Division by zero at sox/src/wav.c:950 #3503

Closed
hkctkuy opened this issue Jul 27, 2023 · 1 comment

hkctkuy commented Jul 27, 2023

🐛 Describe the bug

Hi, I've been fuzzing the torchaudio project with sydr-fuzz and found a crash at sox/src/wav.c:950.

I think that the division by zero occurs because at sox/src/wav.c:584 it reads 0 into wChannels from ft, which is then assigned to ft->signal.channels at sox/src/wav.c:711, after which there is a division by it on the crash line.

How to reproduce

1. Build docker from here and run the container:

```
sudo docker build -t oss-sydr-fuzz-torchaudio .
sudo docker run --privileged --rm -v `pwd`:/fuzz -it oss-sydr-fuzz-torchaudio /bin/bash
```

2. Run the target on this input: crash-7d0b3a440914dc56e17a0e5a48fc8ae6b1186d07

```
UBSAN_OPTIONS=print_stacktrace=1,report_error_type=1 /load_audio_fuzz crash-7d0b3a440914dc56e17a0e5a48fc8ae6b1186d07
```

3. You will see the following output:

```
/audio/build/third_party/sox/src/sox/src/wav.c:950:80: runtime error: division by zero
    #0 0x144e5278 in startread /audio/build/third_party/sox/src/sox/src/wav.c:950:80
    #1 0x14059fa7 in open_read /audio/build/third_party/sox/src/sox/src/formats.c:545:32
    #2 0x1405444b in sox_open_read /audio/build/third_party/sox/src/sox/src/formats.c:585:10
    #3 0x9d0746 in torchaudio::sox::apply_effects_file(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::vector<std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::allocator<std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > > > const&, c10::optional<bool>, c10::optional<bool>, c10::optional<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > const&) /audio/torchaudio/csrc/sox/effects.cpp:94:16
    #4 0x8cca22 in torchaudio::sox::load_audio_file(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, c10::optional<long> const&, c10::optional<long> const&, c10::optional<bool>, c10::optional<bool>, c10::optional<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > const&) /audio/torchaudio/csrc/sox/io.cpp:69:10
    #5 0x8aec6e in LLVMFuzzerTestOneInput /audio/load_audio.cc:35:9
    #6 0x14032ec1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /llvm-project-llvmorg-14.0.6/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #7 0x1401d7ac in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /llvm-project-llvmorg-14.0.6/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #8 0x140238fb in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /llvm-project-llvmorg-14.0.6/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
    #9 0x1401d502 in main /llvm-project-llvmorg-14.0.6/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #10 0x7f8a7f79f082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
    #11 0x7ed8bd in _start (/load_audio_fuzz+0x7ed8bd)

SUMMARY: UndefinedBehaviorSanitizer: integer-divide-by-zero /audio/build/third_party/sox/src/sox/src/wav.c:950:80 in 
AddressSanitizer:DEADLYSIGNAL
=================================================================
==124==ERROR: AddressSanitizer: FPE on unknown address 0x0000144e5289 (pc 0x0000144e5289 bp 0x7ffd6cbcf070 sp 0x7ffd6cbcb860 T0)
    #0 0x144e5289 in startread /audio/build/third_party/sox/src/sox/src/wav.c:950:80
    #1 0x14059fa7 in open_read /audio/build/third_party/sox/src/sox/src/formats.c:545:32
    #2 0x1405444b in sox_open_read /audio/build/third_party/sox/src/sox/src/formats.c:585:10
    #3 0x9d0746 in torchaudio::sox::apply_effects_file(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::vector<std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::allocator<std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > > > const&, c10::optional<bool>, c10::optional<bool>, c10::optional<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > const&) /audio/torchaudio/csrc/sox/effects.cpp:94:16
    #4 0x8cca22 in torchaudio::sox::load_audio_file(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, c10::optional<long> const&, c10::optional<long> const&, c10::optional<bool>, c10::optional<bool>, c10::optional<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > const&) /audio/torchaudio/csrc/sox/io.cpp:69:10
    #5 0x8aec6e in LLVMFuzzerTestOneInput /audio/load_audio.cc:35:9
    #6 0x14032ec1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /llvm-project-llvmorg-14.0.6/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #7 0x1401d7ac in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /llvm-project-llvmorg-14.0.6/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #8 0x140238fb in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /llvm-project-llvmorg-14.0.6/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
    #9 0x1401d502 in main /llvm-project-llvmorg-14.0.6/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #10 0x7f8a7f79f082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
    #11 0x7ed8bd in _start (/load_audio_fuzz+0x7ed8bd)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /audio/build/third_party/sox/src/sox/src/wav.c:950:80 in startread
==124==ABORTING
```

Versions

torchaudio version: 30afaa9
pytorch version: 0f1621df1a0a73956c7ce4e2f72f069e610e0137
sox version: 14.4.2
OS: Ubuntu 20.04
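As an added illustration of the missing check the report describes (this is not code from sox or torchaudio): a hardened reader for the 16-byte body of a WAV "fmt " chunk that validates every field a reader later divides by, so a file carrying wChannels == 0 is rejected before any division. The struct and function names are my own, and the two sample chunks are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical hardened reader (not sox's code) for the 16-byte body of a WAV
 * "fmt " chunk. Every field that later serves as a divisor is validated here,
 * so a chunk with wChannels == 0 never reaches a division. */
struct wav_fmt {
    uint16_t format_tag, channels, block_align, bits_per_sample;
    uint32_t samples_per_sec, avg_bytes_per_sec;
};

/* Little-endian readers; WAV stores all fmt fields little-endian. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 0 on success, -1 if the chunk is short, malformed or inconsistent. */
int parse_wav_fmt(const uint8_t *buf, size_t len, struct wav_fmt *out) {
    if (len < 16) return -1;
    out->format_tag = rd16(buf);
    out->channels = rd16(buf + 2);
    out->samples_per_sec = rd32(buf + 4);
    out->avg_bytes_per_sec = rd32(buf + 8);
    out->block_align = rd16(buf + 12);
    out->bits_per_sample = rd16(buf + 14);
    /* Any field that will be used as a divisor must be non-zero. */
    if (out->channels == 0 || out->bits_per_sample == 0 || out->samples_per_sec == 0)
        return -1;
    if (out->bits_per_sample % 8 != 0) return -1;  /* whole-byte samples only here */
    /* Cross-check: block alignment must equal channels * bytes per sample. */
    if (out->block_align != out->channels * (out->bits_per_sample / 8)) return -1;
    return 0;
}

/* Samples per channel in a data chunk of data_len bytes; -1 if fmt is unusable.
 * The divisor is rebuilt from validated fields, so it cannot be zero. */
long samples_per_channel(const struct wav_fmt *f, uint32_t data_len) {
    uint32_t frame_bytes = (uint32_t)f->channels * (f->bits_per_sample / 8u);
    if (frame_bytes == 0) return -1;
    return (long)(data_len / frame_bytes);
}

/* Constructed sample chunks: 16-bit stereo PCM at 44100 Hz, and one with wChannels = 0. */
const uint8_t good_fmt[16] = { 1,0, 2,0, 0x44,0xAC,0,0, 0x10,0xB1,2,0, 4,0, 16,0 };
const uint8_t zero_channels_fmt[16] = { 1,0, 0,0, 0x44,0xAC,0,0, 0,0,0,0, 0,0, 16,0 };
```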


mthrok commented Jul 28, 2023

#3497 has landed, and now torchaudio links to sox dynamically. We no longer compile the specified code by ourselves and therefore this issue is now irrelevant.

Feel free to fuzz the code under torchaudio/csrc, and report issues there. Thanks.

@mthrok mthrok closed this as completed Jul 28, 2023