[rub.de/15] Assertion failure in `vlc_meta_SetWithPriority` (multiple code paths)
Related OSS-Fuzz issues:
- https://oss-fuzz.com/testcase-detail/4775236330455040
- https://oss-fuzz.com/testcase-detail/4532464335847424
- https://oss-fuzz.com/testcase-detail/5241832720695296
Issue from rub.de: bug may be publicly disclosed on Tuesday, April 29, 2025.
Bad Vorbis metadata can trigger an assertion in src/input/meta.c `vlc_meta_SetWithPriority` by putting invalid UTF-8 in a metadata field (e.g., `TOTALTRACKS` via `IF_EXTRACT_ONCE` / `vlc_meta_Set`).
I assume it should be fine to fix this by adding `EnsureUTF8` to the `IF_EXTRACT_ONCE` and `IF_EXTRACT` macros.
The same assertion is also reachable from AVI code when handling frames with a QNAP header and invalid UTF-8 in the title (in `AVI_SendFrame` in modules/demux/avi/avi.c). For the AVI reproducer, the same note as for bug #13 (closed) applies: either use the dummy interface, or set `--avi-index` to some non-zero value.
```
xeon ~/work/git/vlc/build-asan $ gdb --args ./test/vlc-demux-dec-run /home/tom/Downloads/reproducer-vorbis.flac
GNU gdb (Debian 15.2-1) 15.2
Copyright (C) 2024 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./test/vlc-demux-dec-run...
(gdb) r
Starting program: /home/tom/work/git/vlc/build-asan/test/vlc-demux-dec-run /home/tom/Downloads/reproducer-vorbis.flac
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
vlc-demux-dec-run: ../../src/input/meta.c:156: vlc_meta_SetWithPriority: Assertion `psz_val == NULL || IsUTF8( psz_val )' failed.
Program received signal SIGABRT, Aborted.
__pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6,
no_tid=no_tid@entry=0) at ./nptl/pthread_kill.c:44
warning: 44 ./nptl/pthread_kill.c: No such file or directory
(gdb) bt
#0 __pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6,
no_tid=no_tid@entry=0) at ./nptl/pthread_kill.c:44
#1 0x00007ffff709dcef in __pthread_kill_internal (threadid=<optimized out>, signo=6)
at ./nptl/pthread_kill.c:78
#2 0x00007ffff7049c42 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3 0x00007ffff70324f0 in __GI_abort () at ./stdlib/abort.c:79
#4 0x00007ffff7032418 in __assert_fail_base (
fmt=0x7ffff71b6ca0 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n",
assertion=assertion@entry=0x7ffff7487860 "psz_val == NULL || IsUTF8( psz_val )",
file=file@entry=0x7ffff7487760 "../../src/input/meta.c", line=line@entry=156,
function=function@entry=0x7ffff7487e40 <__PRETTY_FUNCTION__.3> "vlc_meta_SetWithPriority") at ./assert/assert.c:94
#5 0x00007ffff7042552 in __assert_fail (
assertion=assertion@entry=0x7ffff7487860 "psz_val == NULL || IsUTF8( psz_val )",
file=file@entry=0x7ffff7487760 "../../src/input/meta.c", line=line@entry=156,
function=function@entry=0x7ffff7487e40 <__PRETTY_FUNCTION__.3> "vlc_meta_SetWithPriority") at ./assert/assert.c:103
#6 0x00007ffff7359d1c in vlc_meta_SetWithPriority (p_meta=p_meta@entry=0x515000006200,
meta_type=meta_type@entry=vlc_meta_TrackTotal,
psz_val=psz_val@entry=0x50300004dcbb "N=ž\377",
priority=priority@entry=VLC_META_PRIORITY_BASIC) at ../../src/input/meta.c:156
#7 0x00007ffff6124dd0 in vorbis_ParseComment (p_fmt=p_fmt@entry=0x0,
pp_meta=<optimized out>, p_data=0x512000002821 "TRACKTOTAL=N=ž\377", i_data=27,
i_attachments=<optimized out>, attachments=<optimized out>,
i_cover_score=<optimized out>, i_cover_idx=<optimized out>,
i_seekpoint=<optimized out>, ppp_seekpoint=<optimized out>,
ppf_replay_gain=<optimized out>, ppf_replay_peak=<optimized out>)
at ../../modules/demux/xiph_metadata.c:434
#8 0x00007ffff61207bf in ParseComment (p_demux=p_demux@entry=0x511000007480,
p_data=<optimized out>, i_data=<optimized out>) at ../../modules/demux/flac.c:818
#9 0x00007ffff6121313 in ParseHeaders (p_demux=p_demux@entry=0x511000007480,
p_fmt=p_fmt@entry=0x7ffff51000f0) at ../../modules/demux/flac.c:746
#10 0x00007ffff61219d7 in Open (p_this=0x511000007480) at ../../modules/demux/flac.c:162
#11 0x00007ffff7318aed in demux_Probe (func=0x7ffff61214ac <Open>, forced=false,
ap=ap@entry=0x7ffff4f838c0) at ../../src/input/demux.c:112
#12 0x00007ffff72d7532 in vlc_module_load (log=<optimized out>,
capability=capability@entry=0x7ffff747e120 "demux", name=<optimized out>,
name@entry=0x55555555a200 "any", strict=strict@entry=false,
probe=probe@entry=0x7ffff7318a79 <demux_Probe>) at ../../src/modules/modules.c:230
#13 0x00007ffff731989c in demux_NewAdvanced (p_obj=p_obj@entry=0x511000006bc0,
p_input=p_input@entry=0x0, module=module@entry=0x55555555a200 "any",
url=url@entry=0x55555555a240 "vlc://nop", s=s@entry=0x511000006bc0,
out=out@entry=0x50300004da40, b_preparsing=<optimized out>)
at ../../src/input/demux.c:196
#14 0x00007ffff7319bab in demux_New (p_obj=p_obj@entry=0x511000006bc0,
module=module@entry=0x55555555a200 "any", url=url@entry=0x55555555a240 "vlc://nop",
s=s@entry=0x511000006bc0, out=out@entry=0x50300004da40) at ../../src/input/demux.c:77
#15 0x00005555555582fc in demux_process_stream (args=args@entry=0x7ffff4d00020,
s=s@entry=0x511000006bc0) at ../../test/src/input/demux-run.c:294
--Type <RET> for more, q to quit, c to continue without paging--
#16 0x0000555555558669 in vlc_demux_process_url (args=args@entry=0x7ffff4d00020,
url=url@entry=0x506000000020 "file:///home/tom/Downloads/reproducer-vorbis.flac")
at ../../test/src/input/demux-run.c:348
#17 0x0000555555558708 in vlc_demux_process_path (args=args@entry=0x7ffff4d00020,
path=0x7fffffffde6b "/home/tom/Downloads/reproducer-vorbis.flac")
at ../../test/src/input/demux-run.c:362
#18 0x000055555555755a in main (argc=2, argv=0x7fffffffda08)
at ../../test/vlc-demux-run.c:50
```
```
xeon ~/work/git/vlc/build-asan $ gdb --args ./test/vlc-demux-dec-run /home/tom/Downloads/reproducer-avi.avi
GNU gdb (Debian 15.2-1) 15.2
Copyright (C) 2024 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./test/vlc-demux-dec-run...
(gdb) r
Starting program: /home/tom/work/git/vlc/build-asan/test/vlc-demux-dec-run /home/tom/Downloads/reproducer-avi.avi
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[h264 @ 0x519000007880] [IMGUTILS @ 0x7fffffffcd20] Picture size 3707765056x909273584 is invalid
[h264 @ 0x519000007880] [IMGUTILS @ 0x7fffffffcd00] Picture size 0x0 is invalid
[New Thread 0x7fffed4426c0 (LWP 2883300)]
[New Thread 0x7fffecb866c0 (LWP 2883301)]
[New Thread 0x7fffeacb86c0 (LWP 2883302)]
[New Thread 0x7fffe98f36c0 (LWP 2883303)]
[New Thread 0x7fffe85116c0 (LWP 2883304)]
[New Thread 0x7fffe712f6c0 (LWP 2883305)]
vlc-demux-dec-run: ../../src/input/meta.c:156: vlc_meta_SetWithPriority: Assertion `psz_val == NULL || IsUTF8( psz_val )' failed.
Thread 1 "vlc-demux-dec-r" received signal SIGABRT, Aborted.
__pthread_kill_implementation (threadid=<optimized out>, signo=signo@entry=6,
no_tid=no_tid@entry=0) at ./nptl/pthread_kill.c:44
warning: 44 ./nptl/pthread_kill.c: No such file or directory
(gdb) bt
#0 __pthread_kill_implementation
(threadid=<optimized out>, signo=signo@entry=6, no_tid=no_tid@entry=0)
at ./nptl/pthread_kill.c:44
#1 0x00007ffff709dcef in __pthread_kill_internal (threadid=<optimized out>, signo=6)
at ./nptl/pthread_kill.c:78
#2 0x00007ffff7049c42 in __GI_raise (sig=sig@entry=6) at ../sysdeps/posix/raise.c:26
#3 0x00007ffff70324f0 in __GI_abort () at ./stdlib/abort.c:79
#4 0x00007ffff7032418 in __assert_fail_base
(fmt=0x7ffff71b6ca0 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=assertion@entry=0x7ffff7487860 "psz_val == NULL || IsUTF8( psz_val )", file=file@entry=0x7ffff7487760 "../../src/input/meta.c", line=line@entry=156, function=function@entry=0x7ffff7487e40 <__PRETTY_FUNCTION__.3> "vlc_meta_SetWithPriority") at ./assert/assert.c:94
#5 0x00007ffff7042552 in __assert_fail
(assertion=assertion@entry=0x7ffff7487860 "psz_val == NULL || IsUTF8( psz_val )", file=file@entry=0x7ffff7487760 "../../src/input/meta.c", line=line@entry=156, function=function@entry=0x7ffff7487e40 <__PRETTY_FUNCTION__.3> "vlc_meta_SetWithPriority")
at ./assert/assert.c:103
#6 0x00007ffff7359d1c in vlc_meta_SetWithPriority
(p_meta=0x515000006200, meta_type=meta_type@entry=vlc_meta_Title, psz_val=psz_val@entry=0x51f000001cb8 "ry:alpha\376\377\377\377\032infe\002`", priority=priority@entry=VLC_META_PRIORITY_BASIC) at ../../src/input/meta.c:156
#7 0x00007ffff616e604 in AVI_SendFrame
(p_demux=p_demux@entry=0x511000007480, tk=tk@entry=0x513000007740, p_frame=p_frame@entry=0x508000039e20) at ../../modules/demux/avi/avi.c:1051
#8 0x00007ffff617a47b in Demux_Seekable (p_demux=0x511000007480)
at ../../modules/demux/avi/avi.c:1424
#9 0x00007ffff7319c46 in demux_Demux (demux=demux@entry=0x511000007480)
at ../../src/input/demux.c:223
#10 0x00005555555583aa in demux_process_stream
(args=args@entry=0x7ffff4d00020, s=s@entry=0x511000006bc0)
at ../../test/src/input/demux-run.c:306
#11 0x0000555555558669 in vlc_demux_process_url
(args=args@entry=0x7ffff4d00020, url=url@entry=0x504000000010 "file:///home/tom/Downloads/reproducer-avi.avi") at ../../test/src/input/demux-run.c:348
#12 0x0000555555558708 in vlc_demux_process_path
(args=args@entry=0x7ffff4d00020, path=0x7fffffffde6f "/home/tom/Downloads/reproducer-avi.avi") at ../../test/src/input/demux-run.c:362
#13 0x000055555555755a in main (argc=2, argv=0x7fffffffda08)
at ../../test/vlc-demux-run.c:50
```
Edited by Thomas Guillem
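The mitigation proposed in the report, sanitizing a demuxed string before it reaches a setter that asserts valid UTF-8, shown as an added example that is not part of the original report and not VLC's code. `sanitize_utf8` and `utf8_seq_len` are hypothetical stand-ins for a sanitizer such as `EnsureUTF8`, and the sample comment is constructed, modelled on the Vorbis comment in the first backtrace.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Byte length of the well-formed UTF-8 sequence at s, or 0 if malformed
 * (stray continuation, truncation, overlong form, surrogate, > U+10FFFF). */
static size_t utf8_seq_len(const unsigned char *s)
{
    unsigned cp, min;
    size_t n;
    if (s[0] < 0x80) return 1;
    if ((s[0] & 0xE0) == 0xC0)      { n = 2; cp = s[0] & 0x1F; min = 0x80; }
    else if ((s[0] & 0xF0) == 0xE0) { n = 3; cp = s[0] & 0x0F; min = 0x800; }
    else if ((s[0] & 0xF8) == 0xF0) { n = 4; cp = s[0] & 0x07; min = 0x10000; }
    else return 0;
    for (size_t i = 1; i < n; i++) {
        if ((s[i] & 0xC0) != 0x80) return 0;  /* a NUL terminator also stops here */
        cp = (cp << 6) | (s[i] & 0x3F);
    }
    if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return 0;
    return n;
}

/* Hypothetical stand-in for a sanitizer (not VLC's code): overwrite each byte
 * that does not start a well-formed sequence with '?'; return the count. */
size_t sanitize_utf8(char *str)
{
    size_t replaced = 0;
    for (unsigned char *p = (unsigned char *)str; *p != 0; ) {
        size_t n = utf8_seq_len(p);
        if (n == 0) { *p++ = '?'; replaced++; }
        else p += n;
    }
    return replaced;
}

int main(void)
{
    /* Constructed sample modelled on the Vorbis comment in the backtrace. */
    char comment[] = "TRACKTOTAL=N=\xc5\xbe\xff";
    char *val = strchr(comment, '=') + 1;
    size_t n = sanitize_utf8(val);  /* run before any metadata setter sees val */
    printf("%s (%zu byte(s) replaced)\n", val, n);
    return 0;
}
```

Sanitizing at the parser boundary keeps the setter's precondition intact for every caller, so the assertion can stay in place as a check on internal invariants rather than on file contents.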