Skip to content

out of bounds read in sf_write_int #427

Closed
@YourButterfly

Description

@YourButterfly

version

libsndfile: Version released 1.0.28

description

An issue was discovered in libsndfile 1.0.28. There is an out of bounds read at function sf_write_int, will lead to a denial of service or the others.

./sndfile-deinterleave tmp/id\:000000\,sig\:06\,src\:000000\,op\:havoc\,rep\:16
Input file : tmp/id:000000,sig:06,src:000000,op:havoc,rep:16
Output files :
    tmp/id:000000,sig:06,src:000000,op:havoc,rep:16_00
    tmp/id:000000,sig:06,src:000000,op:havoc,rep:16_01
......
    tmp/id:000000,sig:06,src:000000,op:havoc,rep:16_254
AddressSanitizer:DEADLYSIGNAL
=================================================================
==49998==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fb21f1413c6 bp 0x7ffe8d3042c0 sp 0x7ffe8d27ba80 T0)
==49998==The signal is caused by a READ memory access.
==49998==Hint: address points to the zero page.
    #0 0x7fb21f1413c5 in sf_write_int /home/pwd/fuzz/fuzz-wavpack/libsndfile-1.0.28/src/sndfile.c:2257:2
    #1 0x5137b2 in deinterleave_int /home/pwd/fuzz/fuzz-wavpack/libsndfile-1.0.28/programs/sndfile-deinterleave.c:171:4
    #2 0x5137b2 in main /home/pwd/fuzz/fuzz-wavpack/libsndfile-1.0.28/programs/sndfile-deinterleave.c:134
    #3 0x7fb21e138b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #4 0x41a519 in _start (/home/pwd/fuzz/fuzz-wavpack/libsndfile-1.0.28/installed-asan/bin/sndfile-deinterleave+0x41a519)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/pwd/fuzz/fuzz-wavpack/libsndfile-1.0.28/src/sndfile.c:2257:2 in sf_write_int
==49998==ABORTING

debug info

In function deinterleave_int, 'ch' is 0x10 , leads to the array bounds, and then crash in function sf_write_int .

// source:sndfile-deinterleave.c+170 
    165	 	do
    166	 	{	read_len = sf_readf_int (state->infile, state->din.i, BUFFER_LEN) ;
    167	 
    168	 		for (ch = 0 ; ch < state->channels ; ch ++)
    169	 		{	for (k = 0 ; k < read_len ; k++)
		// state=0x00007ffffff75438  →  [...]  →  0x0000000000000000, ch=0x10, k=0x0
 →  170	 				state->dout.i [k] = state->din.i [k * state->channels + ch] ;
    171	 			sf_write_int (state->outfile [ch], state->dout.i, read_len) ;
    172	 			} ;
    173	 		}
    174	 	while (read_len > 0) ;
    175	 
gef➤  p state->channels
$3 = 0xff
gef➤  p state->outfile 
$6 = {0x555555769300, 0x55555576c800, 0x55555576fd00, 0x555555773200, 0x555555776700, 0x555555779c00, 0x55555577d100, 0x555555780600, 0x555555783b00, 0x555555787000, 0x55555578a500, 0x55555578da00, 0x555555790f00, 0x555555794400, 0x555555797900, 0x55555579ae00}

......
// source:sndfile.c+2257
		// sndfile=0x00007ffffff75408  →  0xf62d0000f7db0000, psf=0x00007ffffff75410  →  0xf62d0000f7db0000
 → 2257	 	VALIDATE_SNDFILE_AND_ASSIGN_PSF (sndfile, psf, 1) ;
   2258	 
   2259	 	if (len <= 0)
   2260	 	{	psf->error = SFE_NEGATIVE_RW_LEN ;
   2261	 		return 0 ;
   2262	 		} 
[#0] Id 1, Name: "sndfile-deinter", stopped, reason: SIGSEGV

poc.tar.gz

others

this bug is reported by pwd@360TeamSeri0us,
please send email to teamSeri0us360@gmail.com if you have some quetion.

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions