
WavPack crashes -- Heap buffer overwrite  #31

Closed
@thuanpv

Description


Dear all,

This bug was found with AFLSmart, an extension of AFL. Thanks also to Marcel Böhme, Andrew Santosa and Alexandru Razvan Caciulescu. This attached file (wavpack_crash2.wav.tar.gz) could lead to denial of service and potentially code execution.

This bug was found on Ubuntu 16.04 64-bit & WavPack revision 0a7295 (HEAD)

To reproduce:
Download & extract the attached file - wavpack_crash2.wav
wavpack -y wavpack_crash2.wav

Error message:

 WAVPACK  Hybrid Lossless Audio Compressor  Linux Version 5.1.0
 Copyright (c) 1998 - 2017 David Bryant.  All Rights Reserved.

creating wavpack_crash2.wv,*** Error in `../WavPack/cli/wavpack': double free or corruption (out): 0x0000000000a2d7d0 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f191607d7e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7f191608637a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f191608a53c]
../WavPack/cli/wavpack[0x49080c]
../WavPack/cli/wavpack[0x4a0051]
../WavPack/cli/wavpack[0x4acd7e]
../WavPack/cli/wavpack[0x43565d]
../WavPack/cli/wavpack[0x407443]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f1916026830]
../WavPack/cli/wavpack[0x416bf9]
======= Memory map: ========
00400000-00536000 r-xp 00000000 08:02 74187737                           /home/thuan/subjects/WavPack/cli/wavpack
00736000-00737000 r--p 00136000 08:02 74187737                           /home/thuan/subjects/WavPack/cli/wavpack
00737000-00738000 rw-p 00137000 08:02 74187737                           /home/thuan/subjects/WavPack/cli/wavpack
0097a000-00a59000 rw-p 00000000 00:00 0                                  [heap]
7f1910000000-7f1910021000 rw-p 00000000 00:00 0 
7f1910021000-7f1914000000 ---p 00000000 00:00 0 
7f1915def000-7f1915e05000 r-xp 00000000 08:02 70654120                   /lib/x86_64-linux-gnu/libgcc_s.so.1
7f1915e05000-7f1916004000 ---p 00016000 08:02 70654120                   /lib/x86_64-linux-gnu/libgcc_s.so.1
7f1916004000-7f1916005000 r--p 00015000 08:02 70654120                   /lib/x86_64-linux-gnu/libgcc_s.so.1
7f1916005000-7f1916006000 rw-p 00016000 08:02 70654120                   /lib/x86_64-linux-gnu/libgcc_s.so.1
7f1916006000-7f19161c6000 r-xp 00000000 08:02 70648185                   /lib/x86_64-linux-gnu/libc-2.23.so
7f19161c6000-7f19163c6000 ---p 001c0000 08:02 70648185                   /lib/x86_64-linux-gnu/libc-2.23.so
7f19163c6000-7f19163ca000 r--p 001c0000 08:02 70648185                   /lib/x86_64-linux-gnu/libc-2.23.so
7f19163ca000-7f19163cc000 rw-p 001c4000 08:02 70648185                   /lib/x86_64-linux-gnu/libc-2.23.so
7f19163cc000-7f19163d0000 rw-p 00000000 00:00 0 
7f19163d0000-7f19164d8000 r-xp 00000000 08:02 70648131                   /lib/x86_64-linux-gnu/libm-2.23.so
7f19164d8000-7f19166d7000 ---p 00108000 08:02 70648131                   /lib/x86_64-linux-gnu/libm-2.23.so
7f19166d7000-7f19166d8000 r--p 00107000 08:02 70648131                   /lib/x86_64-linux-gnu/libm-2.23.so
7f19166d8000-7f19166d9000 rw-p 00108000 08:02 70648131                   /lib/x86_64-linux-gnu/libm-2.23.so
7f19166d9000-7f19166ff000 r-xp 00000000 08:02 70648018                   /lib/x86_64-linux-gnu/ld-2.23.so
7f191670c000-7f19168f2000 rw-p 00000000 00:00 0 
7f19168fd000-7f19168fe000 rw-p 00000000 00:00 0 
7f19168fe000-7f19168ff000 r--p 00025000 08:02 70648018                   /lib/x86_64-linux-gnu/ld-2.23.so
7f19168ff000-7f1916900000 rw-p 00026000 08:02 70648018                   /lib/x86_64-linux-gnu/ld-2.23.so
7f1916900000-7f1916901000 rw-p 00000000 00:00 0 
7ffe6e5e1000-7ffe6e602000 rw-p 00000000 00:00 0                          [stack]
7ffe6e74e000-7ffe6e750000 r--p 00000000 00:00 0                          [vvar]
7ffe6e750000-7ffe6e752000 r-xp 00000000 00:00 0                          [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]
Aborted

Valgrind says:

creating wavpack_crash2.wv,==167402== Invalid write of size 2
==167402==    at 0x49A650: send_float_data (pack_floats.c:217)
==167402==    by 0x4906D6: pack_block (pack.c:675)
==167402==    by 0x4A0050: pack_streams (pack_utils.c:951)
==167402==    by 0x4ACD7D: WavpackPackSamples (pack_utils.c:677)
==167402==    by 0x43565C: pack_audio (wavpack.c:2356)
==167402==    by 0x43565C: pack_file (wavpack.c:1891)
==167402==    by 0x407442: main (wavpack.c:1272)
==167402==  Address 0x57a268e is 45,134 bytes inside a block of size 45,135 alloc'd
==167402==    at 0x4C2DB8F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==167402==    by 0x49FF3D: pack_streams (pack_utils.c:928)
==167402==    by 0x4ACD7D: WavpackPackSamples (pack_utils.c:677)
==167402==    by 0x43565C: pack_audio (wavpack.c:2356)
==167402==    by 0x43565C: pack_file (wavpack.c:1891)
==167402==    by 0x407442: main (wavpack.c:1272)
==167402== 
output buffer overflowed!                             

ASAN says:

creating wavpack_crash2.wv,common_utils.c:626:104: runtime error: left shift of 255 by 24 places cannot be represented in type 'int'
pack_utils.c:344:36: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
wavpack.c:3751:70: runtime error: left shift of negative value -128
write_words.c:502:9: runtime error: left shift of 18788819 by 10 places cannot be represented in type 'int'
pack_floats.c:217:17: runtime error: left shift of 8356652 by 9 places cannot be represented in type 'int'
=================================================================
==167535==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62e00000b44e at pc 0x00000046be3e bp 0x7fff6b5e9270 sp 0x7fff6b5e9260
WRITE of size 2 at 0x62e00000b44e thread T0
    #0 0x46be3d in send_float_data /home/thuan/subjects/WavPack-asan/src/pack_floats.c:217
    #1 0x4548ed in pack_block /home/thuan/subjects/WavPack-asan/src/pack.c:675
    #2 0x47919f in pack_streams /home/thuan/subjects/WavPack-asan/src/pack_utils.c:951
    #3 0x4770b9 in WavpackPackSamples /home/thuan/subjects/WavPack-asan/src/pack_utils.c:677
    #4 0x40ff19 in pack_audio /home/thuan/subjects/WavPack-asan/cli/wavpack.c:2356
    #5 0x40d8d8 in pack_file /home/thuan/subjects/WavPack-asan/cli/wavpack.c:1891
    #6 0x40a80b in main /home/thuan/subjects/WavPack-asan/cli/wavpack.c:1272
    #7 0x7f95a780c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #8 0x402528 in _start (/home/thuan/subjects/WavPack-asan/cli/wavpack+0x402528)

0x62e00000b44f is located 0 bytes to the right of 45135-byte region [0x62e000000400,0x62e00000b44f)
allocated by thread T0 here:
    #0 0x7f95a8ca4f70 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc6f70)
    #1 0x478bb3 in pack_streams /home/thuan/subjects/WavPack-asan/src/pack_utils.c:928
    #2 0x4770b9 in WavpackPackSamples /home/thuan/subjects/WavPack-asan/src/pack_utils.c:677
    #3 0x40ff19 in pack_audio /home/thuan/subjects/WavPack-asan/cli/wavpack.c:2356
    #4 0x40d8d8 in pack_file /home/thuan/subjects/WavPack-asan/cli/wavpack.c:1891
    #5 0x40a80b in main /home/thuan/subjects/WavPack-asan/cli/wavpack.c:1272
    #6 0x7f95a780c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/thuan/subjects/WavPack-asan/src/pack_floats.c:217 in send_float_data
Shadow bytes around the buggy address:
  0x0c5c7fff9630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5c7fff9640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5c7fff9650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5c7fff9660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5c7fff9670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c5c7fff9680: 00 00 00 00 00 00 00 00 00[07]fa fa fa fa fa fa
  0x0c5c7fff9690: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5c7fff96a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5c7fff96b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5c7fff96c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5c7fff96d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

Regards,

Thuan
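The traces above show a 2-byte write landing exactly at the end of a 45135-byte output block allocated in pack_streams, followed (in the Valgrind run) by an "output buffer overflowed!" message, i.e. the overrun is noticed only after memory past the block has already been written, and UBSan additionally flags signed left shifts in the same packing path. The block below is an added illustration of the defensive pattern for this class of bug, not WavPack's code: a bitstream writer that checks remaining capacity before touching memory, refuses the write, and keeps all shift arithmetic unsigned. The type and function names (bitwriter, bw_put, pack_mantissas), the 23-bit sample width and the sample data are all invented for the example; the guard bytes placed after the block stand in for what ASan's redzone detected here.

```c
/*
 * Added example, not WavPack code. A bounds-checked bitstream writer:
 * every put checks that the bytes it will flush fit in the caller-owned
 * block BEFORE writing, so an undersized block yields a refused write,
 * never an out-of-bounds store. All names here are invented.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct {
    uint8_t *buf;      /* start of the caller-owned output block */
    size_t   cap;      /* size of that block in bytes */
    size_t   pos;      /* next byte to write (pos <= cap always) */
    uint32_t acc;      /* bit accumulator; unsigned so shifts are defined */
    unsigned nbits;    /* valid bits currently held in acc (0..7 between calls) */
    int      overflow; /* set once a write would have crossed cap */
} bitwriter;

static void bw_init(bitwriter *bw, uint8_t *buf, size_t cap) {
    bw->buf = buf; bw->cap = cap; bw->pos = 0;
    bw->acc = 0; bw->nbits = 0; bw->overflow = 0;
}

/* Append the low `count` bits of `value` (1..24). Returns 1 on success, 0 if
 * they do not fit; on failure nothing is written and the writer is marked
 * overflowed so every later call fails as well. */
static int bw_put(bitwriter *bw, uint32_t value, unsigned count) {
    if (bw->overflow || count == 0 || count > 24)
        return 0;
    size_t need = (bw->nbits + count) / 8;     /* whole bytes this call flushes */
    if (need > bw->cap - bw->pos) {            /* check before any store */
        bw->overflow = 1;
        return 0;
    }
    value &= (1u << count) - 1u;
    bw->acc |= value << bw->nbits;             /* nbits + count <= 31: fits uint32 */
    bw->nbits += count;
    while (bw->nbits >= 8) {
        bw->buf[bw->pos++] = (uint8_t)(bw->acc & 0xffu);
        bw->acc >>= 8;
        bw->nbits -= 8;
    }
    return 1;
}

/* Flush a trailing partial byte. Returns bytes produced, or 0 on overflow. */
static size_t bw_close(bitwriter *bw) {
    if (bw->overflow) return 0;
    if (bw->nbits > 0) {
        if (bw->pos >= bw->cap) { bw->overflow = 1; return 0; }
        bw->buf[bw->pos++] = (uint8_t)(bw->acc & 0xffu);
        bw->acc = 0; bw->nbits = 0;
    }
    return bw->pos;
}

/* Pack `nsamples` 23-bit values (the width of an IEEE single's fraction) into
 * a block of `cap` bytes, the way a float-sample packer might. Returns the
 * bytes produced, or 0 if the block was too small; *guard_ok reports whether
 * the two guard bytes placed just past the block survived untouched. */
static size_t pack_mantissas(size_t cap, size_t nsamples, int *guard_ok) {
    uint8_t *block = malloc(cap + 2);
    if (!block) { *guard_ok = 0; return 0; }
    block[cap] = 0xA5; block[cap + 1] = 0x5A;  /* guard bytes past the block */
    bitwriter bw;
    bw_init(&bw, block, cap);
    for (size_t i = 0; i < nsamples; i++) {
        /* constructed sample data: a scrambled counter masked to 23 bits */
        uint32_t mantissa = (uint32_t)(i * 2654435761u) & 0x7fffffu;
        if (!bw_put(&bw, mantissa, 23))
            break;                             /* refuse rather than overrun */
    }
    size_t out = bw_close(&bw);
    *guard_ok = (block[cap] == 0xA5 && block[cap + 1] == 0x5A);
    free(block);
    return out;
}

/* Thin wrappers so each result can be checked separately. */
static size_t demo_bytes(size_t cap, size_t nsamples) {
    int ok; return pack_mantissas(cap, nsamples, &ok);
}
static int demo_guard_ok(size_t cap, size_t nsamples) {
    int ok; pack_mantissas(cap, nsamples, &ok); return ok;
}

int main(void) {
    /* 8 x 23 bits = 184 bits = exactly 23 bytes: fits in 23, refused in 22 */
    printf("cap 23: %zu bytes, guard intact: %d\n", demo_bytes(23, 8), demo_guard_ok(23, 8));
    printf("cap 22: %zu bytes, guard intact: %d\n", demo_bytes(22, 8), demo_guard_ok(22, 8));
    return 0;
}
```

The point of the capacity check sitting inside bw_put rather than after the loop is that the decision is made per write: a block whose size was estimated up front (as the 45135-byte region here was) cannot be overrun by a stream that turns out to need one or two bytes more, only truncated with an error the caller can act on.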
