audiofile: multiple ubsan crashes

Description:
audiofile is a C-based library for reading and writing audio files in many common formats.

A fuzz on it discovered multiple crashes because of undefined behavior.

The complete UBsan output:

# sfconvert @@ out.mp3 format aiff
/tmp/portage/media-libs/audiofile-0.3.6-r3/work/audiofile-0.3.6/libaudiofile/WAVE.cpp:289:14: runtime error: index 256 out of bounds for type 'int16_t [256][2]'
/tmp/portage/media-libs/audiofile-0.3.6-r3/work/audiofile-0.3.6/libaudiofile/WAVE.cpp:290:14: runtime error: index 256 out of bounds for type 'int16_t [256][2]'

Reproducer:
https://github.com/asarubbo/poc/blob/master/00191-audiofile-indexoob
CVE:
CVE-2017-6837

##########################################

# sfconvert @@ out.mp3 format aiff
/tmp/portage/media-libs/audiofile-0.3.6-r3/work/audiofile-0.3.6/sfcommands/sfconvert.c:327:42: runtime error: signed integer overflow: 65536 * 252936 cannot be represented in type 'int'

Reproducer:
https://github.com/asarubbo/poc/blob/master/00192-audiofile-signintoverflow-sfconvert
CVE:
CVE-2017-6838

##########################################

# sfconvert @@ out.mp3 format aiff
/tmp/portage/media-libs/audiofile-0.3.6-r3/work/audiofile-0.3.6/libaudiofile/modules/MSADPCM.cpp:115:27: runtime error: signed integer overflow: 5512570 * 409 cannot be represented in type 'int'

Reproducer:
https://github.com/asarubbo/poc/blob/master/00193-audiofile-signintoverflow-MSADPCM
CVE:
CVE-2017-6839

##########################################

Affected version:
0.3.6

Fixed version:
N/A

Commit fix:
N/A

Credit:
These bugs were discovered by Agostino Sarubbo of Gentoo.

Timeline:
2017-02-20: bug discovered and reported to upstream
2017-02-20: blog post about the issue
2017-03-12: CVE assigned

Note:
These bugs were found with American Fuzzy Lop.

Permalink:

audiofile: multiple ubsan crashes

This entry was posted in advisories, security. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *