Closed
Description
version
- libsndfile: Version released 1.0.28
- libsndfile-1.0.29pre1.
description
An issue was discovered in libsndfile 1.0.28. There is a global-buffer-overflow in the functions i2alaw_array and i2ulaw_array, which leads to a denial of service or possibly other impact.
This is similar to this issue, but it occurs in the functions i2alaw_array and i2ulaw_array.
target
./sndfile-convert -alaw poc out.raw
./sndfile-convert -ulaw poc out.raw
ASAN report
=================================================================
==25251==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f259292a260 at pc 0x7f259289fdda bp 0x7ffc0e3efe50 sp 0x7ffc0e3efe48
READ of size 1 at 0x7f259292a260 thread T0
#0 0x7f259289fdd9 in i2alaw_array /home/pwd/fuzz/fuzz-wavpack/libsndfile/src/alaw.c:332:28
#1 0x7f259289fdd9 in alaw_write_i2alaw /home/pwd/fuzz/fuzz-wavpack/libsndfile/src/alaw.c:488
#2 0x7f259276ebd2 in sf_writef_int /home/pwd/fuzz/fuzz-wavpack/libsndfile/src/sndfile.c:2328:10
#3 0x507211 in sfe_copy_data_int /home/pwd/fuzz/fuzz-wavpack/libsndfile/programs/common.c:88:3
#4 0x5065d3 in main /home/pwd/fuzz/fuzz-wavpack/libsndfile/programs/sndfile-convert.c:352:3
#5 0x7f2591763b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#6 0x41a349 in _start (/home/pwd/fuzz/fuzz-wavpack/libsndfile/installed-asan/bin/sndfile-convert+0x41a349)
0x7f259292a260 is located 927 bytes to the right of global variable 'ulaw_encode' defined in 'src/ulaw.c:107:15' (0x7f2592927ec0) of size 8193
SUMMARY: AddressSanitizer: global-buffer-overflow /home/pwd/fuzz/fuzz-wavpack/libsndfile/src/alaw.c:332:28 in i2alaw_array
Shadow bytes around the buggy address:
0x0fe53251d3f0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0fe53251d400: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0fe53251d410: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0fe53251d420: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0fe53251d430: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
=>0x0fe53251d440: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9[f9]f9 f9 f9
0x0fe53251d450: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0fe53251d460: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0fe53251d470: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0fe53251d480: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0fe53251d490: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==25251==ABORTING
and
=================================================================
==25248==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f714254dec0 at pc 0x7f71424c539a bp 0x7ffcd08c2370 sp 0x7ffcd08c2368
READ of size 1 at 0x7f714254dec0 thread T0
#0 0x7f71424c5399 in i2ulaw_array /home/pwd/fuzz/fuzz-wavpack/libsndfile/src/ulaw.c:833:28
#1 0x7f71424c5399 in ulaw_write_i2ulaw /home/pwd/fuzz/fuzz-wavpack/libsndfile/src/ulaw.c:989
#2 0x7f7142396bd2 in sf_writef_int /home/pwd/fuzz/fuzz-wavpack/libsndfile/src/sndfile.c:2328:10
#3 0x507211 in sfe_copy_data_int /home/pwd/fuzz/fuzz-wavpack/libsndfile/programs/common.c:88:3
#4 0x5065d3 in main /home/pwd/fuzz/fuzz-wavpack/libsndfile/programs/sndfile-convert.c:352:3
#5 0x7f714138bb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#6 0x41a349 in _start (/home/pwd/fuzz/fuzz-wavpack/libsndfile/installed-asan/bin/sndfile-convert+0x41a349)
0x7f714254dec0 is located 32 bytes to the left of global variable '<string literal>' defined in 'src/command.c:47:3' (0x7f714254dee0) of size 26
'<string literal>' is ascii string 'AU (Sun/Next 8-bit u-law)'
0x7f714254dec0 is located 29 bytes to the right of global variable '<string literal>' defined in 'src/command.c:43:31' (0x7f714254dea0) of size 3
'<string literal>' is ascii string 'au'
SUMMARY: AddressSanitizer: global-buffer-overflow /home/pwd/fuzz/fuzz-wavpack/libsndfile/src/ulaw.c:833:28 in i2ulaw_array
Shadow bytes around the buggy address:
0x0feea84a1b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0feea84a1b90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0feea84a1ba0: 00 00 00 00 00 00 00 04 f9 f9 f9 f9 05 f9 f9 f9
0x0feea84a1bb0: f9 f9 f9 f9 00 00 00 06 f9 f9 f9 f9 05 f9 f9 f9
0x0feea84a1bc0: f9 f9 f9 f9 00 00 00 03 f9 f9 f9 f9 00 00 00 01
=>0x0feea84a1bd0: f9 f9 f9 f9 03 f9 f9 f9[f9]f9 f9 f9 00 00 00 02
0x0feea84a1be0: f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9 04 f9 f9 f9
0x0feea84a1bf0: f9 f9 f9 f9 00 00 07 f9 f9 f9 f9 f9 00 04 f9 f9
0x0feea84a1c00: f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9 00 00 07 f9
0x0feea84a1c10: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 05
0x0feea84a1c20: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 03
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==25248==ABORTING
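Added illustration, not libsndfile's code: the report says where the out-of-bounds read happens but not how the index leaves the table, so the model below assumes one common cause in this bug class (negating a 32-bit sample before scaling it down to a table index, which overflows for INT_MIN and yields a negative index) and sets a bounds-checked encoder beside it. The table name `encode_table`, its synthetic contents, the shift `SAMPLE_SHIFT` and the output format are all constructed for the example; the only value taken from the page is the 8193-byte size of `ulaw_encode` shown in the first ASAN report.

```c
#include <limits.h>
#include <stdio.h>

/* Constructed stand-in for a companding lookup table. The ASAN report above
 * shows the real ulaw_encode global has 8193 bytes; the values here are
 * synthetic and exist only so an index can be checked against the bounds. */
#define TABLE_SIZE 8193
static unsigned char encode_table [TABLE_SIZE] ;
static int table_ready = 0 ;

/* Assumed scale (not libsndfile's constant): 2^31 / 2^18 == 8192, so a 32-bit
 * sample magnitude divided by (1 << SAMPLE_SHIFT) lands in 0..8192, which is
 * exactly the table's index range. */
#define SAMPLE_SHIFT 18

static void init_table (void)
{	for (long i = 0 ; i < TABLE_SIZE ; i++)
		encode_table [i] = (unsigned char) ((i * 127) / (TABLE_SIZE - 1)) ;	/* monotone 0..127 */
	table_ready = 1 ;
}

/* Unsafe index derivation (hypothetical model of the bug class): negate the
 * sample first, then divide. -INT_MIN does not exist as an int; the unsigned
 * arithmetic here reproduces the two's-complement wrap back to INT_MIN that
 * the signed overflow produces on real hardware, so the index becomes -8192,
 * a read far in front of the table. */
static long unsafe_index (int sample)
{	if (sample >= 0)
		return sample / (1 << SAMPLE_SHIFT) ;
	int negated = (int) (0u - (unsigned) sample) ;	/* INT_MIN stays INT_MIN */
	return negated / (1 << SAMPLE_SHIFT) ;
}

/* Safe derivation: divide first, so the quotient is within -8192..8191 and
 * negating it cannot overflow; the caller still bounds-checks the result. */
static long safe_index (int sample)
{	long quotient = sample / (1 << SAMPLE_SHIFT) ;
	return quotient < 0 ? -quotient : quotient ;
}

/* Bounds-checked encoder over an array of int samples. Returns the number of
 * samples written, or -1 if any index would fall outside the table, instead
 * of reading past it the way the report shows. */
static int safe_encode_array (const int *ptr, int count, unsigned char *buffer)
{	if (! table_ready)
		init_table () ;
	for (int k = 0 ; k < count ; k++)
	{	long index = safe_index (ptr [k]) ;
		if (index < 0 || index >= TABLE_SIZE)
			return -1 ;
		/* synthetic output format: magnitude code plus a sign bit */
		buffer [k] = encode_table [index] | (ptr [k] < 0 ? 0x80 : 0x00) ;
	}
	return count ;
}

int main (void)
{	/* constructed samples, including the INT_MIN edge case */
	int samples [4] = { 0, INT_MAX, INT_MIN, -(1 << SAMPLE_SHIFT) } ;
	unsigned char out [4] ;

	printf ("unsafe index for INT_MIN: %ld (table range is 0..%d)\n", unsafe_index (INT_MIN), TABLE_SIZE - 1) ;
	printf ("safe index for INT_MIN:   %ld\n", safe_index (INT_MIN)) ;
	printf ("encoded %d samples\n", safe_encode_array (samples, 4, out)) ;
	return 0 ;
}
```

The check that matters is the one on `index` before the table read: even when the arithmetic is reordered so it cannot overflow, keeping the explicit range test means a future change to the shift or the table size fails loudly instead of becoming another silent over-read. Building with AddressSanitizer, as the reporter did, is the way to confirm the unsafe variant actually touches memory outside the global.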