out of bounds read in the function d2alaw_array() and d2ulaw_array() of libsndfile 1.0.29pre1 #344
Comments
A similar threat seems to have appeared in 1.0.28, but not well-fixed in 1.0.29pre1
CVE-2017-17456 and CVE-2017-17457 were assigned for those two issues
i2ulaw_array() and i2alaw_array() fail to handle ptr [count] = INT_MIN properly, leading to buffer underflow. INT_MIN is a special value since - INT_MIN cannot be represented as int. In this case round - INT_MIN to INT_MAX and proceed as usual. f2ulaw_array() and f2alaw_array() fail to handle ptr [count] = NaN properly, leading to null pointer dereference. In this case, arbitrarily set the buffer value to 0. This commit fixes libsndfile#429 (CVE-2018-19661 and CVE-2018-19662) and fixes libsndfile#344 (CVE-2017-17456 and CVE-2017-17457).
OK, this issue is identical to #317. Rationale: both issues share the exact same crash path. CVE-2017-17457 (#344):
Further debugging shows that the root issue is identical as well: NaN and Infinity values are passed to the d2ulaw_array function which uses these numbers as index to access an array, leading to OOB read. I have notified the MITRE team for CVE update.
Duplicate of #317
root@yhk-RH2485-V2:~/ljl/libsndfile_new/programs# ./sndfile-convert -alaw id:000000,sig:11,src:000024,op:flip2,pos:34 1.raw
crash_case.tar.gz
ASAN:SIGSEGV
==123453== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000485b74 sp 0x7fff2ffa4290 bp 0x7fff2ffa42c0 T0)
AddressSanitizer can not provide additional info.
#0 0x485b73 (/root/ljl/libsndfile_new/programs/sndfile-convert+0x485b73)
#1 0x486860 (/root/ljl/libsndfile_new/programs/sndfile-convert+0x486860)
#2 0x417667 (/root/ljl/libsndfile_new/programs/sndfile-convert+0x417667)
#3 0x40360f (/root/ljl/libsndfile_new/programs/sndfile-convert+0x40360f)
#4 0x402fd2 (/root/ljl/libsndfile_new/programs/sndfile-convert+0x402fd2)
#5 0x7f06e1f6bf44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#6 0x401a28 (/root/ljl/libsndfile_new/programs/sndfile-convert+0x401a28)
==123453== ABORTING
root@yhk-RH2485-V2:~/ljl/libsndfile_new/programs# gdb sndfile-convert
GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.3) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
http://www.gnu.org/software/gdb/bugs/.
Find the GDB manual and other documentation resources online at:
http://www.gnu.org/software/gdb/documentation/.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from sndfile-convert...done.
(gdb) r -alaw id:000000,sig:11,src:000024,op:flip2,pos:34 1.raw
Starting program: /root/ljl/libsndfile_new/programs/sndfile-convert -alaw id:000000,sig:11,src:000024,op:flip2,pos:34 1.raw
warning: the debug information found in "/lib/x86_64-linux-gnu/libc-2.19.so" does not match "/lib/x86_64-linux-gnu/libc.so.6" (CRC mismatch).
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
0x0000000000485b74 in d2alaw_array ()
(gdb) bt
#0 0x0000000000485b74 in d2alaw_array ()
#1 0x0000000000486861 in alaw_write_d2alaw ()
#2 0x0000000000417668 in sf_writef_double ()
#3 0x0000000000403610 in sfe_copy_data_fp ()
#4 0x0000000000402fd3 in main ()
(gdb) i r
rax 0x800000000075b300 -9223372036847062272
rbx 0x7fffffffd079 140737488343161
rcx 0x10000000800e3660 1152921506755262048
rdx 0x8000000000000000 -9223372036854775808
rsi 0x2 2
rdi 0x763100 7745792
rbp 0x7fffffffc130 0x7fffffffc130
rsp 0x7fffffffc100 0x7fffffffc100
r8 0x10007fff7c00 17594333494272
r9 0x0 0
r10 0x7fffffffbec0 140737488338624
r11 0x7ffff4b6fcd0 140737299021008
r12 0x7fffffffe714 140737488348948
r13 0x7fffffffe450 140737488348240
r14 0x0 0
r15 0x0 0
rip 0x485b74 0x485b74 <d2alaw_array+412>
eflags 0x10206 [ PF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb) x/4i $pc
=> 0x485b74 <d2alaw_array+412>: movzbl (%rcx),%ecx
0x485b77 <d2alaw_array+415>: test %cl,%cl
0x485b79 <d2alaw_array+417>: setne %dil
0x485b7d <d2alaw_array+421>: mov %rax,%rsi
==18519== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000004d0b24 sp 0x7ffd1ba8fea0 bp 0x7ffd1ba8fed0 T0)
AddressSanitizer can not provide additional info.
#0 0x4d0b23 (/root/ljl/libsndfile_new/programs/sndfile-convert+0x4d0b23)
#1 0x4d1810 (/root/ljl/libsndfile_new/programs/sndfile-convert+0x4d1810)
#2 0x417667 (/root/ljl/libsndfile_new/programs/sndfile-convert+0x417667)
#3 0x40360f (/root/ljl/libsndfile_new/programs/sndfile-convert+0x40360f)
#4 0x402fd2 (/root/ljl/libsndfile_new/programs/sndfile-convert+0x402fd2)
#5 0x7fe0cd4f9f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#6 0x401a28 (/root/ljl/libsndfile_new/programs/sndfile-convert+0x401a28)
==18519== ABORTING
root@yhk-RH2485-V2:~/ljl/libsndfile_new/programs# gdb sndfile-convert
GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.3) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
http://www.gnu.org/software/gdb/bugs/.
Find the GDB manual and other documentation resources online at:
http://www.gnu.org/software/gdb/documentation/.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from sndfile-convert...done.
(gdb) r -ulaw id:000000,sig:11,src:000024,op:flip2,pos:34 1.raw
Starting program: /root/ljl/libsndfile_new/programs/sndfile-convert -ulaw id:000000,sig:11,src:000024,op:flip2,pos:34 1.raw
warning: the debug information found in "/lib/x86_64-linux-gnu/libc-2.19.so" does not match "/lib/x86_64-linux-gnu/libc.so.6" (CRC mismatch).
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
0x00000000004d0b24 in d2ulaw_array ()
(gdb) bt
#0 0x00000000004d0b24 in d2ulaw_array ()
#1 0x00000000004d1811 in ulaw_write_d2ulaw ()
#2 0x0000000000417668 in sf_writef_double ()
#3 0x0000000000403610 in sfe_copy_data_fp ()
#4 0x0000000000402fd3 in main ()
(gdb) i r
rax 0x800000000075f700 -9223372036847044864
rbx 0x7fffffffd079 140737488343161
rcx 0x10000000800e3ee0 1152921506755264224
rdx 0x8000000000000000 -9223372036854775808
rsi 0x2 2
rdi 0x763100 7745792
rbp 0x7fffffffc130 0x7fffffffc130
rsp 0x7fffffffc100 0x7fffffffc100
r8 0x10007fff7c00 17594333494272
r9 0x0 0
r10 0x7fffffffbec0 140737488338624
r11 0x7ffff4b6fcd0 140737299021008
r12 0x7fffffffe713 140737488348947
r13 0x7fffffffe450 140737488348240
r14 0x0 0
r15 0x0 0
rip 0x4d0b24 0x4d0b24 <d2ulaw_array+412>
eflags 0x10202 [ IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb) x/4i $pc
=> 0x4d0b24 <d2ulaw_array+412>: movzbl (%rcx),%ecx
0x4d0b27 <d2ulaw_array+415>: test %cl,%cl
0x4d0b29 <d2ulaw_array+417>: setne %dil
0x4d0b2d <d2ulaw_array+421>: mov %rax,%rsi
crash_case.tar.gz
usage: ./sndfile-convert -alaw(-ulaw) crash_case 1.raw
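The register dumps above show the mechanism behind this report and the fix commit quoted in the comments: `rdx` holds `0x8000000000000000`, which is what an x86 `cvtsd2si` produces when a double such as NaN or Infinity has no representable integer value, and that value is then used (after negation for the "negative sample" branch) as an index into the companding table, so the `movzbl (%rcx),%ecx` at `d2alaw_array+412` reads far outside it. The following is an added illustration written for this page, not libsndfile's code: it uses a constructed toy encode table (`TABLE_MAX`, `toy_compress`) in place of the real u-law/A-law tables, and hypothetical function names (`safe_index_from_double`, `safe_index_from_int`, `d2codec`, `i2codec`, `d2codec_array`). It shows both hardening rules the fix commit describes, NaN mapped to a zero sample and `-INT_MIN` rounded to `INT_MAX`, plus clamping so that Infinity saturates instead of reaching the float-to-integer conversion, and it asserts at the single table-lookup site that the index is in range.

```c
#include <assert.h>
#include <limits.h>
#include <math.h>      /* only for the NAN and INFINITY macros; no libm calls */
#include <stdio.h>

/* Constructed stand-in for a companding encode table. The real u-law/A-law
 * tables are indexed by the sample magnitude in the same way; the values
 * here are a toy segment/mantissa code, not G.711. */
#define TABLE_MAX 8192
static unsigned char encode_table [TABLE_MAX + 1] ;
static int table_ready = 0 ;

static unsigned char
toy_compress (long magnitude)
{	int seg = 0 ;
	long m ;
	if (magnitude > 8191) magnitude = 8191 ;
	m = magnitude >> 4 ;                    /* 13-bit magnitude -> 9 bits */
	while (m > 15) { m >>= 1 ; seg++ ; }    /* segment = number of leading shifts */
	return (unsigned char) ((seg << 4) | (m & 0x0F)) ;
}

/* The one place the table is dereferenced. This corresponds to the faulting
 * read in the traces; every caller must arrive with 0 <= idx <= TABLE_MAX. */
static unsigned char
table_lookup (long idx)
{	if (! table_ready)
	{	for (long i = 0 ; i <= TABLE_MAX ; i++)
			encode_table [i] = toy_compress (i) ;
		table_ready = 1 ;
		} ;
	assert (idx >= 0 && idx <= TABLE_MAX) ;
	return encode_table [idx] ;
}

/* Hardened double path. NaN becomes index 0 (silence), as the fix commit
 * describes; every other value is clamped to [-1, 1] before scaling, so
 * +/-Infinity saturates and the rounded index can never leave the table.
 * `negative` may be NULL when only the index is wanted. */
static long
safe_index_from_double (double sample, double normfact, int *negative)
{	int neg ;
	long idx ;
	if (sample != sample)                  /* NaN is the only value unequal to itself */
	{	if (negative) *negative = 0 ;
		return 0 ;
		} ;
	if (sample > 1.0) sample = 1.0 ;
	if (sample < -1.0) sample = -1.0 ;
	neg = (sample < 0.0) ;
	if (neg) sample = -sample ;
	idx = (long) (normfact * sample + 0.5) ; /* round-half-up of a finite value */
	if (idx > TABLE_MAX) idx = TABLE_MAX ;
	if (negative) *negative = neg ;
	return idx ;
}

/* Hardened int path: -INT_MIN overflows, so INT_MIN is treated as the
 * INT_MAX magnitude (the rounding the fix commit describes); the 31-bit
 * magnitude is then shifted down to the 13-bit table range. */
static long
safe_index_from_int (int sample, int *negative)
{	unsigned int magnitude ;
	if (negative) *negative = (sample < 0) ;
	if (sample == INT_MIN)
		magnitude = (unsigned int) INT_MAX ;
	else
		magnitude = (unsigned int) (sample < 0 ? -sample : sample) ;
	return (long) (magnitude >> 18) ;
}

static unsigned char
d2codec (double sample)
{	int neg ;
	long idx = safe_index_from_double (sample, (double) TABLE_MAX, &neg) ;
	return (unsigned char) (neg ? (0x80 | table_lookup (idx)) : table_lookup (idx)) ;
}

static unsigned char
i2codec (int sample)
{	int neg ;
	long idx = safe_index_from_int (sample, &neg) ;
	return (unsigned char) (neg ? (0x80 | table_lookup (idx)) : table_lookup (idx)) ;
}

/* Same shape as the libsndfile *_array converters: walk the buffer from the end. */
static void
d2codec_array (const double *ptr, int count, unsigned char *buffer)
{	while (--count >= 0)
		buffer [count] = d2codec (ptr [count]) ;
}

/* Constructed input mixing ordinary samples with the values that crashed the
 * reporter's build. Returns the sum of the encoded bytes so a run can be
 * checked without capturing output. */
static int
run_constructed_demo (void)
{	const double samples [8] = { 0.0, 0.5, -0.5, 1.0, NAN, INFINITY, -INFINITY, 2.5 } ;
	unsigned char out [8] ;
	int sum = 0 ;
	d2codec_array (samples, 8, out) ;
	for (int i = 0 ; i < 8 ; i++)
	{	printf ("%d: %9g -> 0x%02x\n", i, samples [i], out [i]) ;
		sum += out [i] ;
		} ;
	return sum ;
}

int
main (void)
{	printf ("sum of codes = %d\n", run_constructed_demo ()) ;
	printf ("INT_MIN -> 0x%02x, INT_MAX -> 0x%02x\n", i2codec (INT_MIN), i2codec (INT_MAX)) ;
	return 0 ;
}
```

The clamp-before-convert order matters: checking the result of the float-to-integer conversion after the fact is unreliable because that result is unspecified for NaN and out-of-range inputs, whereas a clamped finite value always converts to an index the table covers.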