out of bounds read in sf_write_int #427
libsndfile: Version released 1.0.28
An issue was discovered in libsndfile 1.0.28. There is an out-of-bounds read in function sf_write_int, which will lead to a denial of service or others.

```
./sndfile-deinterleave tmp/id\:000000\,sig\:06\,src\:000000\,op\:havoc\,rep\:16
Input file : tmp/id:000000,sig:06,src:000000,op:havoc,rep:16
Output files : tmp/id:000000,sig:06,src:000000,op:havoc,rep:16_00
               tmp/id:000000,sig:06,src:000000,op:havoc,rep:16_01
               ......
               tmp/id:000000,sig:06,src:000000,op:havoc,rep:16_254
AddressSanitizer:DEADLYSIGNAL
=================================================================
==49998==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fb21f1413c6 bp 0x7ffe8d3042c0 sp 0x7ffe8d27ba80 T0)
==49998==The signal is caused by a READ memory access.
==49998==Hint: address points to the zero page.
    #0 0x7fb21f1413c5 in sf_write_int /home/pwd/fuzz/fuzz-wavpack/libsndfile-1.0.28/src/sndfile.c:2257:2
    #1 0x5137b2 in deinterleave_int /home/pwd/fuzz/fuzz-wavpack/libsndfile-1.0.28/programs/sndfile-deinterleave.c:171:4
    #2 0x5137b2 in main /home/pwd/fuzz/fuzz-wavpack/libsndfile-1.0.28/programs/sndfile-deinterleave.c:134
    #3 0x7fb21e138b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #4 0x41a519 in _start (/home/pwd/fuzz/fuzz-wavpack/libsndfile-1.0.28/installed-asan/bin/sndfile-deinterleave+0x41a519)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/pwd/fuzz/fuzz-wavpack/libsndfile-1.0.28/src/sndfile.c:2257:2 in sf_write_int
==49998==ABORTING
```

In function deinterleave_int, 'ch' is 0x10, which exceeds the array bounds and then crashes in function sf_write_int.

This bug was reported by pwd@360TeamSeri0us.
The PoC defines a number of channels = 255 > MAX_CHANNELS (=16). This triggers a first overflow, which is silently ignored in sndfile-deinterleave.c:main:

This is the main problem. If a file defines a number of channels > MAX_CHANNELS, we should either artificially reduce the number of channels or reject it.
(FTR, issue #397 was assigned CVE-2018-13139)
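As an added illustration of the fix the comment above asks for (this is not libsndfile's code): a fixed-size per-channel output table modelled on the one in sndfile-deinterleave, with the channel count from the header validated against MAX_CHANNELS before it is used as an index. MAX_CHANNELS is the limit named in the issue; the sample data, function names and status codes are constructed for the example.

```c
#include <stddef.h>

/* Added example, not libsndfile's code: a fixed-size per-channel table like
 * the one sndfile-deinterleave uses, plus the channel-count check this issue
 * asks for. MAX_CHANNELS is the issue's limit; everything else is constructed. */
#define MAX_CHANNELS 16
#define SAMPLE_LEN 8
enum { DI_OK = 0, DI_BAD_CHANNELS = -1 };

/* Reject any channel count the table cannot hold instead of indexing past
 * it (the reported file claimed 255 channels, so ch reached 0x10). */
int check_channel_count(int channels)
{
    if (channels < 1 || channels > MAX_CHANNELS)
        return DI_BAD_CHANNELS;
    return DI_OK;
}

/* Split `frames` interleaved frames from `in` into per-channel buffers;
 * out[ch] must hold at least `frames` ints for every ch < channels. */
int deinterleave_int_checked(const int *in, size_t frames, int channels,
                             int *out[MAX_CHANNELS])
{
    if (check_channel_count(channels) != DI_OK)
        return DI_BAD_CHANNELS;
    for (size_t f = 0; f < frames; f++)
        for (int ch = 0; ch < channels; ch++)
            out[ch][f] = in[f * (size_t)channels + ch];
    return DI_OK;
}

/* Constructed stereo sample, interleaved as L0 R0 L1 R1 L2 R2 L3 R3. */
static const int SAMPLE[SAMPLE_LEN] = { 1, 10, 2, 20, 3, 30, 4, 40 };
/* Treat SAMPLE as if its header claimed `claimed_channels` channels and
 * return the status; on success sums[ch] holds each channel's total. */
int demo_deinterleave(int claimed_channels, int sums[MAX_CHANNELS])
{
    int storage[MAX_CHANNELS][SAMPLE_LEN], *out[MAX_CHANNELS];
    for (int ch = 0; ch < MAX_CHANNELS; ch++) {
        out[ch] = storage[ch];
        sums[ch] = 0;
    }
    if (check_channel_count(claimed_channels) != DI_OK)
        return DI_BAD_CHANNELS;      /* rejected before any division or read */
    size_t frames = SAMPLE_LEN / (size_t)claimed_channels;
    deinterleave_int_checked(SAMPLE, frames, claimed_channels, out);
    for (int ch = 0; ch < claimed_channels; ch++)
        for (size_t f = 0; f < frames; f++)
            sums[ch] += out[ch][f];
    return DI_OK;
}
```

With a claimed count of 255 the call returns DI_BAD_CHANNELS before any buffer is touched, which is the point where the original tool carried on and later dereferenced an entry past the end of its table.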