Unsigned integer overflow at sox/src/xa.c:164 #3510

Closed
hkctkuy opened this issue Jul 27, 2023 · 2 comments

Comments

hkctkuy commented Jul 27, 2023

🐛 Describe the bug

Hi, I've been fuzzing the torchaudio project with sydr-fuzz and found an error at sox/src/xa.c:164.

I think that the unsigned integer overflow occurs because we get the xa struct as (priv_t *) ft->priv and then use xa->header.align and xa->header.sampleRate without any checks.

How to reproduce

  1. Build the Docker image from here and run the container:

     sudo docker build -t oss-sydr-fuzz-torchaudio .
     sudo docker run --privileged --rm -v `pwd`:/fuzz -it oss-sydr-fuzz-torchaudio /bin/bash

  2. Run the target on this input: sydr_afl_s02-id_001452_sync_afl_main-worker_src_001495_int_overflow_2

     UBSAN_OPTIONS=print_stacktrace=1,report_error_type=1 /load_audio_afl sydr_afl_s02-id_001452_sync_afl_main-worker_src_001495_int_overflow_2

  3. You will see the following output:
/audio/build/third_party/sox/src/sox/src/xa.c:164:53: runtime error: unsigned integer overflow: 65534 * 3221258241 cannot be represented in type 'unsigned int'
    #0 0x191a0b77 in startread /audio/build/third_party/sox/src/sox/src/xa.c:164:53
    #1 0x18e96c57 in open_read /audio/build/third_party/sox/src/sox/src/formats.c:545:32
    #2 0x9374d6 in torchaudio::sox::apply_effects_file(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::vector<std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::allocator<std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > > > const&, c10::optional<bool>, c10::optional<bool>, c10::optional<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > const&) /audio/torchaudio/csrc/sox/effects.cpp:94:16
    #3 0x8f8b33 in torchaudio::sox::load_audio_file(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, c10::optional<long> const&, c10::optional<long> const&, c10::optional<bool>, c10::optional<bool>, c10::optional<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > const&) /audio/torchaudio/csrc/sox/io.cpp:69:10
    #4 0x8f440b in LLVMFuzzerTestOneInput /audio/load_audio.cc:35:9
    #5 0x18e92e7d in ExecuteFilesOnyByOne /AFLplusplus/utils/aflpp_driver/aflpp_driver.c:255:7
    #6 0x18e92c88 in LLVMFuzzerRunDriver /AFLplusplus/utils/aflpp_driver/aflpp_driver.c
    #7 0x18e92848 in main /AFLplusplus/utils/aflpp_driver/aflpp_driver.c:300:10
    #8 0x7f72bfffe082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
    #9 0x833cbd in _start (/load_audio_afl+0x833cbd)

SUMMARY: UndefinedBehaviorSanitizer: unsigned-integer-overflow /audio/build/third_party/sox/src/sox/src/xa.c:164:53 in 
/audio/build/third_party/sox/src/sox/src/remix.c:261:20: runtime error: implicit conversion from type 'int' of value -129 (32-bit, signed) to type 'unsigned int' changed the value to 4294967167 (32-bit, unsigned)
    #0 0x1903816a in lsx_channels_effect_fn /audio/build/third_party/sox/src/sox/src/remix.c:261:20
    #1 0x18eec5cc in sox_find_effect /audio/build/third_party/sox/src/sox/src/effects.c:605:38
    #2 0x94598a in torchaudio::sox::SoxEffectsChain::addInputFile(sox_format_t*) /audio/torchaudio/csrc/sox/effects_chain.cpp:243:33
    #3 0x93774e in torchaudio::sox::apply_effects_file(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::vector<std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::allocator<std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > > > const&, c10::optional<bool>, c10::optional<bool>, c10::optional<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > const&) /audio/torchaudio/csrc/sox/effects.cpp:116:9
    #4 0x8f8b33 in torchaudio::sox::load_audio_file(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, c10::optional<long> const&, c10::optional<long> const&, c10::optional<bool>, c10::optional<bool>, c10::optional<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > const&) /audio/torchaudio/csrc/sox/io.cpp:69:10
    #5 0x8f440b in LLVMFuzzerTestOneInput /audio/load_audio.cc:35:9
    #6 0x18e92e7d in ExecuteFilesOnyByOne /AFLplusplus/utils/aflpp_driver/aflpp_driver.c:255:7
    #7 0x18e92c88 in LLVMFuzzerRunDriver /AFLplusplus/utils/aflpp_driver/aflpp_driver.c
    #8 0x18e92848 in main /AFLplusplus/utils/aflpp_driver/aflpp_driver.c:300:10
    #9 0x7f72bfffe082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
    #10 0x833cbd in _start (/load_audio_afl+0x833cbd)

SUMMARY: UndefinedBehaviorSanitizer: implicit-integer-sign-change /audio/build/third_party/sox/src/sox/src/remix.c:261:20 in 
Execution successful.

Versions

torchaudio version: 30afaa9
pytorch version: 0f1621df1a0a73956c7ce4e2f72f069e610e0137
sox version: 14.4.2
OS: Ubuntu 20.04
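A defensive version of the header-derived multiplication this report describes, as an added example that is not sox's or torchaudio's code: the header struct, the field bounds and the function names are assumptions, while the operand values 65534 and 3221258241 are the ones printed by the sanitizer above.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for the two header fields named in the report.
 * Hypothetical layout; the real sox priv_t / xa header is not reproduced. */
typedef struct {
    uint32_t align;       /* block alignment read from the untrusted file header */
    uint32_t sampleRate;  /* sample rate read from the untrusted file header */
} xa_header_t;

/* Multiply two 32-bit unsigned values without wrapping: returns true and
 * writes *out if the product fits, false if it would overflow. Portable
 * division check, so it does not rely on compiler builtins. */
bool mul_u32_checked(uint32_t a, uint32_t b, uint32_t *out)
{
    if (a != 0 && b > UINT32_MAX / a)
        return false;            /* a * b would exceed 2^32 - 1 */
    *out = a * b;
    return true;
}

/* Validate header fields before deriving a size from them.
 * Returns 0 and writes *size on success, -1 if the header is rejected.
 * The 192000 Hz upper bound is an assumed sanity limit, not a sox value. */
int xa_header_size(const xa_header_t *h, uint32_t *size)
{
    if (h->align == 0 || h->sampleRate == 0)
        return -1;               /* a zero field cannot describe a stream */
    if (h->sampleRate > 192000u)
        return -1;               /* implausible rate: treat as corrupt */
    if (!mul_u32_checked(h->align, h->sampleRate, size))
        return -1;               /* product would wrap, as in the UBSAN report */
    return 0;
}

int main(void)
{
    /* Constructed inputs: the sanitizer's operands, and a plausible header. */
    xa_header_t fuzzed = { 65534u, 3221258241u };
    xa_header_t normal = { 4u, 44100u };
    uint32_t size = 0;
    printf("fuzzed header: %s\n", xa_header_size(&fuzzed, &size) == 0 ? "accepted" : "rejected");
    if (xa_header_size(&normal, &size) == 0)
        printf("normal header: accepted, size = %u\n", size);
    return 0;
}
```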

mthrok (Collaborator) commented Jul 27, 2023

Hi @hkctkuy

Thanks for the interesting report.

The thing is, I am about to land #3497, which switches the libsox integration to runtime linking, and this source code will not be used. Therefore, unfortunately, these reports will become irrelevant to torchaudio soon. They need to be addressed upstream. (And the upstream project has made a lot of changes since 14.4.2, so these might not be relevant.)

Did you find anything that needs fixing in the torchaudio codebase, instead of the third party directory? I am aware of a couple of cases where signed and unsigned integers are compared, but did not have time to fix them. It would be nice if you could make a PR to fix them.

mthrok (Collaborator) commented Jul 28, 2023

#3497 has landed, and now torchaudio links to sox dynamically. We no longer compile the specified code ourselves, and therefore this issue is now irrelevant.

Feel free to fuzz the code under torchaudio/csrc and report issues there. Thanks.

mthrok closed this as completed Jul 28, 2023