Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Heap-Buffer Overflow in SDL_LoadWAV_RW (InitMS_ADPCM) #835

Closed
SDLBugzilla opened this issue Feb 13, 2021 · 0 comments
Closed

Heap-Buffer Overflow in SDL_LoadWAV_RW (InitMS_ADPCM) #835

SDLBugzilla opened this issue Feb 13, 2021 · 0 comments

Comments

@SDLBugzilla
Copy link
Collaborator

@SDLBugzilla SDLBugzilla commented Feb 13, 2021

This bug report was migrated from our old Bugzilla tracker.

These attachments are available in the static archive:

Reported in version: 1.2.15
Reported for operating system, platform: Linux, x86_64

Comments on the original bug report:

On 2019-02-05 15:05:21 +0000, Radue wrote:

Created attachment 3596
PoC

A heap buffer overflow vulnerability was discovered in SDL-1.2.15 library.

Asan output:

==980==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000eff3 at pc 0x7f58fc7949b4 bp 0x7fff74db7390 sp 0x7fff74db7388
READ of size 1 at 0x60300000eff3 thread T0
# 0 0x7f58fc7949b3 in InitMS_ADPCM /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/audio/SDL_wave.c:64:38
# 1 0x7f58fc7949b3 in SDL_LoadWAV_RW /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/audio/SDL_wave.c:464
# 2 0x4db938 in main /home/radu/apps/sdl_player_lib/SDL-1.2.15/test/loopwave.c:76:7
# 3 0x7f58fb50682f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
# 4 0x4352f8 in _start (/home/radu/apps/sdl_player_lib/SDL-1.2.15/test/loopwave+0x4352f8)

0x60300000eff3 is located 1 bytes to the right of 18-byte region [0x60300000efe0,0x60300000eff2)
allocated by thread T0 here:
# 0 0x4bc2c2 in malloc (/home/radu/apps/sdl_player_lib/SDL-1.2.15/test/loopwave+0x4bc2c2)
# 1 0x7f58fc794ea1 in ReadChunk /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/audio/SDL_wave.c:584:25

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/audio/SDL_wave.c:64 InitMS_ADPCM
Shadow bytes around the buggy address:
0x0c067fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c067fff9df0: fa fa fa fa fa fa fa fa fa fa fa fa 00 00[02]fa
0x0c067fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==980==ABORTING

PoC: See attachment
Reproducing steps:

  1. Download SDL-1.2.15 library
  2. ./configure with Asan enabled
  3. ./make
  4. sudo make install
  5. cd examples
  6. ./configure with Asan enabled
  7. make
  8. ./loopwave PoC

On 2019-02-07 07:18:05 +0000, Radue wrote:

Assigned CVE-2019-7576 by MITRE.

On 2019-02-15 09:49:36 +0000, Petr Pisar wrote:

This is a very similar bug to CVE-2019-7573 reported in bug # 4491. A fix for both issues is attached there.

On 2019-06-10 15:53:32 +0000, Sam Lantinga wrote:

I believe this is fixed, thanks!

*** This bug has been marked as a duplicate of bug 4491 ***

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
1 participant