Description
This bug report was migrated from our old Bugzilla tracker.
These attachments are available in the static archive:
- PoC (crash_2_poc.wav, audio/wav, 2019-02-05 15:17:31 +0000, 121946 bytes)
Fix (0001-CVE-2019-7573-Fix-a-buffer-overread-in-InitMS_ADPCM.patch, text/plain, 2019-02-15 09:43:05 +0000, 2796 bytes)- Fix (0001-CVE-2019-7573-CVE-2019-7576-Fix-buffer-overreads-in-.patch, text/plain, 2019-02-15 09:51:53 +0000, 2874 bytes)
Fix for similar bug in InitIMA_ADPCM (0001-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch, text/plain, 2019-02-15 10:11:29 +0000, 2420 bytes)
Reported in version: HG 2.0
Reported for operating system, platform: Linux, x86_64
Comments on the original bug report:
On 2019-02-05 15:17:31 +0000, Radue wrote:
Created attachment 3597
PoCA heap buffer overflow vulnerability was discovered in SDL-1.2.15 library.
Asan output:
=================================================================
==3418==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000dff3 at pc 0x7f79928acd06 bp 0x7ffc61a2e870 sp 0x7ffc61a2e868
READ of size 1 at 0x60400000dff3 thread T0
# 0 0x7f79928acd05 in InitMS_ADPCM /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/audio/SDL_wave.c:73:35
# 1 0x7f79928acd05 in SDL_LoadWAV_RW /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/audio/SDL_wave.c:464
# 2 0x4db938 in main /home/radu/apps/sdl_player_lib/SDL-1.2.15/test/loopwave.c:76:7
# 3 0x7f799161e82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
# 4 0x4352f8 in _start (/home/radu/apps/sdl_player_lib/SDL-1.2.15/test/loopwave+0x4352f8)0x60400000dff3 is located 1 bytes to the right of 34-byte region [0x60400000dfd0,0x60400000dff2)
allocated by thread T0 here:
# 0 0x4bc2c2 in malloc (/home/radu/apps/sdl_player_lib/SDL-1.2.15/test/loopwave+0x4bc2c2)
# 1 0x7f79928acea1 in ReadChunk /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/audio/SDL_wave.c:584:25SUMMARY: AddressSanitizer: heap-buffer-overflow /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/audio/SDL_wave.c:73 InitMS_ADPCM
Shadow bytes around the buggy address:
0x0c087fff9ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff9be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c087fff9bf0: fa fa fa fa fa fa fa fa fa fa 00 00 00 00[02]fa
0x0c087fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3418==ABORTINGPoC: See attachment
Reproducing steps:
- Download SDL-1.2.15 library
- ./configure with Asan enabled
- ./make
- sudo make install
- cd examples
- ./configure with Asan enabled
- make
- ./loopwave PoC
On 2019-02-07 07:15:12 +0000, Radue wrote:
Assigned CVE-2019-7573 by MITRE.
On 2019-02-15 09:43:05 +0000, Petr Pisar wrote:
Created attachment 3619
Fix
On 2019-02-15 09:51:53 +0000, Petr Pisar wrote:
Created attachment 3620
FixThe patch fixed both CVE-2019-7573 and CVE-2019-7576 (bug # 4490). This attachment refers to both vulnerabilities.
On 2019-02-15 10:11:29 +0000, Petr Pisar wrote:
Created attachment 3621
Fix for similar bug in InitIMA_ADPCMInitIMA_ADPCM() suffers from the same issue, yet it has not been reported or assigned a CVE identifier. This patch fixes the issue in InitIMA_ADPCM().
On 2019-02-15 12:04:49 +0000, Petr Pisar wrote:
Comment on attachment 3621
Fix for similar bug in InitIMA_ADPCMThis was actually reported in bug # 4494 as CVE-2019-7578. I moved the patch there.
On 2019-06-09 01:10:13 +0000, Sam Lantinga wrote:
This is fixed, thanks!
https://hg.libsdl.org/SDL/rev/388987dff7bf
https://hg.libsdl.org/SDL/rev/f9a9d6c76b21
On 2019-06-10 07:40:09 +0000, Petr Pisar wrote:
The patch attached to hits bug report, that touches InitMS_ADPCM(), is still missing from SDL-1.2 branch.
On 2019-06-10 15:53:32 +0000, Sam Lantinga wrote:
*** Bug 4490 has been marked as a duplicate of this bug. ***
On 2019-06-10 16:10:22 +0000, Sam Lantinga wrote:
Ah, that's now committed, thanks!
https://hg.libsdl.org/SDL/rev/fcbecae42795
On 2019-06-10 16:11:00 +0000, Sam Lantinga wrote:
Simon, can you verify that your changes fix this issue as well?
On 2019-06-10 21:00:06 +0000, Simon Hug wrote:
The WAVE file (attachment 3597) seems to have its fmt chunk size shortened to 34.
With the current tip, SDL_LoadWAV_RW rejects this file with "Missing data chunk in WAVE file" as it can't find the data chunk because of the misalignment due to altered chunk size.
On 2019-06-11 13:23:19 +0000, Sam Lantinga wrote:
Great, thanks!