libsndfile: global buffer overflow in i2les_array (pcm.c)

Description:
libsndfile is a C library for reading and writing files containing sampled sound.

The complete ASan output of the issue:

# sndfile-convert $FILE out.wav
==27948==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000013cd13c at pc 0x7f59caaaaace bp 0x7ffcab360cf0 sp 0x7ffcab360ce8                                                                       
READ of size 4 at 0x0000013cd13c thread T0                                                                                                                                                                        
    #0 0x7f59caaaaacd in i2les_array /tmp/portage/media-libs/libsndfile-1.0.28/work/libsndfile-1.0.28/src/pcm.c:670:15                                                                                            
    #1 0x7f59caaaaacd in pcm_write_i2les /tmp/portage/media-libs/libsndfile-1.0.28/work/libsndfile-1.0.28/src/pcm.c:1696                                                                                          
    #2 0x7f59ca7bf831 in sf_writef_int /tmp/portage/media-libs/libsndfile-1.0.28/work/libsndfile-1.0.28/src/sndfile.c:2342:10                                                                                     
    #3 0x514b70 in sfe_copy_data_int /tmp/portage/media-libs/libsndfile-1.0.28/work/libsndfile-1.0.28/programs/common.c:88:3                                                                                      
    #4 0x5138d1 in main /tmp/portage/media-libs/libsndfile-1.0.28/work/libsndfile-1.0.28/programs/sndfile-convert.c:340:3                                                                                         
    #5 0x7f59c974178f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289                                                                                        
    #6 0x419e18 in _init (/usr/bin/sndfile-convert+0x419e18)                                                                                                                                                      
                                                                                                                                                                                                                  
0x0000013cd13c is located 4092 bytes to the right of global variable 'data' defined in '/tmp/portage/media-libs/libsndfile-1.0.28/work/libsndfile-1.0.28/programs/common.c:80:14' (0x13c8140) of size 16384       
SUMMARY: AddressSanitizer: global-buffer-overflow /tmp/portage/media-libs/libsndfile-1.0.28/work/libsndfile-1.0.28/src/pcm.c:670:15 in i2les_array                                                                
Shadow bytes around the buggy address:                                                                                                                                                                            
  0x0000802719d0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9                                                                                                                                                 
  0x0000802719e0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9                                                                                                                                                 
  0x0000802719f0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9                                                                                                                                                 
  0x000080271a00: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9                                                                                                                                                 
  0x000080271a10: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9                                                                                                                                                 
=>0x000080271a20: f9 f9 f9 f9 f9 f9 f9[f9]00 00 00 00 00 00 00 00                                                                                                                                                 
  0x000080271a30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00                                                                                                                                                 
  0x000080271a40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00                                                                                                                                                 
  0x000080271a50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00                                                                                                                                                 
  0x000080271a60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00                                                                                                                                                 
  0x000080271a70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00                                                                                                                                                 
Shadow byte legend (one shadow byte represents 8 application bytes):                                                                                                                                              
  Addressable:           00                                                                                                                                                                                       
  Partially addressable: 01 02 03 04 05 06 07                                                                                                                                                                     
  Heap left redzone:       fa                                                                                                                                                                                     
  Freed heap region:       fd                                                                                                                                                                                     
  Stack left redzone:      f1                                                                                                                                                                                     
  Stack mid redzone:       f2                                                                                                                                                                                     
  Stack right redzone:     f3                                                                                                                                                                                     
  Stack after return:      f5                                                                                                                                                                                     
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==27948==ABORTING

Affected version:
1.0.28

Fixed version:
N/A

Commit fix:
https://github.com/erikd/libsndfile/commit/fd0484aba8e51d16af1e3a880f9b8b857b385eb3

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-8365

Reproducer:
https://github.com/asarubbo/poc/blob/master/00263-libsndfile-globaloverflow-i2les_array

Timeline:
2017-04-11: bug discovered and reported to upstream
2017-04-12: upstream released a patch
2017-04-29: blog post about the issue
2017-04-30: CVE assigned

Note:
This bug was found with American Fuzzy Lop.


libsndfile: heap-based buffer overflow in flac_buffer_copy (flac.c)

Description:
libsndfile is a C library for reading and writing files containing sampled sound.

The complete ASan output of the issue:

# sndfile-convert $FILE out.wav
==26966==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000001110 at pc 0x7fd12fe865e6 bp 0x7ffea55e99f0 sp 0x7ffea55e99e8
READ of size 4 at 0x621000001110 thread T0
    #0 0x7fd12fe865e5 in flac_buffer_copy /tmp/portage/media-libs/libsndfile-1.0.28/work/libsndfile-1.0.28/src/flac.c:267:41
    #1 0x7fd12fe86ef4 in flac_read_loop /tmp/portage/media-libs/libsndfile-1.0.28/work/libsndfile-1.0.28/src/flac.c:928:3
    #2 0x7fd12fe721fb in flac_read_flac2i /tmp/portage/media-libs/libsndfile-1.0.28/work/libsndfile-1.0.28/src/flac.c:979:13
    #3 0x7fd12fdca3a2 in sf_readf_int /tmp/portage/media-libs/libsndfile-1.0.28/work/libsndfile-1.0.28/src/sndfile.c:1835:10
    #4 0x514b5d in sfe_copy_data_int /tmp/portage/media-libs/libsndfile-1.0.28/work/libsndfile-1.0.28/programs/common.c:87:16
    #5 0x5138d1 in main /tmp/portage/media-libs/libsndfile-1.0.28/work/libsndfile-1.0.28/programs/sndfile-convert.c:340:3
    #6 0x7fd12ed6578f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #7 0x419e18 in _init (/usr/bin/sndfile-convert+0x419e18)

0x621000001110 is located 0 bytes to the right of 4112-byte region [0x621000000100,0x621000001110)
allocated by thread T0 here:
    #0 0x4d94e8 in malloc /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:66
    #1 0x7fd12eb2d492 in safe_malloc_muladd2_ /tmp/portage/media-libs/flac-1.3.2-r1/work/flac-1.3.2/include/share/alloc.h:153
    #2 0x7fd12eb2d492 in allocate_output_ /tmp/portage/media-libs/flac-1.3.2-r1/work/flac-1.3.2/src/libFLAC/stream_decoder.c:1294
    #3 0x7fd12eb2d492 in read_frame_ /tmp/portage/media-libs/flac-1.3.2-r1/work/flac-1.3.2/src/libFLAC/stream_decoder.c:2035

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-libs/libsndfile-1.0.28/work/libsndfile-1.0.28/src/flac.c:267:41 in flac_buffer_copy
Shadow bytes around the buggy address:
  0x0c427fff81d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff81e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff81f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fff8210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fff8220: 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==26966==ABORTING

Affected version:
1.0.28

Fixed version:
N/A

Commit fix:
https://github.com/erikd/libsndfile/commit/fd0484aba8e51d16af1e3a880f9b8b857b385eb3

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-8363

Reproducer:
https://github.com/asarubbo/poc/blob/master/00266-libsndfile-heapoverflow-flac_buffer_copy

Timeline:
2017-04-12: bug discovered and reported to upstream
2017-04-12: upstream released a patch
2017-04-29: blog post about the issue
2017-04-30: CVE assigned

Note:
This bug was found with American Fuzzy Lop.


libsndfile: global buffer overflow in flac_buffer_copy (flac.c)

Description:
libsndfile is a C library for reading and writing files containing sampled sound.

The complete ASan output of the issue:

# sndfile-convert $FILE out.wav
==24715==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000013cc140 at pc 0x7f4f387e75ee bp 0x7ffe9d102370 sp 0x7ffe9d102368
WRITE of size 4 at 0x0000013cc140 thread T0
    #0 0x7f4f387e75ed in flac_buffer_copy /tmp/portage/media-libs/libsndfile-1.0.28/work/libsndfile-1.0.28/src/flac.c:267:27
    #1 0x7f4f387db2fa in sf_flac_write_callback /tmp/portage/media-libs/libsndfile-1.0.28/work/libsndfile-1.0.28/src/flac.c:390:2
    #2 0x7f4f3748f6ad in write_audio_frame_to_client_ /tmp/portage/media-libs/flac-1.3.2-r1/work/flac-1.3.2/src/libFLAC/stream_decoder.c:2981
    #3 0x7f4f3748f6ad in read_frame_ /tmp/portage/media-libs/flac-1.3.2-r1/work/flac-1.3.2/src/libFLAC/stream_decoder.c:2152
    #4 0x7f4f37491aef in FLAC__stream_decoder_process_single /tmp/portage/media-libs/flac-1.3.2-r1/work/flac-1.3.2/src/libFLAC/stream_decoder.c:1027
    #5 0x7f4f387e7fbb in flac_read_loop /tmp/portage/media-libs/libsndfile-1.0.28/work/libsndfile-1.0.28/src/flac.c:932:8
    #6 0x7f4f387d31fb in flac_read_flac2i /tmp/portage/media-libs/libsndfile-1.0.28/work/libsndfile-1.0.28/src/flac.c:979:13
    #7 0x7f4f3872b3a2 in sf_readf_int /tmp/portage/media-libs/libsndfile-1.0.28/work/libsndfile-1.0.28/src/sndfile.c:1835:10
    #8 0x514b5d in sfe_copy_data_int /tmp/portage/media-libs/libsndfile-1.0.28/work/libsndfile-1.0.28/programs/common.c:87:16
    #9 0x5138d1 in main /tmp/portage/media-libs/libsndfile-1.0.28/work/libsndfile-1.0.28/programs/sndfile-convert.c:340:3
    #10 0x7f4f376c678f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #11 0x419e18 in _init (/usr/bin/sndfile-convert+0x419e18)

0x0000013cc140 is located 0 bytes to the right of global variable 'data' defined in '/tmp/portage/media-libs/libsndfile-1.0.28/work/libsndfile-1.0.28/programs/common.c:80:14' (0x13c8140) of size 16384
SUMMARY: AddressSanitizer: global-buffer-overflow /tmp/portage/media-libs/libsndfile-1.0.28/work/libsndfile-1.0.28/src/flac.c:267:27 in flac_buffer_copy
Shadow bytes around the buggy address:
  0x0000802717d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000802717e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000802717f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080271800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080271810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x000080271820: 00 00 00 00 00 00 00 00[f9]f9 f9 f9 f9 f9 f9 f9
  0x000080271830: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x000080271840: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x000080271850: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x000080271860: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x000080271870: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==24715==ABORTING

Affected version:
1.0.28

Fixed version:
N/A

Commit fix:
https://github.com/erikd/libsndfile/commit/fd0484aba8e51d16af1e3a880f9b8b857b385eb3

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-8361

Reproducer:
https://github.com/asarubbo/poc/blob/master/00265-libsndfile-globaloverflow-flac_buffer_copy

Timeline:
2017-04-12: bug discovered and reported to upstream
2017-04-12: upstream released a patch
2017-04-29: blog post about the issue
2017-04-30: CVE assigned

Note:
This bug was found with American Fuzzy Lop.


libsndfile: invalid memory read in flac_buffer_copy (flac.c)

Description:
libsndfile is a C library for reading and writing files containing sampled sound.

The complete ASan output of the issue:

# sndfile-resample -to 24000 -c 1 $FILE out
==19624==ERROR: AddressSanitizer: SEGV on unknown address 0x000000004000 (pc 0x7fe14fe3f2b3 bp 0x000000004000 sp 0x7ffcb49c4d50 T0)                                                                               
==19624==The signal is caused by a READ memory access.                                                                                                                                                            
    #0 0x7fe14fe3f2b2 in flac_buffer_copy /tmp/portage/media-libs/libsndfile-1.0.28/work/libsndfile-1.0.28/src/flac.c:287                                                                                         
    #1 0x7fe14fe403d7 in flac_read_loop /tmp/portage/media-libs/libsndfile-1.0.28/work/libsndfile-1.0.28/src/flac.c:928                                                                                           
    #2 0x7fe14fe404d4 in flac_read_flac2f /tmp/portage/media-libs/libsndfile-1.0.28/work/libsndfile-1.0.28/src/flac.c:999                                                                                         
    #3 0x7fe14fe34925 in sf_readf_float /tmp/portage/media-libs/libsndfile-1.0.28/work/libsndfile-1.0.28/src/sndfile.c:1945                                                                                       
    #4 0x50a525 in sample_rate_convert /tmp/portage/media-libs/libsamplerate-0.1.9/work/libsamplerate-0.1.9/examples/sndfile-resample.c:206:29                                                                    
    #5 0x50a525 in main /tmp/portage/media-libs/libsamplerate-0.1.9/work/libsamplerate-0.1.9/examples/sndfile-resample.c:156                                                                                      
    #6 0x7fe14ef70680 in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289                                                                                        
    #7 0x419fa8 in _init (/usr/bin/sndfile-resample+0x419fa8)                                                                                                                                                     
                                                                                                                                                                                                                  
AddressSanitizer can not provide additional info.                                                                                                                                                                 
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-libs/libsndfile-1.0.28/work/libsndfile-1.0.28/src/flac.c:287 in flac_buffer_copy                                                                               
==19624==ABORTING

Affected version:
1.0.28

Fixed version:
N/A

Commit fix:
https://github.com/erikd/libsndfile/commit/ef1dbb2df1c0e741486646de40bd638a9c4cd808

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-8362

Reproducer:
https://github.com/asarubbo/poc/blob/master/00264-libsndfile-invalidread-flac_buffer_copy

Timeline:
2017-04-12: bug discovered and reported to upstream
2017-04-14: upstream released a patch
2017-04-29: blog post about the issue
2017-04-30: CVE assigned

Note:
This bug was found with American Fuzzy Lop.


imageworsener: heap-based buffer overflow in iw_process_cols_to_intermediate (imagew-main.c)

Description:
imageworsener is a utility for image scaling and processing.

The complete ASan output of the issue:

# imagew $FILE /tmp/out -outfmt bmp
==20314==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fe233b99af8 at pc 0x7fea7f55da64 bp 0x7ffdb4737840 sp 0x7ffdb4737838                                                                         
WRITE of size 4 at 0x7fe233b99af8 thread T0                                                                                                                                                                       
    #0 0x7fea7f55da63 in iw_process_cols_to_intermediate /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-main.c:903:75                                                             
    #1 0x7fea7f55da63 in iw_process_one_channel /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-main.c:1144                                                                        
    #2 0x7fea7f54ca71 in iw_process_internal /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-main.c:1405:7                                                                         
    #3 0x7fea7f520095 in iw_process_image /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-main.c:2248:8                                                                            
    #4 0x528de1 in iwcmd_run /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-cmd.c:1400:6                                                                                          
    #5 0x515326 in iwcmd_main /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-cmd.c:3018:7                                                                                         
    #6 0x515326 in main /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-cmd.c:3067                                                                                                 
    #7 0x7fea7e5e878f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289                                                                                        
    #8 0x41b028 in _init (/usr/bin/imagew+0x41b028)                                                                                                                                                               
                                                                                                                                                                                                                  
0x7fe233b99af8 is located 4 bytes to the right of 8003134196-byte region [0x7fe056b37800,0x7fe233b99af4)                                                                                                          
allocated by thread T0 here:                                                                                                                                                                                      
    #0 0x4da6f8 in malloc /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:66                                                                          
    #1 0x551fc0 in my_mallocfn /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-cmd.c:794:9                                                                                         
    #2 0x7fea7f6a39ae in iw_malloc_ex /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-util.c:48:8                                                                                  
    #3 0x7fea7f6a3dec in iw_malloc_large /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-util.c:77:9                                                                               
    #4 0x7fea7f54c5a0 in iw_process_internal /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-main.c:1396:44                                                                        
    #5 0x7fea7f520095 in iw_process_image /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-main.c:2248:8                                                                            
    #6 0x528de1 in iwcmd_run /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-cmd.c:1400:6                                                                                          
    #7 0x515326 in iwcmd_main /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-cmd.c:3018:7                                                                                         
    #8 0x515326 in main /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-cmd.c:3067                                                                                                 
    #9 0x7fea7e5e878f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-main.c:903:75 in iw_process_cols_to_intermediate
Shadow bytes around the buggy address:
  0x0ffcc676b300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffcc676b310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffcc676b320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffcc676b330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffcc676b340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ffcc676b350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04[fa]
  0x0ffcc676b360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffcc676b370: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffcc676b380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffcc676b390: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffcc676b3a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==20314==ABORTING

Affected version:
1.3.0

Fixed version:
1.3.1

Commit fix:
https://github.com/jsummers/imageworsener/commit/86564051db45b466e5f667111ce00b5eeedc8fb6

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-8325

Reproducer:
https://github.com/asarubbo/poc/blob/master/00269-imageworsener-heapoverflow-iw_process_cols_to_intermediate

Timeline:
2017-04-12: bug discovered and reported to upstream
2017-04-12: upstream released a patch
2017-04-27: blog post about the issue
2017-04-29: CVE assigned

Note:
This bug was found with American Fuzzy Lop.


imageworsener: two left shift

Description:
imageworsener is a utility for image scaling and processing.

There are two left shifts of a signed int that UBSan reports as undefined behaviour:

# imagew $FILE /tmp/out -outfmt bmp
src/imagew-util.c:415:68: runtime error: left shift of 255 by 24 places cannot be represented in type 'int'
src/imagew-bmp.c:427:10: runtime error: left shift of 1 by 31 places cannot be represented in type 'int'
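Both reports are the same class of bug: the shift is performed on a signed int, so 255 << 24 and 1 << 31 would set the sign bit and the result is not representable. The added example below (written for this page, not imageworsener's own code) shows the well-defined form: do the arithmetic in an unsigned 32-bit type. The little-endian field reader is an assumed stand-in for the kind of helper a BMP parser uses; it is not copied from imagew-util.c.

```c
#include <stdint.h>
#include <stdio.h>

/* Read a 32-bit little-endian field from a byte buffer.
 * Undefined variant (do not use):
 *     b[0] | (b[1] << 8) | (b[2] << 16) | (b[3] << 24)
 * b[3] promotes to int, and with b[3] == 255 the last term is exactly the
 * "left shift of 255 by 24 places" UBSan report. Casting each byte to
 * uint32_t first makes every shift well defined. */
uint32_t get_u32le(const unsigned char *b)
{
	return (uint32_t)b[0]
	     | ((uint32_t)b[1] << 8)
	     | ((uint32_t)b[2] << 16)
	     | ((uint32_t)b[3] << 24);
}

/* Build a single-bit mask for bit 0..31.
 * Undefined variant: (1 << bit) with bit == 31 is the
 * "left shift of 1 by 31 places" report. A shift count of 32 or more is
 * undefined even for unsigned types, so it is rejected explicitly; the
 * function returns 0 (never a valid mask) in that case. */
uint32_t bit_mask32(unsigned bit)
{
	if (bit >= 32)
		return 0;
	return (uint32_t)1 << bit;
}

int main(void)
{
	/* Constructed sample: a BMP-style field whose top byte is 0xFF. */
	const unsigned char field[4] = { 0x78, 0x56, 0x34, 0xFF };

	printf("field  = 0x%08x\n", get_u32le(field));
	printf("bit 31 = 0x%08x\n", bit_mask32(31));
	printf("bit 32 = 0x%08x (rejected)\n", bit_mask32(32));
	return 0;
}
```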

Affected version:
1.3.0

Fixed version:
1.3.1

Commit fix:
https://github.com/jsummers/imageworsener/commit/a00183107d4b84bc8a714290e824ca9c68dac738

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-8326

Reproducer:
https://github.com/asarubbo/poc/blob/master/00271-imageworsener-leftshift

Timeline:
2017-04-13: bug discovered and reported to upstream
2017-04-22: upstream released a patch
2017-04-27: blog post about the issue
2017-04-29: CVE assigned

Note:
This bug was found with American Fuzzy Lop.


imageworsener: memory allocation failure in my_mallocfn (imagew-cmd.c)

Description:
imageworsener is a utility for image scaling and processing.

There is a memory allocation failure; I will show the interesting part of the ASan output:

# imagew $FILE /tmp/out -outfmt bmp
    #8 0x551fc0 in my_mallocfn /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-cmd.c:794:9
    #9 0x7f37f140c9ae in iw_malloc_ex /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-util.c:48:8
    #10 0x7f37f140cdec in iw_malloc_large /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-util.c:77:9
    #11 0x7f37f136d66c in bmpr_read_uncompressed /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-bmp.c:665:32
    #12 0x7f37f134ce64 in iwbmp_read_bits /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-bmp.c:910:7
    #13 0x7f37f134ce64 in iw_read_bmp_file /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-bmp.c:980
    #14 0x7f37f1349f94 in iw_read_file_by_fmt /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-allfmts.c:66:12
    #15 0x519304 in iwcmd_run /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-cmd.c:1191:6
    #16 0x515326 in iwcmd_main /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-cmd.c:3018:7
    #17 0x515326 in main /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-cmd.c:3067
    #18 0x7f37f035178f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #19 0x41b028 in _init (/usr/bin/imagew+0x41b028)

Affected version:
1.3.0

Fixed version:
1.3.1

Commit fix:
https://github.com/jsummers/imageworsener/commit/86564051db45b466e5f667111ce00b5eeedc8fb6

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-8327

Reproducer:
https://github.com/asarubbo/poc/blob/master/00276-imageworsener-memallocfailure

Timeline:
2017-04-13: bug discovered and reported to upstream
2017-04-12: upstream released a patch for another issue that fixes this issue too
2017-04-27: blog post about the issue
2017-04-29: CVE assigned

Note:
This bug was found with American Fuzzy Lop.


imageworsener: divide-by-zero in iwgif_record_pixel (imagew-gif.c)

Description:
imageworsener is a utility for image scaling and processing.

Fuzzing it uncovered a divide-by-zero.

The complete ASan output:

# imagew $FILE /tmp/out -outfmt bmp
==20305==ERROR: AddressSanitizer: FPE on unknown address 0x7f8e57340cd6 (pc 0x7f8e57340cd6 bp 0x7ffc0fee8910 sp 0x7ffc0fee87e0 T0)
    #0 0x7f8e57340cd5 in iwgif_record_pixel /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-gif.c:213:13
    #1 0x7f8e57340cd5 in lzw_emit_code /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-gif.c:312
    #2 0x7f8e57339a94 in lzw_process_code /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-gif.c:376:3
    #3 0x7f8e57339a94 in lzw_process_bytes /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-gif.c:433
    #4 0x7f8e57339a94 in iwgif_read_image /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-gif.c:669
    #5 0x7f8e57339a94 in iwgif_read_main /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-gif.c:724
    #6 0x7f8e5732fb71 in iw_read_gif_file /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-gif.c:773:6
    #7 0x7f8e572e9091 in iw_read_file_by_fmt /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-allfmts.c:61:12
    #8 0x519304 in iwcmd_run /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-cmd.c:1191:6
    #9 0x515326 in iwcmd_main /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-cmd.c:3018:7
    #10 0x515326 in main /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-cmd.c:3067
    #11 0x7f8e562f078f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #12 0x41b028 in _init (/usr/bin/imagew+0x41b028)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE /tmp/portage/media-gfx/imageworsener-1.3.0/work/imageworsener-1.3.0/src/imagew-gif.c:213:13 in iwgif_record_pixel
==20305==ABORTING

Affected version:
1.3.0

Fixed version:
1.3.1

Commit fix:
https://github.com/jsummers/imageworsener/commit/ca3356eb49fee03e2eaf6b6aff826988c1122d93

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-7962

Reproducer:
https://github.com/asarubbo/poc/blob/master/00270-imageworsener-FPE-iwgif_record_pixel

Timeline:
2017-04-12: bug discovered and reported to upstream
2017-04-14: upstream released a patch
2017-04-17: blog post about the issue
2017-04-19: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

Posted in advisories, security

libcroco: heap overflow and undefined behavior

Description:
libcroco is a Generic Cascading Style Sheet (CSS) parsing and manipulation toolkit.

A fuzz on it discovered a heap overflow and an undefined behavior.

The complete ASan output:

# csslint-0.6 $FILE
==9246==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000007a at pc 0x7f3771a05074 bp 0x7fff426076a0 sp 0x7fff42607698
READ of size 1 at 0x60400000007a thread T0
    #0 0x7f3771a05073 in cr_input_read_byte /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-input.c:416:19
    #1 0x7f3771a3c0ba in cr_tknzr_parse_rgb /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-tknzr.c:1295:17
    #2 0x7f3771a3c0ba in cr_tknzr_get_next_token /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-tknzr.c:2127
    #3 0x7f3771ab6688 in cr_parser_parse_any_core /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-parser.c:1179:18
    #4 0x7f3771ab6c1e in cr_parser_parse_any_core /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-parser.c:1215:34
    #5 0x7f3771ab6c1e in cr_parser_parse_any_core /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-parser.c:1215:34
    #6 0x7f3771ab6c1e in cr_parser_parse_any_core /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-parser.c:1215:34
    #7 0x7f3771ab9579 in cr_parser_parse_block_core /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-parser.c:1005:26
    #8 0x7f3771a8882a in cr_parser_parse_atrule_core /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-parser.c:798:26
    #9 0x7f3771ab0644 in cr_parser_parse_stylesheet /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-parser.c
    #10 0x7f3771a8131e in cr_parser_parse /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-parser.c:4381:26
    #11 0x7f3771a804f1 in cr_parser_parse_file /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-parser.c:2993:18
    #12 0x7f3771b04869 in cr_om_parser_parse_file /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-om-parser.c:956:18
    #13 0x51506f in cssom_parse /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/csslint/csslint.c:252:18
    #14 0x51506f in main /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/csslint/csslint.c:997
    #15 0x7f377041b78f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #16 0x41a9b8 in _init (/usr/bin/csslint-0.6+0x41a9b8)

0x60400000007a is located 0 bytes to the right of 42-byte region [0x604000000050,0x60400000007a)
allocated by thread T0 here:
    #0 0x4da285 in calloc /tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.0/work/compiler-rt-4.0.0.src/lib/asan/asan_malloc_linux.cc:74
    #1 0x7f377168a1a0 in g_malloc0 /tmp/portage/dev-libs/glib-2.48.2/work/glib-2.48.2/glib/gmem.c:124
    #2 0x7f3771a00c4d in cr_input_new_from_buf /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-input.c:151:26
    #3 0x7f3771a027d6 in cr_input_new_from_uri /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-input.c:251:26
    #4 0x7f3771a22797 in cr_tknzr_new_from_uri /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-tknzr.c:1642:17
    #5 0x7f3771a8047c in cr_parser_parse_file /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-parser.c:2986:17
    #6 0x7f3771b04869 in cr_om_parser_parse_file /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-om-parser.c:956:18
    #7 0x51506f in cssom_parse /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/csslint/csslint.c:252:18
    #8 0x51506f in main /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/csslint/csslint.c:997
    #9 0x7f377041b78f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-input.c:416:19 in cr_input_read_byte
Shadow bytes around the buggy address:
  0x0c087fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c087fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c087fff8000: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00[02]
  0x0c087fff8010: fa fa 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x0c087fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==9246==ABORTING

Commit fix:
https://git.gnome.org/browse/libcroco/commit/?id=898e3a8c8c0314d2e6b106809a8e3e93cf9d4394
Reproducer:
https://github.com/asarubbo/poc/blob/master/00267-libcroco-heapoverflow-cr_input_read_byte
CVE:
CVE-2017-7960

#####################################

# csslint-0.6 $FILE
/tmp/portage/dev-libs/libcroco-0.6.12/work/libcroco-0.6.12/src/cr-tknzr.c:1283:15: runtime error: value 9.11111e+19 is outside the range of representable values of type 'long'

Commit fix:
https://git.gnome.org/browse/libcroco/commit/?id=9ad72875e9f08e4c519ef63d44cdbd94aa9504f7
Reproducer:
https://github.com/asarubbo/poc/blob/master/00268-libcroco-outside-long
CVE:
CVE-2017-7961

Affected version:
0.6.11 and 0.6.12

Fixed version:
0.6.13 (not yet released at the time of writing)

Credit:
These bugs were discovered by Agostino Sarubbo of Gentoo.

Timeline:
2017-04-12: bugs discovered and reported to upstream
2017-04-16: upstream released a patch
2017-04-17: blog post about the issues
2017-04-19: CVE assigned

Note:
These bugs were found with American Fuzzy Lop.

Posted in advisories, security

libsndfile: invalid memory READ and invalid memory WRITE in flac_buffer_copy (flac.c)

Description:
libsndfile is a C library for reading and writing files containing sampled sound.

A fuzz via the sndfile-resample command-line tool of libsamplerate discovered an invalid memory read and an invalid memory write. The upstream author Erik de Castro Lopo (erikd) said that they were fixed in the recent commit 60b234301adf258786d8b90be5c1d437fc8799e0, which addresses CVE-2017-7585. As usual I’m providing the stacktrace and the reproducer so that all release distros can test and check whether their version is affected or not.

The complete ASan output:

# sndfile-resample -to 24000 -c 1 $FILE out
==959==ERROR: AddressSanitizer: SEGV on unknown address 0x0000013cc000 (pc 0x7fc1ba91251c bp 0x60e000000040 sp 0x7fff95597f70 T0)
==959==The signal is caused by a WRITE memory access.
    #0 0x7fc1ba91251b in flac_buffer_copy /tmp/portage/media-libs/libsndfile-1.0.27-r1/work/libsndfile-1.0.27/src/flac.c:264
    #1 0x7fc1ba913404 in flac_read_loop /tmp/portage/media-libs/libsndfile-1.0.27-r1/work/libsndfile-1.0.27/src/flac.c:884
    #2 0x7fc1ba913505 in flac_read_flac2f /tmp/portage/media-libs/libsndfile-1.0.27-r1/work/libsndfile-1.0.27/src/flac.c:949
    #3 0x7fc1ba907a49 in sf_readf_float /tmp/portage/media-libs/libsndfile-1.0.27-r1/work/libsndfile-1.0.27/src/sndfile.c:1870
    #4 0x5135c5 in sample_rate_convert /tmp/portage/media-libs/libsamplerate-0.1.8-r1/work/libsamplerate-0.1.8/examples/sndfile-resample.c:213:29
    #5 0x5135c5 in main /tmp/portage/media-libs/libsamplerate-0.1.8-r1/work/libsamplerate-0.1.8/examples/sndfile-resample.c:163
    #6 0x7fc1b9a4178f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #7 0x419f88 in _init (/usr/bin/sndfile-resample+0x419f88)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-libs/libsndfile-1.0.27-r1/work/libsndfile-1.0.27/src/flac.c:264 in flac_buffer_copy
==959==ABORTING

Reproducer:
https://github.com/asarubbo/poc/blob/master/00261-libsndfile-invalidwrite-flac_buffer_copy
CVE:
CVE-2017-7741

#################

# sndfile-resample -to 24000 -c 1 $FILE out
==32533==ERROR: AddressSanitizer: SEGV on unknown address 0x000000004000 (pc 0x7f576a5e8512 bp 0x60e000000040 sp 0x7ffeab4e66d0 T0)
==32533==The signal is caused by a READ memory access.
    #0 0x7f576a5e8511 in flac_buffer_copy /tmp/portage/media-libs/libsndfile-1.0.27-r1/work/libsndfile-1.0.27/src/flac.c:263
    #1 0x7f576a5e9404 in flac_read_loop /tmp/portage/media-libs/libsndfile-1.0.27-r1/work/libsndfile-1.0.27/src/flac.c:884
    #2 0x7f576a5e9505 in flac_read_flac2f /tmp/portage/media-libs/libsndfile-1.0.27-r1/work/libsndfile-1.0.27/src/flac.c:949
    #3 0x7f576a5dda49 in sf_readf_float /tmp/portage/media-libs/libsndfile-1.0.27-r1/work/libsndfile-1.0.27/src/sndfile.c:1870
    #4 0x5135c5 in sample_rate_convert /tmp/portage/media-libs/libsamplerate-0.1.8-r1/work/libsamplerate-0.1.8/examples/sndfile-resample.c:213:29
    #5 0x5135c5 in main /tmp/portage/media-libs/libsamplerate-0.1.8-r1/work/libsamplerate-0.1.8/examples/sndfile-resample.c:163
    #6 0x7f576971778f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #7 0x419f88 in _init (/usr/bin/sndfile-resample+0x419f88)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/media-libs/libsndfile-1.0.27-r1/work/libsndfile-1.0.27/src/flac.c:263 in flac_buffer_copy
==32533==ABORTING

Reproducer:
https://github.com/asarubbo/poc/blob/master/00260-libsndfile-invalidread-flac_buffer_copy
CVE:
CVE-2017-7742

Affected version:
1.0.27

Fixed version:
1.0.28

Commit fix:
https://github.com/erikd/libsndfile/commit/60b234301adf258786d8b90be5c1d437fc8799e0

Credit:
These bugs were discovered by Agostino Sarubbo of Gentoo.

Timeline:
2017-04-11: bugs discovered and reported to upstream
2017-04-11: blog post about the issues
2017-04-12: CVE assigned

Note:
These bugs were found with American Fuzzy Lop.

Posted in advisories, security