Out-of-memory at sox/effects.cpp:109 #3504

Closed
hkctkuy opened this issue Jul 27, 2023 · 1 comment

hkctkuy commented Jul 27, 2023

🐛 Describe the bug

Hi, I've been fuzzing the torchaudio project with sydr-fuzz and found a crash at sox/effects.cpp:109.

I think the out-of-memory occurs because we try to reserve memory for out_buffer without any size checks for sf->signal.length.

How to reproduce

  1. Build docker from here and run the container:
       sudo docker build -t oss-sydr-fuzz-torchaudio .
       sudo docker run --privileged --rm -v `pwd`:/fuzz -it oss-sydr-fuzz-torchaudio /bin/bash
  2. Run the target on this input: crash-sydr_a2aea0533f0d7d5bc342347644558b14a1f942e8_out_of_bounds_0:
       /load_audio_fuzz crash-sydr_a2aea0533f0d7d5bc342347644558b14a1f942e8_out_of_bounds_0

You will see the following output:

==132== ERROR: libFuzzer: out-of-memory (malloc(6498959700))
   To change the out-of-memory limit use -rss_limit_mb=<N>

    #0 0x87a991 in __sanitizer_print_stack_trace /llvm-project-llvmorg-14.0.6/compiler-rt/lib/asan/asan_stack.cpp:87:3
    #1 0x1404b237 in fuzzer::PrintStackTrace() /llvm-project-llvmorg-14.0.6/compiler-rt/lib/fuzzer/FuzzerUtil.cpp:210:5
    #2 0x14030be5 in fuzzer::Fuzzer::HandleMalloc(unsigned long) /llvm-project-llvmorg-14.0.6/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:131:3
    #3 0x14030aca in fuzzer::MallocHook(void const volatile*, unsigned long) /llvm-project-llvmorg-14.0.6/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:100:6
    #4 0x881527 in __sanitizer::RunMallocHooks(void const*, unsigned long) /llvm-project-llvmorg-14.0.6/compiler-rt/lib/sanitizer_common/sanitizer_common.cpp:316:5
    #5 0x7f0352 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) /llvm-project-llvmorg-14.0.6/compiler-rt/lib/asan/asan_allocator.cpp:600:5
    #6 0x7f0999 in __asan::asan_memalign(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType) /llvm-project-llvmorg-14.0.6/compiler-rt/lib/asan/asan_allocator.cpp:1013:16
    #7 0x8ab1c2 in operator new(unsigned long) /llvm-project-llvmorg-14.0.6/compiler-rt/lib/asan/asan_new_delete.cpp:95:3
    #8 0xa02c7b in __gnu_cxx::new_allocator<int>::allocate(unsigned long, void const*) /usr/bin/../lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/ext/new_allocator.h:115:27
    #9 0xa02b03 in std::allocator_traits<std::allocator<int> >::allocate(std::allocator<int>&, unsigned long) /usr/bin/../lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/alloc_traits.h:460:20
    #10 0xa022e2 in std::_Vector_base<int, std::allocator<int> >::_M_allocate(unsigned long) /usr/bin/../lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/stl_vector.h:346:20
    #11 0x9cc051 in std::vector<int, std::allocator<int> >::reserve(unsigned long) /usr/bin/../lib/gcc/x86_64-linux-gnu/10/../../../../include/c++/10/bits/vector.tcc:78:22
    #12 0x9d1200 in torchaudio::sox::apply_effects_file(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::vector<std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >, std::allocator<std::vector<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > > > const&, c10::optional<bool>, c10::optional<bool>, c10::optional<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > const&) /audio/torchaudio/csrc/sox/effects.cpp:109:14
    #13 0x8cca22 in torchaudio::sox::load_audio_file(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, c10::optional<long> const&, c10::optional<long> const&, c10::optional<bool>, c10::optional<bool>, c10::optional<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > const&) /audio/torchaudio/csrc/sox/io.cpp:69:10
    #14 0x8aec6e in LLVMFuzzerTestOneInput /audio/load_audio.cc:35:9
    #15 0x14032ec1 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /llvm-project-llvmorg-14.0.6/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
    #16 0x1401d7ac in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /llvm-project-llvmorg-14.0.6/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:324:6
    #17 0x140238fb in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /llvm-project-llvmorg-14.0.6/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:860:9
    #18 0x1401d502 in main /llvm-project-llvmorg-14.0.6/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
    #19 0x7f14badc1082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
    #20 0x7ed8bd in _start (/load_audio_fuzz+0x7ed8bd)

SUMMARY: libFuzzer: out-of-memory

Versions

torchaudio version: 30afaa9
pytorch version: 0f1621df1a0a73956c7ce4e2f72f069e610e0137
sox version: 14.4.2
OS: Ubuntu 20.04
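
An added example, not part of the original report and not torchaudio's or sox's code: one way to treat a header-declared sample count as an untrusted hint when reserving an output buffer, so the buffer grows only with samples actually decoded. `DeclaredSignal`, `FakeSource`, `reserve_hint`, `read_all` and the 64 MiB budget are hypothetical names and assumptions.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical stand-in for the length a decoder reports from the file header.
struct DeclaredSignal { uint64_t length; };  // total samples claimed (untrusted)

// Assumed policy: never pre-allocate more than 64 MiB on the header's word alone.
constexpr size_t kMaxReserveBytes = 64u << 20;

// The declared length is only a hint: clamp it to the budget so a forged
// header cannot force a multi-gigabyte allocation before any data is decoded.
size_t reserve_hint(const DeclaredSignal& sig) {
  const uint64_t cap = kMaxReserveBytes / sizeof(int32_t);
  return static_cast<size_t>(std::min<uint64_t>(sig.length, cap));
}

// Constructed sample source: yields `remaining` samples, like a decoder
// draining a file that is much shorter than its header claims.
struct FakeSource {
  size_t remaining;
  size_t read(int32_t* buf, size_t max) {
    const size_t n = std::min(remaining, max);
    std::fill(buf, buf + n, 1);
    remaining -= n;
    return n;
  }
};

// Reserve the clamped hint, then append chunk by chunk; the vector grows
// past the hint only if real samples keep arriving.
std::vector<int32_t> read_all(const DeclaredSignal& sig, FakeSource src) {
  std::vector<int32_t> out;
  out.reserve(reserve_hint(sig));
  int32_t chunk[4096];
  for (size_t n; (n = src.read(chunk, 4096)) > 0;)
    out.insert(out.end(), chunk, chunk + n);
  return out;
}

int main() {
  // 1624739925 samples * 4 bytes = 6498959700, the malloc size in the trace.
  const DeclaredSignal forged{1624739925ULL};
  const auto out = read_all(forged, FakeSource{10000});
  std::printf("reserved=%zu decoded=%zu\n", reserve_hint(forged), out.size());
  return 0;
}
```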

mthrok (Collaborator) commented Jul 28, 2023

#3497 has landed, and now torchaudio links to sox dynamically. We no longer compile the specified code by ourselves and therefore this issue is now irrelevant.

Feel free to fuzz the code under torchaudio/csrc, and report issues there. Thanks,

mthrok closed this as completed Jul 28, 2023