libmad: heap-based buffer overflow in mad_bit_skip (bit.c)

Description:
libmad stays for “M”peg “A”udio “D”ecoder library.

There is an heap overflow discovered through madplay.

The complete ASan output:

# madplay -v -i -o raw:out $FILE
==12603==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61200000c09f at pc 0x7f72d6aa05c0 bp 0x7fff03e32040 sp 0x7fff03e32038
READ of size 1 at 0x61200000c09f thread T0
    #0 0x7f72d6aa05bf in mad_bit_skip /tmp/portage/media-libs/libmad-0.15.1b-r8/work/libmad-0.15.1b/bit.c:130:21
    #1 0x7f72d6b032ad in III_huffdecode /tmp/portage/media-libs/libmad-0.15.1b-r8/work/libmad-0.15.1b/layer3.c:953:3
    #2 0x7f72d6b032ad in III_decode /tmp/portage/media-libs/libmad-0.15.1b-r8/work/libmad-0.15.1b/layer3.c:2403
    #3 0x7f72d6af1a8e in mad_layer_III /tmp/portage/media-libs/libmad-0.15.1b-r8/work/libmad-0.15.1b/layer3.c:2648:13
    #4 0x7f72d6ab584d in mad_frame_decode /tmp/portage/media-libs/libmad-0.15.1b-r8/work/libmad-0.15.1b/frame.c:453:7
    #5 0x7f72d6ada4e4 in run_sync /tmp/portage/media-libs/libmad-0.15.1b-r8/work/libmad-0.15.1b/decoder.c:404:11
    #6 0x7f72d6ad8c59 in mad_decoder_run /tmp/portage/media-libs/libmad-0.15.1b-r8/work/libmad-0.15.1b/decoder.c:557:12
    #7 0x5277a1 in decode /tmp/portage/media-sound/madplay-0.15.2b-r1/work/madplay-0.15.2b/player.c:1862:12
    #8 0x5277a1 in play_one /tmp/portage/media-sound/madplay-0.15.2b-r1/work/madplay-0.15.2b/player.c:1951
    #9 0x5277a1 in play_all /tmp/portage/media-sound/madplay-0.15.2b-r1/work/madplay-0.15.2b/player.c:2041
    #10 0x5215a2 in player_run /tmp/portage/media-sound/madplay-0.15.2b-r1/work/madplay-0.15.2b/player.c:2768:14
    #11 0x50c46c in main /tmp/portage/media-sound/madplay-0.15.2b-r1/work/madplay-0.15.2b/madplay.c:816:7
    #12 0x7f72d599d78f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #13 0x41aa78 in _init (/usr/bin/madplay+0x41aa78)

Affected version:
0.15.1b

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-8374

Reproducer:
https://github.com/asarubbo/poc/blob/master/00211-libmad-heapoverflow-mad_bit_skip

Timeline:
2017-01-01: bug discovered and reported to upstream
2017-04-30: blog post about the issue
2017-05-01: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

Permalink:

libmad: heap-based buffer overflow in mad_bit_skip (bit.c)

This entry was posted in advisories, security. Bookmark the permalink.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.