bug-libextractor

From: Leon Zhao
Subject: [bug-libextractor] NULL Pointer Dereference vulneribility in libextractor EXTRACTOR_nsfe_extract_method
Date: Wed, 1 Nov 2017 14:19:11 +0800

Tested Version:
libextractor v1.6

Tested System:
Linux leon-virtual-machine 4.10.0-35-generic #39~16.04.1-Ubuntu SMP Wed Sep 13 09:02:42 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Details:
In function EXTRACTOR_nsfe_extract_method at nsfe_extractor.c:
 345   if (sizeof (struct header) >
 346       ec->read (ec->cls,
 347                 &data,
 348                 sizeof (struct header)))
 349     return;
 350   head = data;
 351   if (0 != memcmp (head->magicid, "NSFE", 4))
 352     return;
 353 
 354   if (0 != ec->proc (ec->cls,
 355                      "nsfe",
 356                      EXTRACTOR_METATYPE_MIMETYPE,
 357                      EXTRACTOR_METAFORMAT_UTF8,
 358                      "text/plain",
 359                      "audio/x-nsfe",
 360                      strlen ("audio/x-nsfe") + 1))
 361     return;
The ec->read function sets data to NULL, so it crashes when the code wants to use magicid of the pointer head in line 351.

Crash Information:
The output with AddressSanitizer enabled:
./extract -i extract.EXTRACTOR_nsfe_extract_method.nsfe_extractor.351.crash
Keywords for file extract.EXTRACTOR_nsfe_extract_method.nsfe_extractor.351.crash:
ASAN:SIGSEGV
=================================================================
==19923==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ff41c8bdfe4 bp 0x7fffd3ba7bd0 sp 0x7fffd3ba7358 T0)
    #0 0x7ff41c8bdfe3  (/lib/x86_64-linux-gnu/libc.so.6+0x16efe3)
    #1 0x7ff41cdec74e in memcmp (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x7774e)
    #2 0x7ff416a919af in EXTRACTOR_nsfe_extract_method /root/libextractor-1.6/src/plugins/nsfe_extractor.c:351
    #3 0x7ff41cb359a1 in do_extract /root/libextractor-1.6/src/main/extractor.c:583
    #4 0x7ff41cb35db5 in EXTRACTOR_extract /root/libextractor-1.6/src/main/extractor.c:662
    #5 0x4044f9 in main /root/libextractor-1.6/src/main/extract.c:983
    #6 0x7ff41c76f82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #7 0x4017c8 in _start (/opt/asan/bin/extract+0x4017c8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==19923==ABORTING

CREDIT
Zhao Liang, Huawei Weiran Labs

The attachment is the POC file.

Attachment: extract.EXTRACTOR_nsfe_extract_method.nsfe_extractor.351.crash
Description: Binary data
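The missing check described in the report above, as an added example that is neither libextractor's own code nor the reporter's: a small model of the read-callback interface (hypothetical `struct ctx`, `nsfe_check` and the `read_*` callbacks are assumptions, not the real extractor.h API) in which the pointer handed back by `read` is verified before `head->magicid` is touched, so the "size reported but data NULL" case becomes a clean return instead of a SEGV.

```c
#include <stddef.h>
#include <string.h>

/* Simplified model of the callback context used in the report (assumed shape,
 * not the real EXTRACTOR_ExtractContext). */
struct header { char magicid[4]; char pad[4]; };

struct ctx {
  void *cls;
  /* Reads up to 'size' bytes, stores a pointer to them in *data, returns the count. */
  size_t (*read)(void *cls, void **data, size_t size);
};

enum nsfe_result { NSFE_SHORT_READ, NSFE_NO_DATA, NSFE_BAD_MAGIC, NSFE_OK };

/* Hardened form of the check at nsfe_extractor.c:345-352: the byte count
 * returned by read is not enough on its own, the returned pointer must
 * also be non-NULL before head->magicid is dereferenced. */
enum nsfe_result nsfe_check(struct ctx *ec)
{
  void *data = NULL;
  const struct header *head;

  if (sizeof(struct header) > ec->read(ec->cls, &data, sizeof(struct header)))
    return NSFE_SHORT_READ;
  if (NULL == data)          /* the check the report shows is missing */
    return NSFE_NO_DATA;
  head = data;
  if (0 != memcmp(head->magicid, "NSFE", 4))
    return NSFE_BAD_MAGIC;
  return NSFE_OK;
}

/* Constructed read callbacks, one per branch. */
static char good_buf[8] = { 'N', 'S', 'F', 'E', 0, 0, 0, 0 };
static char bad_buf[8]  = { 'R', 'I', 'F', 'F', 0, 0, 0, 0 };

size_t read_good(void *cls, void **data, size_t size) { (void)cls; *data = good_buf; return size; }
size_t read_badmagic(void *cls, void **data, size_t size) { (void)cls; *data = bad_buf; return size; }
/* Models the condition in the report: full size reported, but data left NULL. */
size_t read_null(void *cls, void **data, size_t size) { (void)cls; *data = NULL; return size; }
size_t read_short(void *cls, void **data, size_t size) { (void)cls; (void)size; *data = good_buf; return 2; }

enum nsfe_result run_with(size_t (*fn)(void *, void **, size_t))
{
  struct ctx ec = { NULL, fn };
  return nsfe_check(&ec);
}
```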

