Heap-buffer-overflow on vorbis-tools/oggenc #41
Comments
|
Thanks for the report! Proposed fix at https://gitlab.xiph.org/xiph/vorbis-tools/-/merge_requests/7 |
my pleasure. |
|
CVE-2023-43361 was assigned to this. I did not had any involvement on the assignment. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Heap-buffer-overflow on vorbis-tools/oggenc
Description
We found a heap-buffer-overflow when vorbis-tools/oggenc converted wav files to ogg files.
It should be noted that vorbis-tools(version 1.4.0-11) downloaded through apt-get may also trigger this vulnerability, which may endanger the system security of Debian users.
Version
vorbis-tools 1.4.2 is the latest version.
Reference
https://www.xiph.org/press/2021/vorbis-tools-1.4.2/
https://github.com/xiph/vorbis-tools
https://github.com/xiph/vorbis
https://xiph.org/vorbis/
Actual Behavior
Heap-buffer-overflow
PoC
https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/vorbis1poc
Reproduction
ASAN Log
================================================================= ==1899805==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000000086 at pc 0x7ffff7600ccd bp 0x7fffffffde00 sp 0x7fffffffd5a8 READ of size 1 at 0x603000000086 thread T0 #0 0x7ffff7600ccc in __interceptor_strchr ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:671 #1 0x55555556bd28 in create_directories /vorbis-tools/oggenc/platform.c:150 #2 0x5555555609fd in main /vorbis-tools/oggenc/oggenc.c:353 #3 0x7ffff7189082 in __libc_start_main ../csu/libc-start.c:308 #4 0x55555556280d in _start (/vorbis-tools/oggenc/oggenc+0xe80d) 0x603000000086 is located 0 bytes to the right of 22-byte region [0x603000000070,0x603000000086) allocated by thread T0 here: #0 0x7ffff76223ed in __interceptor_strdup ../../../../src/libsanitizer/asan/asan_interceptors.cc:445 #1 0x5555555609d0 in main /vorbis-tools/oggenc/oggenc.c:308 #2 0x7ffff7189082 in __libc_start_main ../csu/libc-start.c:308 SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:671 in __interceptor_strchr Shadow bytes around the buggy address: 0x0c067fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c067fff8000: fa fa 00 00 00 fa fa fa 00 00 06 fa fa fa 00 00 =>0x0c067fff8010:[06]fa fa fa 00 00 06 fa fa fa fa fa fa fa fa fa 0x0c067fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c067fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==1899805==ABORTINGLocation
Environment
Credit
Zeng Yunxiang ([Huazhong University of Science and Technology](http://cse.hust.edu.cn/))
Song Jiaxuan
The text was updated successfully, but these errors were encountered: