New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Invalid memory address dereference in huffcode (in libfaac/huff2.c:184) #23

Open
fantasy7082 opened this Issue Dec 5, 2018 · 2 comments

Comments

3 participants
@fantasy7082

fantasy7082 commented Dec 5, 2018

Hi, i found a issue in the FAAC 1.29.9.2, it is crashed by function huffcode .It just cause a Invalid memory address dereference.the details are below(ASAN):

./faac faac_res/unkown_addr_huff2_184  -o out.aac
Freeware Advanced Audio Coder
FAAC 1.29.9.2

Initial quantization quality: 50
Average bitrate: 64 kbps/channel
Bandwidth: 5512 Hz
PNS level: 4
Object type: Low Complexity(MPEG-2) + IS + PNS
Container format: Transport Stream (ADTS)
Encoding faac_res/unkown_addr_huff2_184 to out.aac
   frame          | bitrate | elapsed/estim | play/CPU | ETA
ASAN:SIGSEGV
=================================================================
==27224==ERROR: AddressSanitizer: SEGV on unknown address 0x7f46283263a0 (pc 0x7f482811d6b3 bp 0x7fff764d41e0 sp 0x7fff764d4110 T0)
    #0 0x7f482811d6b2 in huffcode /root/faac_asan/faac/libfaac/huff2.c:184
    #1 0x7f482811e7e0 in huffbook /root/faac_asan/faac/libfaac/huff2.c:417
    #2 0x7f482811abe6 in qlevel /root/faac_asan/faac/libfaac/quantize.c:282
    #3 0x7f482811aff8 in BlocQuant /root/faac_asan/faac/libfaac/quantize.c:312
    #4 0x7f482810e38e in faacEncEncode /root/faac_asan/faac/libfaac/frame.c:586
    #5 0x4057cf in main /root/faac_asan/faac/frontend/main.c:1071
    #6 0x7f4827d5682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #7 0x401968 in _start (/usr/local/faac-asan/bin/faac+0x401968)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/faac_asan/faac/libfaac/huff2.c:184 huffcode
==27224==ABORTING

POC FILE:https://github.com/fantasy7082/image_test/blob/master/004_unkown_addr_huff2_184_wav

@kirotawa

This comment has been minimized.

kirotawa commented Dec 6, 2018

It was assigned CVE-2018-19886 number.

@fabiangreffrath

This comment has been minimized.

Collaborator

fabiangreffrath commented Dec 7, 2018

This is six times the same bug. All code lines in question read like this:

blen = book[idx].len;
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment