Description:
libmad stands for “M”peg “A”udio “D”ecoder library.
The same testcase provided in the article "libmad: heap-based buffer overflow in mad_layer_III (layer3.c)" triggers an assertion failure if libmad was compiled with debugging enabled (--enable-debugging).
The complete output of the failure:
# madplay -v -i -o raw:out $FILE
madplay: /tmp/portage/media-libs/libmad-0.15.1b-r8/work/libmad-0.15.1b/layer3.c:2633: mad_layer_III: Assertion `stream->md_len + md_len - si.main_data_begin <= MAD_BUFFER_MDLEN' failed.
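The asserted expression is only enforced where assert() is compiled in (it expands to nothing when NDEBUG is defined). As an added example, not libmad code and not an upstream fix, here is the same expression written as a runtime guard on a simplified, hypothetical buffer model. `MDLEN_CAP`, `md_buf`, `md_fits` and `md_append` are assumed names, and the cap value is a constructed stand-in for `MAD_BUFFER_MDLEN`.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for MAD_BUFFER_MDLEN (assumption, not taken from the page). */
#define MDLEN_CAP 2567u

/* Hypothetical, simplified model of the decoder's main-data buffer. */
struct md_buf {
    unsigned char data[MDLEN_CAP];
    unsigned int  len;               /* plays the role of stream->md_len */
};

/* The asserted expression as a runtime predicate. 64-bit arithmetic keeps
 * held + md_len from wrapping, and an oversized main_data_begin is rejected
 * instead of underflowing the subtraction. */
int md_fits(unsigned int held, unsigned int md_len, unsigned int main_data_begin)
{
    uint64_t total = (uint64_t)held + md_len;
    if (main_data_begin > total)
        return 0;
    return total - main_data_begin <= MDLEN_CAP;
}

/* Append the frame bytes beyond main_data_begin to the buffer.
 * Returns 0 on success, -1 when the frame must be dropped as corrupt. */
int md_append(struct md_buf *b, const unsigned char *src,
              unsigned int md_len, unsigned int main_data_begin)
{
    if (main_data_begin > b->len)
        return -1;                   /* back-pointer reaches before held data */
    if (md_len <= main_data_begin)
        return 0;                    /* nothing new to copy */
    if (!md_fits(b->len, md_len, main_data_begin))
        return -1;                   /* a bare assert() here vanishes under NDEBUG */
    unsigned int n = md_len - main_data_begin;
    memcpy(b->data + b->len, src, n);
    b->len += n;
    return 0;
}

int main(void)
{
    static struct md_buf b;
    static unsigned char frame[4096]; /* constructed input, all zero bytes */
    b.len = 2000;
    printf("oversized frame -> %d\n", md_append(&b, frame, 600, 0));
    printf("valid frame     -> %d\n", md_append(&b, frame, 500, 0));
    return 0;
}
```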
Affected version:
0.15.1b
Fixed version:
N/A
Commit fix:
N/A
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
CVE:
CVE-2017-8372
Reproducer:
https://github.com/asarubbo/poc/blob/master/00213-libmad-heapoverflow-mad_layer_III
Timeline:
2017-01-01: bug discovered and reported to upstream
2017-04-30: blog post about the issue
2017-05-01: CVE assigned
Note:
This bug was found with American Fuzzy Lop.