Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Global Buffer Overflow found within IMA_ADPCM_nibble pertaining to SDL_wave.c #3159

Closed
SDLBugzilla opened this issue Feb 11, 2021 · 0 comments

Comments

@SDLBugzilla
Copy link
Collaborator

This bug report was migrated from our old Bugzilla tracker.

These attachments are available in the static archive:

Reported in version: HG 2.0
Reported for operating system, platform: Linux, x86_64

Comments on the original bug report:

On 2019-02-06 14:09:40 +0000, Radue wrote:

Created attachment 3601
PoC

A global buffer overflow vulnerability was discovered in SDL-1.2.15 library.

Asan report:

=================================================================
==9641==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f1c908cf238 at pc 0x7f1c90774bcb bp 0x7fff3e1d2dd0 sp 0x7fff3e1d2dc8
READ of size 4 at 0x7f1c908cf238 thread T0
# 0 0x7f1c90774bca in IMA_ADPCM_nibble /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/audio/SDL_wave.c:268:9
# 1 0x7f1c90774bca in Fill_IMA_ADPCM_block /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/audio/SDL_wave.c:306
# 2 0x7f1c90774bca in IMA_ADPCM_decode /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/audio/SDL_wave.c:379
# 3 0x7f1c90774bca in SDL_LoadWAV_RW /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/audio/SDL_wave.c:542
# 4 0x4db938 in main /home/radu/apps/sdl_player_lib/SDL-1.2.15/test/loopwave.c:76:7
# 5 0x7f1c8f4e682f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
# 6 0x4352f8 in _start (/home/radu/apps/sdl_player_lib/SDL-1.2.15/test/loopwave+0x4352f8)

0x7f1c908cf238 is located 8 bytes to the left of global variable 'step_table' defined in '../src/audio/SDL_wave.c:255:15' (0x7f1c908cf240) of size 356
0x7f1c908cf238 is located 24 bytes to the right of global variable 'index_table' defined in '../src/audio/SDL_wave.c:249:12' (0x7f1c908cf1e0) of size 64
SUMMARY: AddressSanitizer: global-buffer-overflow /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/audio/SDL_wave.c:268 IMA_ADPCM_nibble
Shadow bytes around the buggy address:
0x0fe412111df0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe412111e00: 02 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 01 f9 f9 f9
0x0fe412111e10: f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9 00 00 00 00
0x0fe412111e20: 01 f9 f9 f9 f9 f9 f9 f9 00 00 00 07 f9 f9 f9 f9
0x0fe412111e30: 00 00 00 00 00 06 f9 f9 f9 f9 f9 f9 00 00 00 00
=>0x0fe412111e40: 00 00 00 00 f9 f9 f9[f9]00 00 00 00 00 00 00 00
0x0fe412111e50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe412111e60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fe412111e70: 00 00 00 00 04 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0fe412111e80: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00
0x0fe412111e90: 05 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==9641==ABORTING

PoC: See attachment
Reproducing steps:

  1. Download SDL-1.2.15 library
  2. ./configure with Asan enabled
  3. ./make
  4. sudo make install
  5. cd examples
  6. ./configure with Asan enabled
  7. make
  8. ./loopwave PoC

On 2019-02-06 14:29:52 +0000, Ryan C. Gordon wrote:

This bug is still present in SDL2's revision control, so I'm assigning it there.

--ryan.

On 2019-02-07 07:14:12 +0000, Radue wrote:

(In reply to Ryan C. Gordon from comment # 1)

This bug is still present in SDL2's revision control, so I'm assigning it
there.

--ryan.

Assigned CVE-2019-7572 by MITRE.

On 2019-02-14 16:17:55 +0000, Petr Pisar wrote:

Created attachment 3612
Fix a buffer overread in IMA_ADPCM_nibble

There is yet another issue trigger with this WAV file:

valgrind output, line numbers do not agree with vanilla 1.2.15:
==21383== Invalid write of size 1
==21383== at 0x4855E83: Fill_IMA_ADPCM_block (SDL_wave.c:327)
==21383== by 0x485613A: IMA_ADPCM_decode (SDL_wave.c:395)
==21383== by 0x48565A2: SDL_LoadWAV_RW (SDL_wave.c:562)
==21383== by 0x4013A6: main (loopwave.c:76)

I will attach a fix for the buffer overwrite in Fill_IMA_ADPCM_block() later here.

On 2019-02-15 09:08:45 +0000, Petr Pisar wrote:

Created attachment 3618
Fix a buffer overwrite in IMA_ADPCM_decode

This is a fix for second issue triggered by this reproducer.

On 2019-05-18 18:48:55 +0000, Ryan C. Gordon wrote:

Tagging a bunch of bugs with "target-2.0.10" so we have a clear list of things to address before a 2.0.10 release.

Please note that "addressing" one of these bugs might mean deciding to defer on it until after 2.0.10, or resolving it as WONTFIX, etc. This is just here to tell us we should look at it carefully, and soon.

If you have new information or feedback on this issue, this is a good time to add it to the conversation, as we're likely to be paying attention to this specific report in the next few days/weeks.

Thanks!

--ryan.

On 2019-06-09 01:01:15 +0000, Sam Lantinga wrote:

The first patch is in, thanks!
https://hg.libsdl.org/SDL/rev/e52413f52586

The buffer overwrite doesn't cleanly apply to the version of SDL in Mercurial, can you revisit that patch?

Also, it looks like the first one was already fixed in SDL 2.0. Is SDL 2.0 vulnerable for the second one as well? Offhand it looks like the memory allocation covers the needed output space, but it looks like that code is the same in SDL 1.2.

On 2019-06-10 07:24:03 +0000, Petr Pisar wrote:

The buffer overwrite patch requires applying a patch from https://bugzilla.libsdl.org/show_bug.cgi?id=4496 first. It's referred in the commit message.

On 2019-06-10 15:58:10 +0000, Sam Lantinga wrote:

Gotcha. Okay the second patch is now in as well:
https://hg.libsdl.org/SDL/rev/a8afedbcaea0

This code has been rewritten in SDL 2.0, can you verify that this issue has been fixed there?
http://www.libsdl.org/tmp/SDL-2.0.zip

On 2019-06-10 21:01:07 +0000, Simon Hug wrote:

The WAVE file (attachment 3601) doesn't seem to be invalid, just very garbled.

With the current tip, SDL_LoadWAV_RW loads this file with no apparent problems. I will look at it a bit more to make sure there's no buffer overwrite issue slipping through.

On 2019-06-11 23:08:43 +0000, Simon Hug wrote:

More on the file: The block headers look OK for the first 32 blocks, then the reserved byte and later the step index start to have unexpected values in it. Perhaps the stream got shifted a bit there. The values are out of the range according to the specification, but the SDL code just clamps it to the right range. There is also a check in place that prevents overflows if the buffer size calculation goes wrong for some reason. It should hold up to things like this.

On 2019-06-12 03:36:01 +0000, Sam Lantinga wrote:

Great, thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant