global buffer overflow in printMP3Headers #75

Closed
bestshow opened this issue Jun 7, 2017 · 3 comments

@bestshow commented Jun 7, 2017

On the latest libming version, a global buffer overflow was found in the function printMP3Headers.

#listmp3 $FILE
global-buffer-overflow on address 0x00000074ad3c at pc 0x000000515d76 bp 0x7ffd9e6b9250 sp 0x7ffd9e6b9248
READ of size 4 at 0x00000074ad3c thread T0
    #0 0x515d75 in printMP3Headers /usr/include/bits/stdio.h:81:25
    #1 0x515f03 in main /home/haojun/Downloads/libming-master/util/listmp3.c:209:3
    #2 0x7f1d4bd07b34 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/../csu/libc-start.c:274
    #3 0x41ab8b in _start (/home/haojun/Downloads/libming-afl-build/bin/listmp3+0x41ab8b)

0x00000074ad3c is located 36 bytes to the left of global variable 'mp2l23_bitrate_table' defined in 'listmp3.c:37:5' (0x74ad60) of size 60
0x00000074ad3c is located 0 bytes to the right of global variable 'mp2l1_bitrate_table' defined in 'listmp3.c:34:5' (0x74ad00) of size 60
global-buffer-overflow /usr/include/bits/stdio.h:81:25 in printMP3Headers
Shadow bytes around the buggy address:
  0x0000800e1550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800e1560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800e1570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800e1580: 00 00 00 04 f9 f9 f9 f9 00 00 00 00 00 00 00 04
  0x0000800e1590: f9 f9 f9 f9 00 00 00 00 00 00 00 04 f9 f9 f9 f9
=>0x0000800e15a0: 00 00 00 00 00 00 00[04]f9 f9 f9 f9 00 00 00 00
  0x0000800e15b0: 00 00 00 04 f9 f9 f9 f9 00 04 f9 f9 f9 f9 f9 f9
  0x0000800e15c0: 00 04 f9 f9 f9 f9 f9 f9 00 04 f9 f9 f9 f9 f9 f9
  0x0000800e15d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800e15e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800e15f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==24629==ABORTING

testcase : https://github.com/bestshow/p0cs/blob/master/global-buffer-overflow_in_printMP3Headers
Credit : ADLab of Venustech

@hlef (Contributor) commented Nov 20, 2017

Successfully reproduced vulnerability on latest master.

As far as I am aware, this issue wasn't assigned a CVE id. I'll request one.

@hlef (Contributor) commented Nov 20, 2017

For the record, this issue was assigned identifier CVE-2017-16898.

@hlef (Contributor) commented Dec 5, 2017

$ hexdump global-buffer-overflow_in_printMP3Headers
0000000 e6ff fff8 ffff 007f
0000008

Third byte = 1111 1000, so it looks like this MP3 header is declaring a bitrate n°15 which is not a valid value. Unfortunately printMP3Headers doesn't handle this special case and calls bitrate = mp2l23_bitrate_table[bitrate_idx]; with bitrate_idx = 15, but the array has only 15 entries. This explains the buffer overflow.

I'll submit a PR once we're done with #96.
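As an added example (not libming's listmp3.c and not hlef's patch), the following C program parses a 4-byte MPEG audio frame header the way the comment above describes and rejects every reserved field value, including bitrate index 15, before it is used as an array index. The first input is the 8 bytes of the testcase as shown in the hexdump above; the second header, the table names, the enum and the wrapper functions are constructed for illustration and are not taken from the project.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not libming code. MPEG audio frame header, 32 bits big-endian:
 *   AAAAAAAA AAABBCCD EEEEFFGH IIJJKLMM
 *   A = 11-bit sync, B = version id, C = layer, D = protection,
 *   E = bitrate index, F = sampling-rate index, G = padding, H = private,
 *   I..M = channel mode, mode extension, copyright, original, emphasis. */

enum mp3_status {
    MP3_OK = 0,
    MP3_ERR_SHORT,      /* fewer than 4 bytes available */
    MP3_ERR_SYNC,       /* 11-bit frame sync missing */
    MP3_ERR_VERSION,    /* version id 01 is reserved */
    MP3_ERR_LAYER,      /* layer 00 is reserved */
    MP3_ERR_BITRATE,    /* bitrate index 15 is reserved */
    MP3_ERR_SAMPLERATE  /* sampling-rate index 3 is reserved */
};

struct mp3_header {
    int version;        /* 0 = MPEG 2.5, 2 = MPEG 2, 3 = MPEG 1 */
    int layer;          /* 1 = Layer III, 2 = Layer II, 3 = Layer I */
    int bitrate_idx;    /* 0..14 after validation (0 = free format) */
    int bitrate_kbps;
    int samplerate_hz;
    int padding;
};

/* Bitrate tables (kbps) have exactly 15 valid entries, index 0..14. Index 15 is
 * reserved and must be rejected before lookup, or the read runs off the end. */
#define BITRATE_ENTRIES 15
static const int mpeg1_l1[BITRATE_ENTRIES]  = {0,32,64,96,128,160,192,224,256,288,320,352,384,416,448};
static const int mpeg1_l2[BITRATE_ENTRIES]  = {0,32,48,56,64,80,96,112,128,160,192,224,256,320,384};
static const int mpeg1_l3[BITRATE_ENTRIES]  = {0,32,40,48,56,64,80,96,112,128,160,192,224,256,320};
static const int mpeg2_l1[BITRATE_ENTRIES]  = {0,32,48,56,64,80,96,112,128,144,160,176,192,224,256};
static const int mpeg2_l23[BITRATE_ENTRIES] = {0,8,16,24,32,40,48,56,64,80,96,112,128,144,160};

/* Sampling rates (Hz) indexed by [version][samplerate_idx]; version 1 is reserved. */
static const int samplerates[4][3] = {
    {11025, 12000,  8000},  /* MPEG 2.5 */
    {    0,     0,     0},  /* reserved, rejected before lookup */
    {22050, 24000, 16000},  /* MPEG 2 */
    {44100, 48000, 32000},  /* MPEG 1 */
};

enum mp3_status mp3_parse_header(const uint8_t *buf, size_t len, struct mp3_header *out)
{
    if (len < 4)
        return MP3_ERR_SHORT;
    uint32_t h = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                 ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
    if ((h & 0xFFE00000u) != 0xFFE00000u)
        return MP3_ERR_SYNC;

    int version        = (h >> 19) & 0x3;
    int layer          = (h >> 17) & 0x3;
    int bitrate_idx    = (h >> 12) & 0xF;
    int samplerate_idx = (h >> 10) & 0x3;

    /* Validate every field that is about to be used as an array index. */
    if (version == 1)        return MP3_ERR_VERSION;
    if (layer == 0)          return MP3_ERR_LAYER;
    if (bitrate_idx == 15)   return MP3_ERR_BITRATE;   /* the check missing in CVE-2017-16898 */
    if (samplerate_idx == 3) return MP3_ERR_SAMPLERATE;

    const int *table;
    if (version == 3)
        table = (layer == 3) ? mpeg1_l1 : (layer == 2) ? mpeg1_l2 : mpeg1_l3;
    else
        table = (layer == 3) ? mpeg2_l1 : mpeg2_l23;

    out->version       = version;
    out->layer         = layer;
    out->bitrate_idx   = bitrate_idx;
    out->bitrate_kbps  = table[bitrate_idx];        /* safe: 0 <= bitrate_idx <= 14 */
    out->samplerate_hz = samplerates[version][samplerate_idx];
    out->padding       = (h >> 9) & 0x1;
    return MP3_OK;
}

/* Constructed inputs: poc_bytes are the 8 bytes shown in the hexdump above
 * (third byte 0xf8 -> bitrate index 15); valid_bytes is a made-up MPEG-1
 * Layer III header (128 kbps, 44100 Hz) for contrast. */
static const uint8_t poc_bytes[8]   = {0xff, 0xe6, 0xf8, 0xff, 0xff, 0xff, 0x7f, 0x00};
static const uint8_t valid_bytes[4] = {0xff, 0xfb, 0x90, 0x00};

/* Wrappers returning plain ints so results are easy to check. */
int mp3_header_status(const uint8_t *buf, size_t len)
{
    struct mp3_header hdr;
    return (int)mp3_parse_header(buf, len, &hdr);
}

int mp3_header_bitrate_kbps(const uint8_t *buf, size_t len)
{
    struct mp3_header hdr;
    return mp3_parse_header(buf, len, &hdr) == MP3_OK ? hdr.bitrate_kbps : -1;
}

int main(void)
{
    printf("poc header  : status %d, bitrate %d\n",
           mp3_header_status(poc_bytes, sizeof poc_bytes),
           mp3_header_bitrate_kbps(poc_bytes, sizeof poc_bytes));
    printf("valid header: status %d, bitrate %d\n",
           mp3_header_status(valid_bytes, sizeof valid_bytes),
           mp3_header_bitrate_kbps(valid_bytes, sizeof valid_bytes));
    return 0;
}
```

The point of the design is that every header field that later indexes a table is range-checked once, up front, in the parser; the lookups below it then need no further guards, and the reserved version id and sampling-rate index are handled the same way as the reserved bitrate index rather than as separate special cases.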

hlef added a commit to hlef/libming that referenced this issue Jan 10, 2018

Fix global buffer overflow in printMP3Headers.
The printMP3Headers function in util/listmp3.c processes mp3 files
without checking their bitrate values. This leads to bitrate_idx = 15
being used as index in mp2l23_bitrate_table[bitrate_idx] while
mp2l23_bitrate_table has only 14 elements.

In this commit we add a check rejecting mp3 files declaring invalid
bitrates.

This commit fixes CVE-2017-16898 (fixes: libming#75).

@strk strk closed this in #99 Jan 10, 2018
