Heap-Buffer Overflow in SDL_LoadWAV_RW (InitMS_ADPCM)

[SDLBugzilla]

This bug report was migrated from our old Bugzilla tracker.

These attachments are available in the static archive:

• PoC (crash_1_poc.wav, audio/wav, 2019-02-05 15:05:21 +0000, 121946 bytes)

Reported in version: 1.2.15
Reported for operating system, platform: Linux, x86_64

Comments on the original bug report:

On 2019-02-05 15:05:21 +0000, Radue wrote:

Created attachment 3596
PoC

A heap buffer overflow vulnerability was discovered in SDL-1.2.15 library.

Asan output:

==980==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000eff3 at pc 0x7f58fc7949b4 bp 0x7fff74db7390 sp 0x7fff74db7388
READ of size 1 at 0x60300000eff3 thread T0
# 0 0x7f58fc7949b3 in InitMS_ADPCM /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/audio/SDL_wave.c:64:38
# 1 0x7f58fc7949b3 in SDL_LoadWAV_RW /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/audio/SDL_wave.c:464
# 2 0x4db938 in main /home/radu/apps/sdl_player_lib/SDL-1.2.15/test/loopwave.c:76:7
# 3 0x7f58fb50682f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
# 4 0x4352f8 in _start (/home/radu/apps/sdl_player_lib/SDL-1.2.15/test/loopwave+0x4352f8)

0x60300000eff3 is located 1 bytes to the right of 18-byte region [0x60300000efe0,0x60300000eff2)
allocated by thread T0 here:
# 0 0x4bc2c2 in malloc (/home/radu/apps/sdl_player_lib/SDL-1.2.15/test/loopwave+0x4bc2c2)
# 1 0x7f58fc794ea1 in ReadChunk /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/audio/SDL_wave.c:584:25

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/audio/SDL_wave.c:64 InitMS_ADPCM
Shadow bytes around the buggy address:
0x0c067fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c067fff9df0: fa fa fa fa fa fa fa fa fa fa fa fa 00 00[02]fa
0x0c067fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==980==ABORTING

PoC: See attachment
Reproducing steps:

1. Download SDL-1.2.15 library
2. ./configure with Asan enabled
3. ./make
4. sudo make install
5. cd examples
6. ./configure with Asan enabled
7. make
8. ./loopwave PoC

On 2019-02-07 07:18:05 +0000, Radue wrote:

Assigned CVE-2019-7576 by MITRE.

On 2019-02-15 09:49:36 +0000, Petr Pisar wrote:

This is a very similar bug to CVE-2019-7573 reported in bug # 4491. A fix for both issues is attached there.

On 2019-06-10 15:53:32 +0000, Sam Lantinga wrote:

I believe this is fixed, thanks!

*** This bug has been marked as a duplicate of bug 4491 ***