Skip to content

Heap-buffer-overflow on vorbis-tools/oggenc #41

Closed
@Frank-Z7

Description

@Frank-Z7

Heap-buffer-overflow on vorbis-tools/oggenc


Description

We found a heap-buffer-overflow when vorbis-tools/oggenc converted wav files to ogg files.
It should be noted that vorbis-tools(version 1.4.0-11) downloaded through apt-get may also trigger this vulnerability, which may endanger the system security of Debian users.
1694969784524

Version

root@38ad1e4b9d16:/vorbis-tools# /vorbis-tools/oggenc/oggenc --version
oggenc from vorbis-tools 1.4.2

vorbis-tools 1.4.2 is the latest version.

Reference

https://www.xiph.org/press/2021/vorbis-tools-1.4.2/

https://github.com/xiph/vorbis-tools

https://github.com/xiph/vorbis

https://xiph.org/vorbis/

Actual Behavior

Heap-buffer-overflow

PoC

https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/vorbis1poc

Reproduction

git clone https://github.com/xiph/vorbis-tools.git
cd vorbis-tools
apt install automake libtool m4 autoconf libogg-dev libvorbis-dev
./autogen.sh
CFLAGS="-fsanitize=address -fno-omit-frame-pointer -g" CXXFLAGS=" -fsanitize=address -fno-omit-frame-pointer -g" ./configure
make
./oggenc/oggenc -q 5 vorbis1poc -o ./oggenc/

ASAN Log

=================================================================
==1899805==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000086 at pc 0x7ffff7600ccd bp 0x7fffffffde00 sp 0x7fffffffd5a8
READ of size 1 at 0x603000000086 thread T0
    #0 0x7ffff7600ccc in __interceptor_strchr ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:671
    #1 0x55555556bd28 in create_directories /vorbis-tools/oggenc/platform.c:150
    #2 0x5555555609fd in main /vorbis-tools/oggenc/oggenc.c:353
    #3 0x7ffff7189082 in __libc_start_main ../csu/libc-start.c:308
    #4 0x55555556280d in _start (/vorbis-tools/oggenc/oggenc+0xe80d)

0x603000000086 is located 0 bytes to the right of 22-byte region [0x603000000070,0x603000000086)
allocated by thread T0 here:
    #0 0x7ffff76223ed in __interceptor_strdup ../../../../src/libsanitizer/asan/asan_interceptors.cc:445
    #1 0x5555555609d0 in main /vorbis-tools/oggenc/oggenc.c:308
    #2 0x7ffff7189082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:671 in __interceptor_strchr
Shadow bytes around the buggy address:
  0x0c067fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c067fff8000: fa fa 00 00 00 fa fa fa 00 00 06 fa fa fa 00 00
=>0x0c067fff8010:[06]fa fa fa 00 00 06 fa fa fa fa fa fa fa fa fa
  0x0c067fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1899805==ABORTING

Location

image-20230916025548148
image-20230916025622500
image-20230916025948153

Environment

ubuntu:20.04
gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)
clang version 10.0.0-4ubuntu1
afl-cc++4.09

Credit

Zeng Yunxiang ([Huazhong University of Science and Technology](http://cse.hust.edu.cn/))
Song Jiaxuan

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions