Description:
libming is a Flash (SWF) output library. It can be used from PHP, Perl, Ruby, Python, C, C++, Java, and probably more on the way.
Fuzzing revealed a global buffer overflow in listmp3. The bug does not reside in any shared object, but if you have a web application that calls the listmp3 binary directly to parse untrusted MP3 files, then you are affected.
The complete ASan output:
# listmp3 $FILE
==29519==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000722e0c at pc 0x0000004f1a99 bp 0x7ffe42b1d7f0 sp 0x7ffe42b1d7e8
READ of size 4 at 0x000000722e0c thread T0
    #0 0x4f1a98 in printMP3Headers /var/tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/listmp3.c:128:20
    #1 0x4f1bee in main /var/tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/listmp3.c:191:3
    #2 0x7fe262a4761f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #3 0x418ae8 in getenv (/usr/bin/listmp3+0x418ae8)

0x000000722e0c is located 52 bytes to the left of global variable 'mp2_samplerate_table' defined in 'listmp3.c:44:5' (0x722e40) of size 12
0x000000722e0c is located 0 bytes to the right of global variable 'mp1_samplerate_table' defined in 'listmp3.c:43:5' (0x722e00) of size 12
SUMMARY: AddressSanitizer: global-buffer-overflow /var/tmp/portage/media-libs/ming-0.4.7/work/ming-0_4_7/util/listmp3.c:128:20 in printMP3Headers
Shadow bytes around the buggy address:
  0x0000800dc570: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800dc580: 00 00 00 00 00 00 00 00 00 00 00 04 f9 f9 f9 f9
  0x0000800dc590: 00 00 00 00 00 00 00 04 f9 f9 f9 f9 00 00 00 00
  0x0000800dc5a0: 00 00 00 04 f9 f9 f9 f9 00 00 00 00 00 00 00 04
  0x0000800dc5b0: f9 f9 f9 f9 00 00 00 00 00 00 00 04 f9 f9 f9 f9
=>0x0000800dc5c0: 00[04]f9 f9 f9 f9 f9 f9 00 04 f9 f9 f9 f9 f9 f9
  0x0000800dc5d0: 00 04 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0000800dc5e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800dc5f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800dc600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800dc610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==29519==ABORTING
frame 1: MP25 layer 1, 8000 Hz, 0kbps, mono, length=0, protect off
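Reading the report: a 4-byte READ lands 0 bytes to the right of mp1_samplerate_table, which is 12 bytes long, so a 3-entry int table was indexed with 3. The MPEG audio frame header carries the sample-rate selector in a 2-bit field whose value 3 is reserved, so any parser that uses that field as a subscript without rejecting 3 reads past the table. The following is an added example, not libming's code or its fix: a hardened frame-header parser that validates every index the header supplies (version, layer, bitrate, sample rate) before it touches a lookup table, and prints one line per frame in the style of the listmp3 output above. Function names, the error codes and the constructed sample headers are my own.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (not libming's code): a bounds-checked MPEG audio frame
 * header parser.  Every index read from the 4-byte header is validated
 * against its table before it is used as an array subscript; the
 * sample-rate check is the one whose absence matches the ASan report
 * (a 4-byte read at offset 12 of a 12-byte, 3-entry table = index 3,
 * the value the MPEG header reserves). */

enum mp3_err {
    MP3_OK = 0,
    MP3_ERR_SYNC = -1,        /* 11-bit sync word missing */
    MP3_ERR_VERSION = -2,     /* version bits 01 are reserved */
    MP3_ERR_LAYER = -3,       /* layer bits 00 are reserved */
    MP3_ERR_BITRATE = -4,     /* bitrate index 15 is reserved */
    MP3_ERR_SAMPLERATE = -5   /* sample-rate index 3 is reserved */
};

struct mp3_header {
    int version;      /* 1 = MPEG-1, 2 = MPEG-2, 25 = MPEG-2.5 */
    int layer;        /* 1, 2 or 3 */
    int crc_present;  /* 1 if a 16-bit CRC follows the header */
    int bitrate;      /* kbit/s, 0 = free format */
    int samplerate;   /* Hz */
    int channels;     /* 1 = mono, 2 = stereo, joint stereo or dual channel */
};

/* Rows: MPEG-1, MPEG-2, MPEG-2.5.  Only indices 0..2 are valid. */
static const int samplerate_table[3][3] = {
    {44100, 48000, 32000},
    {22050, 24000, 16000},
    {11025, 12000,  8000},
};

/* Rows: MPEG-1 L1, MPEG-1 L2, MPEG-1 L3, MPEG-2/2.5 L1, MPEG-2/2.5 L2+L3.
 * Index 0 is free format; index 15 is reserved and rejected before lookup. */
static const int bitrate_table[5][15] = {
    {0, 32, 64, 96, 128, 160, 192, 224, 256, 288, 320, 352, 384, 416, 448},
    {0, 32, 48, 56,  64,  80,  96, 112, 128, 160, 192, 224, 256, 320, 384},
    {0, 32, 40, 48,  56,  64,  80,  96, 112, 128, 160, 192, 224, 256, 320},
    {0, 32, 48, 56,  64,  80,  96, 112, 128, 144, 160, 176, 192, 224, 256},
    {0,  8, 16, 24,  32,  40,  48,  56,  64,  80,  96, 112, 128, 144, 160},
};

/* Parse a frame header given as a big-endian 32-bit value.
 * Returns MP3_OK or a negative mp3_err; *out is only valid on MP3_OK. */
int mp3_header_parse(uint32_t h, struct mp3_header *out)
{
    if ((h >> 21) != 0x7FF)
        return MP3_ERR_SYNC;

    unsigned version_bits   = (h >> 19) & 3;
    unsigned layer_bits     = (h >> 17) & 3;
    unsigned no_crc         = (h >> 16) & 1;
    unsigned bitrate_idx    = (h >> 12) & 0xF;
    unsigned samplerate_idx = (h >> 10) & 3;
    unsigned mode           = (h >> 6) & 3;

    int vrow;
    switch (version_bits) {
    case 3:  out->version = 1;  vrow = 0; break;
    case 2:  out->version = 2;  vrow = 1; break;
    case 0:  out->version = 25; vrow = 2; break;
    default: return MP3_ERR_VERSION;
    }
    if (layer_bits == 0)
        return MP3_ERR_LAYER;
    out->layer = 4 - (int)layer_bits;

    /* Reject reserved indices before they reach a table lookup. */
    if (bitrate_idx == 15)
        return MP3_ERR_BITRATE;
    if (samplerate_idx == 3)
        return MP3_ERR_SAMPLERATE;

    int brow = (vrow == 0) ? (out->layer - 1) : (out->layer == 1 ? 3 : 4);
    out->bitrate     = bitrate_table[brow][bitrate_idx];
    out->samplerate  = samplerate_table[vrow][samplerate_idx];
    out->crc_present = !no_crc;
    out->channels    = (mode == 3) ? 1 : 2;
    return MP3_OK;
}

/* Convenience wrapper: sample rate in Hz, or the negative mp3_err. */
int mp3_header_samplerate(uint32_t h)
{
    struct mp3_header hdr;
    int rc = mp3_header_parse(h, &hdr);
    return rc == MP3_OK ? hdr.samplerate : rc;
}

/* Load a header from 4 bytes as they appear in a file. */
uint32_t mp3_header_load(const uint8_t b[4])
{
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8) | (uint32_t)b[3];
}

int main(void)
{
    /* Constructed headers: a valid MPEG-1 Layer III 128 kbit/s 44.1 kHz
     * stereo frame, a valid MPEG-2.5 Layer I 8 kHz mono frame, and the
     * first header again with the reserved sample-rate index 3 set. */
    static const uint8_t samples[][4] = {
        {0xFF, 0xFB, 0x90, 0x00},
        {0xFF, 0xE7, 0x18, 0xC0},
        {0xFF, 0xFB, 0x9C, 0x00},
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct mp3_header hdr;
        int rc = mp3_header_parse(mp3_header_load(samples[i]), &hdr);
        if (rc != MP3_OK)
            printf("frame %zu: rejected (error %d)\n", i + 1, rc);
        else
            printf("frame %zu: MPEG-%s layer %d, %d Hz, %dkbps, %s, protect %s\n",
                   i + 1, hdr.version == 25 ? "2.5" : hdr.version == 2 ? "2" : "1",
                   hdr.layer, hdr.samplerate, hdr.bitrate,
                   hdr.channels == 1 ? "mono" : "stereo",
                   hdr.crc_present ? "on" : "off");
    }
    return 0;
}
```

The third constructed header differs from the first only in the two sample-rate bits, which is exactly the kind of single-field mutation a fuzzer such as AFL produces; with the check in place it is rejected instead of indexing one entry past the table.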
Affected version:
0.4.7
Fixed version:
0.4.8
Commit fix:
https://github.com/libming/libming/commit/19e7127e29122be571c87bfb90bca9581417d220
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
CVE:
CVE-2016-9264
Reproducer:
https://github.com/asarubbo/poc/blob/master/00034-libming-globaloverflow-printMP3Headers
Timeline:
2016-08-13: bug discovered
2016-10-20: bug reported to upstream
2016-11-07: blog post about the issue
2016-11-10: CVE assigned
2017-01-30: upstream released a patch
2017-04-07: upstream released 0.4.8
Note:
This bug was found with American Fuzzy Lop.
Permalink:
libming: listmp3: global-buffer-overflow in printMP3Headers (listmp3.c)