Out-of-bounds read in the functions d2alaw_array() and d2ulaw_array() of libsndfile 1.0.29pre1 #344

Open
my123px opened this Issue Dec 7, 2017 · 2 comments


my123px commented Dec 7, 2017

root@yhk-RH2485-V2:~/ljl/libsndfile_new/programs# ./sndfile-convert -alaw id:000000,sig:11,src:000024,op:flip2,pos:34 1.raw
crash_case.tar.gz

ASAN:SIGSEGV

==123453== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000485b74 sp 0x7fff2ffa4290 bp 0x7fff2ffa42c0 T0)
AddressSanitizer can not provide additional info.
#0 0x485b73 (/root/ljl/libsndfile_new/programs/sndfile-convert+0x485b73)
#1 0x486860 (/root/ljl/libsndfile_new/programs/sndfile-convert+0x486860)
#2 0x417667 (/root/ljl/libsndfile_new/programs/sndfile-convert+0x417667)
#3 0x40360f (/root/ljl/libsndfile_new/programs/sndfile-convert+0x40360f)
#4 0x402fd2 (/root/ljl/libsndfile_new/programs/sndfile-convert+0x402fd2)
#5 0x7f06e1f6bf44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#6 0x401a28 (/root/ljl/libsndfile_new/programs/sndfile-convert+0x401a28)
==123453== ABORTING
root@yhk-RH2485-V2:/ljl/libsndfile_new/programs# gdb sndfile-convert
GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.3) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
http://www.gnu.org/software/gdb/bugs/.
Find the GDB manual and other documentation resources online at:
http://www.gnu.org/software/gdb/documentation/.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from sndfile-convert...done.
(gdb) r -alaw id:000000,sig:11,src:000024,op:flip2,pos:34 1.raw
Starting program: /root/ljl/libsndfile_new/programs/sndfile-convert -alaw id:000000,sig:11,src:000024,op:flip2,pos:34 1.raw
warning: the debug information found in "/lib/x86_64-linux-gnu/libc-2.19.so" does not match "/lib/x86_64-linux-gnu/libc.so.6" (CRC mismatch).

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x0000000000485b74 in d2alaw_array ()
(gdb) bt
#0 0x0000000000485b74 in d2alaw_array ()
#1 0x0000000000486861 in alaw_write_d2alaw ()
#2 0x0000000000417668 in sf_writef_double ()
#3 0x0000000000403610 in sfe_copy_data_fp ()
#4 0x0000000000402fd3 in main ()
(gdb) i r
rax 0x800000000075b300 -9223372036847062272
rbx 0x7fffffffd079 140737488343161
rcx 0x10000000800e3660 1152921506755262048
rdx 0x8000000000000000 -9223372036854775808
rsi 0x2 2
rdi 0x763100 7745792
rbp 0x7fffffffc130 0x7fffffffc130
rsp 0x7fffffffc100 0x7fffffffc100
r8 0x10007fff7c00 17594333494272
r9 0x0 0
r10 0x7fffffffbec0 140737488338624
r11 0x7ffff4b6fcd0 140737299021008
r12 0x7fffffffe714 140737488348948
r13 0x7fffffffe450 140737488348240
r14 0x0 0
r15 0x0 0
rip 0x485b74 0x485b74 <d2alaw_array+412>
eflags 0x10206 [ PF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
---Type to continue, or q to quit---
gs 0x0 0
(gdb) x/4i $pc
=> 0x485b74 <d2alaw_array+412>: movzbl (%rcx),%ecx
0x485b77 <d2alaw_array+415>: test %cl,%cl
0x485b79 <d2alaw_array+417>: setne %dil
0x485b7d <d2alaw_array+421>: mov %rax,%rsi

==18519== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000004d0b24 sp 0x7ffd1ba8fea0 bp 0x7ffd1ba8fed0 T0)
AddressSanitizer can not provide additional info.
#0 0x4d0b23 (/root/ljl/libsndfile_new/programs/sndfile-convert+0x4d0b23)
#1 0x4d1810 (/root/ljl/libsndfile_new/programs/sndfile-convert+0x4d1810)
#2 0x417667 (/root/ljl/libsndfile_new/programs/sndfile-convert+0x417667)
#3 0x40360f (/root/ljl/libsndfile_new/programs/sndfile-convert+0x40360f)
#4 0x402fd2 (/root/ljl/libsndfile_new/programs/sndfile-convert+0x402fd2)
#5 0x7fe0cd4f9f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#6 0x401a28 (/root/ljl/libsndfile_new/programs/sndfile-convert+0x401a28)
==18519== ABORTING
root@yhk-RH2485-V2:/ljl/libsndfile_new/programs# gdb sndfile-convert
GNU gdb (Ubuntu 7.7.1-0ubuntu5~14.04.3) 7.7.1
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
http://www.gnu.org/software/gdb/bugs/.
Find the GDB manual and other documentation resources online at:
http://www.gnu.org/software/gdb/documentation/.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from sndfile-convert...done.
(gdb) r -ulaw id:000000,sig:11,src:000024,op:flip2,pos:34 1.raw
Starting program: /root/ljl/libsndfile_new/programs/sndfile-convert -ulaw id:000000,sig:11,src:000024,op:flip2,pos:34 1.raw
warning: the debug information found in "/lib/x86_64-linux-gnu/libc-2.19.so" does not match "/lib/x86_64-linux-gnu/libc.so.6" (CRC mismatch).

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00000000004d0b24 in d2ulaw_array ()
(gdb) bt
#0 0x00000000004d0b24 in d2ulaw_array ()
#1 0x00000000004d1811 in ulaw_write_d2ulaw ()
#2 0x0000000000417668 in sf_writef_double ()
#3 0x0000000000403610 in sfe_copy_data_fp ()
#4 0x0000000000402fd3 in main ()
(gdb) i r
rax 0x800000000075f700 -9223372036847044864
rbx 0x7fffffffd079 140737488343161
rcx 0x10000000800e3ee0 1152921506755264224
rdx 0x8000000000000000 -9223372036854775808
rsi 0x2 2
rdi 0x763100 7745792
rbp 0x7fffffffc130 0x7fffffffc130
rsp 0x7fffffffc100 0x7fffffffc100
r8 0x10007fff7c00 17594333494272
r9 0x0 0
r10 0x7fffffffbec0 140737488338624
r11 0x7ffff4b6fcd0 140737299021008
r12 0x7fffffffe713 140737488348947
r13 0x7fffffffe450 140737488348240
r14 0x0 0
r15 0x0 0
rip 0x4d0b24 0x4d0b24 <d2ulaw_array+412>
eflags 0x10202 [ IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb) x/4i $pc
=> 0x4d0b24 <d2ulaw_array+412>: movzbl (%rcx),%ecx
0x4d0b27 <d2ulaw_array+415>: test %cl,%cl
0x4d0b29 <d2ulaw_array+417>: setne %dil
0x4d0b2d <d2ulaw_array+421>: mov %rax,%rsi

crash_case.tar.gz
usage: ./sndfile-convert -alaw(-ulaw) crash_case 1.raw
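Both register dumps above show rdx = 0x8000000000000000 at the faulting movzbl (%rcx): that is the x86-64 "integer indefinite" value produced when a NaN, infinity or out-of-range double is converted to a 64-bit integer, consistent with a sample value being turned into a lookup-table index without validation. The C example below is added here (it is neither libsndfile's code nor the reporter's) to model that pattern with a stand-in table and show the check a converter needs; the table size of 2048, the scale factor 2047.0 and all function names are assumptions.

```c
#include <math.h>   /* isfinite() is a macro here; no libm link is needed */

/* Stand-in for a 2048-entry companding table such as libsndfile's
 * alaw_encode[] / ulaw_encode[]. Assumption: only its size matters here. */
#define TABLE_LEN 2048
static unsigned char encode_table[TABLE_LEN];

/* Index an unguarded converter derives from one double sample: scale it,
 * take the magnitude, convert to an integer. A plain cast stands in for
 * lrint(); on x86-64 both end in a cvt*sd2si instruction, which yields the
 * "integer indefinite" 0x8000000000000000 (LONG_MIN) for NaN, Inf or any
 * value outside the long range, the rdx seen in the gdb dumps above. Used
 * as a table index that is the out-of-bounds read. On other CPUs the result
 * differs but is still out of range. volatile keeps the conversion at
 * run time so the compiler cannot fold it away. */
long unguarded_index(double sample, double normfact)
{
    volatile double scaled = normfact * sample;
    double mag = scaled < 0 ? -scaled : scaled;
    return (long) mag;
}

/* True if idx can safely index encode_table. */
int index_in_range(long idx)
{
    return idx >= 0 && idx < TABLE_LEN;
}

/* Hardened version: non-finite samples map to index 0 (silence) and finite
 * magnitudes are clamped in the floating-point domain before the
 * conversion, so the cast itself can never overflow. */
long guarded_index(double sample, double normfact)
{
    if (!isfinite(sample))
        return 0;
    double scaled = normfact * sample;
    double mag = scaled < 0 ? -scaled : scaled;
    if (mag > (double) (TABLE_LEN - 1))
        mag = (double) (TABLE_LEN - 1);
    return (long) mag;
}

/* Encode one sample through the guarded path; the lookup cannot go
 * outside encode_table whatever the input. */
unsigned char guarded_encode(double sample, double normfact)
{
    return encode_table[guarded_index(sample, normfact)];
}
```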

my123px commented Dec 7, 2017

A similar threat seems to have appeared in 1.0.28, but was not well fixed in 1.0.29pre1

carnil commented Dec 7, 2017

CVE-2017-17456 and CVE-2017-17457 were assigned for those two issues
