Description:
audiofile is a C-based library for reading and writing audio files in many common formats.
A fuzz on it discovered multiple crashes because of undefined behavior.
The complete UBsan output:
# sfconvert @@ out.mp3 format aiff /tmp/portage/media-libs/audiofile-0.3.6-r3/work/audiofile-0.3.6/libaudiofile/WAVE.cpp:289:14: runtime error: index 256 out of bounds for type 'int16_t [256][2]' /tmp/portage/media-libs/audiofile-0.3.6-r3/work/audiofile-0.3.6/libaudiofile/WAVE.cpp:290:14: runtime error: index 256 out of bounds for type 'int16_t [256][2]'
Reproducer:
https://github.com/asarubbo/poc/blob/master/00191-audiofile-indexoob
CVE:
CVE-2017-6837
##########################################
# sfconvert @@ out.mp3 format aiff /tmp/portage/media-libs/audiofile-0.3.6-r3/work/audiofile-0.3.6/sfcommands/sfconvert.c:327:42: runtime error: signed integer overflow: 65536 * 252936 cannot be represented in type 'int'
Reproducer:
https://github.com/asarubbo/poc/blob/master/00192-audiofile-signintoverflow-sfconvert
CVE:
CVE-2017-6838
##########################################
# sfconvert @@ out.mp3 format aiff /tmp/portage/media-libs/audiofile-0.3.6-r3/work/audiofile-0.3.6/libaudiofile/modules/MSADPCM.cpp:115:27: runtime error: signed integer overflow: 5512570 * 409 cannot be represented in type 'int'
Reproducer:
https://github.com/asarubbo/poc/blob/master/00193-audiofile-signintoverflow-MSADPCM
CVE:
CVE-2017-6839
##########################################
Affected version:
0.3.6
Fixed version:
N/A
Commit fix:
N/A
Credit:
These bugs were discovered by Agostino Sarubbo of Gentoo.
Timeline:
2017-02-20: bug discovered and reported to upstream
2017-02-20: blog post about the issue
2017-03-12: CVE assigned
Note:
These bugs were found with American Fuzzy Lop.
Permalink:
Pingback: SB17-086: Vulnerability Summary for the Week of March 20, 2017 – BuzzSec