Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

WavPack crashes -- Heap buffer overwrite #31

Closed
thuanpv opened this issue Apr 22, 2018 · 1 comment
Closed

WavPack crashes -- Heap buffer overwrite #31

thuanpv opened this issue Apr 22, 2018 · 1 comment
Assignees
@dbry

Comments

@thuanpv
Copy link

thuanpv commented Apr 22, 2018

Dear all,

This bug was found with AFLSmart, an extension of AFL. Thanks also to Marcel Böhme, Andrew Santosa and Alexandru Razvan Caciulescu. This
wavpack_crash2.wav.tar.gz
could lead to denial of service and potentially code execution.

This bug was found on Ubuntu 16.04 64-bit & WavPack revision 0a7295 (HEAD)

To reproduce:
Download & extract the attached file - wavpack_crash2.wav
wavpack -y wavpack_crash2.wav

Error message:

 WAVPACK  Hybrid Lossless Audio Compressor  Linux Version 5.1.0
 Copyright (c) 1998 - 2017 David Bryant.  All Rights Reserved.

creating wavpack_crash2.wv,*** Error in `../WavPack/cli/wavpack': double free or corruption (out): 0x0000000000a2d7d0 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f191607d7e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7f191608637a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f191608a53c]
../WavPack/cli/wavpack[0x49080c]
../WavPack/cli/wavpack[0x4a0051]
../WavPack/cli/wavpack[0x4acd7e]
../WavPack/cli/wavpack[0x43565d]
../WavPack/cli/wavpack[0x407443]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f1916026830]
../WavPack/cli/wavpack[0x416bf9]
======= Memory map: ========
00400000-00536000 r-xp 00000000 08:02 74187737                           /home/thuan/subjects/WavPack/cli/wavpack
00736000-00737000 r--p 00136000 08:02 74187737                           /home/thuan/subjects/WavPack/cli/wavpack
00737000-00738000 rw-p 00137000 08:02 74187737                           /home/thuan/subjects/WavPack/cli/wavpack
0097a000-00a59000 rw-p 00000000 00:00 0                                  [heap]
7f1910000000-7f1910021000 rw-p 00000000 00:00 0 
7f1910021000-7f1914000000 ---p 00000000 00:00 0 
7f1915def000-7f1915e05000 r-xp 00000000 08:02 70654120                   /lib/x86_64-linux-gnu/libgcc_s.so.1
7f1915e05000-7f1916004000 ---p 00016000 08:02 70654120                   /lib/x86_64-linux-gnu/libgcc_s.so.1
7f1916004000-7f1916005000 r--p 00015000 08:02 70654120                   /lib/x86_64-linux-gnu/libgcc_s.so.1
7f1916005000-7f1916006000 rw-p 00016000 08:02 70654120                   /lib/x86_64-linux-gnu/libgcc_s.so.1
7f1916006000-7f19161c6000 r-xp 00000000 08:02 70648185                   /lib/x86_64-linux-gnu/libc-2.23.so
7f19161c6000-7f19163c6000 ---p 001c0000 08:02 70648185                   /lib/x86_64-linux-gnu/libc-2.23.so
7f19163c6000-7f19163ca000 r--p 001c0000 08:02 70648185                   /lib/x86_64-linux-gnu/libc-2.23.so
7f19163ca000-7f19163cc000 rw-p 001c4000 08:02 70648185                   /lib/x86_64-linux-gnu/libc-2.23.so
7f19163cc000-7f19163d0000 rw-p 00000000 00:00 0 
7f19163d0000-7f19164d8000 r-xp 00000000 08:02 70648131                   /lib/x86_64-linux-gnu/libm-2.23.so
7f19164d8000-7f19166d7000 ---p 00108000 08:02 70648131                   /lib/x86_64-linux-gnu/libm-2.23.so
7f19166d7000-7f19166d8000 r--p 00107000 08:02 70648131                   /lib/x86_64-linux-gnu/libm-2.23.so
7f19166d8000-7f19166d9000 rw-p 00108000 08:02 70648131                   /lib/x86_64-linux-gnu/libm-2.23.so
7f19166d9000-7f19166ff000 r-xp 00000000 08:02 70648018                   /lib/x86_64-linux-gnu/ld-2.23.so
7f191670c000-7f19168f2000 rw-p 00000000 00:00 0 
7f19168fd000-7f19168fe000 rw-p 00000000 00:00 0 
7f19168fe000-7f19168ff000 r--p 00025000 08:02 70648018                   /lib/x86_64-linux-gnu/ld-2.23.so
7f19168ff000-7f1916900000 rw-p 00026000 08:02 70648018                   /lib/x86_64-linux-gnu/ld-2.23.so
7f1916900000-7f1916901000 rw-p 00000000 00:00 0 
7ffe6e5e1000-7ffe6e602000 rw-p 00000000 00:00 0                          [stack]
7ffe6e74e000-7ffe6e750000 r--p 00000000 00:00 0                          [vvar]
7ffe6e750000-7ffe6e752000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Aborted

Valgrind says:

creating wavpack_crash2.wv,==167402== Invalid write of size 2
==167402==    at 0x49A650: send_float_data (pack_floats.c:217)
==167402==    by 0x4906D6: pack_block (pack.c:675)
==167402==    by 0x4A0050: pack_streams (pack_utils.c:951)
==167402==    by 0x4ACD7D: WavpackPackSamples (pack_utils.c:677)
==167402==    by 0x43565C: pack_audio (wavpack.c:2356)
==167402==    by 0x43565C: pack_file (wavpack.c:1891)
==167402==    by 0x407442: main (wavpack.c:1272)
==167402==  Address 0x57a268e is 45,134 bytes inside a block of size 45,135 alloc'd
==167402==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==167402==    by 0x49FF3D: pack_streams (pack_utils.c:928)
==167402==    by 0x4ACD7D: WavpackPackSamples (pack_utils.c:677)
==167402==    by 0x43565C: pack_audio (wavpack.c:2356)
==167402==    by 0x43565C: pack_file (wavpack.c:1891)
==167402==    by 0x407442: main (wavpack.c:1272)
==167402== 
output buffer overflowed!

ASAN says:

creating wavpack_crash2.wv,common_utils.c:626:104: runtime error: left shift of 255 by 24 places cannot be represented in type 'int'
pack_utils.c:344:36: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
wavpack.c:3751:70: runtime error: left shift of negative value -128
write_words.c:502:9: runtime error: left shift of 18788819 by 10 places cannot be represented in type 'int'
pack_floats.c:217:17: runtime error: left shift of 8356652 by 9 places cannot be represented in type 'int'
=================================================================
==167535==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62e00000b44e at pc 0x00000046be3e bp 0x7fff6b5e9270 sp 0x7fff6b5e9260
WRITE of size 2 at 0x62e00000b44e thread T0
    #0 0x46be3d in send_float_data /home/thuan/subjects/WavPack-asan/src/pack_floats.c:217
    #1 0x4548ed in pack_block /home/thuan/subjects/WavPack-asan/src/pack.c:675
    #2 0x47919f in pack_streams /home/thuan/subjects/WavPack-asan/src/pack_utils.c:951
    #3 0x4770b9 in WavpackPackSamples /home/thuan/subjects/WavPack-asan/src/pack_utils.c:677
    #4 0x40ff19 in pack_audio /home/thuan/subjects/WavPack-asan/cli/wavpack.c:2356
    #5 0x40d8d8 in pack_file /home/thuan/subjects/WavPack-asan/cli/wavpack.c:1891
    #6 0x40a80b in main /home/thuan/subjects/WavPack-asan/cli/wavpack.c:1272
    #7 0x7f95a780c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #8 0x402528 in _start (/home/thuan/subjects/WavPack-asan/cli/wavpack+0x402528)

0x62e00000b44f is located 0 bytes to the right of 45135-byte region [0x62e000000400,0x62e00000b44f)
allocated by thread T0 here:
    #0 0x7f95a8ca4f70 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc6f70)
    #1 0x478bb3 in pack_streams /home/thuan/subjects/WavPack-asan/src/pack_utils.c:928
    #2 0x4770b9 in WavpackPackSamples /home/thuan/subjects/WavPack-asan/src/pack_utils.c:677
    #3 0x40ff19 in pack_audio /home/thuan/subjects/WavPack-asan/cli/wavpack.c:2356
    #4 0x40d8d8 in pack_file /home/thuan/subjects/WavPack-asan/cli/wavpack.c:1891
    #5 0x40a80b in main /home/thuan/subjects/WavPack-asan/cli/wavpack.c:1272
    #6 0x7f95a780c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/thuan/subjects/WavPack-asan/src/pack_floats.c:217 in send_float_data
Shadow bytes around the buggy address:
  0x0c5c7fff9630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5c7fff9640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5c7fff9650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5c7fff9660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5c7fff9670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c5c7fff9680: 00 00 00 00 00 00 00 00 00[07]fa fa fa fa fa fa
  0x0c5c7fff9690: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5c7fff96a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5c7fff96b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5c7fff96c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5c7fff96d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

Regards,

Thuan
@thuanpv
Copy link
Author

thuanpv commented Apr 23, 2018

This is potentially a duplicate of #30 . I attach here another crash-inducing test case.
wavpack_crash3.wav.tar.gz

@dbry dbry self-assigned this Apr 24, 2018
dbry added a commit that referenced this issue Apr 25, 2018
@dbry
issue #30 issue #31 issue #32: no multiple format chunks in WAV or W64
26cb47f
@thuanpv thuanpv closed this as completed Apr 26, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@dbry dbry

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@thuanpv @dbry