
NULL pointer dereference in ModuleState::setup, in ModuleState.cpp #49

Open
@92wyunchao

Description


There is a NULL pointer dereference bug in ModuleState::setup, in ModuleState.cpp, which allows an attacker to cause a denial of service via a crafted CAF file.
poc.zip

To reproduce with the attached poc file:
./sfconvert $poc output format aiff

ASan:
==98672==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ff14364b98f bp 0x7ffd2fd4dd80 sp 0x7ffd2fd4d9c0 T0)
#0 0x7ff14364b98e in ModuleState::setup(_AFfilehandle*, Track*) /home/s2e/asan/audiofile-0.3.6/libaudiofile/modules/ModuleState.cpp:143
#1 0x7ff143634abd in afGetFrameCount /home/s2e/asan/audiofile-0.3.6/libaudiofile/format.cpp:205
#2 0x4ec033 in copyaudiodata /home/s2e/asan/audiofile-0.3.6/sfcommands/sfconvert.c:329
#3 0x4ebbe4 in main /home/s2e/asan/audiofile-0.3.6/sfcommands/sfconvert.c:248
#4 0x7ff1426c382f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#5 0x419068 in _start (/home/s2e/asan/audiofile-0.3.6/sfcommands/.libs/lt-sfconvert+0x419068)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/s2e/asan/audiofile-0.3.6/libaudiofile/modules/ModuleState.cpp:143 in ModuleState::setup(_AFfilehandle*, Track*)
==98672==ABORTING
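The report above is the kind of output a fuzzing campaign produces by the hundreds, so the first practical step is mechanical triage: pull the sanitizer error kind and fault address out of the log, find the first frame inside the library under test (as opposed to the sfconvert harness), decide whether a SEGV is a NULL-page dereference (a crash, hence DoS, rather than a controllable write), and derive a dedup key so later reports for the same bug bucket together. The script below is an added example, not part of the issue or of audiofile; it uses the ASan text quoted above as its sample input, and the `/libaudiofile/` and `/sfcommands/` path fragments and the 0x1000 NULL-page threshold are assumptions chosen for this report.

```python
"""Triage an AddressSanitizer crash report from a fuzzing run (added example)."""
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: the ASan output quoted in the issue above, embedded so this runs offline.
ASAN_REPORT = """\
==98672==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ff14364b98f bp 0x7ffd2fd4dd80 sp 0x7ffd2fd4d9c0 T0)
#0 0x7ff14364b98e in ModuleState::setup(_AFfilehandle*, Track*) /home/s2e/asan/audiofile-0.3.6/libaudiofile/modules/ModuleState.cpp:143
#1 0x7ff143634abd in afGetFrameCount /home/s2e/asan/audiofile-0.3.6/libaudiofile/format.cpp:205
#2 0x4ec033 in copyaudiodata /home/s2e/asan/audiofile-0.3.6/sfcommands/sfconvert.c:329
#3 0x4ebbe4 in main /home/s2e/asan/audiofile-0.3.6/sfcommands/sfconvert.c:248
#4 0x7ff1426c382f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#5 0x419068 in _start (/home/s2e/asan/audiofile-0.3.6/sfcommands/.libs/lt-sfconvert+0x419068)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/s2e/asan/audiofile-0.3.6/libaudiofile/modules/ModuleState.cpp:143 in ModuleState::setup(_AFfilehandle*, Track*)
==98672==ABORTING
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+)")
SEGV_ADDR_RE = re.compile(r"SEGV on unknown address 0x([0-9a-fA-F]+)")
# Frame with a source location: "#N 0xPC in <function, may contain spaces> <file>:<line>"
SRC_FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(.+?)\s+(\S+):(\d+)\s*$")
# Frame with only a module+offset, e.g. "_start (/path/to/binary+0x419068)"
MOD_FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(\S+)\s+\((\S+)\)\s*$")

# Assumption: a fault inside the first page is a NULL (+ small offset) dereference,
# i.e. a plain crash (DoS) rather than an attacker-steerable access.
NULL_PAGE = 0x1000


@dataclass
class Frame:
    index: int
    function: str
    file: str            # source path, or module path for frames without debug info
    line: Optional[int]  # None for module-only frames


@dataclass
class Triage:
    kind: str
    fault_addr: Optional[int]
    frames: List[Frame]
    library_frame: Optional[Frame]  # first frame inside the library under test
    harness_frame: Optional[Frame]  # first frame inside the driver program
    classification: str
    bucket: str                     # dedup key, stable across rebuilds/ASLR


def parse_frames(report: str) -> List[Frame]:
    frames: List[Frame] = []
    for line in report.splitlines():
        m = SRC_FRAME_RE.match(line)
        if m:
            frames.append(Frame(int(m.group(1)), m.group(2), m.group(3), int(m.group(4))))
            continue
        m = MOD_FRAME_RE.match(line)
        if m:
            frames.append(Frame(int(m.group(1)), m.group(2), m.group(3), None))
    return frames


def classify(kind: str, fault_addr: Optional[int]) -> str:
    if kind == "SEGV":
        if fault_addr is not None and fault_addr < NULL_PAGE:
            return "null-pointer-dereference"
        return "wild-access"  # non-NULL SEGV: needs a closer look, may be exploitable
    return "memory-corruption"  # heap-buffer-overflow, use-after-free, etc.


def first_frame_in(frames: List[Frame], path_fragment: str) -> Optional[Frame]:
    return next((f for f in frames if path_fragment in f.file), None)


def triage(report: str, library_dir: str = "/libaudiofile/",
           harness_dir: str = "/sfcommands/") -> Triage:
    kind_m = ERROR_RE.search(report)
    kind = kind_m.group(1) if kind_m else "unknown"
    addr_m = SEGV_ADDR_RE.search(report)
    fault_addr = int(addr_m.group(1), 16) if addr_m else None
    frames = parse_frames(report)
    # Dedup key: error kind plus the top three library functions, with addresses,
    # parameter lists and line numbers dropped so different builds bucket together.
    lib_funcs = [f.function.split("(")[0] for f in frames if library_dir in f.file][:3]
    bucket = hashlib.sha1(("|".join([kind] + lib_funcs)).encode()).hexdigest()[:12]
    return Triage(kind, fault_addr, frames,
                  first_frame_in(frames, library_dir),
                  first_frame_in(frames, harness_dir),
                  classify(kind, fault_addr), bucket)


if __name__ == "__main__":
    t = triage(ASAN_REPORT)
    print(f"{t.classification} ({t.kind} at {t.fault_addr:#x}) bucket={t.bucket}")
    print(f"  library frame: {t.library_frame.function} {t.library_frame.file}:{t.library_frame.line}")
    print(f"  harness entry: {t.harness_frame.function} {t.harness_frame.file}:{t.harness_frame.line}")
```

Run on the report above it yields `null-pointer-dereference (SEGV at 0x0)`, with ModuleState::setup at ModuleState.cpp:143 as the library frame and copyaudiodata at sfconvert.c:329 as the harness entry point, which matches the reporter's characterization of the bug as a denial of service. The bucket ignores pc values, argument lists and line numbers on purpose, so a second PoC that hits the same path after a rebuild lands in the same bucket; a SEGV whose address is not in the NULL page is flagged `wild-access` instead, because that is the case where the CAF-controlled value may be more than a crash.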
