You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This bug was found with AFLSmart, an extension of AFL. Thanks also to Marcel Böhme, Andrew Santosa and Alexandru Razvan Caciulescu. This could lead to denial of service and potentially code execution.
This bug was found on Ubuntu 16.04 64-bit & WavPack revision 0a7295 (HEAD)
To reproduce:
Download & extract the attached file - wavpack_crash4.wav
wavpack -y wavpack_crash4.wav
creating wavpack_crash4.wv, 0% done...==168858== Invalid write of size 2
==168858== at 0x4C868F: flush_word (write_words.c:502)
==168858== by 0x4C868F: send_words_lossless (write_words.c:405)
==168858== by 0x4854CB: pack_samples (pack.c:1159)
==168858== by 0x48F5F7: pack_block (pack.c:638)
==168858== by 0x4A0050: pack_streams (pack_utils.c:951)
==168858== by 0x4ACE6C: WavpackFlushSamples (pack_utils.c:701)
==168858== by 0x434405: pack_audio (wavpack.c:2393)
==168858== by 0x434405: pack_file (wavpack.c:1891)
==168858== by 0x407442: main (wavpack.c:1272)
==168858== Address 0x57a9b1c is 13,212 bytes inside a block of size 13,213 alloc'd
==168858== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==168858== by 0x49FF3D: pack_streams (pack_utils.c:928)
==168858== by 0x4ACE6C: WavpackFlushSamples (pack_utils.c:701)
==168858== by 0x434405: pack_audio (wavpack.c:2393)
==168858== by 0x434405: pack_file (wavpack.c:1891)
==168858== by 0x407442: main (wavpack.c:1272)
==168858==
==168858== Invalid write of size 2
==168858== at 0x4C2203: flush_word (write_words.c:502)
==168858== by 0x4C87CB: send_words_lossless (write_words.c:438)
==168858== by 0x4854CB: pack_samples (pack.c:1159)
==168858== by 0x48F5F7: pack_block (pack.c:638)
==168858== by 0x4A0050: pack_streams (pack_utils.c:951)
==168858== by 0x4ACE6C: WavpackFlushSamples (pack_utils.c:701)
==168858== by 0x434405: pack_audio (wavpack.c:2393)
==168858== by 0x434405: pack_file (wavpack.c:1891)
==168858== by 0x407442: main (wavpack.c:1272)
==168858== Address 0x57a9b20 is 3 bytes after a block of size 13,213 alloc'd
==168858== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==168858== by 0x49FF3D: pack_streams (pack_utils.c:928)
==168858== by 0x4ACE6C: WavpackFlushSamples (pack_utils.c:701)
==168858== by 0x434405: pack_audio (wavpack.c:2393)
==168858== by 0x434405: pack_file (wavpack.c:1891)
==168858== by 0x407442: main (wavpack.c:1272)
ASAN says:
==169033==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62700001bc9c at pc 0x000000495f60 bp 0x7fff5c6d1640 sp 0x7fff5c6d1630
WRITE of size 2 at 0x62700001bc9c thread T0
#0 0x495f5f in flush_word /home/thuan/subjects/WavPack-asan/src/write_words.c:502
#1 0x49169f in send_words_lossless /home/thuan/subjects/WavPack-asan/src/write_words.c:405
#2 0x45a842 in pack_samples /home/thuan/subjects/WavPack-asan/src/pack.c:1136
#3 0x4541ba in pack_block /home/thuan/subjects/WavPack-asan/src/pack.c:638
#4 0x47919f in pack_streams /home/thuan/subjects/WavPack-asan/src/pack_utils.c:951
#5 0x4772ef in WavpackFlushSamples /home/thuan/subjects/WavPack-asan/src/pack_utils.c:701
#6 0x40f7f4 in pack_audio /home/thuan/subjects/WavPack-asan/cli/wavpack.c:2393
#7 0x40d8d8 in pack_file /home/thuan/subjects/WavPack-asan/cli/wavpack.c:1891
#8 0x40a80b in main /home/thuan/subjects/WavPack-asan/cli/wavpack.c:1272
#9 0x7f1df62b382f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#10 0x402528 in _start (/home/thuan/subjects/WavPack-asan/cli/wavpack+0x402528)
0x62700001bc9d is located 0 bytes to the right of 13213-byte region [0x627000018900,0x62700001bc9d)
allocated by thread T0 here:
#0 0x7f1df774bf70 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc6f70)
#1 0x478bb3 in pack_streams /home/thuan/subjects/WavPack-asan/src/pack_utils.c:928
#2 0x4772ef in WavpackFlushSamples /home/thuan/subjects/WavPack-asan/src/pack_utils.c:701
#3 0x40f7f4 in pack_audio /home/thuan/subjects/WavPack-asan/cli/wavpack.c:2393
#4 0x40d8d8 in pack_file /home/thuan/subjects/WavPack-asan/cli/wavpack.c:1891
#5 0x40a80b in main /home/thuan/subjects/WavPack-asan/cli/wavpack.c:1272
#6 0x7f1df62b382f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/thuan/subjects/WavPack-asan/src/write_words.c:502 in flush_word
Shadow bytes around the buggy address:
0x0c4e7fffb740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4e7fffb750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4e7fffb760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4e7fffb770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4e7fffb780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4e7fffb790: 00 00 00[05]fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4e7fffb7a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4e7fffb7b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4e7fffb7c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4e7fffb7d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4e7fffb7e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==169033==ABORTING
Thanks, David, for applying the patch so promptly.
Here is our analysis:
The file contains the mandatory riff, fmt, and data chunks, plus an additional fmt chunk placed right after the first fmt chunk. The first fmt chunk specifies IEEE float as WAVE format. The second fmt chunk specifies PCM as WAVE format, one bit per sample, 20 channels, and 20 as block align.
The first fmt chunk passes all sanity checks (incl. bits per sample = 32 and BlockAlign / NumChannels < bits per sample / 8; riff.c:185) and sets config->float_norm_exp = 127riff.c:220
The second fmt chunk allows to override the number of bits per sample, channels, and block align while maintaining the IEEE float format setting (i.e., the value of config->float_norm_exp), effectively circumventing the sanity checks. The assumption of the sanity checks holding later in the packing leads to the buffer overwrite.
MITRE assigned
CVE-2018-10536 for WAVE parser component (*.wav; ParseRiffHeaderConfig in riff.c)
CVE-2018-10537 for WAVE64 parser component (*.w64; ParseWave64HeaderConfig in wave64.c)
Dear all,
This bug was found with AFLSmart, an extension of AFL. Thanks also to Marcel Böhme, Andrew Santosa and Alexandru Razvan Caciulescu. This could lead to denial of service and potentially code execution.
This bug was found on Ubuntu 16.04 64-bit & WavPack revision 0a7295 (HEAD)
To reproduce:
Download & extract the attached file - wavpack_crash4.wav
wavpack -y wavpack_crash4.wav
Error message:
Valgrind says:
ASAN says:
Regards,
Thuan
wavpack_crash4.wav.tar.gz
The text was updated successfully, but these errors were encountered: