Dear all,
This bug was found with AFLSmart, an extension of AFL. Thanks also to Marcel Böhme, Andrew Santosa and Alexandru Razvan Caciulescu. The attached file, wavpack_crash2.wav.tar.gz, could lead to denial of service and potentially code execution.
This bug was found on Ubuntu 16.04 64-bit & WavPack revision 0a7295 (HEAD)
To reproduce:
Download & extract the attached file - wavpack_crash2.wav
wavpack -y wavpack_crash2.wav
Valgrind says:
creating wavpack_crash2.wv,
==167402== Invalid write of size 2
==167402== at 0x49A650: send_float_data (pack_floats.c:217)
==167402== by 0x4906D6: pack_block (pack.c:675)
==167402== by 0x4A0050: pack_streams (pack_utils.c:951)
==167402== by 0x4ACD7D: WavpackPackSamples (pack_utils.c:677)
==167402== by 0x43565C: pack_audio (wavpack.c:2356)
==167402== by 0x43565C: pack_file (wavpack.c:1891)
==167402== by 0x407442: main (wavpack.c:1272)
==167402== Address 0x57a268e is 45,134 bytes inside a block of size 45,135 alloc'd
==167402== at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==167402== by 0x49FF3D: pack_streams (pack_utils.c:928)
==167402== by 0x4ACD7D: WavpackPackSamples (pack_utils.c:677)
==167402== by 0x43565C: pack_audio (wavpack.c:2356)
==167402== by 0x43565C: pack_file (wavpack.c:1891)
==167402== by 0x407442: main (wavpack.c:1272)
==167402==
output buffer overflowed!
ASAN says:
creating wavpack_crash2.wv,
common_utils.c:626:104: runtime error: left shift of 255 by 24 places cannot be represented in type 'int'
pack_utils.c:344:36: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
wavpack.c:3751:70: runtime error: left shift of negative value -128
write_words.c:502:9: runtime error: left shift of 18788819 by 10 places cannot be represented in type 'int'
pack_floats.c:217:17: runtime error: left shift of 8356652 by 9 places cannot be represented in type 'int'
=================================================================
==167535==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62e00000b44e at pc 0x00000046be3e bp 0x7fff6b5e9270 sp 0x7fff6b5e9260
WRITE of size 2 at 0x62e00000b44e thread T0
#0 0x46be3d in send_float_data /home/thuan/subjects/WavPack-asan/src/pack_floats.c:217
#1 0x4548ed in pack_block /home/thuan/subjects/WavPack-asan/src/pack.c:675
#2 0x47919f in pack_streams /home/thuan/subjects/WavPack-asan/src/pack_utils.c:951
#3 0x4770b9 in WavpackPackSamples /home/thuan/subjects/WavPack-asan/src/pack_utils.c:677
#4 0x40ff19 in pack_audio /home/thuan/subjects/WavPack-asan/cli/wavpack.c:2356
#5 0x40d8d8 in pack_file /home/thuan/subjects/WavPack-asan/cli/wavpack.c:1891
#6 0x40a80b in main /home/thuan/subjects/WavPack-asan/cli/wavpack.c:1272
#7 0x7f95a780c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#8 0x402528 in _start (/home/thuan/subjects/WavPack-asan/cli/wavpack+0x402528)
0x62e00000b44f is located 0 bytes to the right of 45135-byte region [0x62e000000400,0x62e00000b44f)
allocated by thread T0 here:
#0 0x7f95a8ca4f70 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc6f70)
#1 0x478bb3 in pack_streams /home/thuan/subjects/WavPack-asan/src/pack_utils.c:928
#2 0x4770b9 in WavpackPackSamples /home/thuan/subjects/WavPack-asan/src/pack_utils.c:677
#3 0x40ff19 in pack_audio /home/thuan/subjects/WavPack-asan/cli/wavpack.c:2356
#4 0x40d8d8 in pack_file /home/thuan/subjects/WavPack-asan/cli/wavpack.c:1891
#5 0x40a80b in main /home/thuan/subjects/WavPack-asan/cli/wavpack.c:1272
#6 0x7f95a780c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/thuan/subjects/WavPack-asan/src/pack_floats.c:217 in send_float_data
Regards,
Thuan
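Added triage example (not part of the report or of WavPack): a small Python helper that parses the size and address lines of the Valgrind and ASAN output above and confirms both describe the same write, 2 bytes starting at offset 45,134 of a 45,135-byte block, so the write runs exactly 1 byte past the allocation. The sample strings are copied from the report; the function names are the example's own.

```python
import re

# Sample input: the relevant Valgrind memcheck lines from the report above.
VALGRIND = """\
==167402== Invalid write of size 2
==167402== at 0x49A650: send_float_data (pack_floats.c:217)
==167402== Address 0x57a268e is 45,134 bytes inside a block of size 45,135 alloc'd
"""

# Sample input: the relevant ASAN lines from the report above.
ASAN = """\
WRITE of size 2 at 0x62e00000b44e thread T0
0x62e00000b44f is located 0 bytes to the right of 45135-byte region [0x62e000000400,0x62e00000b44f)
"""


def _num(s):
    # Valgrind prints decimals with thousands separators ("45,134").
    return int(s.replace(",", ""))


def valgrind_overrun(report):
    """(write_size, offset, block_size, bytes_past_end) from a memcheck 'Invalid write'."""
    size = int(re.search(r"Invalid write of size (\d+)", report).group(1))
    m = re.search(r"is ([\d,]+) bytes inside a block of size ([\d,]+)", report)
    offset, block = _num(m.group(1)), _num(m.group(2))
    return size, offset, block, max(0, offset + size - block)


def asan_overrun(report):
    """(write_size, offset, block_size, bytes_past_end) from an ASAN heap-buffer-overflow."""
    m = re.search(r"WRITE of size (\d+) at (0x[0-9a-f]+)", report)
    size, addr = int(m.group(1)), int(m.group(2), 16)
    m = re.search(r"(\d+)-byte region \[(0x[0-9a-f]+),", report)
    block, start = int(m.group(1)), int(m.group(2), 16)
    offset = addr - start  # ASAN gives the absolute address; derive the offset
    return size, offset, block, max(0, offset + size - block)


def shadow_byte_for_tail(block_size):
    """ASAN shadow value of a block's last 8-byte granule: its addressable bytes (0 = all 8)."""
    return block_size % 8


def reports_agree(valgrind=VALGRIND, asan=ASAN):
    """True when both tools report the same write size, offset, allocation and overrun."""
    return valgrind_overrun(valgrind) == asan_overrun(asan)


if __name__ == "__main__":
    print(valgrind_overrun(VALGRIND), asan_overrun(ASAN), reports_agree())
```

For this report the overrun is a single byte, which is the signature of an off-by-one in the output buffer sizing rather than an unbounded copy; a 45,135-byte block also ends in a granule with 7 addressable bytes, matching what ASAN shows in its shadow map.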