You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
global buffer overflow running wavpack with "-y poc.wav" option
Running 'wavpack -y poc.wav' with the attached file raises global buffer overflow
which may allow a remote attacker to cause unspecified impact including denial-of-service attack
I expected the program to terminate without segfault, but the program crashes as follow
june@june:~/temp/report/wavpack/00000178$ ../../binary/wavpack-5.1.0/cli/.libs/wavpack -y poc.wav
WAVPACK Hybrid Lossless Audio Compressor Linux Version 5.1.0
Copyright (c) 1998 - 2017 David Bryant. All Rights Reserved.
creating poc.wv,=================================================================
==13894==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55555558ac95 at pc 0x7ffff6e96181 bp 0x7fffffffb1f0 sp 0x7fffffffa9a0
READ of size 22 at 0x55555558ac95 thread T0
#0 0x7ffff6e96180 in strdup (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x58180)
#1 0x555555578d57 in ParseCaffHeaderConfig /home/june/temp/report/binary/wavpack-5.1.0/cli/caff.c:425
#2 0x555555567c3a in pack_file /home/june/temp/report/binary/wavpack-5.1.0/cli/wavpack.c:1774
#3 0x555555565e5e in main /home/june/temp/report/binary/wavpack-5.1.0/cli/wavpack.c:1270
#4 0x7ffff65902b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#5 0x5555555609a9 in _start (/home/june/temp/report/binary/wavpack-5.1.0/cli/.libs/wavpack+0xc9a9)
0x55555558ac95 is located 0 bytes to the right of global variable 'TMH_full' defined in 'caff.c:92:19' (0x55555558ac80) of size 21
0x55555558ac95 is located 43 bytes to the left of global variable 'TMH_std' defined in 'caff.c:93:19' (0x55555558acc0) of size 16
SUMMARY: AddressSanitizer: global-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x58180) in strdup
Shadow bytes around the buggy address:
0x0aab2aaa9540: 00 03 f9 f9 f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9
0x0aab2aaa9550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0aab2aaa9560: 00 00 00 00 03 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
0x0aab2aaa9570: 00 03 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
0x0aab2aaa9580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0aab2aaa9590: 00 00[05]f9 f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9
0x0aab2aaa95a0: 03 f9 f9 f9 f9 f9 f9 f9 03 f9 f9 f9 f9 f9 f9 f9
0x0aab2aaa95b0: 03 f9 f9 f9 f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9
0x0aab2aaa95c0: 06 f9 f9 f9 f9 f9 f9 f9 07 f9 f9 f9 f9 f9 f9 f9
0x0aab2aaa95d0: 00 01 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
0x0aab2aaa95e0: 05 f9 f9 f9 f9 f9 f9 f9 06 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==13894==ABORTING
Forwarding a bug report we received in the Debian Bug Tracker (https://bugs.debian.org/889274):
global buffer overflow running wavpack with "-y poc.wav" option
Running 'wavpack -y poc.wav' with the attached file raises global buffer overflow
which may allow a remote attacker to cause unspecified impact including denial-of-service attack
I expected the program to terminate without segfault, but the program crashes as follow
poc.wav can be downloaded from https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=889274;filename=poc.wav;msg=5.
The text was updated successfully, but these errors were encountered: