Heap-buffer-overflow on vorbis-tools/oggenc
Closed
Description
We found a heap-buffer-overflow when vorbis-tools/oggenc converted wav files to ogg files.
It should be noted that vorbis-tools (version 1.4.0-11) downloaded through apt-get may also trigger this vulnerability, which may endanger the system security of Debian users.

Version
root@38ad1e4b9d16:/vorbis-tools# /vorbis-tools/oggenc/oggenc --version
oggenc from vorbis-tools 1.4.2
vorbis-tools 1.4.2 is the latest version.
Reference
https://www.xiph.org/press/2021/vorbis-tools-1.4.2/
https://github.com/xiph/vorbis-tools
https://github.com/xiph/vorbis
Actual Behavior
Heap-buffer-overflow
PoC
https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/vorbis1poc
Reproduction
git clone https://github.com/xiph/vorbis-tools.git
cd vorbis-tools
apt install automake libtool m4 autoconf libogg-dev libvorbis-dev
./autogen.sh
CFLAGS="-fsanitize=address -fno-omit-frame-pointer -g" CXXFLAGS=" -fsanitize=address -fno-omit-frame-pointer -g" ./configure
make
./oggenc/oggenc -q 5 vorbis1poc -o ./oggenc/
ASAN Log
=================================================================
==1899805==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000086 at pc 0x7ffff7600ccd bp 0x7fffffffde00 sp 0x7fffffffd5a8
READ of size 1 at 0x603000000086 thread T0
#0 0x7ffff7600ccc in __interceptor_strchr ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:671
#1 0x55555556bd28 in create_directories /vorbis-tools/oggenc/platform.c:150
#2 0x5555555609fd in main /vorbis-tools/oggenc/oggenc.c:353
#3 0x7ffff7189082 in __libc_start_main ../csu/libc-start.c:308
#4 0x55555556280d in _start (/vorbis-tools/oggenc/oggenc+0xe80d)
0x603000000086 is located 0 bytes to the right of 22-byte region [0x603000000070,0x603000000086)
allocated by thread T0 here:
#0 0x7ffff76223ed in __interceptor_strdup ../../../../src/libsanitizer/asan/asan_interceptors.cc:445
#1 0x5555555609d0 in main /vorbis-tools/oggenc/oggenc.c:308
#2 0x7ffff7189082 in __libc_start_main ../csu/libc-start.c:308
SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:671 in __interceptor_strchr
Shadow bytes around the buggy address:
0x0c067fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c067fff8000: fa fa 00 00 00 fa fa fa 00 00 06 fa fa fa 00 00
=>0x0c067fff8010:[06]fa fa fa 00 00 06 fa fa fa fa fa fa fa fa fa
0x0c067fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1899805==ABORTING
Location
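Editor's note on what the trace shows, with an added example that is not the reporter's PoC and not vorbis-tools code. Frame #1 is strchr() inside create_directories (oggenc/platform.c:150) reading the byte immediately after a 22-byte region that main (oggenc.c:308) obtained from strdup(); ASan reports the read as 0 bytes to the right of the region, i.e. a scan that began at or past the NUL terminator of the duplicated output filename. The loop below is an assumed reconstruction of that shape (search for the next separator from start + 1, then set start = end + 1), with the stat()/mkdir() work left out; the constructed input ends in a separator, as the `-o ./oggenc/` invocation above does, and the sentinel bytes placed after the NUL keep the overread inside a known array so it can be observed rather than crash. The hardened variant beside it is the check a practitioner would want in place.

```c
#include <stdio.h>
#include <string.h>

#define PATH_SEPARATOR '/'
#define MAX_SEGMENTS 16
#define MAX_SEGMENT_LEN 64

/* Result of walking one output path: the directory prefixes a
 * create_directories-style loop would hand to mkdir(), plus a flag that is
 * set if the loop ever obtained a pointer beyond the terminating NUL. */
struct walk {
    int count;
    int oob;
    char seg[MAX_SEGMENTS][MAX_SEGMENT_LEN];
};

/* Copy the prefix fn[0..end) into the next segment slot. */
static void record(struct walk *w, const char *fn, const char *end)
{
    size_t len = (size_t)(end - fn);
    if (w->count < MAX_SEGMENTS && len < MAX_SEGMENT_LEN) {
        memcpy(w->seg[w->count], fn, len);
        w->seg[w->count][len] = '\0';
        w->count++;
    }
}

/* Assumed shape of the vulnerable loop (reconstructed from the trace, not
 * copied from vorbis-tools).  It searches for the next separator from
 * start + 1 and then moves start to end + 1.  When fn ends with a separator,
 * start lands on the NUL terminator, so the next strchr(start + 1, ...) begins
 * one byte past the string and keeps reading until it meets a NUL or a '/'
 * somewhere after the allocation: the 0-bytes-to-the-right read ASan reports.
 * The caller places sentinel bytes after the NUL so the overread stays inside
 * a known array; the flag records that it happened, then we stop, whereas the
 * real loop would carry on with the stale pointer. */
static void walk_unsafe(const char *fn, struct walk *w)
{
    const char *nul = fn + strlen(fn);
    const char *start = fn, *end;

    w->count = 0;
    w->oob = 0;
    while ((end = strchr(start + 1, PATH_SEPARATOR)) != NULL) {
        if (end > nul) {
            w->oob = 1;
            break;
        }
        record(w, fn, end);
        start = end + 1;
    }
}

/* Hardened loop: stop as soon as start reaches the terminator, so strchr is
 * never asked to scan from past the end of the string.  Empty strings and
 * trailing separators both terminate cleanly with the same segments as before. */
static void walk_safe(const char *fn, struct walk *w)
{
    const char *start = fn, *end;

    w->count = 0;
    w->oob = 0;
    while (*start != '\0' && (end = strchr(start + 1, PATH_SEPARATOR)) != NULL) {
        record(w, fn, end);
        start = end + 1;
    }
}

int main(void)
{
    /* Constructed input: an output path with a trailing separator, followed
     * in the same array by bytes standing in for whatever happens to sit
     * after the strdup()'d string on the heap. */
    static const char poisoned[] = "out/dir/\0junk/";
    struct walk w;
    int i;

    walk_unsafe(poisoned, &w);
    printf("unsafe: %d segments, overread=%d\n", w.count, w.oob);
    walk_safe(poisoned, &w);
    printf("safe:   %d segments, overread=%d\n", w.count, w.oob);
    for (i = 0; i < w.count; i++)
        printf("  mkdir(\"%s\")\n", w.seg[i]);
    return 0;
}
```

On a real heap the bytes after the terminator are whatever neighbours the allocation, so the unguarded strchr may return NULL by luck, find a separator far outside the buffer, or fault; a trailing-separator output path is the simplest input to check any build against.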
Environment
ubuntu:20.04
gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)
clang version 10.0.0-4ubuntu1
afl-cc++4.09
Credit
Zeng Yunxiang ([Huazhong University of Science and Technology](http://cse.hust.edu.cn/))
Song Jiaxuan