Heap-buffer-overflow in src/flac.c:274:41 in flac_buffer_copy #731
Comments
@yuawn, thanks for the report. Can you help to fix it?
@evpobr `retpcm [offset + j] = ((uint32_t) buffer [j][pflac->bufferpos]) << shift ;` ASAN triggered. What do you think about it: need to request a larger size, or it does not make sense that
I can't figure it out yet.
I reproduced the vulnerability on the old released version 1.0.28; the older version is so old that I can't compile it with ASAN. This vulnerability exists in the shared library, not the binary, and it is easy to exploit because the overflow length and the content of the buffer can be easily controlled by the crafted sound file. It should be fixed as soon as possible. Thanks!
Thanks to you for your help. We will merge it soon.
@yuawn could you please elaborate on:
Am I missing something?
Hi @tcullum-rh,
I hope I answered your question, thank you!
This issue is now CVE-2021-4156. |
@tcullum-rh, thanks.
Hi, I found a vulnerability in current master 34bd39b.
There is a heap-buffer-overflow in src/flac.c:274:41 in flac_buffer_copy.
The vulnerability can lead to a heap-based buffer overflow via a crafted sound file, and potentially control heap data by forging buffer content to perform heap exploitation. To reproduce on x86-64 Ubuntu 20.04.2 with clang-11:
PoC: heap_overflow_poc.gz
ASAN report: