heap-buffer-overflow in msadpcm_decode_block #687
Comments
Hi @andreafioraldi, thanks for the report.
I think this problem is about

Oop, maybe Lines 150 to 155 in 251a435

In the `make test` test case, ima_adpcm.wav doesn't have this feature.
Hi @galaktipus, it was fixed: https://oss-fuzz.com/testcase-detail/5696502087024640. I guess I forgot to close this issue. You can use the master branch; we tagged the unofficial release 1.1.0beta1 there.
I don't see a tag, maybe it wasn't pushed? That link is also behind a login, can you point directly to a fix?
@galaktipus, actually you can use the master branch. @SoapGentoo, could you create a tag for 1.1.0beta1?
@evpobr sorry, forgot to push for beta1, pushed now
CVE-2021-3246 appears to have been assigned for this issue.
@carnil, thanks.
Thank you very much for fixing this! Just to confirm, is this the commit and the pull request #713 that fixes this issue? I would also appreciate any information about the approximate timeline for the next official release... I think this fix is not in 1.0.31, and we are somewhat limited in our ability to address CVEs by upgrading to unofficial beta releases or by patching. So any info about the plans for the next release would be very helpful!
Yes.

Unfortunately, there are no exact dates. I hope we will release 1.1.0 this year. We're waiting for @arthurt to finish whatever he wanted about the MP3 format, but he is probably very busy at work or maybe resting. We'll wait for him to respond.
Uh oh, I thought we were waiting on something else!
No 😄
The CVE states that only 1.0.30 is affected. I think that e4cc9d3 introduced the incomplete check, which is in 1.0.26. But given that there was no check before, I assume that even older versions are affected. Can you confirm this, at least that >1.0.26 is affected, and update the CVE information, please?
I found the bug fuzzing 1.0.28, FYI.
Anyone can request CVE data to be updated: |
Hi everybody. It would be nice to update the CVE. Maybe it is better to wait for 1.1.0 with the fix and then update the description?
Hello all,
Hi @KamicDemon

Hmm, I didn't quite understand, do you need a text file or did you create it?
The test case is in the original report. |
Hi, thanks for the reply. I may have misunderstood the nature of the vulnerability in question. I assumed it could be triggered simply by playing a crafted WAV file on a device using the vulnerable version of Libsnd. I was asking if anyone had made a .wav PoC file, but forgot to type out the word "anyone".
Hi,
fuzzing sndfile-info with AFL++ I found a heap-buffer-overflow in msadpcm_decode_block /home/andreaf/real/libsndfile/src/ms_adpcm.c:279
I'm on an x86-64 Ubuntu 20.04 with Clang 10.
The AddressSanitizer report is the following:
To reproduce on git master:
The testcase that triggers the bug is (decompress it first):
sndfile_heap_overflow.tar.gz