Reported in version: HG 2.0 Reported for operating system, platform: Linux, x86_64
Comments on the original bug report:
On 2019-02-05 15:17:31 +0000, Radue wrote:
Created attachment 3597
PoC
A heap buffer overflow vulnerability was discovered in SDL-1.2.15 library.
Asan output:
=================================================================
==3418==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000dff3 at pc 0x7f79928acd06 bp 0x7ffc61a2e870 sp 0x7ffc61a2e868
READ of size 1 at 0x60400000dff3 thread T0
#0 0x7f79928acd05 in InitMS_ADPCM /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/audio/SDL_wave.c:73:35
#1 0x7f79928acd05 in SDL_LoadWAV_RW /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/audio/SDL_wave.c:464
#2 0x4db938 in main /home/radu/apps/sdl_player_lib/SDL-1.2.15/test/loopwave.c:76:7
#3 0x7f799161e82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#4 0x4352f8 in _start (/home/radu/apps/sdl_player_lib/SDL-1.2.15/test/loopwave+0x4352f8)
0x60400000dff3 is located 1 bytes to the right of 34-byte region [0x60400000dfd0,0x60400000dff2)
allocated by thread T0 here:
#0 0x4bc2c2 in malloc (/home/radu/apps/sdl_player_lib/SDL-1.2.15/test/loopwave+0x4bc2c2)
#1 0x7f79928acea1 in ReadChunk /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/audio/SDL_wave.c:584:25
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/audio/SDL_wave.c:73 InitMS_ADPCM
Shadow bytes around the buggy address:
0x0c087fff9ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff9be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c087fff9bf0: fa fa fa fa fa fa fa fa fa fa 00 00 00 00[02]fa
0x0c087fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c087fff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3418==ABORTING
PoC: See attachment
Reproducing steps:
Download SDL-1.2.15 library
./configure with Asan enabled
./make
sudo make install
cd examples
./configure with Asan enabled
make
./loopwave PoC
On 2019-02-07 07:15:12 +0000, Radue wrote:
Assigned CVE-2019-7573 by MITRE.
On 2019-02-15 09:43:05 +0000, Petr Pisar wrote:
Created attachment 3619
Fix
On 2019-02-15 09:51:53 +0000, Petr Pisar wrote:
Created attachment 3620
Fix
The patch fixed both CVE-2019-7573 and CVE-2019-7576 (bug #4490). This attachment refers to both vulnerabilities.
On 2019-02-15 10:11:29 +0000, Petr Pisar wrote:
Created attachment 3621
Fix for similar bug in InitIMA_ADPCM
InitIMA_ADPCM() suffers from the same issue, yet it has not been reported or assigned a CVE identifier. This patch fixes the issue in InitIMA_ADPCM().
On 2019-02-15 12:04:49 +0000, Petr Pisar wrote:
Comment on attachment 3621
Fix for similar bug in InitIMA_ADPCM
This was actually reported in bug #4494 as CVE-2019-7578. I moved the patch there.
Simon, can you verify that your changes fix this issue as well?
On 2019-06-10 21:00:06 +0000, Simon Hug wrote:
The WAVE file (attachment 3597) seems to have its fmt chunk size shortened to 34.
With the current tip, SDL_LoadWAV_RW rejects this file with "Missing data chunk in WAVE file" as it can't find the data chunk because of the misalignment due to altered chunk size.
On 2019-06-11 13:23:19 +0000, Sam Lantinga wrote:
Great, thanks!
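The ASan trace above shows InitMS_ADPCM reading one byte past a 34-byte region that ReadChunk allocated for the fmt chunk, and Simon Hug's comment explains why: the PoC file declares a fmt chunk size of 34, which is shorter than the MS ADPCM extension (cbSize, wSamplesPerBlock, wNumCoef and the coefficient table) the parser expects. The defensive pattern is to bound every extension field against the chunk length actually read, before the read loop rather than inside it. The following parser is an added example written for this issue, not SDL's code or either attached patch; the function names, the struct layout and the 50-byte sample chunk are constructed here (the sample uses the seven standard MS ADPCM coefficient pairs).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* MS ADPCM format tag and the coefficient-pair count a standard fmt chunk carries. */
#define WAVE_FORMAT_ADPCM 0x0002
#define MAX_ADPCM_COEF    7

struct ms_adpcm_fmt {
    uint16_t encoding, channels, block_align, bits_per_sample;
    uint32_t sample_rate, byte_rate;
    uint16_t cb_size, samples_per_block, num_coef;
    int16_t  coef[MAX_ADPCM_COEF][2];
};

/* Little-endian readers; callers check bounds before calling. */
static uint16_t rd16(const uint8_t *b, size_t off) {
    return (uint16_t)(b[off] | ((uint16_t)b[off + 1] << 8));
}
static uint32_t rd32(const uint8_t *b, size_t off) {
    return (uint32_t)rd16(b, off) | ((uint32_t)rd16(b, off + 2) << 16);
}

/* Parse an MS ADPCM fmt chunk body of 'len' bytes (hypothetical helper). Returns 0 on
 * success, -1 if the chunk is malformed or too short for the fields it claims to carry. */
int parse_ms_adpcm_fmt(const uint8_t *chunk, size_t len, struct ms_adpcm_fmt *out) {
    /* 16-byte WAVEFORMAT + cbSize(2) + wSamplesPerBlock(2) + wNumCoef(2). */
    if (len < 22) return -1;
    out->encoding = rd16(chunk, 0);
    if (out->encoding != WAVE_FORMAT_ADPCM) return -1;
    out->channels        = rd16(chunk, 2);
    out->sample_rate     = rd32(chunk, 4);
    out->byte_rate       = rd32(chunk, 8);
    out->block_align     = rd16(chunk, 12);
    out->bits_per_sample = rd16(chunk, 14);
    out->cb_size         = rd16(chunk, 16);
    /* The extension the header advertises must lie inside the chunk we actually have. */
    if (out->cb_size < 4 || (size_t)out->cb_size > len - 18) return -1;
    out->samples_per_block = rd16(chunk, 18);
    out->num_coef          = rd16(chunk, 20);
    if (out->num_coef == 0 || out->num_coef > MAX_ADPCM_COEF) return -1;
    /* Each coefficient pair is 4 bytes: bound the whole table before the loop, not inside it. */
    size_t table_end = 22 + (size_t)out->num_coef * 4;
    if (table_end > len || table_end > 18 + (size_t)out->cb_size) return -1;
    for (size_t i = 0; i < out->num_coef; i++) {
        out->coef[i][0] = (int16_t)rd16(chunk, 22 + 4 * i);
        out->coef[i][1] = (int16_t)rd16(chunk, 24 + 4 * i);
    }
    return 0;
}

/* Constructed sample: a well-formed 50-byte MS ADPCM fmt chunk body (mono, 22050 Hz,
 * 256-byte blocks, 4-bit samples, cbSize 32, 500 samples per block, 7 coefficient pairs). */
static const uint8_t sample_fmt[50] = {
    0x02,0x00, 0x01,0x00, 0x22,0x56,0x00,0x00, 0x91,0x2B,0x00,0x00, 0x00,0x01, 0x04,0x00,
    0x20,0x00, 0xF4,0x01, 0x07,0x00,
    0x00,0x01,0x00,0x00, 0x00,0x02,0x00,0xFF, 0x00,0x00,0x00,0x00, 0xC0,0x00,0x40,0x00,
    0xF0,0x00,0x00,0x00, 0xCC,0x01,0x30,0xFF, 0x88,0x01,0x18,0xFF,
};

size_t sample_fmt_len(void) { return sizeof sample_fmt; }

/* Feed only the first 'len' bytes of the sample, as a file with a shortened fmt chunk
 * would; returns 1 if the parser accepts it, 0 if it rejects it. */
int sample_prefix_accepted(size_t len) {
    struct ms_adpcm_fmt f;
    if (len > sizeof sample_fmt) len = sizeof sample_fmt;
    return parse_ms_adpcm_fmt(sample_fmt, len, &f) == 0;
}

/* Coefficient j of pair i from the fully parsed sample, or 0 on parse failure. */
int sample_coef(int i, int j) {
    struct ms_adpcm_fmt f;
    if (parse_ms_adpcm_fmt(sample_fmt, sizeof sample_fmt, &f) != 0) return 0;
    if (i < 0 || i >= f.num_coef || j < 0 || j > 1) return 0;
    return f.coef[i][j];
}

int main(void) {
    printf("full 50-byte chunk accepted: %d\n", sample_prefix_accepted(50));
    printf("chunk shortened to 34 bytes accepted: %d\n", sample_prefix_accepted(34));
    return 0;
}
```

With the full 50-byte chunk the parser succeeds and recovers the coefficient table; with the same bytes cut to 34, the declared cbSize of 32 no longer fits in the 16 bytes that follow the base header, so the chunk is rejected before any coefficient is read. Checking the table end against both the bytes received and the advertised cbSize catches a short chunk whichever of the two lengths was tampered with.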
This bug report was migrated from our old Bugzilla tracker.
These attachments are available in the static archive:
Fix (0001-CVE-2019-7573-Fix-a-buffer-overread-in-InitMS_ADPCM.patch, text/plain, 2019-02-15 09:43:05 +0000, 2796 bytes)
Fix for similar bug in InitIMA_ADPCM (0001-Fix-a-buffer-overread-in-InitIMA_ADPCM.patch, text/plain, 2019-02-15 10:11:29 +0000, 2420 bytes)