libmp3splt: NULL pointer dereference in splt_cue_export_to_file (cue.c)

Description:
libmp3splt a library for mp3splt to split mp3 and ogg files without decoding.

A fuzz on it discovered a NULL pointer access.

The complete ASan output:

# mp3splt -P -f -t 0.1 -a $FILE
==2581==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f36fb0a159a bp 0x7ffdc2708cb0 sp 0x7ffdc2708438 T0)
==2581==The signal is caused by a READ memory access.
==2581==Hint: address points to the zero page.
    #0 0x7f36fb0a1599 in strlen /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/string/../sysdeps/x86_64/strlen.S:76
    #1 0x47a571 in __interceptor_fopen64 /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:5167
    #2 0x7f36fbf0d27e in splt_cue_export_to_file /tmp/portage/media-libs/libmp3splt-0.9.2/work/libmp3splt-0.9.2/src/cue.c:725
    #3 0x7f36fbf0911b in mp3splt_export /tmp/portage/media-libs/libmp3splt-0.9.2/work/libmp3splt-0.9.2/src/mp3splt.c:1665
    #4 0x51d5f0 in main /tmp/portage/media-sound/mp3splt-2.6.2/work/mp3splt-2.6.2/src/mp3splt.c:901:13
    #5 0x7f36fb04061f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #6 0x41ad08 in _init (/usr/bin/mp3splt+0x41ad08)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/string/../sysdeps/x86_64/strlen.S:76 in strlen
==2581==ABORTING

Affected version:
0.9.2

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-5665

Reproducer:
https://github.com/asarubbo/poc/blob/master/00129-mp3splt-nullptr-splt_cue_export_to_file

Timeline:
2017-01-01: private report to upstream via mail
2017-01-29: public upstream report on sourceforge
2017-01-29: blog post about the issue
2017-01-31: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

Permalink:

libmp3splt: NULL pointer dereference in splt_cue_export_to_file (cue.c)

This entry was posted in advisories, security. Bookmark the permalink.

One Response to libmp3splt: NULL pointer dereference in splt_cue_export_to_file (cue.c)

  1. Pingback: SB17-065: Vulnerability Summary for the Week of February 27, 2017 – sec.uno

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.