
UndefinedBehaviorSanitizer: index 100 out of bounds for type 'SF_CUE_POINT [100]' #832

Open
pietroborrello opened this issue Apr 29, 2022 · 9 comments


@pietroborrello

Describe the bug

UndefinedBehaviorSanitizer: index 100 out of bounds for type 'SF_CUE_POINT [100]' in wav.c:524

To Reproduce

Built libsndfile using clang-10 according to the oss-fuzz script with CXXFLAGS='-O1 -fsanitize=address -fsanitize=array-bounds,bool,builtin,enum,float-divide-by-zero,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unreachable,vla-bound,vptr'

commit: 4b01368

UBSAN Output
$ ./sndfile_alt_fuzzer id:000051,sig:06,src:002454+003908,time:5669051,op:splice,rep:8,trial:2
INFO: Seed: 3446105526
INFO: Loaded 1 modules   (33759 inline 8-bit counters): 33759 [0x8977c3, 0x89fba2), 
INFO: Loaded 1 PC tables (33759 PCs): 33759 [0x6f6b48,0x77a938), 
sndfile_alt_fuzzer: Running 1 inputs 1 time(s) each.
Running: id:000051,sig:06,src:002454+003908,time:5669051,op:splice,rep:8,trial:2
src/wav.c:524:8: runtime error: index 100 out of bounds for type 'SF_CUE_POINT [100]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/wav.c:524:8 in 
src/wav.c:525:8: runtime error: index 100 out of bounds for type 'SF_CUE_POINT [100]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/wav.c:525:8 in 
src/wav.c:526:8: runtime error: index 100 out of bounds for type 'SF_CUE_POINT [100]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/wav.c:526:8 in 
src/wav.c:527:8: runtime error: index 100 out of bounds for type 'SF_CUE_POINT [100]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/wav.c:527:8 in 
src/wav.c:528:8: runtime error: index 100 out of bounds for type 'SF_CUE_POINT [100]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/wav.c:528:8 in 
src/wav.c:529:8: runtime error: index 100 out of bounds for type 'SF_CUE_POINT [100]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/wav.c:529:8 in 
src/wav.c:530:8: runtime error: index 100 out of bounds for type 'SF_CUE_POINT [100]'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/wav.c:530:8 in 
Executed id:000051,sig:06,src:002454+003908,time:5669051,op:splice,rep:8,trial:2 in 2 ms

testcase:
idx out of bound.zip

@rfrohl

rfrohl commented Jul 19, 2023

FTR: someone also assigned a CVE to this bug report: CVE-2022-33064

@ellenjohnson

Hello!
Can someone please provide an update on a timeframe for fixing this issue? We currently use libsndfile v1.1.0 and CVE-2022-33064 was reported to our team as a high severity security bug.
Thanks!

@ellenjohnson

ellenjohnson commented Aug 11, 2023

Any updates on this? It's a high severity security bug on our plate. Thanks!

@evpobr
Member

evpobr commented Aug 12, 2023

Hi @ellenjohnson ! Unfortunately, no plans to fix it yet. Maybe you can help us?

@ellenjohnson

ellenjohnson commented Aug 14, 2023

Hi @evpobr - thank you for letting us know there are no plans to fix this yet.

@kulikjak

kulikjak commented Sep 1, 2023

Hi, I don't have ASAN available and I have almost no prior knowledge of libsndfile code base; however, I looked a little into this (in version 1.1.0 - nothing relevant seems to have changed since), and I think this might be a false positive.

I added some debug prints and verified that the supplied input doesn't do anything unexpected.

The input file reports that it has 1024 cues, psf_cues_alloc allocates a structure that is 286724 bytes in size (4 bytes for cue_count and 1024*280 for all points), and then only 120 cues are actually present in the file, so it writes nowhere close to the end of the allocated memory.

My guess is that the following definition in sndfile.h makes it think that SF_CUES has 100 cue_points:

typedef struct
{	int32_t 	indx ;
	uint32_t 	position ;
	int32_t 	fcc_chunk ;
	int32_t 	chunk_start ;
	int32_t		block_start ;
	uint32_t 	sample_offset ;
	char name [256] ;
} SF_CUE_POINT ;

#define	SF_CUES_VAR(count) \
	struct \
	{	uint32_t cue_count ; \
		SF_CUE_POINT cue_points [count] ; \
	}

typedef SF_CUES_VAR (100) SF_CUES ;

which is a good guess, but that is not the case when allocated with psf_cues_alloc as it allocates a buffer of (sizeof (SF_CUES_0) + count * sizeof (SF_CUE_POINT)) bytes.

All that said, I might have overlooked something important, so take it with a grain of salt.
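To make the distinction kulikjak draws concrete, here is an added example; it is not libsndfile's code and was not posted by anyone in this thread. It reuses the SF_CUE_POINT and SF_CUES_VAR definitions quoted above and adds a hypothetical flexible-array-member variant, SF_CUES_FAM, plus helper names of its own (cues_alloc_size, cues_static_bound, cues_alloc_fill, cue_index_allocated, cue_index_trips_ubsan). It reproduces the numbers from the thread: a header claiming 1024 cues gives a 286724-byte allocation, 120 cues are then written, and every index from 100 upward is backed by that allocation yet exceeds the declared length 100 that -fsanitize=array-bounds compares against when the buffer is accessed through an SF_CUES pointer. The only check that decides whether a write is actually in bounds is the one against the allocated count, which is the check shown here.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same field layout as the SF_CUE_POINT quoted from sndfile.h:
 * six 4-byte fields plus a 256-byte name = 280 bytes, 4-byte aligned. */
typedef struct
{
    int32_t  indx;
    uint32_t position;
    int32_t  fcc_chunk;
    int32_t  chunk_start;
    int32_t  block_start;
    uint32_t sample_offset;
    char     name[256];
} SF_CUE_POINT;

/* The header's pattern: a struct whose trailing array has a fixed length,
 * used as if it were variable-length. SF_CUES = SF_CUES_VAR(100). */
#define SF_CUES_VAR(count) \
    struct \
    { \
        uint32_t     cue_count; \
        SF_CUE_POINT cue_points[count]; \
    }

typedef SF_CUES_VAR(100) SF_CUES;

/* Hypothetical alternative (this example's own, not libsndfile's): a C99
 * flexible array member has no compile-time length, so the array-bounds
 * sanitizer has nothing to compare an index against; only the allocation
 * size bounds it, which is what the code relies on in any case. */
typedef struct
{
    uint32_t     cue_count;
    SF_CUE_POINT cue_points[];
} SF_CUES_FAM;

/* Allocation size as the thread describes psf_cues_alloc computing it:
 * header size plus count points. For count = 1024 this is 286724. */
size_t cues_alloc_size(uint32_t count)
{
    return sizeof(SF_CUES_FAM) + (size_t)count * sizeof(SF_CUE_POINT);
}

/* The bound UBSan's array-bounds check sees when the buffer is accessed
 * through an SF_CUES pointer: the declared length of cue_points (100),
 * regardless of how much memory was actually allocated behind it. */
size_t cues_static_bound(void)
{
    return sizeof(((SF_CUES *)0)->cue_points) / sizeof(SF_CUE_POINT);
}

/* Allocate room for `count` cues (what the file header claims) and fill the
 * first `present` of them (what the file actually carries). Returns NULL when
 * the file carries more cues than it claims: that is the real out-of-bounds
 * case, and the one a bounds check against the allocated count must reject. */
SF_CUES_FAM *cues_alloc_fill(uint32_t count, uint32_t present)
{
    if (present > count)
        return NULL;
    SF_CUES_FAM *cues = calloc(1, cues_alloc_size(count));
    if (cues == NULL)
        return NULL;
    cues->cue_count = count;
    for (uint32_t i = 0; i < present; i++) {
        /* Constructed values standing in for a parsed 'cue ' chunk entry. */
        cues->cue_points[i].indx = (int32_t)i;
        cues->cue_points[i].position = i * 1000u;
        cues->cue_points[i].sample_offset = i * 1000u;
        snprintf(cues->cue_points[i].name, sizeof cues->cue_points[i].name,
                 "cue%u", i);
    }
    return cues;
}

/* 1 when index idx is backed by the allocation: the check that matters. */
int cue_index_allocated(const SF_CUES_FAM *cues, uint32_t idx)
{
    return idx < cues->cue_count;
}

/* 1 when the same index would trip -fsanitize=array-bounds through an
 * SF_CUES pointer, i.e. when it is >= the declared length 100. An index that
 * is allocated but still trips the sanitizer is the false-positive zone the
 * thread describes (indices 100..119 of the 1024-cue test file). */
int cue_index_trips_ubsan(uint32_t idx)
{
    return idx >= cues_static_bound();
}

int main(void)
{
    const uint32_t sample[] = { 99, 100, 119, 1024 };
    SF_CUES_FAM *cues = cues_alloc_fill(1024, 120);
    if (cues == NULL)
        return 1;
    printf("allocation %zu bytes, static bound %zu points\n",
           cues_alloc_size(1024), cues_static_bound());
    for (size_t k = 0; k < sizeof sample / sizeof sample[0]; k++)
        printf("idx %4u: allocated=%d trips_ubsan=%d\n", sample[k],
               cue_index_allocated(cues, sample[k]),
               cue_index_trips_ubsan(sample[k]));
    free(cues);
    return 0;
}
```

Running it prints index 99 as allocated and not flagged, indices 100 and 119 as allocated but flagged (the sanitizer report on wav.c:524 corresponds to the first of these), and index 1024 as neither allocated nor silently accepted by the count check. Whether the sanitizer report is a false positive therefore depends only on the count check in the writer being present and correct, not on the declared length of cue_points.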

@mhlavink

mhlavink commented Oct 4, 2023

I have checked this, then did some evaluations for boundary conditions and ended up with same conclusion as kulikjak. I think that it is confused about how much memory is really allocated and this is false positive.

@ellenjohnson

ellenjohnson commented Oct 19, 2023

Thank you @kulikjak and @mhlavink for looking into this and for investigating whether this might be a false positive.
@evpobr: Can you or someone else from libsndfile confirm whether this CVE is a real issue or a false positive?
Thanks!

@ellenjohnson

Hi @evpobr -- we're still tracking this security issue since it's still listed as a high-score CVE at https://nvd.nist.gov/vuln/detail/CVE-2022-33064.
I see the Linux distros Debian and Ubuntu are also tracking this as unresolved.
Would you or another developer at libsndfile please confirm what @kulikjak and @mhlavink suspect -- that this might be a false positive? Thank you!
