You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We found a heap-buffer-overflow when vorbis-tools/oggenc converted wav files to ogg files.
It should be noted that vorbis-tools(version 1.4.0-11) downloaded through apt-get may also trigger this vulnerability, which may endanger the system security of Debian users.
Version
root@38ad1e4b9d16:/vorbis-tools# /vorbis-tools/oggenc/oggenc --version
oggenc from vorbis-tools 1.4.2
=================================================================
==1899805==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000086 at pc 0x7ffff7600ccd bp 0x7fffffffde00 sp 0x7fffffffd5a8
READ of size 1 at 0x603000000086 thread T0
#0 0x7ffff7600ccc in __interceptor_strchr ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:671#1 0x55555556bd28 in create_directories /vorbis-tools/oggenc/platform.c:150#2 0x5555555609fd in main /vorbis-tools/oggenc/oggenc.c:353#3 0x7ffff7189082 in __libc_start_main ../csu/libc-start.c:308#4 0x55555556280d in _start (/vorbis-tools/oggenc/oggenc+0xe80d)
0x603000000086 is located 0 bytes to the right of 22-byte region [0x603000000070,0x603000000086)
allocated by thread T0 here:
#0 0x7ffff76223ed in __interceptor_strdup ../../../../src/libsanitizer/asan/asan_interceptors.cc:445#1 0x5555555609d0 in main /vorbis-tools/oggenc/oggenc.c:308#2 0x7ffff7189082 in __libc_start_main ../csu/libc-start.c:308
SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:671 in __interceptor_strchr
Shadow bytes around the buggy address:
0x0c067fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c067fff8000: fa fa 00 00 00 fa fa fa 00 00 06 fa fa fa 00 00
=>0x0c067fff8010:[06]fa fa fa 00 00 06 fa fa fa fa fa fa fa fa fa
0x0c067fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1899805==ABORTING
Location
Environment
ubuntu:20.04
gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)
clang version 10.0.0-4ubuntu1
afl-cc++4.09
Heap-buffer-overflow on vorbis-tools/oggenc
Description
We found a heap-buffer-overflow when vorbis-tools/oggenc converted wav files to ogg files.
![1694969784524](https://private-user-images.githubusercontent.com/67280615/268516408-dd613c48-047c-41f1-b008-fdd29707c722.jpg?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MjA3MjA4MjMsIm5iZiI6MTcyMDcyMDUyMywicGF0aCI6Ii82NzI4MDYxNS8yNjg1MTY0MDgtZGQ2MTNjNDgtMDQ3Yy00MWYxLWIwMDgtZmRkMjk3MDdjNzIyLmpwZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNDA3MTElMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjQwNzExVDE3NTUyM1omWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPWJjY2IyYWEzMjRjMzRiNGU2ZDA0OWQxYWJjOGI4ZjdhNDBiMDg2YTUxNDRhM2E3NmE2MTEzNDJkNmY5NTAyYzUmWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0JmFjdG9yX2lkPTAma2V5X2lkPTAmcmVwb19pZD0wIn0.vaiNL4qCsTR0DAnAQ2MUJhTUAfxXYiYNkbxLcBqlGD8)
It should be noted that vorbis-tools(version 1.4.0-11) downloaded through apt-get may also trigger this vulnerability, which may endanger the system security of Debian users.
Version
vorbis-tools 1.4.2 is the latest version.
Reference
https://www.xiph.org/press/2021/vorbis-tools-1.4.2/
https://github.com/xiph/vorbis-tools
https://github.com/xiph/vorbis
https://xiph.org/vorbis/
Actual Behavior
Heap-buffer-overflow
PoC
https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/vorbis1poc
Reproduction
ASAN Log
Location
Environment
Credit
Zeng Yunxiang ([Huazhong University of Science and Technology](http://cse.hust.edu.cn/))
Song Jiaxuan
The text was updated successfully, but these errors were encountered: