podofo: heap-based buffer overflow in PoDoFo::PdfVariant::DelayedLoad (PdfVariant.h)

Description:
podofo is a C++ library to work with the PDF file format.

A fuzz on it discovered a heap overflow. The upstream project does not let me open a new ticket, so I will just forward this to the -users mailing list.

The complete ASan output:

# podofocolor dummy $FILE foo
==5749==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62500000a0f8 at pc 0x000000529e84 bp 0x7ffee90e1ad0 sp 0x7ffee90e1ac8
READ of size 1 at 0x62500000a0f8 thread T0
    #0 0x529e83 in PoDoFo::PdfVariant::DelayedLoad() const /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/podofo/base/../../src/base/PdfVariant.h:545:10
    #1 0x529e83 in PoDoFo::PdfVariant::GetReal() const /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/podofo/base/../../src/base/PdfVariant.h:675
    #2 0x52887e in ColorChanger::GetColorFromStack(int, std::vector<PoDoFo::PdfVariant, std::allocator >&) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofocolor/colorchanger.cpp:423:33
    #3 0x525d4b in ColorChanger::ProcessColor(ColorChanger::EKeywordType, int, std::vector<PoDoFo::PdfVariant, std::allocator >&, GraphicsStack&) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofocolor/colorchanger.cpp:449:28
    #4 0x521b3c in ColorChanger::ReplaceColorsInPage(PoDoFo::PdfCanvas*) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofocolor/colorchanger.cpp:214:31
    #5 0x51ed8e in ColorChanger::start() /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofocolor/colorchanger.cpp:120:15
    #6 0x51c06d in main /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofocolor/podofocolor.cpp:116:12
    #7 0x7f6c2623561f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #8 0x428718 in _start (/usr/bin/podofocolor+0x428718)

0x62500000a0f8 is located 8 bytes to the left of 8192-byte region [0x62500000a100,0x62500000c100)
allocated by thread T0 here:
    #0 0x518700 in operator new(unsigned long) /tmp/portage/sys-devel/llvm-3.9.0-r1/work/llvm-3.9.0.src/projects/compiler-rt/lib/asan/asan_new_delete.cc:78
    #1 0x52aa18 in __gnu_cxx::new_allocator::allocate(unsigned long, void const*) /usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/include/g++-v4/ext/new_allocator.h:104:27
    #2 0x52aa18 in __gnu_cxx::__alloc_traits<std::allocator >::allocate(std::allocator&, unsigned long) /usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/include/g++-v4/ext/alloc_traits.h:182
    #3 0x52aa18 in std::_Vector_base<PoDoFo::PdfVariant, std::allocator >::_M_allocate(unsigned long) /usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/include/g++-v4/bits/stl_vector.h:170
    #4 0x52aa18 in std::vector<PoDoFo::PdfVariant, std::allocator >::_M_insert_aux(__gnu_cxx::__normal_iterator<PoDoFo::PdfVariant*, std::vector<PoDoFo::PdfVariant, std::allocator > >, PoDoFo::PdfVariant const&) /usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/include/g++-v4/bits/vector.tcc:353
    #5 0x521bdd in std::vector<PoDoFo::PdfVariant, std::allocator >::push_back(PoDoFo::PdfVariant const&) /usr/lib/gcc/x86_64-pc-linux-gnu/4.9.3/include/g++-v4/bits/stl_vector.h:925:4
    #6 0x521bdd in ColorChanger::ReplaceColorsInPage(PoDoFo::PdfCanvas*) /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofocolor/colorchanger.cpp:170
    #7 0x51ed8e in ColorChanger::start() /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofocolor/colorchanger.cpp:120:15
    #8 0x51c06d in main /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/tools/podofocolor/podofocolor.cpp:116:12
    #9 0x7f6c2623561f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/app-text/podofo-0.9.4/work/podofo-0.9.4/podofo/base/../../src/base/PdfVariant.h:545:10 in PoDoFo::PdfVariant::DelayedLoad() const
Shadow bytes around the buggy address:
  0x0c4a7fff93c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff93d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff93e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff93f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a7fff9400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c4a7fff9410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x0c4a7fff9420: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff9430: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff9440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff9450: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a7fff9460: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==5749==ABORTING

Affected version:
0.9.4

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-6843

Reproducer:
https://github.com/asarubbo/poc/blob/master/00170-podofo-heapoverflow-PoDoFo-PdfTokenizer-GetNextToken

Timeline:
2017-02-13: bug discovered
2017-03-02: bug reported to upstream
2017-03-02: blog post about the issue
2017-03-12: CVE assigned

Note:
This bug was found with American Fuzzy Lop.


podofo: NULL pointer dereference in ColorChanger::GetColorFromStack (colorchanger.cpp)

Description:
podofo is a C++ library to work with the PDF file format.

A fuzz on it discovered a null pointer access. The upstream project does not let me open a new ticket, so I will just forward this to the -users mailing list.

The complete ASan output:

# podofocolor dummy $FILE foo
==18954==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000052302d bp 0x7fc24b8e2000 sp 0x7ffcaaf21810 T0)
==18954==The signal is caused by a READ memory access.
==18954==Hint: address points to the zero page.
    #0 0x52302c in getVtablePrefix /tmp/portage/sys-devel/llvm-3.9.1-r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/ubsan/ubsan_type_hash_itanium.cc:198
    #1 0x52302c in __ubsan::checkDynamicType(void*, void*, unsigned long) /tmp/portage/sys-devel/llvm-3.9.1-r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/ubsan/ubsan_type_hash_itanium.cc:221
    #2 0x521082 in HandleDynamicTypeCacheMiss /tmp/portage/sys-devel/llvm-3.9.1-r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/ubsan/ubsan_handlers_cxx.cc:37
    #3 0x521922 in __ubsan_handle_dynamic_type_cache_miss /tmp/portage/sys-devel/llvm-3.9.1-r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/ubsan/ubsan_handlers_cxx.cc:87
    #4 0x538eb2 in ColorChanger::GetColorFromStack(int, std::vector<PoDoFo::PdfVariant, std::allocator >&) /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/tools/podofocolor/colorchanger.cpp:430:33
    #5 0x530d50 in ColorChanger::ProcessColor(ColorChanger::EKeywordType, int, std::vector<PoDoFo::PdfVariant, std::allocator >&, GraphicsStack&) /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/tools/podofocolor/colorchanger.cpp:449:28
    #6 0x52c2a9 in ColorChanger::ReplaceColorsInPage(PoDoFo::PdfCanvas*) /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/tools/podofocolor/colorchanger.cpp:214:31
    #7 0x526921 in ColorChanger::start() /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/tools/podofocolor/colorchanger.cpp:120:15
    #8 0x523b8d in main /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/tools/podofocolor/podofocolor.cpp:116:12
    #9 0x7fc2490df78f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #10 0x4300e8 in _start (/usr/bin/podofocolor+0x4300e8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/sys-devel/llvm-3.9.1-r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/ubsan/ubsan_type_hash_itanium.cc:198 in getVtablePrefix
==18954==ABORTING

Affected version:
0.9.5

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-6842

Reproducer:
https://github.com/asarubbo/poc/blob/master/00217-podofo-nullptr-colorchanger-cpp

Timeline:
2017-03-01: bug discovered
2017-03-02: bug reported upstream
2017-03-02: blog post about the issue
2017-03-12: CVE assigned

Note:
This bug was found with American Fuzzy Lop.


podofo: NULL pointer dereference in GraphicsStack::TGraphicsStackElement::~TGraphicsStackElement (graphicsstack.h)

Description:
podofo is a C++ library to work with the PDF file format.

A fuzz on it discovered a null pointer dereference. The upstream project does not let me open a new ticket, so I will just forward this to the -users mailing list.

The complete ASan output:

# podofocolor dummy $FILE foo
==7677==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000054b701 bp 0x7ffe64ec7cb0 sp 0x7ffe64ec7c80 T0)
==7677==The signal is caused by a READ memory access.
==7677==Hint: address points to the zero page.
    #0 0x54b700 in GraphicsStack::TGraphicsStackElement::~TGraphicsStackElement() /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/tools/podofocolor/graphicsstack.h:29:11
    #1 0x55b772 in std::deque<GraphicsStack::TGraphicsStackElement, std::allocator >::pop_back() /usr/lib/gcc/x86_64-pc-linux-gnu/4.9.4/include/g++-v4/bits/stl_deque.h:1459:4
    #2 0x52c84d in ColorChanger::ReplaceColorsInPage(PoDoFo::PdfCanvas*) /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/tools/podofocolor/colorchanger.cpp:190:35
    #3 0x526921 in ColorChanger::start() /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/tools/podofocolor/colorchanger.cpp:120:15
    #4 0x523b8d in main /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/tools/podofocolor/podofocolor.cpp:116:12
    #5 0x7fc9a444f78f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #6 0x4300e8 in _start (/usr/bin/podofocolor+0x4300e8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/tools/podofocolor/graphicsstack.h:29:11 in GraphicsStack::TGraphicsStackElement::~TGraphicsStackElement()
==7677==ABORTING

Affected version:
0.9.5

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-6841

Reproducer:
https://github.com/asarubbo/poc/blob/master/00216-podofo-nullptr-graphicsstack-h

Timeline:
2017-03-01: bug discovered
2017-03-02: bug reported to upstream
2017-03-02: blog post about the issue
2017-03-12: CVE assigned

Note:
This bug was found with American Fuzzy Lop.


podofo: invalid memory read in ColorChanger::GetColorFromStack (colorchanger.cpp)

Description:
podofo is a C++ library to work with the PDF file format.

A fuzz on it discovered an invalid memory read. The upstream project does not let me open a new ticket, so I will just forward this to the -users mailing list.

The complete ASan output:

# podofocolor dummy $FILE foo
==9073==ERROR: AddressSanitizer: SEGV on unknown address 0xffffffffffffffe0 (pc 0x000000537d67 bp 0x7ffc54cb3c50 sp 0x7ffc54cb3ba0 T0)
==9073==The signal is caused by a READ memory access.
    #0 0x537d66 in ColorChanger::GetColorFromStack(int, std::vector<PoDoFo::PdfVariant, std::allocator >&) /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/tools/podofocolor/colorchanger.cpp:416:32
    #1 0x530d50 in ColorChanger::ProcessColor(ColorChanger::EKeywordType, int, std::vector<PoDoFo::PdfVariant, std::allocator >&, GraphicsStack&) /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/tools/podofocolor/colorchanger.cpp:449:28
    #2 0x52c2a9 in ColorChanger::ReplaceColorsInPage(PoDoFo::PdfCanvas*) /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/tools/podofocolor/colorchanger.cpp:214:31
    #3 0x526921 in ColorChanger::start() /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/tools/podofocolor/colorchanger.cpp:120:15
    #4 0x523b8d in main /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/tools/podofocolor/podofocolor.cpp:116:12
    #5 0x7f36fe7fe78f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #6 0x4300e8 in _start (/usr/bin/podofocolor+0x4300e8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/portage/app-text/podofo-0.9.5/work/podofo-0.9.5/tools/podofocolor/colorchanger.cpp:416:32 in ColorChanger::GetColorFromStack(int, std::vector<PoDoFo::PdfVariant, std::allocator >&)
==9073==ABORTING

Affected version:
0.9.5

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-6840

Reproducer:
https://github.com/asarubbo/poc/blob/master/00215-podofo-invalidread-colorchanger-cpp

Timeline:
2017-03-01: bug discovered
2017-03-02: bug reported upstream
2017-03-02: blog post about the issue
2017-03-12: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

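All four podofocolor crashes above sit on the same path, ReplaceColorsInPage -> ProcessColor -> GetColorFromStack: operands are pushed onto a std::vector<PoDoFo::PdfVariant> (frame #6 of the allocation trace in the first advisory) and a colour operator then reads its operands back. The first trace reads 8 bytes before the start of an 8192-byte vector buffer, and the fourth faults at 0xffffffffffffffe0, which is consistent with indexing one element before the start of a vector that holds fewer operands than the operator needs, or none at all. The third trace is a pop_back on the q/Q graphics-state deque. The walker below is an added example, not PoDoFo code, of the two guards that path needs: check the operator's operand arity before reading operands off the stack, and check q/Q balance before popping graphics state. The operator arities (g/G: 1, rg/RG: 3, k/K: 4) are from the PDF specification; the double stand-in for PdfVariant, the function names and the sample stream are constructed for the example.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstdlib>
#include <sstream>
#include <string>
#include <vector>

// Stand-in for the PdfVariant operand: colour operators only take numbers.
struct Color {
    std::vector<double> components;
};

// Operand arity of the colour-setting operators (PDF 32000-1:2008, Table 74).
// Returns 0 for operators this walker does not model.
int ColorOperandCount(const std::string& op) {
    if (op == "g"  || op == "G")  return 1;   // DeviceGray
    if (op == "rg" || op == "RG") return 3;   // DeviceRGB
    if (op == "k"  || op == "K")  return 4;   // DeviceCMYK
    return 0;
}

// The unchecked index computation. With fewer than n operands on the stack,
// size() - n wraps around in size_t and the element access that follows lands
// outside the vector's allocation (just before the buffer, or below address 0
// when the vector is empty and its data pointer is null). Shown only to make
// the arithmetic visible; never index a vector with its result.
std::size_t UncheckedFirstOperandIndex(const std::vector<double>& stack, int n) {
    return stack.size() - static_cast<std::size_t>(n);
}

// Hardened accessor: refuse to read operands that are not on the stack.
bool GetColorFromStack(const std::vector<double>& stack, int n, Color& out) {
    if (n <= 0 || stack.size() < static_cast<std::size_t>(n)) return false;
    out.components.assign(stack.end() - n, stack.end());
    return true;
}

struct WalkResult {
    std::vector<Color> colors;          // colours set by well-formed operators
    std::vector<std::string> errors;    // operators refused as malformed
};

// Walk a whitespace-separated content stream. Numbers are pushed on the
// operand stack; every operator consumes the stack whether or not it was
// accepted, and q/Q depth is tracked so a stray Q cannot pop an empty
// graphics-state stack.
WalkResult WalkContentStream(const std::string& stream) {
    WalkResult result;
    std::vector<double> operands;
    int graphicsDepth = 0;
    std::istringstream in(stream);
    std::string tok;
    while (in >> tok) {
        char* end = nullptr;
        double value = std::strtod(tok.c_str(), &end);
        if (end != tok.c_str() && *end == '\0') {   // numeric operand
            operands.push_back(value);
            continue;
        }
        if (tok == "q") {
            ++graphicsDepth;
        } else if (tok == "Q") {
            if (graphicsDepth == 0) result.errors.push_back("Q without a matching q");
            else --graphicsDepth;
        } else {
            int n = ColorOperandCount(tok);
            Color c;
            if (n > 0 && GetColorFromStack(operands, n, c)) {
                result.colors.push_back(c);
            } else if (n > 0) {
                result.errors.push_back(tok + ": expected " + std::to_string(n) +
                                        " operands, got " + std::to_string(operands.size()));
            }
            // Other operators are ignored here; their operands are still discarded below.
        }
        operands.clear();
    }
    if (graphicsDepth != 0) result.errors.push_back("q without a matching Q at end of stream");
    return result;
}

int main() {
    // Constructed stream: one good rg, one rg with too few operands, one stray Q.
    WalkResult r = WalkContentStream("q 1 0 0 rg 0 rg Q Q");
    std::printf("%zu colour(s) set, %zu error(s)\n", r.colors.size(), r.errors.size());
    for (const std::string& e : r.errors) std::printf("  %s\n", e.c_str());
    return 0;
}
```

The point of UncheckedFirstOperandIndex is the size_t wrap: for an empty stack and n = 1 it yields SIZE_MAX, and `stack[SIZE_MAX]` is `data() - sizeof(element)`, exactly the "8 bytes to the left" and "address minus one element" shapes in the traces. Any reader of PDF content streams that keeps operands in a vector wants the arity check in GetColorFromStack, not a check on the operator name alone.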

pax-utils: scanelf: out of bounds read in scanelf_file_get_symtabs (scanelf.c)

Description:
pax-utils is a set of tools that check files for security relevant properties.

A fuzz on scanelf exposed that the out-of-bounds read already reported here was still unfixed.

The complete ASan output:

# scanelf -s '*' -axetrnibSDIYZB $FILE
==1093==ERROR: AddressSanitizer: unknown-crash on address 0x7f4ddab2c3a0 at pc 0x000000524a77 bp 0x7fffcd2bc320 sp 0x7fffcd2bc318
READ of size 4 at 0x7f4ddab2c3a0 thread T0
    #0 0x524a76 in scanelf_file_get_symtabs /tmp/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:357:3
    #1 0x514af2 in scanelf_file_sym /tmp/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:1282:2
    #2 0x514af2 in scanelf_elfobj /tmp/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:1502
    #3 0x5137f8 in scanelf_elf /tmp/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:1567:8
    #4 0x5137f8 in scanelf_fileat /tmp/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:1634
    #5 0x512d9b in scanelf_dirat /tmp/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:1668:10
    #6 0x511d9d in scanelf_dir /tmp/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:1718:9
    #7 0x511d9d in parseargs /tmp/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:2228
    #8 0x511d9d in main /tmp/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:2316
    #9 0x7f4dd9b4e61f in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.22-r4/work/glibc-2.22/csu/libc-start.c:289
    #10 0x419b28 in getenv (/usr/bin/scanelf+0x419b28)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: unknown-crash /tmp/portage/app-misc/pax-utils-1.2.2/work/pax-utils-1.2.2/scanelf.c:357:3 in scanelf_file_get_symtabs
Shadow bytes around the buggy address:
  0x0fea3b55d820: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fea3b55d830: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fea3b55d840: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fea3b55d850: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fea3b55d860: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
=>0x0fea3b55d870: fe fe fe fe[fe]fe fe fe fe fe fe fe fe fe fe fe
  0x0fea3b55d880: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fea3b55d890: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fea3b55d8a0: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fea3b55d8b0: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
  0x0fea3b55d8c0: fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe fe
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1093==ABORTING

Affected version:
1.2.2

Fixed version:
1.2.3 (not released at the time of writing)

Commit fix:
https://github.com/gentoo/pax-utils/commit/e577c5b7e230c52e5fc4fa40e4e9014c634b3c1d
https://github.com/gentoo/pax-utils/commit/858939ea6ad63f1acb4ec74bba705c197a67d559

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00169-pax-utils-scanelf-oobread1

Timeline:
2017-02-09: bug discovered and reported to upstream
2017-02-11: upstream released a patch
2017-02-25: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/02/25/pax-utils-scanelf-out-of-bounds-read-in-scanelf_file_get_symtabs-scanelf-c-2

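The trace above is a 4-byte read at a wild address inside scanelf_file_get_symtabs, which by its name is the code that locates the symbol tables through the section headers, and ASan cannot attribute the address to any allocation. That is the signature of an offset or count taken from the ELF headers and used without checking it against the size of the mapped file. As an added example, not pax-utils code (the two commits linked above are the real fix), here is a symbol-table locator that validates the section header table and each SHT_SYMTAB/SHT_DYNSYM section against the file size before touching them, using overflow-safe range arithmetic, plus a builder for constructed in-memory images that exercise the checks. The struct layouts follow the ELF-64 format (they match Elf64_Ehdr/Elf64_Shdr from <elf.h>); the function names and error strings are the example's own.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

// ELF-64 header layouts per the System V ABI (identical to Elf64_Ehdr and
// Elf64_Shdr in <elf.h>), spelled out so the example builds on any host.
struct ElfHeader64 {
    unsigned char e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff;
    uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
};
struct SectionHeader64 {
    uint32_t sh_name, sh_type;
    uint64_t sh_flags, sh_addr, sh_offset, sh_size;
    uint32_t sh_link, sh_info;
    uint64_t sh_addralign, sh_entsize;
};
static_assert(sizeof(ElfHeader64) == 64, "ELF-64 header is 64 bytes");
static_assert(sizeof(SectionHeader64) == 64, "ELF-64 section header is 64 bytes");

const uint32_t kShtSymtab = 2, kShtDynsym = 11;
const uint64_t kSymEntrySize = 24;   // sizeof(Elf64_Sym)

// True iff [off, off + len) lies inside `total` bytes, with no wrap-around.
bool RangeInside(uint64_t off, uint64_t len, uint64_t total) {
    return off <= total && len <= total - off;
}

struct SymtabRef { uint64_t offset; uint64_t count; uint32_t strtab; };

// Locate every SHT_SYMTAB / SHT_DYNSYM section of an in-memory ELF-64 image,
// keeping only those whose data lies entirely inside the image. Returns false
// when the section header table itself cannot be trusted.
bool FindSymtabs(const std::vector<uint8_t>& file,
                 std::vector<SymtabRef>& found, std::vector<std::string>& errors) {
    found.clear(); errors.clear();
    if (file.size() < sizeof(ElfHeader64)) { errors.push_back("shorter than an ELF header"); return false; }
    ElfHeader64 eh;
    std::memcpy(&eh, file.data(), sizeof eh);
    if (std::memcmp(eh.e_ident, "\x7f" "ELF", 4) != 0 || eh.e_ident[4] != 2 /* ELFCLASS64 */) {
        errors.push_back("not an ELF-64 image");
        return false;
    }
    if (eh.e_shnum == 0) return true;   // no section headers, nothing to scan
    if (eh.e_shentsize != sizeof(SectionHeader64)) { errors.push_back("unexpected e_shentsize"); return false; }
    // e_shnum is 16-bit and e_shentsize is 64, so this product cannot overflow.
    if (!RangeInside(eh.e_shoff, uint64_t(eh.e_shnum) * eh.e_shentsize, file.size())) {
        errors.push_back("section header table lies outside the file");
        return false;
    }
    for (uint16_t i = 0; i < eh.e_shnum; ++i) {
        SectionHeader64 sh;
        std::memcpy(&sh, file.data() + eh.e_shoff + uint64_t(i) * sizeof sh, sizeof sh);
        if (sh.sh_type != kShtSymtab && sh.sh_type != kShtDynsym) continue;
        const std::string where = "section " + std::to_string(i) + ": ";
        if (!RangeInside(sh.sh_offset, sh.sh_size, file.size())) {
            errors.push_back(where + "symbol data lies outside the file");
        } else if (sh.sh_entsize != kSymEntrySize || sh.sh_size % kSymEntrySize != 0) {
            errors.push_back(where + "bad symbol entry size");
        } else if (sh.sh_link >= eh.e_shnum) {
            errors.push_back(where + "string table index out of range");
        } else {
            found.push_back(SymtabRef{sh.sh_offset, sh.sh_size / kSymEntrySize, sh.sh_link});
        }
    }
    return true;
}

// Constructed image for tests: header, the given section headers, then
// `payload` zero bytes. The overrides let a test forge e_shoff / e_shnum.
std::vector<uint8_t> MakeImage(const std::vector<SectionHeader64>& sections, std::size_t payload,
                               uint64_t shoffOverride = 0, uint16_t shnumOverride = 0) {
    ElfHeader64 eh;
    std::memset(&eh, 0, sizeof eh);
    std::memcpy(eh.e_ident, "\x7f" "ELF", 4);
    eh.e_ident[4] = 2;   // ELFCLASS64
    eh.e_ident[5] = 1;   // ELFDATA2LSB
    eh.e_shoff = shoffOverride ? shoffOverride : sizeof eh;
    eh.e_shentsize = sizeof(SectionHeader64);
    eh.e_shnum = shnumOverride ? shnumOverride : static_cast<uint16_t>(sections.size());
    std::vector<uint8_t> img(sizeof eh + sections.size() * sizeof(SectionHeader64) + payload, 0);
    std::memcpy(img.data(), &eh, sizeof eh);
    for (std::size_t i = 0; i < sections.size(); ++i)
        std::memcpy(img.data() + sizeof eh + i * sizeof(SectionHeader64), &sections[i], sizeof(SectionHeader64));
    return img;
}

// A SHT_SYMTAB header describing `size` bytes of symbol data at `offset`.
SectionHeader64 SymtabSection(uint64_t offset, uint64_t size, uint32_t link) {
    SectionHeader64 sh;
    std::memset(&sh, 0, sizeof sh);
    sh.sh_type = kShtSymtab; sh.sh_offset = offset; sh.sh_size = size;
    sh.sh_entsize = kSymEntrySize; sh.sh_link = link;
    return sh;
}

int main() {
    std::vector<SymtabRef> found; std::vector<std::string> errors;
    FindSymtabs(MakeImage({SymtabSection(0x10000, 48, 0)}, 48), found, errors);   // data beyond EOF
    for (const std::string& e : errors) std::printf("%s\n", e.c_str());
    return 0;
}
```

RangeInside is the piece to copy: `off + len <= total` is the natural check and is wrong, because a crafted sh_offset near UINT64_MAX makes the sum wrap and pass. Comparing against `total - off` after confirming `off <= total` cannot overflow. The same check applies to every other file-derived offset in an ELF reader (program headers, string tables, the sh_link target).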

gnu-paxutils: multiple crashes

Description:
GNU paxutils is a suite of archive utilities: it provides the cpio, tar and POSIX pax archivers.

Fuzzing tar and pax shows multiple crashes.
I really don't know whether those tools are used anywhere at the moment.

Details:

# tar -t -f $FILE
buffer.c:1480:40: runtime error: index 7168 out of bounds for type 'char [512]'
SUMMARY: AddressSanitizer: undefined-behavior buffer.c:1480:40 in 
./bins/tar: Record size of archive appears to be 14 blocks (20 expected)
./bins/tar: Hmm, this doesn't look like a tar archive
./bins/tar: Skipping to next file header

reading.c:327:19: runtime error: member access within null pointer of type 'union block'
SUMMARY: AddressSanitizer: undefined-behavior reading.c:327:19 in 
reading.c:327:19: runtime error: member access within null pointer of type 'struct sparse_header'
SUMMARY: AddressSanitizer: undefined-behavior reading.c:327:19 in 

ASAN:DEADLYSIGNAL
=================================================================
==9542==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000001f8 (pc 0x000000570b4a bp 0x7ffd7ab13eb0 sp 0x7ffd7ab13e90 T0)
==9542==The signal is caused by a READ memory access.
==9542==Hint: address points to the zero page.
    #0 0x570b49 in skip_extended_headers /root/paxutils-2.4h/src/reading.c:327:33
    #1 0x55721d in list_archive /root/paxutils-2.4h/src/list.c:120:7
    #2 0x5718ef in read_and /root/paxutils-2.4h/src/reading.c:406:5
    #3 0x57c746 in main /root/paxutils-2.4h/src/./tar.c:1508:7
    #4 0x7f5c524fc78f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x41a498 in _start (/root/bins/tar+0x41a498)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/paxutils-2.4h/src/reading.c:327:33 in skip_extended_headers
==9542==ABORTING

Reproducer:
https://github.com/asarubbo/poc/blob/master/00178-gnupaxutils-tar-segv

Obviously, the runtime error “member access within null pointer…” is UBSan's way of reporting what ASan subsequently reports as a SEGV, so it is the same issue.

# pax -f $FILE
==10938==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000141615f at pc 0x00000052853e bp 0x7ffed94bdc30 sp 0x7ffed94bdc28
READ of size 1 at 0x00000141615f thread T0
    #0 0x52853d in read_in_tar_header /root/paxutils-2.4h/src/fmttar.c:363:8
    #1 0x50dd65 in read_in_header /root/paxutils-2.4h/src/copyin.c:99:7
    #2 0x50f675 in process_copy_in /root/paxutils-2.4h/src/copyin.c:236:7
    #3 0x50d164 in main /root/paxutils-2.4h/src/./pax.c:485:3
    #4 0x7fd70e06478f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x41a448 in _start (/usr/bin/pax+0x41a448)

Reproducer:
https://github.com/asarubbo/poc/blob/master/00179-gnupaxutils-pax-globaloverflow

# pax -f $FILE
==21061==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efb9 at pc 0x00000048041a bp 0x7ffea3351e10 sp 0x7ffea33515c0
READ of size 10 at 0x60200000efb9 thread T0
    #0 0x480419 in __interceptor_strcmp /tmp/portage/sys-devel/llvm-3.9.1-r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:284
    #1 0x50f969 in process_copy_in /root/paxutils-2.4h/src/copyin.c:261:11
    #2 0x50d164 in main /root/paxutils-2.4h/src/./pax.c:485:3
    #3 0x7fe2d680178f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #4 0x41a448 in _start (/usr/bin/pax+0x41a448)

Reproducer:
https://github.com/asarubbo/poc/blob/master/00180-gnupaxutils-pax-heapoverflow

# pax -f $FILE
fmttar.c:450:11: runtime error: index 6 out of bounds for type 'char [6]'
SUMMARY: AddressSanitizer: undefined-behavior fmttar.c:450:11

==7159==ERROR: AddressSanitizer: memcpy-param-overlap: memory ranges [0x7fe6f8001420,0x7fe6f800161f) and [0x7fe6f8001421, 0x7fe6f8001620) overlap
    #0 0x4bc091 in __asan_memcpy /tmp/portage/sys-devel/llvm-3.9.1-r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:413
    #1 0x526da0 in read_in_tar_header /root/paxutils-2.4h/src/fmttar.c:265:4
    #2 0x50dd65 in read_in_header /root/paxutils-2.4h/src/copyin.c:99:7
    #3 0x50f675 in process_copy_in /root/paxutils-2.4h/src/copyin.c:236:7
    #4 0x50d164 in main /root/paxutils-2.4h/src/./pax.c:485:3
    #5 0x7fe6fae7178f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #6 0x41a448 in _start (/usr/bin/pax+0x41a448)

Reproducer:
https://github.com/asarubbo/poc/blob/master/00181-gnupaxutils-pax-memcpyparoverlap

# pax -f $FILE
==11514==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f8b47900220 at pc 0x00000053bf25 bp 0x7ffd949d5cc0 sp 0x7ffd949d5cb8
READ of size 1 at 0x7f8b47900220 thread T0
    #0 0x53bf24 in otoa /root/paxutils-2.4h/lib/octal.c:33:10
    #1 0x5287f5 in is_tar_header /root/paxutils-2.4h/src/fmttar.c:427:3
    #2 0x50d8d4 in read_in_header /root/paxutils-2.4h/src/copyin.c:74:27
    #3 0x50f675 in process_copy_in /root/paxutils-2.4h/src/copyin.c:236:7
    #4 0x50d164 in main /root/paxutils-2.4h/src/./pax.c:485:3
    #5 0x7f8b4a75378f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #6 0x41a448 in _start (/usr/bin/pax+0x41a448)

Reproducer:
https://github.com/asarubbo/poc/blob/master/00182-gnupaxutils-pax-stackoverflow

Affected version:
2.4h

Fixed version:
N/A

Commit fix:
N/A

Credit:
These bugs were discovered by Agostino Sarubbo of Gentoo.

Timeline:
2017-02-17: bugs discovered
2017-02-21: bugs reported to upstream
2017-02-21: blog post about the issue

Note:
These bugs were found with American Fuzzy Lop.
The email to upstream was rejected.

Permalink:
https://blogs.gentoo.org/ago/2017/02/21/gnu-paxutils-multiple-crashes

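Read together, the paxutils traces are the classic tar header pitfalls: a heap over-read of 10 bytes inside strcmp called from process_copy_in (a fixed-width field compared as if it were NUL-terminated), a stack over-read in otoa while is_tar_header examines a field (a numeric field read past its end), a 6-byte header array indexed at 6, a record index of 7168 against a 512-byte block, and a null block dereferenced in skip_extended_headers (a short or missing record treated as a full one). The parser below is an added example, not paxutils code, of a ustar header reader that avoids each of these: numeric fields are parsed strictly within their declared width, text fields are copied with a bounded length, the 6-byte magic is compared with memcmp over 5 bytes, and a block shorter than 512 bytes is reported rather than read. The field offsets and checksum rule are from the POSIX ustar format; the function names, the status enum and the constructed header are the example's own.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>

const std::size_t kBlockSize = 512;

struct TarEntry {
    std::string name;
    uint64_t size = 0;
    char typeflag = '0';
    bool ustar = false;
};

// Parse an octal numeric field no wider than the header says it is. Stops at
// the first NUL or space but never reads past `len` bytes, so a field with no
// terminator cannot pull bytes from the neighbouring field or beyond the block.
// Rejects non-octal digits, empty fields and values that would overflow.
bool ParseOctalField(const unsigned char* field, std::size_t len, uint64_t& out) {
    uint64_t v = 0;
    std::size_t i = 0, digits = 0;
    while (i < len && field[i] == ' ') ++i;   // leading blanks are allowed
    for (; i < len && field[i] != '\0' && field[i] != ' '; ++i, ++digits) {
        if (field[i] < '0' || field[i] > '7') return false;
        if (v > (UINT64_MAX >> 3)) return false;   // next shift would overflow
        v = (v << 3) | static_cast<uint64_t>(field[i] - '0');
    }
    if (digits == 0) return false;
    out = v;
    return true;
}

// Copy a fixed-width text field that may lack a NUL terminator (strnlen, never strlen).
std::string FieldToString(const unsigned char* field, std::size_t len) {
    std::size_t n = 0;
    while (n < len && field[n] != '\0') ++n;
    return std::string(reinterpret_cast<const char*>(field), n);
}

// Header checksum: all 512 bytes summed as unsigned, with the 8 chksum bytes
// (offsets 148..155) counted as ASCII spaces.
uint32_t HeaderChecksum(const unsigned char* block) {
    uint32_t sum = 0;
    for (std::size_t i = 0; i < kBlockSize; ++i)
        sum += (i >= 148 && i < 156) ? static_cast<unsigned char>(' ') : block[i];
    return sum;
}

enum class HeaderStatus { Ok, EndOfArchive, Truncated, BadChecksum, BadField };

// Parse one header block from the `avail` bytes at `block`. A short read is
// reported as Truncated instead of being dereferenced as a full record, and an
// all-zero block is the end-of-archive marker, not an entry.
HeaderStatus ParseTarHeader(const unsigned char* block, std::size_t avail, TarEntry& out) {
    if (avail < kBlockSize) return HeaderStatus::Truncated;
    bool allZero = true;
    for (std::size_t i = 0; i < kBlockSize && allZero; ++i) allZero = block[i] == 0;
    if (allZero) return HeaderStatus::EndOfArchive;

    uint64_t storedSum = 0, size = 0;
    if (!ParseOctalField(block + 148, 8, storedSum)) return HeaderStatus::BadField;
    if (storedSum != HeaderChecksum(block)) return HeaderStatus::BadChecksum;
    if (!ParseOctalField(block + 124, 12, size)) return HeaderStatus::BadField;

    out.name = FieldToString(block, 100);
    out.size = size;
    out.typeflag = block[156] ? static_cast<char>(block[156]) : '0';
    // magic[6] holds "ustar\0" (POSIX) or "ustar " (old GNU): compare 5 bytes,
    // never strcmp a field that has no room for a terminator.
    out.ustar = std::memcmp(block + 257, "ustar", 5) == 0;
    if (out.ustar) {
        std::string prefix = FieldToString(block + 345, 155);
        if (!prefix.empty()) out.name = prefix + "/" + out.name;
    }
    return HeaderStatus::Ok;
}

// Constructed header for tests: a ustar block for `name` (up to 100 bytes,
// unterminated when it uses all of them) with `size` bytes of file data.
std::vector<unsigned char> MakeUstarHeader(const std::string& name, uint64_t size) {
    std::vector<unsigned char> b(kBlockSize, 0);
    std::memcpy(b.data(), name.data(), name.size() < 100 ? name.size() : 100);
    std::snprintf(reinterpret_cast<char*>(b.data() + 100), 8, "%07o", 0644u);
    std::snprintf(reinterpret_cast<char*>(b.data() + 124), 12, "%011llo",
                  static_cast<unsigned long long>(size));
    b[156] = '0';
    std::memcpy(b.data() + 257, "ustar", 6);
    std::memcpy(b.data() + 263, "00", 2);
    std::snprintf(reinterpret_cast<char*>(b.data() + 148), 8, "%06o", HeaderChecksum(b.data()));
    b[155] = ' ';
    return b;
}

int main() {
    TarEntry e;
    std::vector<unsigned char> h = MakeUstarHeader("hello.txt", 1234);
    std::printf("status %d, name %s, size %llu\n", static_cast<int>(ParseTarHeader(h.data(), h.size(), e)),
                e.name.c_str(), static_cast<unsigned long long>(e.size));
    return 0;
}
```

The 100-byte name case is the one worth trying against any tar reader: a name that fills the field exactly is legal and has no terminator, so anything that hands the field to strlen, strcmp or printf("%s") reads into the mode field and beyond, which is the shape of the strcmp over-read above.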

audiofile: multiple ubsan crashes

Description:
audiofile is a C-based library for reading and writing audio files in many common formats.

A fuzz on it discovered multiple crashes because of undefined behavior.

The complete UBsan output:

# sfconvert @@ out.mp3 format aiff
/tmp/portage/media-libs/audiofile-0.3.6-r3/work/audiofile-0.3.6/libaudiofile/WAVE.cpp:289:14: runtime error: index 256 out of bounds for type 'int16_t [256][2]'
/tmp/portage/media-libs/audiofile-0.3.6-r3/work/audiofile-0.3.6/libaudiofile/WAVE.cpp:290:14: runtime error: index 256 out of bounds for type 'int16_t [256][2]'

Reproducer:
https://github.com/asarubbo/poc/blob/master/00191-audiofile-indexoob
CVE:
CVE-2017-6837

##########################################

# sfconvert @@ out.mp3 format aiff
/tmp/portage/media-libs/audiofile-0.3.6-r3/work/audiofile-0.3.6/sfcommands/sfconvert.c:327:42: runtime error: signed integer overflow: 65536 * 252936 cannot be represented in type 'int'

Reproducer:
https://github.com/asarubbo/poc/blob/master/00192-audiofile-signintoverflow-sfconvert
CVE:
CVE-2017-6838

##########################################

# sfconvert @@ out.mp3 format aiff
/tmp/portage/media-libs/audiofile-0.3.6-r3/work/audiofile-0.3.6/libaudiofile/modules/MSADPCM.cpp:115:27: runtime error: signed integer overflow: 5512570 * 409 cannot be represented in type 'int'

Reproducer:
https://github.com/asarubbo/poc/blob/master/00193-audiofile-signintoverflow-MSADPCM
CVE:
CVE-2017-6839

##########################################

Affected version:
0.3.6

Fixed version:
N/A

Commit fix:
N/A

Credit:
These bugs were discovered by Agostino Sarubbo of Gentoo.

Timeline:
2017-02-20: bug discovered and reported to upstream
2017-02-20: blog post about the issue
2017-03-12: CVE assigned

Note:
These bugs were found with American Fuzzy Lop.

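UBSan flags the product 65536 * 252936 at sfconvert.c:327:42, and in the heap-overflow advisory that follows, the 524288-byte buffer that Expand3To4Module::run writes one element past was allocated at sfconvert.c:327:17, so both reports point at the buffer sizing on that line: a frame-count-times-frame-size product computed in int, and a 3-byte-to-4-byte expander whose output does not fit what the caller allocated. The two functions below are an added example, not audiofile code, of the corresponding guards: a 64-bit, step-by-step overflow-checked size computation with an explicit allocation cap, and an expander that takes its output capacity as a parameter and refuses to write when the expanded data would not fit. The sample 24-bit PCM bytes are constructed; the function names are the example's own.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Bytes needed for `frames` frames of `channels` samples of `bytesPerSample`
// each. All arithmetic is 64-bit and checked before every multiply, and the
// result must also stay under `maxBytes`, the most the caller is prepared to
// allocate: a header asking for 65536 frames of 252936 bytes (the UBSan
// report above) is refused instead of being multiplied in an int and wrapping.
bool AudioBufferBytes(uint64_t frames, uint64_t channels, uint64_t bytesPerSample,
                      uint64_t maxBytes, std::size_t& bytes) {
    if (maxBytes > SIZE_MAX) maxBytes = SIZE_MAX;
    if (channels == 0 || bytesPerSample == 0) return false;
    if (channels > maxBytes / bytesPerSample) return false;
    const uint64_t frameBytes = channels * bytesPerSample;
    if (frames > maxBytes / frameBytes) return false;
    bytes = static_cast<std::size_t>(frames * frameBytes);
    return true;
}

// Expand packed little-endian 24-bit samples (3 bytes each) to sign-extended
// int32_t (4 bytes each). The output capacity is an explicit parameter in
// samples, and nothing is written unless every sample fits: a caller that sized
// the output for 3-byte samples gets `false`, not a write past its allocation.
bool Expand3To4(const uint8_t* in, std::size_t inBytes,
                int32_t* out, std::size_t outCapacity, std::size_t& produced) {
    produced = 0;
    if (inBytes % 3 != 0) return false;
    const std::size_t samples = inBytes / 3;
    if (samples > outCapacity) return false;
    for (std::size_t i = 0; i < samples; ++i) {
        uint32_t u = static_cast<uint32_t>(in[3 * i])
                   | (static_cast<uint32_t>(in[3 * i + 1]) << 8)
                   | (static_cast<uint32_t>(in[3 * i + 2]) << 16);
        if (u & 0x800000u) u |= 0xff000000u;   // sign-extend bit 23
        out[i] = static_cast<int32_t>(u);
    }
    produced = samples;
    return true;
}

// Constructed input: three 24-bit samples, +1, -1 and -8388608 (the minimum).
const uint8_t kPcm24[9] = {0x01, 0x00, 0x00, 0xff, 0xff, 0xff, 0x00, 0x00, 0x80};

int main() {
    std::size_t bytes = 0;
    bool ok = AudioBufferBytes(65536, 252936, 1, uint64_t(1) << 30, bytes);
    std::printf("65536 x 252936 under a 1 GiB cap: %s\n", ok ? "accepted" : "refused");
    int32_t out[3];
    std::size_t produced = 0;
    Expand3To4(kPcm24, sizeof kPcm24, out, 3, produced);
    std::printf("%zu samples: %d %d %d\n", produced, out[0], out[1], out[2]);
    return 0;
}
```

The cap matters as much as the overflow check: 65536 * 252936 does not overflow 64 bits, so a reader that merely widens the arithmetic will happily ask malloc for 16 GiB on behalf of a one-megabyte input file.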

audiofile: heap-based buffer overflow in Expand3To4Module::run (SimpleModule.h)

Description:
audiofile is a C-based library for reading and writing audio files in many common formats.

A fuzz on it discovered a heap overflow.

The complete ASan output:

# sfconvert @@ out.mp3 format aiff
==1731==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fd325141800 at pc 0x7fd324dab3e7 bp 0x7fff5fd78e20 sp 0x7fff5fd78e18
WRITE of size 4 at 0x7fd325141800 thread T0
    #0 0x7fd324dab3e6 in void Expand3To4Module::run(unsigned char const*, int*, int) /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/libaudiofile/modules/SimpleModule.h:268:14
    #1 0x7fd324dab3e6 in Expand3To4Module::run(Chunk&, Chunk&) /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/libaudiofile/modules/SimpleModule.h:241
    #2 0x7fd324d8105a in afReadFrames /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/libaudiofile/data.cpp:222:14
    #3 0x50bbeb in copyaudiodata /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/sfcommands/sfconvert.c:340:29
    #4 0x50b050 in main /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/sfcommands/sfconvert.c:248:17
    #5 0x7fd323e5678f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #6 0x419f48 in _init (/usr/bin/sfconvert+0x419f48)

0x7fd325141800 is located 0 bytes to the right of 524288-byte region [0x7fd3250c1800,0x7fd325141800)
allocated by thread T0 here:
    #0 0x4d2d08 in malloc /tmp/portage/sys-devel/llvm-3.9.1-r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
    #1 0x50bb48 in copyaudiodata /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/sfcommands/sfconvert.c:327:17
    #2 0x50b050 in main /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/sfcommands/sfconvert.c:248:17
    #3 0x7fd323e5678f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/libaudiofile/modules/SimpleModule.h:268:14 in void Expand3To4Module::run(unsigned char const*, int*, int)
Shadow bytes around the buggy address:
  0x0ffae4a202b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffae4a202c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffae4a202d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffae4a202e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffae4a202f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ffae4a20300:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffae4a20310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffae4a20320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffae4a20330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffae4a20340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ffae4a20350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa                                                                                                                                                                                                              
Shadow byte legend (one shadow byte represents 8 application bytes):                                                                                                                                                                                                           
  Addressable:           00                                                                                                                                                                                                                                                    
  Partially addressable: 01 02 03 04 05 06 07                                                                                                                                                                                                                                  
  Heap left redzone:       fa                                                                                                                                                                                                                                                  
  Heap right redzone:      fb                                                                                                                                                                                                                                                  
  Freed heap region:       fd                                                                                                                                                                                                                                                  
  Stack left redzone:      f1                                                                                                                                                                                                                                                  
  Stack mid redzone:       f2                                                                                                                                                                                                                                                  
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1731==ABORTING

Affected version:
0.3.6

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-6836

Reproducer:
https://github.com/asarubbo/poc/blob/master/00190-audiofile-heapoverflow-Expand3To4Module-run

Timeline:
2017-02-20: bug discovered and reported to upstream
2017-02-20: blog post about the issue
2017-03-12: CVE assigned

Note:
This bug was found with American Fuzzy Lop.


audiofile: divide-by-zero in BlockCodec::reset1 (BlockCodec.cpp)

Description:
audiofile is a C-based library for reading and writing audio files in many common formats.

Fuzzing it turned up a division by zero (an integer divide reached with a zero divisor taken from the input file; AddressSanitizer reports the resulting SIGFPE as "FPE").

The complete ASan output:

# sfconvert @@ out.mp3 format aiff
==3538==ERROR: AddressSanitizer: FPE on unknown address 0x7f86a8cffe14 (pc 0x7f86a8cffe14 bp 0x7ffe41d2ae00 sp 0x7ffe41d2adf0 T0)                                                                                                                                              
    #0 0x7f86a8cffe13 in BlockCodec::reset1() /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/libaudiofile/modules/BlockCodec.cpp:74:61                                                                                                                        
    #1 0x7f86a8d0b794 in ModuleState::reset(_AFfilehandle*, Track*) /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/libaudiofile/modules/ModuleState.cpp:218:9                                                                                                 
    #2 0x7f86a8d0b794 in ModuleState::setup(_AFfilehandle*, Track*) /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/libaudiofile/modules/ModuleState.cpp:190                                                                                                   
    #3 0x7f86a8ced43c in afGetFrameCount /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/libaudiofile/format.cpp:205:41                                                                                                                                        
    #4 0x50bb5c in copyaudiodata /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/sfcommands/sfconvert.c:329:29                                                                                                                                                 
    #5 0x50b050 in main /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/sfcommands/sfconvert.c:248:17                                                                                                                                                          
    #6 0x7f86a7dbe78f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289                                                                                                                                                     
    #7 0x419f48 in _init (/usr/bin/sfconvert+0x419f48)                                                                                                                                                                                                                         
                                                                                                                                                                                                                                                                               
AddressSanitizer can not provide additional info.                                                                                                                                                                                                                              
SUMMARY: AddressSanitizer: FPE /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/libaudiofile/modules/BlockCodec.cpp:74:61 in BlockCodec::reset1()                                                                                                               
==3538==ABORTING

Affected version:
0.3.6

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-6835

Reproducer:
https://github.com/asarubbo/poc/blob/master/00189-audiofile-fpe-BlockCodec-reset1

Timeline:
2017-02-20: bug discovered and reported to upstream
2017-02-20: blog post about the issue
2017-03-12: CVE assigned

Note:
This bug was found with American Fuzzy Lop.
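The trace above reaches the divide from ModuleState::reset() into BlockCodec::reset1(), i.e. while the codec is being reset before afGetFrameCount() can answer. The following is an added example, not audiofile's code: it models a block codec whose packet geometry comes straight from the file header, shows the unchecked reset pattern that divides by such a value, and the hardened form that validates the header first. The 12-byte little-endian header layout, the field names and the reset arithmetic are assumptions for illustration, not the project's actual structures.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical block-codec header, constructed for this example: three
 * little-endian 32-bit fields. Real containers spread these values across
 * chunks, but the hazard is the same: all three are file contents. */
typedef struct {
    uint32_t bytes_per_packet;   /* compressed bytes in one packet   */
    uint32_t frames_per_packet;  /* PCM frames one packet decodes to */
    uint32_t data_bytes;         /* length of the sound-data chunk   */
} block_header;

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse the 12-byte header. Returns 0 on success, -1 if too short. */
int parse_block_header(const uint8_t *buf, size_t len, block_header *h)
{
    if (!buf || !h || len < 12) return -1;
    h->bytes_per_packet  = rd32le(buf);
    h->frames_per_packet = rd32le(buf + 4);
    h->data_bytes        = rd32le(buf + 8);
    return 0;
}

/* Reject any header the codec would later divide by zero with, or whose
 * frame count would overflow a signed 64-bit frame counter. */
int block_header_valid(const block_header *h)
{
    if (h->bytes_per_packet == 0 || h->frames_per_packet == 0) return 0;
    uint64_t packets = h->data_bytes / h->bytes_per_packet;
    if (packets > (uint64_t)INT64_MAX / h->frames_per_packet) return 0;
    return 1;
}

/* The bug pattern: a reset that snaps the next frame to a packet boundary
 * and trusts frames_per_packet straight from the header. With a zero
 * there, the division raises SIGFPE, which ASan reports as "FPE". */
int64_t reset_unchecked(const block_header *h, int64_t next_frame)
{
    return (next_frame / h->frames_per_packet) * h->frames_per_packet;
}

/* Hardened reset: fails closed on an invalid header instead of dividing. */
int64_t reset_checked(const block_header *h, int64_t next_frame)
{
    if (next_frame < 0 || !block_header_valid(h)) return -1;
    return (next_frame / h->frames_per_packet) * h->frames_per_packet;
}

/* Parse, validate, and return the decoded frame count, or -1. */
int64_t frames_from_header(const uint8_t *buf, size_t len)
{
    block_header h;
    if (parse_block_header(buf, len, &h) != 0 || !block_header_valid(&h))
        return -1;
    return (int64_t)(h.data_bytes / h.bytes_per_packet) * h.frames_per_packet;
}

/* Parse, validate, and run the checked reset, or -1. */
int64_t reset_from_header(const uint8_t *buf, size_t len, int64_t next_frame)
{
    block_header h;
    if (parse_block_header(buf, len, &h) != 0) return -1;
    return reset_checked(&h, next_frame);
}

/* Constructed inputs: a sane header (34 bytes -> 64 frames, 324 data
 * bytes) and the same header with frames_per_packet zeroed. */
const uint8_t kGoodHeader[12] = { 34, 0, 0, 0,  64, 0, 0, 0,  0x44, 0x01, 0, 0 };
const uint8_t kBadHeader[12]  = { 34, 0, 0, 0,   0, 0, 0, 0,  0x44, 0x01, 0, 0 };

int main(void)
{
    printf("good: frames=%lld reset(100)=%lld\n",
           (long long)frames_from_header(kGoodHeader, sizeof kGoodHeader),
           (long long)reset_from_header(kGoodHeader, sizeof kGoodHeader, 100));
    printf("bad:  frames=%lld reset(100)=%lld\n",
           (long long)frames_from_header(kBadHeader, sizeof kBadHeader),
           (long long)reset_from_header(kBadHeader, sizeof kBadHeader, 100));
    /* Calling reset_unchecked() on the bad header is the crash itself. */
    return 0;
}
```

The point of the checked variant is where the validation sits: once at parse time, before any arithmetic touches the header values, so a later reset, seek or frame-count query cannot be the first place a zero is noticed. A fuzzer finds the unchecked form within minutes because a single zeroed field is enough.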


audiofile: heap-based buffer overflow in ulaw2linear_buf (G711.cpp)

Description:
audiofile is a C-based library for reading and writing audio files in many common formats.

Fuzzing it turned up a heap-based buffer overflow: a 2-byte write landing immediately past the end of the output buffer that sfconvert allocated in copyaudiodata().

The complete ASan output:

# sfconvert @@ out.mp3 format aiff
WRITE of size 2 at 0x7fb583d33800 thread T0                                                                                                                                                                                                                                    
    #0 0x7fb58398c8b1 in ulaw2linear_buf(unsigned char const*, short*, int) /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/libaudiofile/modules/G711.cpp:42:13                                                                                                
    #1 0x7fb58398c8b1 in G711::runPull() /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/libaudiofile/modules/G711.cpp:206                                                                                                                                     
    #2 0x7fb58397305a in afReadFrames /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/libaudiofile/data.cpp:222:14                                                                                                                                             
    #3 0x50bbeb in copyaudiodata /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/sfcommands/sfconvert.c:340:29                                                                                                                                                 
    #4 0x50b050 in main /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/sfcommands/sfconvert.c:248:17                                                                                                                                                          
    #5 0x7fb582a4878f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289                                                                                                                                                     
    #6 0x419f48 in _init (/usr/bin/sfconvert+0x419f48)                                                                                                                                                                                                                         
                                                                                                                                                                                                                                                                               
0x7fb583d33800 is located 0 bytes to the right of 917504-byte region [0x7fb583c53800,0x7fb583d33800)                                                                                                                                                                           
allocated by thread T0 here:                                                                                                                                                                                                                                                   
    #0 0x4d2d08 in malloc /tmp/portage/sys-devel/llvm-3.9.1-r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64                                                                                                                                       
    #1 0x50bb48 in copyaudiodata /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/sfcommands/sfconvert.c:327:17                                                                                                                                                 
    #2 0x50b050 in main /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/sfcommands/sfconvert.c:248:17                                                                                                                                                          
    #3 0x7fb582a4878f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289                                                                                                                                                     
                                                                                                                                                                                                                                                                               
SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/libaudiofile/modules/G711.cpp:42:13 in ulaw2linear_buf(unsigned char const*, short*, int)                                                                      
Shadow bytes around the buggy address:                                                                                                                                                                                                                                         
  0x0ff73079e6b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00                                                                                                                                                                                                              
  0x0ff73079e6c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00                                                                                                                                                                                                              
  0x0ff73079e6d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00                                                                                                                                                                                                              
  0x0ff73079e6e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00                                                                                                                                                                                                              
  0x0ff73079e6f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00                                                                                                                                                                                                              
=>0x0ff73079e700:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa                                                                                                                                                                                                              
  0x0ff73079e710: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa                                                                                                                                                                                                              
  0x0ff73079e720: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa                                                                                                                                                                                                              
  0x0ff73079e730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa                                                                                                                                                                                                              
  0x0ff73079e740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa                                                                                                                                                                                                              
  0x0ff73079e750: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa                                                                                                                                                                                                              
Shadow byte legend (one shadow byte represents 8 application bytes):                                                                                                                                                                                                           
  Addressable:           00                                                                                                                                                                                                                                                    
  Partially addressable: 01 02 03 04 05 06 07                                                                                                                                                                                                                                  
  Heap left redzone:       fa                                                                                                                                                                                                                                                  
  Heap right redzone:      fb                                                                                                                                                                                                                                                  
  Freed heap region:       fd                                                                                                                                                                                                                                                  
  Stack left redzone:      f1                                                                                                                                                                                                                                                  
  Stack mid redzone:       f2                                                                                                                                                                                                                                                  
  Stack right redzone:     f3                                                                                                                                                                                                                                                  
  Stack partial redzone:   f4                                                                                                                                                                                                                                                  
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2586==ABORTING

Affected version:
0.3.6

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-6834

Reproducer:
https://github.com/asarubbo/poc/blob/master/00188-audiofile-heapoverflow-ulaw2linear_buf

Timeline:
2017-02-20: bug discovered and reported to upstream
2017-02-20: blog post about the issue
2017-03-12: CVE assigned

Note:
This bug was found with American Fuzzy Lop.
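Both this report and the Expand3To4Module::run report earlier on the page point at the same allocation site, copyaudiodata() in sfconvert.c:327: a decode module writes more output than the caller's buffer holds. The following is an added example, not audiofile's code, serving both advisories. It implements the standard G.711 mu-law expansion, shows the unchecked "decode `count` samples into `out`" shape that produces a "WRITE of size 2 ... 0 bytes to the right of" report, and the hardened form in which the destination capacity bounds the loop. The converter model (`convert_ulaw`), the function names and the constructed sample bytes are assumptions for illustration, not the project's real interfaces.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* G.711 mu-law byte to 16-bit linear PCM (the standard expansion). */
int16_t ulaw_to_linear(uint8_t u)
{
    u = (uint8_t)~u;                      /* stored complemented */
    int t = ((u & 0x0F) << 3) + 0x84;     /* mantissa plus bias  */
    t <<= (u & 0x70) >> 4;                /* segment (exponent)  */
    return (int16_t)((u & 0x80) ? (0x84 - t) : (t - 0x84));
}

/* Bug pattern: decodes `count` samples into `out` without knowing how big
 * `out` is. When the caller sized `out` from the header's frame count but
 * `count` is driven by the data actually in the file, the last writes
 * land just past the allocation: ASan's "0 bytes to the right of" case. */
void ulaw_decode_unchecked(const uint8_t *in, int16_t *out, int count)
{
    for (int i = 0; i < count; i++)
        out[i] = ulaw_to_linear(in[i]);
}

/* Hardened: capacity travels with the output pointer and bounds the loop.
 * Returns how many samples were written. */
size_t ulaw_decode_checked(const uint8_t *in, size_t count,
                           int16_t *out, size_t out_cap)
{
    size_t n = count < out_cap ? count : out_cap;
    for (size_t i = 0; i < n; i++)
        out[i] = ulaw_to_linear(in[i]);
    return n;
}

/* Models a converter like sfconvert's copyaudiodata loop: allocate the
 * output from the header's frame count, then pull decoded frames. Returns
 * the number of mu-law bytes that did not fit (0 when header and data
 * agree), or -1 if allocation fails. With the unchecked decoder those
 * bytes would have been written past the end of `pcm`. */
long convert_ulaw(const uint8_t *data, size_t data_len, uint32_t header_frames)
{
    int16_t *pcm = calloc(header_frames ? header_frames : 1, sizeof *pcm);
    if (!pcm) return -1;
    size_t written = ulaw_decode_checked(data, data_len, pcm, header_frames);
    free(pcm);
    return (long)(data_len - written);
}

/* Constructed mu-law data: five bytes covering both encodings of zero
 * and the extreme negative and positive codes. */
const uint8_t kSample[5] = { 0xFF, 0x7F, 0x00, 0x80, 0x40 };

int main(void)
{
    for (size_t i = 0; i < sizeof kSample; i++)
        printf("0x%02x -> %d\n", kSample[i], ulaw_to_linear(kSample[i]));
    /* Header promises 4 frames, data chunk carries 5 bytes: one is dropped
     * by the checked decoder rather than overflowing the buffer. */
    printf("dropped=%ld\n", convert_ulaw(kSample, sizeof kSample, 4));
    return 0;
}
```

A practitioner triaging either report should compare the two numbers the converter trusts separately: the frame count the header advertises (which sizes the buffer) and the amount of data the decoder is actually handed. Whichever side the fix lands on, the invariant to enforce is that no module may emit more frames than the buffer passed to it was allocated for.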
