== The January 2010 media player debacle ==

[[Image(fail2.png,right,border=0,margin=5px)]]

Yes, it’s a debacle again. While some players such as MPlayer had their stability improved, zzuf could again find bugs with most files, especially video codecs. All programs were the latest version in '''Debian amd64 sid''' as of 2010/01/14. Each of these bugs was found in '''less than 2 minutes''' of zzuf action, meaning that the “robust” cells are even less trustworthy than last time.

 * “?” means zzuf could not properly fuzz the application
 * “robust” means zzuf could not find a crash in reasonable time

=== Audio codecs ===

|| || '''VLC''' || '''MPlayer''' || '''xine''' || '''FFmpeg''' || '''GStreamer''' || '''mpg321''' || '''ogg123''' ||
|| '''MP3''' || robust || '''SIGSEGV''' || '''SIGFPE''' || ? || ? || robust || N/A ||
|| '''Ogg Vorbis''' || ? || robust || '''SIGSEGV''' || ? || robust || N/A || robust ||
|| '''FLAC''' || robust || '''SIGABRT''' || '''SIGFPE''' || ? || robust || N/A || '''SIGSEGV''' ||
|| '''AAC''' || robust || robust || robust || ? || robust || N/A || N/A ||
|| '''AC-3/A52''' || robust || robust || ? || ? || robust || N/A || N/A ||
|| '''Speex''' || ? || '''SIGSEGV''' || robust || ? || robust || N/A || ? ||
|| '''EAC3''' || ? || robust || robust || ? || robust || N/A || N/A ||

=== Video codecs ===

|| || '''VLC''' || '''MPlayer''' || '''xine''' || '''FFmpeg''' || '''GStreamer''' ||
|| '''MPEG-1''' || '''SIGSEGV''' || robust || '''SIGSEGV''' || ? || robust ||
|| '''MPEG-2''' || '''SIGSEGV''' || ? || '''SIGSEGV''' || ? || ? ||
|| '''MPEG-4 AVI''' || '''SIGSEGV''' || '''SIGSEGV''' || '''SIGSEGV''' || ? || ? ||
|| '''MPEG-4''' || ? || '''SIGSEGV''' || '''SIGSEGV''' || ? || '''SIGSEGV''' ||
|| '''Ogg Theora''' || robust || robust || '''SIGSEGV''' || ? || ? ||
|| '''WMV''' || '''SIGSEGV''' || '''SIGSEGV''' || '''SIGSEGV''' || ? || '''SIGSEGV''' ||
|| '''FLV''' || '''SIGSEGV''' || '''SIGSEGV''' || '''SIGSEGV''' || ? || '''SIGSEGV''' ||

=== Testing protocol ===

The zzuf commands used to find bugs were rather straightforward. A few flags are recurrent:

 * `-r0.0001:0.02` to try several fuzzing ratios
 * `-s0:10000` to stop after 10000 tries
 * `-b8-` to leave the first 8 bytes alone, so that the file format (magic bytes) is not misinterpreted and the player still hands the file to the right demuxer
 * `-T5` (where used) to kill a child that has not finished after 5 seconds, since a hang is a finding too

Because the corruption zzuf applies is a deterministic function of the seed and the ratio, a crash found during a run can be regenerated afterwards in filter mode, `zzuf -s <seed> -r <ratio> -b8- < original > crash-file`, and the resulting file fed to the player under a debugger; there is no need to keep every fuzzed file around.

MPlayer is very easy to test, thanks to its `-benchmark` flag:

{{{
#!sh
% zzuf -vq -c -r0.0001:0.02 -s0:10000 -b8- -j8 -T5 -S mplayer -benchmark \
    -ao pcm:file=/dev/null -vo md5sum:outfile=/dev/null filename
}}}

VLC doesn’t provide a benchmark flag, forcing us to spawn a lot more parallel processes using `-j`, so that the test goes a bit faster:

{{{
#!sh
% zzuf -vq -c -r0.0001:0.02 -s0:10000 -b8- -j80 vlc -I dummy \
    -A dummy -V dummy filename vlc://quit
}}}

GStreamer is as easy to test as MPlayer:

{{{
#!sh
% zzuf -vq -I'orig.*' -r0.0001:0.02 -s0:10000 -b8- -j5 -S gst-launch-0.10 \
    filesrc location=filename '!' decodebin '!' fakesink
}}}

I could not find a benchmark mode for xine, so I tested it using the libcaca output:

{{{
#!sh
% CACA_DRIVER=raw zzuf -vq -c -r0.0001:0.02 -s0:10000 -b8- -j15 -S cacaxine -A none -q filename
}}}

Finally, mpg321 and ogg123 don’t have a benchmark mode either. We increase the `-j` value as well:

{{{
#!sh
% zzuf -vq -c -r0.0001:0.02 -s0:10000 -b8- -j10 mpg321 filename
% zzuf -vq -c -r0.0001:0.02 -s0:10000 -b8- -j10 ogg123 -d null filename
}}}

== The January 2007 media player debacle ==

[[Image(u-fail.png,right,width=240px,border=0,margin=5px)]]

Media players are especially sensitive to stream corruption. In fact, zzuf started its life as a tool to find bugs in the VLC media player software. The following table gives a few examples of crashes (all programs were the latest version in '''Debian i386 sid''' as of 2007/01/14). Click on each link to download the file that caused the crash:

'''Disclaimer 1''': “robust” does not mean that there is no bug, it just means that zzuf could not find one in reasonable time.
'''Disclaimer 2''': segmentation faults reported below are not necessarily bugs in the program itself; for instance, the MPEG-2 crashes are more likely due to a bug in the libmpeg2 library.

|| || '''VLC''' || '''MPlayer''' || '''xine''' || '''FFmpeg (ffplay)''' || '''GStreamer (gst-launch)''' || '''mpg321''' || '''ogg123''' ||
|| '''MP3''' || robust || '''[/files/zzuf/bugs/lol-mplayer.mp3 SIGSEGV]''' || robust || robust || robust || robust || N/A ||
|| '''Ogg Vorbis''' || robust || '''[/files/zzuf/bugs/lol-mplayer.ogg SIGSEGV]''' || robust || '''[/files/zzuf/bugs/lol-ffplay.ogg SIGSEGV]''' || '''[/files/zzuf/bugs/lol-gstreamer.ogg SIGSEGV]''' || N/A || robust ||
|| '''MPEG-1''' || '''[/files/zzuf/bugs/lol-vlc.mpg SIGSEGV]''' || '''[/files/zzuf/bugs/lol-mplayer.mpg SIGSEGV]''' || '''[/files/zzuf/bugs/lol-xine.mpg SIGSEGV]''' || '''[/files/zzuf/bugs/lol-ffplay.mpg SIGSEGV]''' || robust || N/A || N/A ||
|| '''MPEG-2''' || '''[/files/zzuf/bugs/lol-vlc.m2v SIGSEGV]''' || '''[/files/zzuf/bugs/lol-mplayer.m2v SIGSEGV]''' || robust || '''[/files/zzuf/bugs/lol-ffplay.m2v SIGSEGV]''' || '''[/files/zzuf/bugs/lol-gstreamer.m2v SIGSEGV]''' || N/A || N/A ||
|| '''MPEG-4 AVI''' || '''[/files/zzuf/bugs/lol-vlc.avi SIGSEGV]''' || '''[/files/zzuf/bugs/lol-mplayer.avi SIGSEGV]''' || '''[/files/zzuf/bugs/lol-xine.avi SIGSEGV]''' || '''[/files/zzuf/bugs/lol-ffplay.avi SIGSEGV]''' || '''[/files/zzuf/bugs/lol-gstreamer.avi deadlock?]''' || N/A || N/A ||
|| '''FLAC''' || robust || '''[/files/zzuf/bugs/lol-mplayer.flac SIGSEGV]''' || robust || '''[/files/zzuf/bugs/lol-ffplay.flac heap corruption]''' || robust || N/A || '''[/files/zzuf/bugs/lol-ogg123.flac SIGFPE]''' ||
|| '''Ogg Theora''' || robust || '''[/files/zzuf/bugs/lol-mplayer.ogm SIGSEGV]''' || robust || '''[/files/zzuf/bugs/lol-ffplay.ogm SIGSEGV]''' || robust || N/A || N/A ||
|| '''WMV''' || '''[/files/zzuf/bugs/lol-vlc.wmv SIGSEGV]''' || '''[/files/zzuf/bugs/lol-mplayer.wmv SIGSEGV]''' || N/A || '''[/files/zzuf/bugs/lol-ffplay.wmv SIGSEGV]''' || robust || N/A || N/A ||
|| '''AAC''' || '''[/files/zzuf/bugs/lol-vlc.aac heap corruption]''' || '''[/files/zzuf/bugs/lol-mplayer.aac SIGSEGV]''' || '''[/files/zzuf/bugs/lol-xine.aac SIGSEGV]''' || N/A || N/A || N/A || N/A ||
|| '''AC-3/A52''' || '''[/files/zzuf/bugs/lol-vlc.ac3 SIGSEGV]''' || ROBUST!!! || robust || '''[/files/zzuf/bugs/lol-ffplay.ac3 SIGSEGV]''' || N/A || N/A || N/A ||
|| '''Speex''' || robust || robust || robust || N/A || robust || N/A || robust ||

== Other bugs ==

[[Image(roflmao.png,right,border=0,margin=5px)]]

Here is a list of other bugs that were easily found using zzuf, each time in a matter of seconds.

 * OpenBSD (4.0 GENERIC!#1107 i386)
|| nm [/files/zzuf/bugs/lol-openbsd-nm lol-openbsd-nm] || SIGSEGV || crash in `strcmp()`, not exploitable ||
|| objdump -T [/files/zzuf/bugs/lol-openbsd-objdump lol-openbsd-objdump] || SIGSEGV || ? ||
 * Linux (Debian 4.0 i386 unstable)
|| nm [/files/zzuf/bugs/lol-debian-nm lol-debian-nm] || SIGKILL || memory usage exceeded ||
|| identify [/files/zzuf/bugs/fuzz1.xpm fuzz1.xpm] [/files/zzuf/bugs/fuzz2.xpm fuzz2.xpm] [/files/zzuf/bugs/fuzz3.xpm fuzz3.xpm] || SIGSEGV || Memory corruption in !ImageMagick. Security implications look promising. ||
|| antiword [/files/zzuf/bugs/lol-antiword.doc lol-antiword.doc] || SIGSEGV || ? ||
|| firefox [/files/zzuf/bugs/lol-firefox.gif lol-firefox.gif] || !BadAlloc || X11 error ||
|| dvipng [/files/zzuf/bugs/lol-dvipng.dvi lol-dvipng.dvi] || SIGSEGV || Also occurs with `dvi2ps` ||
|| giftopnm [/files/zzuf/bugs/lol-giftopnm.gif lol-giftopnm.gif] || SIGSEGV || ? ||
 * FreeBSD (6.1-RELEASE FreeBSD 6.1-RELEASE !#0: Sun May 7 04:32:43 UTC 2006 root@opus.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386)
|| nm [/files/zzuf/bugs/lol-freebsd-nm lol-freebsd-nm] || SIGSEGV || ? ||
 * Mac OS X (8.3.1 Darwin Kernel Version 8.3.1: Wed Nov 2 21:12:54 PST 2005; root:xnu-792.7.56.obj~6/RELEASE_I386 i386 i386)
|| nm [/files/zzuf/bugs/lol-macosx-nm lol-macosx-nm] || SIGSEGV || ? ||
|| otool -I [/files/zzuf/bugs/lol-macosx-otool lol-macosx-otool] || SIGSEGV || ? ||
 * HP-UX B.11.31 U ia64 3426292962 unlimited-user license
|| nm [/files/zzuf/bugs/lol-hpux-ia64-nm] || SIGSEGV in `nm_elf` || ? ||
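The testing protocol above (seed range, ratio range, protected header bytes, per-run timeout) and the signal-by-signal verdicts in every table on this page come from driving zzuf from the shell. The following Python harness is an added example, written for this page; it is not zzuf's code and is not bit-for-bit compatible with it. It reimplements the idea behind the protocol so that it can be read in one place: a deterministic bit-flip mutator keyed by (seed, ratio) that never touches the first 8 bytes (the `-b8-` idea), a runner that enforces a timeout (the `-T` idea) and maps the child's exit status to the same labels the tables use (SIGSEGV, SIGFPE, SIGABRT, timeout), and a seed × ratio sweep that records only the runs that did not finish cleanly. Two simplifications are assumptions of this example: zzuf corrupts data on the fly via `LD_PRELOAD`, whereas this writes a mutated copy to disk; and zzuf has its own PRNG and fuzzing model, whereas this flips each bit independently with probability equal to the ratio. The `TOY_DECODER` target and the `SAMPLE` input are constructed stand-ins (a "decoder" that checks an 8-byte magic and raises SIGSEGV on itself for half of all payloads) so that the harness runs offline; any of the real commands above, with `{file}` in place of `filename`, can be passed instead.

```python
#!/usr/bin/env python3
"""Added example: seed/ratio bit-flip fuzzer with signal-based triage,
modelled on the zzuf protocol used on this page. Not zzuf's own code."""
import random
import signal
import subprocess
import sys
import tempfile
from pathlib import Path


def fuzz_bytes(data: bytes, seed: int, ratio: float, skip: int = 8) -> bytes:
    """Return a copy of `data` with roughly `ratio` of its bits flipped.

    The first `skip` bytes are never modified (zzuf's -b8-: keep the magic
    bytes so the player still routes the file to the intended demuxer).
    The output depends only on (data, seed, ratio, skip), so a crashing
    input can be regenerated from its seed instead of being stored.
    Assumption: one independent flip decision per bit; zzuf's own PRNG and
    fuzzing model differ, only the "same seed -> same input" idea is kept.
    """
    rng = random.Random(seed)
    out = bytearray(data)
    for i in range(skip, len(out)):
        for bit in range(8):
            if rng.random() < ratio:
                out[i] ^= 1 << bit
    return bytes(out)


def classify(returncode: int) -> str:
    """Map subprocess.run's returncode to the labels used in the tables.

    On POSIX, Python reports a child killed by a signal as -<signal number>.
    """
    if returncode == 0:
        return "ok"
    if returncode > 0:
        return f"exit {returncode}"          # refused input, no crash
    try:
        return signal.Signals(-returncode).name   # SIGSEGV, SIGFPE, SIGABRT...
    except ValueError:
        return f"signal {-returncode}"


def run_target(argv, timeout: float) -> str:
    """Run one decode attempt under a time limit (zzuf -T) and classify it."""
    try:
        proc = subprocess.run(argv, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "timeout"   # hangs are findings too (cf. the gstreamer "deadlock?")
    return classify(proc.returncode)


def campaign(original: bytes, argv_template, seeds, ratios,
             timeout: float = 5.0, skip: int = 8):
    """Sweep seeds x ratios the way -s and -r do.

    `{file}` in argv_template is replaced by the mutated file's path.
    Returns (seed, ratio, verdict) for every run that did not end cleanly;
    the mutated file itself is not kept, fuzz_bytes() regenerates it.
    """
    findings = []
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "fuzzed.bin"
        for ratio in ratios:
            for seed in seeds:
                path.write_bytes(fuzz_bytes(original, seed, ratio, skip))
                argv = [a.replace("{file}", str(path)) for a in argv_template]
                verdict = run_target(argv, timeout)
                if verdict != "ok":
                    findings.append((seed, ratio, verdict))
    return findings


def python_target(code: str):
    """argv for a throwaway target written in Python (demo/testing aid)."""
    return [sys.executable, "-c", code, "{file}"]


# Constructed stand-in for a decoder (not a real codec): rejects a wrong
# 8-byte magic with exit 2 and "crashes" (SIGSEGV on itself) whenever the
# payload checksum is even, a caricature of an unchecked field in a codec.
TOY_DECODER = (
    "import os, signal, sys\n"
    "d = open(sys.argv[1], 'rb').read()\n"
    "if d[:8] != b'TOYFMT\\x00\\x01': sys.exit(2)\n"
    "if sum(d[8:]) % 2 == 0: os.kill(os.getpid(), signal.SIGSEGV)\n"
)
# Constructed 63-byte input whose unfuzzed payload sum is odd (decodes fine).
SAMPLE = b"TOYFMT\x00\x01" + bytes(range(2, 57))


if __name__ == "__main__":
    hits = campaign(SAMPLE, python_target(TOY_DECODER),
                    seeds=range(20), ratios=(0.0001, 0.004, 0.02))
    for seed, ratio, verdict in hits:
        print(f"s={seed} r={ratio}: {verdict}")
    if hits:  # regenerate the first crasher from its seed for triage under gdb
        s, r, _ = hits[0]
        Path("crash.bin").write_bytes(fuzz_bytes(SAMPLE, s, r))
```

Because the header is protected, every non-clean verdict from the toy decoder is a SIGSEGV rather than an `exit 2`, which is exactly why `-b8-` matters on the real players: without it, most mutations would be rejected by the demuxer before a codec ever ran. Replacing `python_target(TOY_DECODER)` with, say, `["mplayer", "-benchmark", "-ao", "pcm:file=/dev/null", "-vo", "md5sum:outfile=/dev/null", "{file}"]` turns the harness into a slower, single-process version of the MPlayer command above.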