Multiple heap-based buffer overflows in Ca2mLoader::load() #88
Could someone do a PR to have these included in the unit tests?

This issue has been assigned CVE-2019-14732.
miller-alex added a commit to miller-alex/adplug that referenced this issue on Apr 3, 2020:
While fuzzing AdPlug with American Fuzzy Lop, Frederic Cambus found several memory issues and reported them on github. Hook up the reproducers he provided as test cases in stresstest.cpp. This includes tests for the following github issues:
* Issue adplug#85 ("Heap-based buffer overflow in CxadbmfPlayer::__bmf_convert_stream()")
* Issue adplug#86 ("Heap-based buffer overflow in CdtmLoader::load()")
* Issue adplug#87 ("Heap-based buffer overflow in CmkjPlayer::load()")
* Issue adplug#88 ("Multiple heap-based buffer overflows in Ca2mLoader::load()")
* Issue adplug#89 ("Multiple heap-based buffer overflows in CradLoader::load()")
* Issue adplug#90 ("Multiple heap-based buffer overflows in CmtkLoader::load()")
* Issue adplug#91 ("Double free in Cu6mPlayer::~Cu6mPlayer()")
Co-authored-by: Frederic Cambus <fred@statdns.com>
Bug: adplug#85
Bug: adplug#86
Bug: adplug#87
Bug: adplug#88
Bug: adplug#89
Bug: adplug#90
Bug: adplug#91
miller-alex added a commit to miller-alex/adplug that referenced this issue on Apr 3, 2020:
Missing checks and wrong calculations in src/a2m.cpp cause multiple heap-based buffer overflows and out-of-bounds reads in heap, stack, and static data. Bugs addressed in this commit:
* Check the number of patterns. Too big values can cause reads past the end of the len array.
* Reading a not packed data block with odd length will allocate a buffer which is one byte too small and write past the end of it (issue adplug#88). Change the allocation/deallocation code to fix that in both places.
* Check that data blocks (after unpacking if applicable) are big enough for the expected data before accessing the memory.
* Ensure that the length byte for author, song name, and instrument names doesn't exceed the maximum size available.
* Also change the accessor functions for these strings to call the proper std::string constructors for char arrays.
* Avoid reads past the end of convfx/newconvfx arrays while converting track data.
This commit fixes CVE-2019-14732.
Fixes: adplug#88
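The commit message above lists the classes of check that were missing: a pattern count bounded by the size of the length table, a string length byte bounded by its fixed field, a data block that must actually be present in the input before it is read, and an allocation that must match the block's real byte length. The following is an added example written for this page, not AdPlug's a2m.cpp: it parses a deliberately simplified, invented container (a pattern count, a length-prefixed song name, then length-prefixed data blocks) with each of those checks in place, and frees everything it allocated on any malformed input. The format, field widths and function names are assumptions for illustration only.

```c
/* Added example: a hypothetical length-prefixed module loader with the
 * bounds checks described in the commit message. Constructed illustration,
 * not AdPlug's code; the container layout below is invented. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PATTERNS 64   /* size of the fixed-length table (assumed) */
#define NAME_FIELD   42   /* fixed on-disk width of the name field (assumed) */

typedef struct {
    size_t   num_patterns;                 /* blocks actually loaded */
    char     song_name[NAME_FIELD + 1];    /* always NUL-terminated */
    uint16_t block_len[MAX_PATTERNS];      /* the "len array" */
    uint8_t *blocks[MAX_PATTERNS];
} module_t;

/* Bounds-checked cursor over the input buffer. */
typedef struct { const uint8_t *p; size_t left; } reader_t;

/* Hand out n bytes from the input, or fail if fewer than n remain. */
static int take(reader_t *r, size_t n, const uint8_t **out)
{
    if (n > r->left) return -1;            /* would read past end of input */
    *out = r->p;
    r->p += n;
    r->left -= n;
    return 0;
}

void free_module(module_t *m)
{
    for (size_t i = 0; i < m->num_patterns; i++) free(m->blocks[i]);
    memset(m, 0, sizeof *m);
}

/* Layout parsed: u8 num_patterns; u8 name_len; name bytes; then for each
 * pattern a u16 little-endian length followed by that many payload bytes.
 * Returns 0 on success, -1 on any malformed input (no allocation leaks). */
int load_module(const uint8_t *buf, size_t size, module_t *m)
{
    reader_t r = { buf, size };
    const uint8_t *f;
    memset(m, 0, sizeof *m);

    /* Pattern count: reject values that would index past block_len[]. */
    if (take(&r, 1, &f)) return -1;
    size_t npat = f[0];
    if (npat > MAX_PATTERNS) return -1;

    /* A string's length byte must fit both its fixed field and the input. */
    if (take(&r, 1, &f)) return -1;
    size_t name_len = f[0];
    if (name_len > NAME_FIELD) return -1;
    if (take(&r, name_len, &f)) return -1;
    memcpy(m->song_name, f, name_len);     /* explicit length, never strcpy */
    m->song_name[name_len] = '\0';

    for (size_t i = 0; i < npat; i++) {
        if (take(&r, 2, &f)) goto fail;
        size_t len = (size_t)f[0] | ((size_t)f[1] << 8);
        /* The whole block must be present before any of it is touched. */
        if (take(&r, len, &f)) goto fail;
        /* Allocate the exact byte count. Sizing the buffer in 16-bit units
         * (len / 2 * 2) would be one byte short for an odd-length block. */
        uint8_t *blk = malloc(len ? len : 1);
        if (!blk) goto fail;
        memcpy(blk, f, len);
        m->block_len[i] = (uint16_t)len;
        m->blocks[i] = blk;
        m->num_patterns = i + 1;
    }
    return 0;

fail:
    free_module(m);                        /* frees only what was loaded */
    return -1;
}

int main(void)
{
    /* Constructed sample: 2 patterns, name "abc", blocks of 3 and 2 bytes. */
    static const uint8_t sample[] = { 2, 3, 'a', 'b', 'c',
                                      3, 0, 1, 2, 3,
                                      2, 0, 9, 9 };
    module_t m;
    int rc = load_module(sample, sizeof sample, &m);
    printf("rc=%d name=%s patterns=%zu\n", rc, m.song_name, m.num_patterns);
    if (rc == 0) free_module(&m);
    return rc == 0 ? 0 : 1;
}
```

The point of the `take()` helper is that every field, including the variable-length ones, goes through a single length check against the bytes that remain, so a block whose declared length exceeds the file, a name byte larger than its field, or a pattern count larger than the table is rejected before any memory is allocated or indexed.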
Malvineous pushed a commit that referenced this issue on May 11, 2020:
While fuzzing AdPlug with American Fuzzy Lop, Frederic Cambus found several memory issues and reported them on github. Hook up the reproducers he provided as test cases in stresstest.cpp. This includes tests for the following github issues:
* Issue #85 ("Heap-based buffer overflow in CxadbmfPlayer::__bmf_convert_stream()")
* Issue #86 ("Heap-based buffer overflow in CdtmLoader::load()")
* Issue #87 ("Heap-based buffer overflow in CmkjPlayer::load()")
* Issue #88 ("Multiple heap-based buffer overflows in Ca2mLoader::load()")
* Issue #89 ("Multiple heap-based buffer overflows in CradLoader::load()")
* Issue #90 ("Multiple heap-based buffer overflows in CmtkLoader::load()")
* Issue #91 ("Double free in Cu6mPlayer::~Cu6mPlayer()")
Co-authored-by: Frederic Cambus <fred@statdns.com>
Bug: #85
Bug: #86
Bug: #87
Bug: #88
Bug: #89
Bug: #90
Bug: #91
Hi,
While fuzzing AdPlug with American Fuzzy Lop, I found multiple heap-based buffer overflows in Ca2mLoader::load(), in src/a2m.cpp L106 and L184.
Attaching reproducers for both issues (gzipped so GitHub accepts them):