dbry / WavPack

WavPack encode/decode library, command-line programs, and several plugins

unpack_samples crash on unicode branch

mark4o opened this issue · comments

With the fix for #8 there is a new crash in unpack_samples on some invalid files:

Invalid write of size 4
   at 0x10004593C: unpack_samples (unpack.c:111)
   by 0x10004BEEC: WavpackUnpackSamples (unpack_utils.c:246)
   by 0x10000363A: unpack_file (wvunpack.c:1652)
   by 0x1000023DE: main (wvunpack.c:523)
 Address 0x100a670e0 is 0 bytes after a block of size 21,392 alloc'd
   at 0x100015EBB: malloc (vg_replace_malloc.c:303)
   by 0x10004BBF0: WavpackUnpackSamples (unpack_utils.c:172)
   by 0x10000363A: unpack_file (wvunpack.c:1652)
   by 0x1000023DE: main (wvunpack.c:523)

Invalid read of size 2
   at 0x1000375F7: get_word (read_words.c:123)
   by 0x100045926: unpack_samples (unpack.c:111)
   by 0x10004BEEC: WavpackUnpackSamples (unpack_utils.c:246)
   by 0x10000363A: unpack_file (wvunpack.c:1652)
   by 0x1000023DE: main (wvunpack.c:523)
 Address 0x10179dcc07ffffff is not stack'd, malloc'd or (recently) free'd

The crash can be reproduced on the unicode branch (b258e05) with the command wvunpack in.wv -o out.wav using the following test case (1496 bytes, base64-encoded):

d3Zwa+QCAAAQBDAwMDAwMDDqAAAwMAAABQ8wBTAwMDACAVdWMAEwMDACMDAwMA0DMDAAMDAwijABADAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMHd2cGvkAgAAEAQwMDAwMAAwnwAAMIAAAD4wMDAwMDAwAgFXVjABMAAwAjAwMDAFAzD6MAcwMIowAQAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDA=

Also the unpacking may now produce uninitialized data. For example, uninitialized data is written to stdout when unpacking the test case from #8 with wvunpack in.wv -o -:

Syscall param write(buf) points to uninitialised byte(s)
   at 0x10042E97A: write$NOCANCEL (in /usr/lib/system/libsystem_kernel.dylib)
   by 0x100328844: _swrite (in /usr/lib/system/libsystem_c.dylib)
   by 0x1003212FE: __sflush (in /usr/lib/system/libsystem_c.dylib)
   by 0x100323BC7: __sfvwrite (in /usr/lib/system/libsystem_c.dylib)
   by 0x100323F02: fwrite (in /usr/lib/system/libsystem_c.dylib)
   by 0x100007F19: DoWriteFile (utils.c:637)
   by 0x100003707: unpack_file (wvunpack.c:1021)
   by 0x1000023DE: main (wvunpack.c:523)
 Address 0x10099c6ba is 74 bytes inside a block of size 4,096 alloc'd
   at 0x100015EBB: malloc (vg_replace_malloc.c:303)
   by 0x10032468E: __smakebuf (in /usr/lib/system/libsystem_c.dylib)
   by 0x1003391DF: __swsetup (in /usr/lib/system/libsystem_c.dylib)
   by 0x100323928: __sfvwrite (in /usr/lib/system/libsystem_c.dylib)
   by 0x100323F02: fwrite (in /usr/lib/system/libsystem_c.dylib)
   by 0x100007F19: DoWriteFile (utils.c:637)
   by 0x100006EC2: write_riff_header (wvunpack.c:1616)
   by 0x10000351A: unpack_file (wvunpack.c:1907)
   by 0x1000023DE: main (wvunpack.c:523)
 Uninitialised value was created by a heap allocation
   at 0x100015EBB: malloc (vg_replace_malloc.c:303)
   by 0x100003574: unpack_file (wvunpack.c:1908)
   by 0x1000023DE: main (wvunpack.c:523)

When repacking, the uninitialized data is consumed and processed by the packing code.

Thanks for reporting! Both issues should now be fixed in the unicode branch.
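The report above covers three classes of memory defect: a heap write past the end of the sample buffer in unpack_samples, a bit-stream read past the end of the input in get_word, and output produced from heap memory that was never written. The C below is an added illustration of the defensive pattern that closes all three, written for this page; it is not WavPack's code and does not show how the unicode-branch fix was implemented. The bounded bit-stream reader, the 16-bit little-endian sample layout, the function names and the six-byte input block are all constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical bounded bit-stream reader (not WavPack's get_word). It carries
 * an explicit end pointer, so a read past the input sets `overrun` instead of
 * touching memory outside the buffer. */
typedef struct {
    const uint8_t *ptr;
    const uint8_t *end;
    uint32_t bit_buf;   /* pending bits, least-significant first */
    int bits;           /* number of valid bits in bit_buf */
    int overrun;        /* set once a read was attempted past `end` */
} bitstream_t;

static void bs_init(bitstream_t *bs, const uint8_t *data, size_t len)
{
    bs->ptr = data;
    bs->end = data + len;
    bs->bit_buf = 0;
    bs->bits = 0;
    bs->overrun = 0;
}

/* Read `nbits` (1..24) bits; returns 0 and flags overrun when input is exhausted. */
static uint32_t bs_get_bits(bitstream_t *bs, int nbits)
{
    while (bs->bits < nbits) {
        if (bs->ptr >= bs->end) {
            bs->overrun = 1;
            return 0;
        }
        bs->bit_buf |= (uint32_t)*bs->ptr++ << bs->bits;
        bs->bits += 8;
    }
    uint32_t v = bs->bit_buf & ((1u << nbits) - 1);
    bs->bit_buf >>= nbits;
    bs->bits -= nbits;
    return v;
}

/* Unpack up to `requested` 16-bit little-endian samples into `out`, which the
 * caller allocated for `capacity` samples. The three guards correspond to the
 * three Valgrind findings in the report:
 *   1. the sample count is clamped to `capacity`, so no write lands past the
 *      allocation;
 *   2. all reads go through the bounded bit stream, so a short block stops
 *      decoding instead of reading past the input;
 *   3. the whole output buffer is zeroed first, so any sample the input could
 *      not supply is silence rather than uninitialized heap memory.
 * Returns the number of samples actually decoded from the input. */
size_t unpack_samples_bounded(const uint8_t *data, size_t len,
                              int32_t *out, size_t capacity, size_t requested)
{
    size_t limit = requested < capacity ? requested : capacity;
    size_t produced = 0;
    bitstream_t bs;

    memset(out, 0, capacity * sizeof *out);
    bs_init(&bs, data, len);

    while (produced < limit) {
        uint32_t raw = bs_get_bits(&bs, 16);
        if (bs.overrun)
            break;
        /* portable sign extension of a 16-bit two's-complement value */
        out[produced++] = (raw & 0x8000u) ? (int32_t)raw - 0x10000 : (int32_t)raw;
    }
    return produced;
}

/* Constructed 6-byte block holding three samples: 1, -1, -32768. */
static const uint8_t DEMO_BLOCK[] = { 0x01, 0x00, 0xFF, 0xFF, 0x00, 0x80 };

/* Exercises both failure modes on the constructed block; returns 1 if every
 * guard behaved as described above, 0 otherwise. */
int demo_checks(void)
{
    int32_t out[8];

    /* header claims 10 samples but the caller only allocated 2: clamp */
    size_t n = unpack_samples_bounded(DEMO_BLOCK, sizeof DEMO_BLOCK, out, 2, 10);
    if (n != 2 || out[0] != 1 || out[1] != -1)
        return 0;

    /* block is shorter than the requested 8 samples: stop and zero-fill */
    n = unpack_samples_bounded(DEMO_BLOCK, sizeof DEMO_BLOCK, out, 8, 8);
    if (n != 3 || out[2] != -32768)
        return 0;
    for (size_t i = n; i < 8; i++)
        if (out[i] != 0)
            return 0;
    return 1;
}

int main(void)
{
    printf("guards %s\n", demo_checks() ? "hold" : "FAILED");
    return 0;
}
```

The return value matters as much as the guards: a caller such as a WAV writer should emit only the samples the decoder reports as produced (or treat a short count as a corrupt block) rather than trusting the sample count announced in the file header, which is exactly what an invalid file can lie about.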