fluidsynth crashes when loading malformed sf2 file #808
Comments
Thanks for the detailed report. The problem here is that The next time it would be accessed is in Looking at the code, I think we'll have a similar flaw when parsing the presets. I'll make a PR for that in a second and mention you, so you can test it with potentially other malformed fonts you have around. If you have no time to test, please let me know, because I wanted to release 2.1.8 today or tomorrow.
Fixed for 2.1.8 and merged to master. Thanks!
- parser_test_valid: good case with simple test sf2
- pz_duplicate_gen_vel: duplicate VelRange generator in preset zone
- pz_key_vel_wrong_order: invalid key/vel range generator order in pz
- pz_two_global: two global zones, regression for #808
- iz_duplicate_gen_vel: duplicate VelRange generator in inst zone
- iz_key_vel_wrong_order: invalid key/vel range generator order in iz
- iz_two_global: two global zones, regression for #808
CVE-2021-28421 was assigned for this.
Hello, I wonder if it's also affecting v1.1.11? Thanks! |
Please refer to the changelog: https://github.com/FluidSynth/fluidsynth/wiki/ChangeLog#fluidsynth-218
Eeks, sorry for not checking earlier. And thanks! |
GHSA-6fcq-pxhc-jxc9 mentions CVE-2021-21417 but references #808. Is this a duplicate? CVE-2021-21417 was assigned by GitHub, maybe automatically. |
CVE-2021-21417 is the one I've originally filed via Github security advice. Which actually worked quite smoothly, but unfortunately, the CVE stayed "reserved" even after the advice was published on Mar 31. But it seems like it was finally published a few days ago. No clue why it stayed reserved for so long. The best guess I have is that veritas501 hasn't accepted the credit for this CVE. Although according to GH documentation this shouldn't matter... weird.
Thanks for clarifying. I filed an update request for CVE-2021-28421 with Mitre (Duplicate of CVE-2021-21417). |
Hey Martin, funny meeting you here :-) |
haha, indeed! Fedora brought me here :) |
Fixes the CVE-2021-21417 security issue:
GHSA-6fcq-pxhc-jxc9
FluidSynth/fluidsynth#808

See changelog since v2.1.5:
- https://github.com/FluidSynth/fluidsynth/releases/tag/v2.1.6
- https://github.com/FluidSynth/fluidsynth/releases/tag/v2.1.7
- https://github.com/FluidSynth/fluidsynth/releases/tag/v2.1.8
- https://github.com/FluidSynth/fluidsynth/releases/tag/v2.1.9

./utils/test-pkg --package fluidsynth
6 builds, 2 skipped, 0 build failed, 0 legal-info failed

Signed-off-by: Julien Olivain <ju.o@free.fr>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Version: master (v2.1.1), Ubuntu 18.04 (v1.1.9), Ubuntu 20.04 (v2.1.1), ...
https://github.com/FluidSynth/fluidsynth/blob/master/src/sfloader/fluid_sffile.c#L1952
It says Gen_SampleId is the last gen, and then sets level to 3 and breaks. But if a malformed sf2 doesn't contain Gen_SampleId, it will finally go to here:
https://github.com/FluidSynth/fluidsynth/blob/master/src/sfloader/fluid_sffile.c#L2041
It will be freed again at: https://github.com/FluidSynth/fluidsynth/blob/master/src/sfloader/fluid_sffile.c#L2293
fluid_synth_sfload() -> fluid_defsfloader_load() -> fluid_defsfont_load() -> fluid_sffile_close() -> delete_inst() -> delete_zone()
Here is an example that triggers this vuln: vuln.zip
Programs like VLC that use this library are affected by this vulnerability:
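The ownership mistake the report above describes, as an added example that is not FluidSynth's code: a toy model of an SF2 zone whose generator list is parsed until the terminal Gen_SampleId record, with a malformed zone that omits it taking the error path. The buggy error path frees the list but leaves `zone->gen` pointing at it, so the loader's normal cleanup (`delete_zone`) frees it a second time, which is the `fluid_sffile_close() -> delete_inst() -> delete_zone()` chain in the report. The fixed variant clears the pointer. Assumptions: the generator ids (keyRange 43, sampleID 53) are the SoundFont 2.04 enumerators; the pool allocator and the `load_zone` helper are mine, added so the double free is counted rather than crashing the process; the input bytes are constructed, not taken from any real .sf2 or from vuln.zip.

```c
/*
 * Added example, not FluidSynth code. Models the zone-generator parsing
 * error path from the report: a zone owns a linked list of generators,
 * parsing stops at the terminal sampleID generator, and a malformed zone
 * without one frees the list on the way out. Buggy variant: zone->gen is
 * left dangling, so delete_zone() frees it again. Fixed variant: the
 * pointer is cleared. An instrumented fixed-pool allocator (assumption,
 * for demonstration) counts double frees instead of triggering UB.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define GEN_KEYRANGE 43   /* SoundFont 2.04 generator enumerators */
#define GEN_SAMPLEID 53   /* must be the last generator of an instrument zone */

typedef struct gen {
    uint16_t id;
    int16_t amount;
    int alive;              /* instrumentation: 1 while allocated */
    struct gen *next;
} gen_t;

typedef struct zone { gen_t *gen; } zone_t;

#define MAX_GENS 64
static gen_t pool[MAX_GENS];
static int pool_used;
static int double_free_count;

static gen_t *gen_alloc(void)
{
    if (pool_used >= MAX_GENS) return NULL;
    gen_t *g = &pool[pool_used++];
    g->alive = 1;
    g->next = NULL;
    return g;
}

static void gen_free_list(gen_t *g)
{
    for (; g; g = g->next) {
        if (!g->alive) double_free_count++;   /* second free of the same node */
        g->alive = 0;
    }
}

/* Parse 4-byte igen records (u16 id, s16 amount, little-endian) into z->gen.
 * Returns 0 once a sampleID record is seen, -1 if the data ends without one.
 * fixed == 0 reproduces the dangling-pointer error path; fixed == 1 clears it. */
static int parse_zone_gens(zone_t *z, const uint8_t *buf, size_t len, int fixed)
{
    gen_t **tail = &z->gen;
    z->gen = NULL;
    for (size_t off = 0; off + 4 <= len; off += 4) {
        gen_t *g = gen_alloc();
        if (!g) break;
        g->id = (uint16_t)(buf[off] | (buf[off + 1] << 8));
        g->amount = (int16_t)(buf[off + 2] | (buf[off + 3] << 8));
        *tail = g;                 /* appended to the zone's list as parsed */
        tail = &g->next;
        if (g->id == GEN_SAMPLEID)
            return 0;
    }
    gen_free_list(z->gen);         /* malformed: no sampleID terminator */
    if (fixed)
        z->gen = NULL;             /* the fix: zone no longer owns freed memory */
    return -1;
}

/* The loader's cleanup path, run for every zone whether parsing succeeded or not. */
static void delete_zone(zone_t *z)
{
    gen_free_list(z->gen);
    z->gen = NULL;
}

typedef struct { int parse_rc; int double_frees; } load_result_t;

/* Parse one zone, then run cleanup as sfload -> sffile_close -> delete_zone would. */
static load_result_t load_zone(const uint8_t *buf, size_t len, int fixed)
{
    zone_t z = { NULL };
    load_result_t r;
    pool_used = 0;
    double_free_count = 0;
    r.parse_rc = parse_zone_gens(&z, buf, len, fixed);
    delete_zone(&z);
    r.double_frees = double_free_count;
    return r;
}

/* Constructed inputs: keyRange 0..127 then sampleID 0; and the same zone
 * with the sampleID record missing (the malformed case). */
static const uint8_t ZONE_OK[]  = { 0x2B,0x00, 0x00,0x7F, 0x35,0x00, 0x00,0x00 };
static const uint8_t ZONE_BAD[] = { 0x2B,0x00, 0x00,0x7F };

int main(void)
{
    load_result_t buggy = load_zone(ZONE_BAD, sizeof ZONE_BAD, 0);
    load_result_t fixed = load_zone(ZONE_BAD, sizeof ZONE_BAD, 1);
    printf("buggy: rc=%d double frees=%d\n", buggy.parse_rc, buggy.double_frees);
    printf("fixed: rc=%d double frees=%d\n", fixed.parse_rc, fixed.double_frees);
    return 0;
}
```

The point to carry over to a real parser is that the error path must leave every structure the caller will later tear down in a consistent state: either unlink the zone from its instrument before freeing its list, or null the pointer, but never free through a pointer the owner still holds. Building with `-fsanitize=address` instead of the instrumented pool would report the same second free as a `double-free` on the buggy variant.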