR_extract /root/libextractor/src/main/extractor.c:662
    #5 0x55edee351d69 in main /root/libextractor/src/main/extract.c:983
    #6 0x7f91b5bf1560 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20560)
    #7 0x55edee34ebe9 in _start (/root/libextractor/src/main/.libs/extract+0x3be9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0x14b760)
==31921==ABORTING

here is the bisect log:

# broken: [bc2a59d25b35b0e88dab8895cf70b4d18d2844fc] release v1.6
git bisect broken bc2a59d25b35b0e88dab8895cf70b4d18d2844fc
# fixed: [6c70420641fc1d081bcecf323671ca169b13a129] fix misc NULL pointer exceptions
git bisect fixed 6c70420641fc1d081bcecf323671ca169b13a129
# broken: [d4d488b0e5ab13dda241d688d87a07816368f117] detect integer overflow in DVI extractor
git bisect broken d4d488b0e5ab13dda241d688d87a07816368f117
# fixed: [7cc63b001ceaf81143795321379c835486d0c92e] fix misc NULL pointer exceptions
git bisect fixed 7cc63b001ceaf81143795321379c835486d0c92e
# first fixed commit: [7cc63b001ceaf81143795321379c835486d0c92e] fix misc NULL pointer exceptions

The commit fixes several NULL pointer issues in plugins, one of those
is the XM plugin causing the issue. MITRE might want to assign here
individual CVEs or only one for the whole commit. I will ask.

But these are basically the ones reported in

https://lists.gnu.org/archive/html/bug-libextractor/2017-11/msg00004.html
https://lists.gnu.org/archive/html/bug-libextractor/2017-11/msg00002.html
https://lists.gnu.org/archive/html/bug-libextractor/2017-11/msg00001.html
https://lists.gnu.org/archive/html/bug-libextractor/2017-11/msg00000.html

and as well reported as fixed in

https://lists.gnu.org/archive/html/bug-libextractor/2017-11/msg00005.html

The second issue is still present in master
(6c70420641fc1d081bcecf323671ca169b13a129) but I'm again not sure this is
actually an issue in libextractor. This might need to be clarified with
upstream, who have more insight. Issue in game-music-emu? The ASAN trace:

# ./src/main/extract -i ~/poc-2.crash
Keywords for file /root/poc-2.crash:
=================================================================
==10520==ERROR: AddressSanitizer: negative-size-param: (size=-8)
    #0 0x7f658a1e879b  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x7679b)
    #1 0x7f6578af2e6c  (/usr/lib/x86_64-linux-gnu/libgme.so.0+0x8e6c)
    #2 0x7f6578af2c89  (/usr/lib/x86_64-linux-gnu/libgme.so.0+0x8c89)
    #3 0x7f6578b16231  (/usr/lib/x86_64-linux-gnu/libgme.so.0+0x2c231)
    #4 0x7f6578b165f2  (/usr/lib/x86_64-linux-gnu/libgme.so.0+0x2c5f2)
    #5 0x7f6578af694d  (/usr/lib/x86_64-linux-gnu/libgme.so.0+0xc94d)
    #6 0x7f6578af5b7b in gme_load_data (/usr/lib/x86_64-linux-gnu/libgme.so.0+0xbb7b)
    #7 0x7f6578af5c33 in gme_open_data (/usr/lib/x86_64-linux-gnu/libgme.so.0+0xbc33)
    #8 0x7f657c335581  (/usr/lib/x86_64-linux-gnu/libavformat.so.57+0xbc581)
    #9 0x7f657c42416f in avformat_open_input (/usr/lib/x86_64-linux-gnu/libavformat.so.57+0x1ab16f)
    #10 0x7f657c963420 in extract_audio /root/libextractor/src/plugins/previewopus_extractor.c:893
    #11 0x7f657c964441 in EXTRACTOR_previewopus_extract_method /root/libextractor/src/plugins/previewopus_extractor.c:1159
    #12 0x7f6589f5d3e7 in do_extract /root/libextractor/src/main/extractor.c:583
    #13 0x7f6589f5d824 in EXTRACTOR_extract /root/libextractor/src/main/extractor.c:662
    #14 0x55c628ff7d69 in main /root/libextractor/src/main/extract.c:983
    #15 0x7f65899b6560 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20560)
    #16 0x55c628ff4be9 in _start (/root/libextractor/src/main/.libs/extract+0x3be9)

0x616000007b9e is located 30 bytes inside of 482-byte region [0x616000007b80,0x616000007d62)
allocated by thread T0 here:
    #0 0x7f658a24c758 in __interceptor_posix_memalign (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xda758)
    #1 0x7f657c703782 in av_malloc (/usr/lib/x86_64-linux-gnu/libavutil.so.55+0x31782)

SUMMARY: AddressSanitizer: negative-size-param (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x7679b)
==10520==ABORTING

When building you need to specify --with-plugindirname, if not installed,
otherwise the plugins cannot be loaded when running the test.

Attaching the two reproducing files.

Regards,
Salvatore
[poc-1.crash (application/octet-stream, attachment)]
[poc-2.crash (application/octet-stream, attachment)]
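The message above pins the first issue to EXTRACTOR_xm_extract_method at xm_extractor.c:80, where ASAN reported a null pointer being passed to a function declared never to take one. The following is an added example, not code from this thread or from libextractor: a small model of the plugin read-callback pattern in which a fixed-size header is fetched through a callback and then inspected. The struct layout, the callback contract (return -1 on failure and leave the output pointer untouched), the sample inputs and the function names are all constructed; that the real bug has exactly this signed/unsigned shape is an assumption, chosen because it produces the same symptom (a NULL header reaching memcmp). The unsafe and the hardened version sit side by side.

```c
/* Added example (not libextractor's code): a minimal model of the plugin
 * read-callback pattern behind the NULL-pointer dereferences discussed above.
 * Struct layout, callback interface and sample inputs are constructed. */
#include <stddef.h>
#include <string.h>
#include <sys/types.h>

#define XM_MAGIC     "Extended Module: "
#define XM_MAGIC_LEN 17
#define XM_TITLE_LEN 20

/* Constructed header: magic id followed by a fixed-width title. */
struct xm_header {
    char magicid[XM_MAGIC_LEN];
    char title[XM_TITLE_LEN];
};

/* Constructed callback contract (an assumption, modelled on the plugin API): on
 * success point *data at `size` bytes and return the byte count; on failure
 * return -1 and leave *data untouched. */
typedef ssize_t (*read_fn)(void *cls, void **data, size_t size);
struct ctx { void *cls; read_fn read; };

/* In-memory reader used as the callback; the buffer may be shorter than the header. */
struct membuf { const unsigned char *buf; size_t len; };

static ssize_t mem_read(void *cls, void **data, size_t size) {
    struct membuf *m = cls;
    if (m->len < size)
        return -1;                 /* short input: error, *data untouched */
    *data = (void *)m->buf;
    return (ssize_t)size;
}

/* Unsafe pattern: sizeof() is size_t, so the -1 error return is converted to
 * SIZE_MAX, the "too short" test is false, and the code goes on with head == NULL.
 * A truncated input therefore dereferences NULL inside memcmp(); only call this
 * with complete input. */
int extract_xm_unsafe(struct ctx *ec, char *title_out) {
    struct xm_header *head;
    void *data = NULL;
    if (sizeof(struct xm_header) > ec->read(ec->cls, &data, sizeof(struct xm_header)))
        return 0;
    head = data;                                            /* NULL after a failed read */
    if (0 != memcmp(head->magicid, XM_MAGIC, XM_MAGIC_LEN)) /* NULL dereference here */
        return 0;
    memcpy(title_out, head->title, XM_TITLE_LEN);
    title_out[XM_TITLE_LEN] = '\0';
    return 1;
}

/* Hardened pattern: keep the return value in a signed variable, reject negative
 * and short reads explicitly, and never touch a NULL buffer. */
int extract_xm_safe(struct ctx *ec, char *title_out) {
    struct xm_header *head;
    void *data = NULL;
    ssize_t got = ec->read(ec->cls, &data, sizeof(struct xm_header));
    if (got < 0 || (size_t)got < sizeof(struct xm_header) || NULL == data)
        return 0;                                           /* bail out, no dereference */
    head = data;
    if (0 != memcmp(head->magicid, XM_MAGIC, XM_MAGIC_LEN))
        return 0;
    memcpy(title_out, head->title, XM_TITLE_LEN);
    title_out[XM_TITLE_LEN] = '\0';
    return 1;
}

/* Constructed sample inputs: a complete header, a wrong magic id, a truncated one. */
static const unsigned char good_xm[]      = "Extended Module: demo-song.xm        ";
static const unsigned char bad_magic_xm[] = "Not a module:    demo-song.xm        ";
static const unsigned char truncated_xm[] = "Extended Mod";

/* Scratch buffer for the extracted title (XM_TITLE_LEN + NUL). */
char title_buf[XM_TITLE_LEN + 1];

/* Run one of the extractors over an in-memory buffer; returns 1 if a title was found. */
int run_safe(const unsigned char *buf, size_t len, char *title_out) {
    struct membuf m = { buf, len };
    struct ctx ec = { &m, mem_read };
    return extract_xm_safe(&ec, title_out);
}
int run_unsafe(const unsigned char *buf, size_t len, char *title_out) {
    struct membuf m = { buf, len };
    struct ctx ec = { &m, mem_read };
    return extract_xm_unsafe(&ec, title_out);
}

int main(void) {
    int ok  = run_safe(good_xm, sizeof good_xm - 1, title_buf);           /* 1: title extracted */
    int trn = run_safe(truncated_xm, sizeof truncated_xm - 1, title_buf); /* 0: rejected safely */
    int bad = run_safe(bad_magic_xm, sizeof bad_magic_xm - 1, title_buf); /* 0: wrong magic */
    /* run_unsafe(truncated_xm, ...) would crash with SIGSEGV, as in the ASAN traces above. */
    return (ok == 1 && trn == 0 && bad == 0) ? 0 : 1;
}
```

In this model `data` is initialised to NULL so the failure is deterministic; with an uninitialised pointer the behaviour is undefined and can vary with optimisation level, which is consistent with the -O0/-O2 difference discussed earlier in the thread. Compiling the model with `-fsanitize=address,undefined` and running the unsafe variant on the truncated input reproduces the "null pointer passed as argument 1" diagnostic shape shown in message #20.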

Bug 883528 cloned as bug 883691 Request was from Salvatore Bonaccorso <carnil@debian.org> to 883528-submit@bugs.debian.org. (Wed, 06 Dec 2017 14:57:05 GMT) (full text, mbox, link).


Changed Bug title to 'libextractor: various null pointer dereferences in GIF, IT, NSFE, S3M, SID and XM plugins' from 'libextractor: CVE-2017-15600 and CVE-2017-15602 are not completely fixed'. Request was from Salvatore Bonaccorso <carnil@debian.org> to 883528-submit@bugs.debian.org. (Wed, 06 Dec 2017 14:57:06 GMT) (full text, mbox, link).


Added tag(s) fixed-upstream and upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to 883528-submit@bugs.debian.org. (Wed, 06 Dec 2017 14:57:07 GMT) (full text, mbox, link).


Changed Bug title to 'libextractor: CVE-2017-17440: various null pointer dereferences in GIF, IT, NSFE, S3M, SID and XM plugins' from 'libextractor: various null pointer dereferences in GIF, IT, NSFE, S3M, SID and XM plugins'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 06 Dec 2017 18:30:16 GMT) (full text, mbox, link).


Reply sent to Bertrand Marc <bmarc@debian.org>:
You have taken responsibility. (Thu, 28 Dec 2017 17:36:06 GMT) (full text, mbox, link).


Notification sent to Markus Koschany <apo@debian.org>:
Bug acknowledged by developer. (Thu, 28 Dec 2017 17:36:06 GMT) (full text, mbox, link).


Message #48 received at 883528-close@bugs.debian.org (full text, mbox, reply):

From: Bertrand Marc <bmarc@debian.org>
To: 883528-close@bugs.debian.org
Subject: Bug#883528: fixed in libextractor 1:1.6-2
Date: Thu, 28 Dec 2017 17:34:40 +0000
Source: libextractor
Source-Version: 1:1.6-2

We believe that the bug you reported is fixed in the latest version of
libextractor, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 883528@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bertrand Marc <bmarc@debian.org> (supplier of updated libextractor package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 28 Dec 2017 18:10:52 +0100
Source: libextractor
Binary: libextractor3 libextractor-dev extract
Architecture: source amd64
Version: 1:1.6-2
Distribution: unstable
Urgency: medium
Maintainer: Bertrand Marc <bmarc@debian.org>
Changed-By: Bertrand Marc <bmarc@debian.org>
Description:
 extract    - displays meta-data from files of arbitrary type
 libextractor-dev - extracts meta-data from files of arbitrary type (development)
 libextractor3 - extracts meta-data from files of arbitrary type (library)
Closes: 880016 883528
Changes:
 libextractor (1:1.6-2) unstable; urgency=medium
 .
   * Add patches from upstream to fix CVE-2017-15922 (Closes: #880016) and
     CVE-2017-17440 (Closes: #883528).
   * Standards-version: 4.1.3.
Checksums-Sha1:
 75d2b2c0b263e92ba2d06e1070a059e63b814833 2477 libextractor_1.6-2.dsc
 64a705f36d568ba72471fdd06f78e5b68d703544 17632 libextractor_1.6-2.debian.tar.xz
 0aa5775c7c9d85c86f9044df30546a50bc8bd11d 23720 extract-dbgsym_1.6-2_amd64.deb
 5effe57533221ad2bc4e3e48b80465fd118024c3 105120 extract_1.6-2_amd64.deb
 c7b0dc72bdd48cd049368c9871a460926e71dd1b 26792 libextractor-dev_1.6-2_amd64.deb
 535c70e978d13be87bd44bdd89c23fbed93f42c7 519632 libextractor3-dbgsym_1.6-2_amd64.deb
 9faf60d74a21ce428bfa59339fca4a488a70c7ba 112804 libextractor3_1.6-2_amd64.deb
 d55b22934388dc11ea05e6d09733360d9f0429d2 18366 libextractor_1.6-2_amd64.buildinfo
Checksums-Sha256:
 c540bb7b59f5f9785a5d22363715f13e454a5fe991bf5cd38f9107b078ed26fa 2477 libextractor_1.6-2.dsc
 57c4c6b29962f006114182e5d8c9c12a25534c286781117216a0cbb0e8e19649 17632 libextractor_1.6-2.debian.tar.xz
 b35286b42ed91660a8d1c6321ccfa5cae5ceaebb113f02078c11a6b3b29c3fa3 23720 extract-dbgsym_1.6-2_amd64.deb
 ad008edd97dbacb656e6d7f0b542e6d43bb57e338ffdcc20ed186601b5b263e9 105120 extract_1.6-2_amd64.deb
 94ef20994ebaefe381427a7711adbefc9939f7a412178b9e71cf01a8385a868c 26792 libextractor-dev_1.6-2_amd64.deb
 9050bfdea5ce8588abca6d730340c8d2d97550b6578b23aab918d62281efd99d 519632 libextractor3-dbgsym_1.6-2_amd64.deb
 93f1f90b6cffe4ec8a75b2e7534b24d9e0ba148c16a3390acbd662c1cd7ef9c2 112804 libextractor3_1.6-2_amd64.deb
 1dbafc3228bb7f245c41d876a107a05bcf64ea35f9ae501b69ca109dbd416078 18366 libextractor_1.6-2_amd64.buildinfo
Files:
 10dbf42d18bdb3f437b44b22b858b38c 2477 libs optional libextractor_1.6-2.dsc
 275097e35933afceeb30f7893685f8d2 17632 libs optional libextractor_1.6-2.debian.tar.xz
 332de9a904dd170b204aeade1468a8b9 23720 debug optional extract-dbgsym_1.6-2_amd64.deb
 19647747868070987e317f42242f346d 105120 utils optional extract_1.6-2_amd64.deb
 5abc9d7048ec3cca8bb3fe226af244a6 26792 libdevel optional libextractor-dev_1.6-2_amd64.deb
 f2a644c04714458193885371996a3808 519632 debug optional libextractor3-dbgsym_1.6-2_amd64.deb
 b007f5b1d1a4ed2c1e39bfa518c77d2d 112804 libs optional libextractor3_1.6-2_amd64.deb
 c0134ba759b4e6cecc04e4514b839a68 18366 libs optional libextractor_1.6-2_amd64.buildinfo





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 31 Jan 2018 07:29:45 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:41:30 2019; Machine Name: beach
