UndefinedBehaviorSanitizer: index 100 out of bounds for type 'SF_CUE_POINT [100]' #832
Comments
FTR: someone also assigned a CVE to this bug report: CVE-2022-33064
Hello!
Any updates on this? It's a high severity security bug on our plate. Thanks!
Hi @ellenjohnson ! Unfortunately no plans to fix it yet. Maybe you can help us?
Hi @evpobr - thank you for letting us know there are no plans to fix this yet.
Hi, I don't have ASAN available and I have almost no prior knowledge of the libsndfile code base; however, I looked a little into this (in version 1.1.0 - nothing relevant seems to have changed since), and I think this might be a false positive. I added some debug prints and verified that the supplied input doesn't do anything unexpected. The input file reports that it has 1024 cues. My guess is that the following definition in

```c
typedef struct
{	int32_t indx ;
	uint32_t position ;
	int32_t fcc_chunk ;
	int32_t chunk_start ;
	int32_t block_start ;
	uint32_t sample_offset ;
	char name [256] ;
} SF_CUE_POINT ;

#define SF_CUES_VAR(count) \
	struct \
	{	uint32_t cue_count ; \
		SF_CUE_POINT cue_points [count] ; \
	}

typedef SF_CUES_VAR (100) SF_CUES ;
```

which is a good guess, but that is not the case when allocated with

All that said, I might have overlooked something important, so take it with a grain of salt.
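The mismatch the comment above describes, as an added example that is not code from the issue or from libsndfile: the block is sized for the file's cue count (1024 here), but it is accessed through SF_CUES, whose cue_points member is declared with 100 elements, so -fsanitize=array-bounds reports index 100 against the declared type even though the allocation holds it. The helpers cues_static_bound, cues_alloc_size, cues_alloc, cue_at and cues_roundtrip are hypothetical names, and the assumption that the library allocates a count-sized variant is taken from the comment, not verified against the source.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
/* Types as quoted in the issue (libsndfile's public header). */
typedef struct
{	int32_t indx ; uint32_t position ; int32_t fcc_chunk ;
	int32_t chunk_start ; int32_t block_start ; uint32_t sample_offset ;
	char name [256] ;
} SF_CUE_POINT ;
#define SF_CUES_VAR(count) struct { uint32_t cue_count ; SF_CUE_POINT cue_points [count] ; }
typedef SF_CUES_VAR (100) SF_CUES ;
/* The bound -fsanitize=array-bounds checks: the declared type, always 100. */
size_t cues_static_bound (void)
{	return sizeof (((SF_CUES *) 0)->cue_points) / sizeof (SF_CUE_POINT) ;
}
/* Hypothetical helper: bytes for a cue_count-sized variant, computed portably. */
size_t cues_alloc_size (uint32_t cue_count)
{	return offsetof (SF_CUES, cue_points) + (size_t) cue_count * sizeof (SF_CUE_POINT) ;
}

/* Allocate the count-sized block but hand it out as SF_CUES *: the memory is
 * there, yet pcues->cue_points [100] subscripts a member typed [100]. */
SF_CUES * cues_alloc (uint32_t cue_count)
{	SF_CUES *pcues = calloc (1, cues_alloc_size (cue_count)) ;
	if (pcues != NULL) pcues->cue_count = cue_count ;
	return pcues ;
}

/* Checked access tied to the real allocation: reject indx >= cue_count and form
 * the address from the struct base, not the [100]-typed member, so neither the
 * sanitizer's static check nor a genuine overread can fire. */
SF_CUE_POINT * cue_at (SF_CUES *pcues, uint32_t indx)
{	if (pcues == NULL || indx >= pcues->cue_count)
		return NULL ;
	return (SF_CUE_POINT *) ((char *) pcues + offsetof (SF_CUES, cue_points)) + indx ;
}

/* Store value at idx in an n-cue block and read it back:
 * 1 = round trip ok, -1 = idx rejected by cue_at, 0 = allocation failed. */
int cues_roundtrip (uint32_t n, uint32_t idx, uint32_t value)
{	SF_CUES *pcues = cues_alloc (n) ;
	SF_CUE_POINT *cue = cue_at (pcues, idx) ;
	int result = (pcues == NULL) ? 0 : -1 ;
	if (cue != NULL)
	{	cue->position = value ;
		result = (cue_at (pcues, idx)->position == value) ;
	}
	free (pcues) ;
	return result ;
}
```

Index 100 round-trips fine in a 1024-cue block because the allocation covers it; the only bound that matters at run time is cue_count, which is what cue_at enforces.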
I have checked this, then did some evaluations for boundary conditions and ended up with the same conclusion as kulikjak. I think that it is confused about how much memory is really allocated and this is a false positive.
Hi @evpobr -- we're still tracking this security issue since it's still listed as a high-score CVE at https://nvd.nist.gov/vuln/detail/CVE-2022-33064.
Describe the bug
UndefinedBehaviorSanitizer: index 100 out of bounds for type 'SF_CUE_POINT [100]' in wav.c:524
To Reproduce
Built libsndfile using clang-10 according to the oss-fuzz script with
CXXFLAGS='-O1 -fsanitize=address -fsanitize=array-bounds,bool,builtin,enum,float-divide-by-zero,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unreachable,vla-bound,vptr'
commit: 4b01368
UBSAN Output
testcase:
idx out of bound.zip