agostino's blog

audiofile: divide-by-zero in BlockCodec::runPull (BlockCodec.cpp)

Posted on February 20, 2017 by ago

Description:
audiofile is a C-based library for reading and writing audio files in many common formats.

A fuzz on it discovered a division by zero.

The complete ASan output:

# sfconvert @@ out.mp3 format aiff
==2529==ERROR: AddressSanitizer: FPE on unknown address 0x7ff06b121920 (pc 0x7ff06b121920 bp 0x7ffd0ddf2d90 sp 0x7ffd0ddf2d00 T0)                                                                                                                                              
    #0 0x7ff06b12191f in BlockCodec::runPull() /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/libaudiofile/modules/BlockCodec.cpp:50:46                                                                                                                       
    #1 0x7ff06b15ac20 in RebufferModule::runPull() /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/libaudiofile/modules/RebufferModule.cpp:122:3                                                                                                               
    #2 0x7ff06b10b05a in afReadFrames /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/libaudiofile/data.cpp:222:14                                                                                                                                             
    #3 0x50bbeb in copyaudiodata /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/sfcommands/sfconvert.c:340:29                                                                                                                                                 
    #4 0x50b050 in main /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/sfcommands/sfconvert.c:248:17                                                                                                                                                          
    #5 0x7ff06a1e078f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289                                                                                                                                                     
    #6 0x419f48 in _init (/usr/bin/sfconvert+0x419f48)                                                                                                                                                                                                                         
                                                                                                                                                                                                                                                                               
AddressSanitizer can not provide additional info.                                                                                                                                                                                                                              
SUMMARY: AddressSanitizer: FPE /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/libaudiofile/modules/BlockCodec.cpp:50:46 in BlockCodec::runPull()                                                                                                              
==2529==ABORTING

Affected version:
0.3.6

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-6833

Reproducer:
https://github.com/asarubbo/poc/blob/master/00187-audiofile-fpe-BlockCodec-runPull

Timeline:
2017-02-20: bug discovered and reported to upstream
2017-02-20: blog post about the issue
2017-03-12: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

Permalink:

audiofile: divide-by-zero in BlockCodec::runPull (BlockCodec.cpp)

Posted in advisories, security | Leave a comment

audiofile: heap-based buffer overflow in MSADPCM::decodeBlock (MSADPCM.cpp)

Posted on February 20, 2017 by ago

Description:
audiofile is a C-based library for reading and writing audio files in many common formats.

A fuzz on it discovered an heap overflow.

The complete ASan output:

# sfconvert @@ out.mp3 format aiff
==2512==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d00001c45a at pc 0x7fe7476f387d bp 0x7ffc3b0e3bf0 sp 0x7ffc3b0e3be8
WRITE of size 2 at 0x62d00001c45a thread T0
    #0 0x7fe7476f387c in MSADPCM::decodeBlock(unsigned char const*, short*) /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/libaudiofile/modules/MSADPCM.cpp:222:14
    #1 0x7fe7476c1ac9 in BlockCodec::runPull() /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/libaudiofile/modules/BlockCodec.cpp:55:3
    #2 0x7fe7476fac20 in RebufferModule::runPull() /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/libaudiofile/modules/RebufferModule.cpp:122:3
    #3 0x7fe7476ab05a in afReadFrames /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/libaudiofile/data.cpp:222:14
    #4 0x50bbeb in copyaudiodata /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/sfcommands/sfconvert.c:340:29
    #5 0x50b050 in main /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/sfcommands/sfconvert.c:248:17
    #6 0x7fe74678078f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #7 0x419f48 in _init (/usr/bin/sfconvert+0x419f48)

0x62d00001c45a is located 0 bytes to the right of 32858-byte region [0x62d000014400,0x62d00001c45a)
allocated by thread T0 here:
    #0 0x4d2d08 in malloc /tmp/portage/sys-devel/llvm-3.9.1-r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
    #1 0x7fe746419687 in operator new(unsigned long) (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libstdc++.so.6+0xb2687)
    #2 0x7fe7476af43c in afGetFrameCount /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/libaudiofile/format.cpp:205:41
    #3 0x50bb5c in copyaudiodata /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/sfcommands/sfconvert.c:329:29
    #4 0x50b050 in main /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/sfcommands/sfconvert.c:248:17
    #5 0x7fe74678078f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/libaudiofile/modules/MSADPCM.cpp:222:14 in MSADPCM::decodeBlock(unsigned char const*, short*)
Shadow bytes around the buggy address:
  0x0c5a7fffb830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5a7fffb840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5a7fffb850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5a7fffb860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5a7fffb870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c5a7fffb880: 00 00 00 00 00 00 00 00 00 00 00[02]fa fa fa fa
  0x0c5a7fffb890: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5a7fffb8a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5a7fffb8b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5a7fffb8c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5a7fffb8d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2512==ABORTING

Affected version:
0.3.6

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-6832

Reproducer:
https://github.com/asarubbo/poc/blob/master/00186-audiofile-heapoverflow-MSADPCM-decodeBlock

Timeline:
2017-02-20: bug discovered and reported to upstream
2017-02-20: blog post about the issue
2017-03-12: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

Permalink:

audiofile: heap-based buffer overflow in MSADPCM::decodeBlock (MSADPCM.cpp)

Posted in advisories, security | 1 Comment

audiofile: heap-based buffer overflow in IMA::decodeBlockWAVE (IMA.cpp)

Posted on February 20, 2017 by ago

Description:
audiofile is a C-based library for reading and writing audio files in many common formats.

A fuzz on it discovered an heap overflow.

The complete ASan output:

# sfconvert @@ out.mp3 format aiff
==2486==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62f0000286e8 at pc 0x7fc5db36626e bp 0x7ffcecb1cbf0 sp 0x7ffcecb1cbe8                                                                                                                                       
WRITE of size 2 at 0x62f0000286e8 thread T0                                                                                                                                                                                                                                    
    #0 0x7fc5db36626d in IMA::decodeBlockWAVE(unsigned char const*, short*) /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/libaudiofile/modules/IMA.cpp:188:13                                                                                                
    #1 0x7fc5db365671 in IMA::decodeBlock(unsigned char const*, short*) /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/libaudiofile/modules/IMA.cpp:110:10                                                                                                    
    #2 0x7fc5db361ac9 in BlockCodec::runPull() /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/libaudiofile/modules/BlockCodec.cpp:55:3                                                                                                                        
    #3 0x7fc5db39ac20 in RebufferModule::runPull() /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/libaudiofile/modules/RebufferModule.cpp:122:3                                                                                                               
    #4 0x7fc5db34b05a in afReadFrames /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/libaudiofile/data.cpp:222:14                                                                                                                                             
    #5 0x50bbeb in copyaudiodata /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/sfcommands/sfconvert.c:340:29                                                                                                                                                 
    #6 0x50b050 in main /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/sfcommands/sfconvert.c:248:17                                                                                                                                                          
    #7 0x7fc5da42078f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289                                                                                                                                                     
    #8 0x419f48 in _init (/usr/bin/sfconvert+0x419f48)                                                                                                                                                                                                                         
                                                                                                                                                                                                                                                                               
0x62f0000286e8 is located 0 bytes to the right of 49896-byte region [0x62f00001c400,0x62f0000286e8)                                                                                                                                                                            
allocated by thread T0 here:                                                                                                                                                                                                                                                   
    #0 0x4d2d08 in malloc /tmp/portage/sys-devel/llvm-3.9.1-r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64                                                                                                                                       
    #1 0x7fc5da0b9687 in operator new(unsigned long) (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libstdc++.so.6+0xb2687)                                                                                                                                                           
    #2 0x7fc5db34f43c in afGetFrameCount /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/libaudiofile/format.cpp:205:41                                                                                                                                        
    #3 0x50bb5c in copyaudiodata /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/sfcommands/sfconvert.c:329:29                                                                                                                                                 
    #4 0x50b050 in main /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/sfcommands/sfconvert.c:248:17                                                                                                                                                          
    #5 0x7fc5da42078f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289                                                                                                                                                     
                                                                                                                                                                                                                                                                               
SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/libaudiofile/modules/IMA.cpp:188:13 in IMA::decodeBlockWAVE(unsigned char const*, short*)                                                                      
Shadow bytes around the buggy address:                                                                                                                                                                                                                                         
  0x0c5e7fffd080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00                                                                                                                                                                                                              
  0x0c5e7fffd090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5e7fffd0a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5e7fffd0b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c5e7fffd0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c5e7fffd0d0: 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa fa
  0x0c5e7fffd0e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5e7fffd0f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5e7fffd100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5e7fffd110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5e7fffd120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2486==ABORTING

Affected version:
0.3.6

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-6831

Reproducer:
https://github.com/asarubbo/poc/blob/master/00185-audiofile-heapoverflow-IMA-decodeBlockWAVE

Timeline:
2017-02-20: bug discovered and reported to upstream
2017-02-20: blog post about the issue
2017-03-12: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

Permalink:

audiofile: heap-based buffer overflow in IMA::decodeBlockWAVE (IMA.cpp)

Posted in advisories, security | Leave a comment

audiofile: heap-based buffer overflow in alaw2linear_buf (G711.cpp)

Posted on February 20, 2017 by ago

Description:
audiofile is a C-based library for reading and writing audio files in many common formats.

A fuzz on it discovered an heap overflow.

The complete ASan output:

# sfconvert @@ out.mp3 format aiff
==2480==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f5eb894d800 at pc 0x7f5eb85a699f bp 0x7ffe19064df0 sp 0x7ffe19064de8
WRITE of size 2 at 0x7f5eb894d800 thread T0
    #0 0x7f5eb85a699e in alaw2linear_buf(unsigned char const*, short*, int) /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/libaudiofile/modules/G711.cpp:54:13
    #1 0x7f5eb85a699e in G711::runPull() /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/libaudiofile/modules/G711.cpp:209
    #2 0x7f5eb858d05a in afReadFrames /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/libaudiofile/data.cpp:222:14
    #3 0x50bbeb in copyaudiodata /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/sfcommands/sfconvert.c:340:29
    #4 0x50b050 in main /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/sfcommands/sfconvert.c:248:17
    #5 0x7f5eb766278f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #6 0x419f48 in _init (/usr/bin/sfconvert+0x419f48)

0x7f5eb894d800 is located 0 bytes to the right of 393216-byte region [0x7f5eb88ed800,0x7f5eb894d800)
allocated by thread T0 here:
    #0 0x4d2d08 in malloc /tmp/portage/sys-devel/llvm-3.9.1-r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
    #1 0x50bb48 in copyaudiodata /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/sfcommands/sfconvert.c:327:17
    #2 0x50b050 in main /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/sfcommands/sfconvert.c:248:17
    #3 0x7f5eb766278f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/libaudiofile/modules/G711.cpp:54:13 in alaw2linear_buf(unsigned char const*, short*, int)
Shadow bytes around the buggy address:
  0x0fec57121ab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fec57121ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fec57121ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fec57121ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fec57121af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fec57121b00:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fec57121b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fec57121b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fec57121b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fec57121b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0fec57121b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2480==ABORTING

Affected version:
0.3.6

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-6830

Reproducer:
https://github.com/asarubbo/poc/blob/master/00184-audiofile-heapoverflow-alaw2linear_buf

Timeline:
2017-02-20: bug discovered and reported to upstream
2017-02-20: blog post about the issue
2017-03-12: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

Permalink:

audiofile: heap-based buffer overflow in alaw2linear_buf (G711.cpp)

Posted in advisories, security | 1 Comment

audiofile: global buffer overflow in decodeSample (IMA.cpp)

Posted on February 20, 2017 by ago

Description:
audiofile is a C-based library for reading and writing audio files in many common formats.

A fuzz on it discovered a global overflow.

The complete ASan output:

# sfconvert @@ out.mp3 format aiff                                                                                                                                                                                                                                               
==1779==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f0add7e6a7a at pc 0x7f0add77c221 bp 0x7ffe13caabf0 sp 0x7ffe13caabe8
READ of size 2 at 0x7f0add7e6a7a thread T0
    #0 0x7f0add77c220 in decodeSample(adpcmState&, unsigned char) /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/libaudiofile/modules/IMA.cpp:144:13
    #1 0x7f0add77c220 in IMA::decodeBlockWAVE(unsigned char const*, short*) /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/libaudiofile/modules/IMA.cpp:186
    #2 0x7f0add77b671 in IMA::decodeBlock(unsigned char const*, short*) /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/libaudiofile/modules/IMA.cpp:110:10
    #3 0x7f0add777ac9 in BlockCodec::runPull() /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/libaudiofile/modules/BlockCodec.cpp:55:3
    #4 0x7f0add7b0c20 in RebufferModule::runPull() /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/libaudiofile/modules/RebufferModule.cpp:122:3
    #5 0x7f0add76105a in afReadFrames /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/libaudiofile/data.cpp:222:14
    #6 0x50bbeb in copyaudiodata /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/sfcommands/sfconvert.c:340:29
    #7 0x50b050 in main /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/sfcommands/sfconvert.c:248:17
    #8 0x7f0adc83678f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #9 0x419f48 in _init (/usr/bin/sfconvert+0x419f48)

0x7f0add7e6a7a is located 6 bytes to the left of global variable 'indexTable' defined in '/tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/libaudiofile/modules/IMA.cpp:116:21' (0x7f0add7e6a80) of size 16
0x7f0add7e6a7a is located 40 bytes to the right of global variable 'stepTable' defined in '/tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/libaudiofile/modules/IMA.cpp:122:22' (0x7f0add7e69a0) of size 178
SUMMARY: AddressSanitizer: global-buffer-overflow /tmp/portage/media-libs/audiofile-0.3.6-r1/work/audiofile-0.3.6/libaudiofile/modules/IMA.cpp:144:13 in decodeSample(adpcmState&, unsigned char)
Shadow bytes around the buggy address:
  0x0fe1dbaf4cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe1dbaf4d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 07 f9 f9
  0x0fe1dbaf4d10: f9 f9 f9 f9 00 00 00 00 00 00 00 04 f9 f9 f9 f9
  0x0fe1dbaf4d20: 00 00 00 00 00 00 01 f9 f9 f9 f9 f9 00 00 01 f9
  0x0fe1dbaf4d30: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fe1dbaf4d40: 00 00 00 00 00 00 00 00 00 00 02 f9 f9 f9 f9[f9]
  0x0fe1dbaf4d50: 00 00 f9 f9 f9 f9 f9 f9 00 00 03 f9 f9 f9 f9 f9
  0x0fe1dbaf4d60: 00 00 05 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x0fe1dbaf4d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe1dbaf4d80: 00 00 00 00 01 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0fe1dbaf4d90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1779==ABORTING

Affected version:
0.3.6

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-6829

Reproducer:
https://github.com/asarubbo/poc/blob/master/00183-audiofile-globaloverflow-decodeSample

Timeline:
2017-02-20: bug discovered and reported to upstream
2017-02-20: blog post about the issue
2017-03-12: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

Permalink:

audiofile: global buffer overflow in decodeSample (IMA.cpp)

Posted in advisories, security | 1 Comment

audiofile: heap-based buffer overflow in readValue (FileHandle.cpp)

Posted on February 20, 2017 by ago

Description:
audiofile is a C-based library for reading and writing audio files in many common formats.

A fuzz with a wav file as input produced an heap overflow.

The complete ASan output:

# sfinfo $FILE
==6051==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a00001f708 at pc 0x0000004513de bp 0x7ffc71379b20 sp 0x7ffc713792d0
WRITE of size 2 at 0x61a00001f708 thread T0
    #0 0x4513dd in read /tmp/portage/sys-devel/llvm-3.9.1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:765
    #1 0x7fd944373b2c in bool readValue(File*, short*) /tmp/portage/media-libs/audiofile-0.3.6-r3/work/audiofile-0.3.6/libaudiofile/FileHandle.cpp:353:12
    #2 0x7fd944373b2c in bool readSwap(File*, short*, int) /tmp/portage/media-libs/audiofile-0.3.6-r3/work/audiofile-0.3.6/libaudiofile/FileHandle.cpp:375
    #3 0x7fd944373b2c in _init /tmp/portage/media-libs/audiofile-0.3.6-r3/work/audiofile-0.3.6/libaudiofile/FileHandle.cpp:397
    #4 0x7fd94439ce2f in WAVEFile::parseFormat(Tag const&, unsigned int) /tmp/portage/media-libs/audiofile-0.3.6-r3/work/audiofile-0.3.6/libaudiofile/WAVE.cpp:289:5
    #5 0x7fd9443a1568 in WAVEFile::readInit(_AFfilesetup*) /tmp/portage/media-libs/audiofile-0.3.6-r3/work/audiofile-0.3.6/libaudiofile/WAVE.cpp:733:13
    #6 0x7fd9443b4fb9 in _afOpenFile(int, File*, char const*, _AFfilehandle**, _AFfilesetup*) /tmp/portage/media-libs/audiofile-0.3.6-r3/work/audiofile-0.3.6/libaudiofile/openclose.cpp:356:15
    #7 0x7fd9443b6331 in afOpenFile /tmp/portage/media-libs/audiofile-0.3.6-r3/work/audiofile-0.3.6/libaudiofile/openclose.cpp:217:6
    #8 0x50a278 in printfileinfo /tmp/portage/media-libs/audiofile-0.3.6-r3/work/audiofile-0.3.6/sfcommands/printinfo.c:45:22
    #9 0x509f98 in main /tmp/portage/media-libs/audiofile-0.3.6-r3/work/audiofile-0.3.6/sfcommands/sfinfo.c:113:4
    #10 0x7fd94347f78f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #11 0x419b68 in _init (/usr/bin/sfinfo+0x419b68)

0x61a00001f708 is located 0 bytes to the right of 1160-byte region [0x61a00001f280,0x61a00001f708)
allocated by thread T0 here:
    #0 0x4d2928 in malloc /tmp/portage/sys-devel/llvm-3.9.1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
    #1 0x7fd942ede687 in operator new(unsigned long) (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libstdc++.so.6+0xb2687)
    #2 0x7fd9443b4d63 in _afOpenFile(int, File*, char const*, _AFfilehandle**, _AFfilesetup*) /tmp/portage/media-libs/audiofile-0.3.6-r3/work/audiofile-0.3.6/libaudiofile/openclose.cpp:337:15
    #3 0x7fd9443b6331 in afOpenFile /tmp/portage/media-libs/audiofile-0.3.6-r3/work/audiofile-0.3.6/libaudiofile/openclose.cpp:217:6
    #4 0x50a278 in printfileinfo /tmp/portage/media-libs/audiofile-0.3.6-r3/work/audiofile-0.3.6/sfcommands/printinfo.c:45:22
    #5 0x509f98 in main /tmp/portage/media-libs/audiofile-0.3.6-r3/work/audiofile-0.3.6/sfcommands/sfinfo.c:113:4
    #6 0x7fd94347f78f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/sys-devel/llvm-3.9.1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:765 in read
Shadow bytes around the buggy address:
  0x0c347fffbe90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fffbea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fffbeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fffbec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fffbed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c347fffbee0: 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fffbef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fffbf00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fffbf10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fffbf20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fffbf30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==6051==ABORTING

Affected version:
0.3.6

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-6828

Reproducer:
https://github.com/asarubbo/poc/blob/master/00135-audiofile-heapoverflow-readValue

Timeline:
2017-01-30: bug discovered and reported to upstream
2017-02-20: blog post about the issue
2017-03-12: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

Permalink:

audiofile: heap-based buffer overflow in readValue (FileHandle.cpp)

Posted in advisories, security | Leave a comment

audiofile: heap-based buffer overflow in MSADPCM::initializeCoefficients (MSADPCM.cpp)

Posted on February 20, 2017 by ago

Description:
audiofile is a C-based library for reading and writing audio files in many common formats.

A fuzz with a wav file as input produced an heap overflow.

The complete ASan output:

# sfinfo $FILE
==6096==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a00001f708 at pc 0x0000004bbc35 bp 0x7ffd65dbabf0 sp 0x7ffd65dba3a0                                                       
READ of size 33872 at 0x61a00001f708 thread T0                                                                                                                                                 
    #0 0x4bbc34 in __asan_memcpy /tmp/portage/sys-devel/llvm-3.9.1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:413                                                  
    #1 0x7efec209d7df in MSADPCM::initializeCoefficients() /tmp/portage/media-libs/audiofile-0.3.6-r3/work/audiofile-0.3.6/libaudiofile/modules/MSADPCM.cpp:369:3                              
    #2 0x7efec209d7df in MSADPCM::createDecompress(Track*, File*, bool, bool, long*) /tmp/portage/media-libs/audiofile-0.3.6-r3/work/audiofile-0.3.6/libaudiofile/modules/MSADPCM.cpp:387      
    #3 0x7efec2070da7 in ModuleState::initFileModule(_AFfilehandle*, Track*) /tmp/portage/media-libs/audiofile-0.3.6-r3/work/audiofile-0.3.6/libaudiofile/modules/ModuleState.cpp:72:18        
    #4 0x7efec207189d in ModuleState::init(_AFfilehandle*, Track*) /tmp/portage/media-libs/audiofile-0.3.6-r3/work/audiofile-0.3.6/libaudiofile/modules/ModuleState.cpp:98:6                   
    #5 0x7efec2053969 in _afOpenFile(int, File*, char const*, _AFfilehandle**, _AFfilesetup*) /tmp/portage/media-libs/audiofile-0.3.6-r3/work/audiofile-0.3.6/libaudiofile/openclose.cpp:396:18
    #6 0x7efec2054331 in afOpenFile /tmp/portage/media-libs/audiofile-0.3.6-r3/work/audiofile-0.3.6/libaudiofile/openclose.cpp:217:6                                                           
    #7 0x50a278 in printfileinfo /tmp/portage/media-libs/audiofile-0.3.6-r3/work/audiofile-0.3.6/sfcommands/printinfo.c:45:22                                                                  
    #8 0x509f98 in main /tmp/portage/media-libs/audiofile-0.3.6-r3/work/audiofile-0.3.6/sfcommands/sfinfo.c:113:4                                                                              
    #9 0x7efec111d78f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289                                                                     
    #10 0x419b68 in _init (/usr/bin/sfinfo+0x419b68)                                                                                                                                           
                                                                                                                                                                                               
0x61a00001f708 is located 0 bytes to the right of 1160-byte region [0x61a00001f280,0x61a00001f708)                                                                                             
allocated by thread T0 here:                                                                                                                                                                   
    #0 0x4d2928 in malloc /tmp/portage/sys-devel/llvm-3.9.1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64                                                          
    #1 0x7efec0b7c687 in operator new(unsigned long) (/usr/lib/gcc/x86_64-pc-linux-gnu/6.3.0/libstdc++.so.6+0xb2687)                                                                           
    #2 0x7efec2052d63 in _afOpenFile(int, File*, char const*, _AFfilehandle**, _AFfilesetup*) /tmp/portage/media-libs/audiofile-0.3.6-r3/work/audiofile-0.3.6/libaudiofile/openclose.cpp:337:15
    #3 0x7efec2054331 in afOpenFile /tmp/portage/media-libs/audiofile-0.3.6-r3/work/audiofile-0.3.6/libaudiofile/openclose.cpp:217:6                                                           
    #4 0x50a278 in printfileinfo /tmp/portage/media-libs/audiofile-0.3.6-r3/work/audiofile-0.3.6/sfcommands/printinfo.c:45:22                                                                  
    #5 0x509f98 in main /tmp/portage/media-libs/audiofile-0.3.6-r3/work/audiofile-0.3.6/sfcommands/sfinfo.c:113:4                                                                              
    #6 0x7efec111d78f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289                                                                     
                                                                                                                                                                                               
SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/sys-devel/llvm-3.9.1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:413 in __asan_memcpy                  
Shadow bytes around the buggy address:                                                                                                                                                         
  0x0c347fffbe90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fffbea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fffbeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fffbec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c347fffbed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c347fffbee0: 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fffbef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fffbf00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fffbf10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fffbf20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fffbf30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==6096==ABORTING

Affected version:
0.3.6

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-6827

Reproducer:
https://github.com/asarubbo/poc/blob/master/00136-audiofile-heapoverflow-MSADPCM-initializeCoefficients

Timeline:
2017-01-30: bug discovered and reported to upstream
2017-02-20: blog post about the issue
2017-03-12: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

Permalink:

audiofile: heap-based buffer overflow in MSADPCM::initializeCoefficients (MSADPCM.cpp)

Posted in advisories, security | Leave a comment

mupdf: mujstest: stack-based buffer overflow in main (jstest_main.c)

Posted on February 17, 2017 by ago

Description:
Mujstest, which is part of mupdf is a scriptable tester for mupdf + js.

A crafted image posted early for another issue, causes a stack overflow.

The complete ASan output:

# mujstest $FILE
==32127==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff29560b00 at pc 0x00000047cbf3 bp 0x7fff29560630 sp 0x7fff2955fde0
WRITE of size 1453 at 0x7fff29560b00 thread T0
    #0 0x47cbf2 in __interceptor_strcpy /tmp/portage/sys-devel/llvm-3.9.1-r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:548
    #1 0x50e903 in main /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/platform/x11/jstest_main.c:358:7
    #2 0x7f68df3c578f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #3 0x41bc18 in _init (/usr/bin/mujstest+0x41bc18)

Address 0x7fff29560b00 is located in stack of thread T0 at offset 1056 in frame
    #0 0x50c45f in main /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/platform/x11/jstest_main.c:293

  This frame has 7 object(s):
    [32, 1056) 'path'
    [1184, 2208) 'text' <== Memory access at offset 1056 partially underflows this variable
    [2336, 2340) 'w' <== Memory access at offset 1056 partially underflows this variable
    [2352, 2356) 'h' <== Memory access at offset 1056 partially underflows this variable
    [2368, 2372) 'x' <== Memory access at offset 1056 partially underflows this variable
    [2384, 2388) 'y' <== Memory access at offset 1056 partially underflows this variable
    [2400, 2404) 'b' 0x1000652a4160:[f2]f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
  0x1000652a4170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000652a4180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000652a4190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000652a41a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000652a41b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==32127==ABORTING

Affected version:
1.10a

Fixed version:
N/A

Commit fix:
http://git.ghostscript.com/?p=user/sebras/mupdf.git;a=blobdiff;f=platform/x11/jstest_main.c;h=f158d9628ed0c0a84e37fe128277679e8334422a;hp=13c3a0a3ba3ff4aae29f6882d23740833c1d842f;hb=06a012a42c9884e3cd653e7826cff1ddec04eb6e;hpb=34e18d127a02146e3415b33c4b67389ce1ddb614

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-6060

Reproducer:
https://github.com/asarubbo/poc/blob/master/00147-mupdf-mujstest-stackoverflow-main

Timeline:
2017-02-05: bug discovered and reported to upstream
2017-02-17: blog post about the issue
2017-02-17: CVE assigned via cveform.mitre.org
2017-04-11: upstream released a patch

Note:
This bug was found with Address Sanitizer.

Permalink:

mupdf: mujstest: stack-based buffer overflow in main (jstest_main.c)

Posted in advisories, security | Leave a comment

mupdf: use-after-free in fz_subsample_pixmap (pixmap.c)

Posted on February 9, 2017 by ago

Description:
mupdf is a lightweight PDF viewer and toolkit written in portable C.

A fuzzing through mutool revealed a use-after-free. It seems that a fix for the recent heap overflow in fz_subsample_pixmap fixes this issue too.

The complete ASan output:

 # mutool draw $FILE
==17100==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c00000abb6 at pc 0x7fba6a8cee53 bp 0x7ffedf859700 sp 0x7ffedf8596f8                                                                                                                                       
READ of size 1 at 0x60c00000abb6 thread T0                                                                                                                                                                                                                                     
    #0 0x7fba6a8cee52 in fz_subsample_pixmap /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/pixmap.c:1210:12                                                                                                                                            
    #1 0x7fba6a8d4dfa in fz_get_pixmap_from_image /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/image.c:686:3                                                                                                                                          
    #2 0x7fba6a88cfae in fz_draw_fill_image /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/draw-device.c:1292:11                                                                                                                                        
    #3 0x7fba6a7915f8 in fz_fill_image /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/device.c:319:3                                                                                                                                                    
    #4 0x7fba6a8b6ab4 in fz_run_display_list /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/list-device.c:1651:6                                                                                                                                        
    #5 0x51d503 in drawband /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:562:4                                                                                                                                                              
    #6 0x51b026 in dodrawpage /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:918:6                                                                                                                                                            
    #7 0x51edba in drawpage /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:1173:3                                                                                                                                                             
    #8 0x51825b in drawrange /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:1190:5                                                                                                                                                            
    #9 0x514aa1 in mudraw_main /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:1733:7                                                                                                                                                          
    #10 0x50eded in main /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mutool.c:110:12                                                                                                                                                                
    #11 0x7fba6973278f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289                                                                                                                                                    
    #12 0x41e1a8 in _init (/usr/bin/mutool+0x41e1a8)                                                                                                                                                                                                                           
                                                                                                                                                                                                                                                                               
0x60c00000abb6 is located 1 bytes to the right of 117-byte region [0x60c00000ab40,0x60c00000abb5)                                                                                                                                                                              
freed by thread T0 here:                                                                                                                                                                                                                                                       
    #0 0x4d6c10 in free /tmp/portage/sys-devel/llvm-3.9.1-r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47                                                                                                                                         
    #1 0x7fba6a810878 in fz_free /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/memory.c:187:2                                                                                                                                                          
    #2 0x7fba6a8d0a0c in fz_decomp_image_from_stream /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/image.c:330:3                                                                                                                                       
    #3 0x7fba6a8d7cdc in compressed_image_get_pixmap /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/image.c:468:10
    #4 0x7fba6a8d4a1f in fz_get_pixmap_from_image /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/image.c:677:9
    #5 0x7fba6a88cfae in fz_draw_fill_image /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/draw-device.c:1292:11
    #6 0x7fba6a7915f8 in fz_fill_image /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/device.c:319:3
    #7 0x7fba6a8b6ab4 in fz_run_display_list /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/list-device.c:1651:6
    #8 0x51d503 in drawband /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:562:4
    #9 0x51b026 in dodrawpage /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:918:6
    #10 0x51edba in drawpage /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:1173:3
    #11 0x51825b in drawrange /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:1190:5
    #12 0x514aa1 in mudraw_main /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:1733:7
    #13 0x50eded in main /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mutool.c:110:12
    #14 0x7fba6973278f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

previously allocated by thread T0 here:
    #0 0x4d6f68 in malloc /tmp/portage/sys-devel/llvm-3.9.1-r1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
    #1 0x7fba6a80c08f in do_scavenging_malloc /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/memory.c:17:7
    #2 0x7fba6a80c08f in fz_malloc_array /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/memory.c:80
    #3 0x7fba6a8cfd40 in fz_decomp_image_from_stream /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/image.c:268:13
    #4 0x7fba6a8d7cdc in compressed_image_get_pixmap /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/image.c:468:10
    #5 0x7fba6a8d4a1f in fz_get_pixmap_from_image /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/image.c:677:9
    #6 0x7fba6a88cfae in fz_draw_fill_image /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/draw-device.c:1292:11
    #7 0x7fba6a7915f8 in fz_fill_image /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/device.c:319:3
    #8 0x7fba6a8b6ab4 in fz_run_display_list /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/list-device.c:1651:6
    #9 0x51d503 in drawband /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:562:4
    #10 0x51b026 in dodrawpage /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:918:6
    #11 0x51edba in drawpage /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:1173:3
    #12 0x51825b in drawrange /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:1190:5
    #13 0x514aa1 in mudraw_main /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mudraw.c:1733:7
    #14 0x50eded in main /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/tools/mutool.c:110:12
    #15 0x7fba6973278f in __libc_start_main /tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-use-after-free /tmp/portage/app-text/mupdf-1.10a/work/mupdf-1.10a-source/source/fitz/pixmap.c:1210:12 in fz_subsample_pixmap
Shadow bytes around the buggy address:
  0x0c187fff9520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff9530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff9540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff9550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fff9560: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c187fff9570: fd fd fd fd fd fd[fd]fa fa fa fa fa fa fa fa fa
  0x0c187fff9580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 fa
  0x0c187fff9590: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c187fff95a0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c187fff95b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c187fff95c0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==17100==ABORTING

Affected version:
1.10a

Fixed version:
1.11 (that will be released in march)

Commit fix:
http://git.ghostscript.com/?p=mupdf.git;h=2c4e5867ee699b1081527bc6c6ea0e99a35a5c27

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-7264

Reproducer:
https://github.com/asarubbo/poc/blob/master/00149-mupdf-UAF-fz_subsample_pixmap

Timeline:
2017-02-06: bug discovered and reported to upstream
2017-02-09: upstream released a patch
2017-02-09: blog post about the issue
2017-03-26: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

Permalink:

mupdf: use-after-free in fz_subsample_pixmap (pixmap.c)

Posted in advisories, security | Leave a comment

zziplib: assertion failure in seeko.c

Posted on February 9, 2017 by ago

Description:
zziplib is an intentionally lightweight library that offers the ability to easily extract data from files archived in a single zip file.

A fuzz on it discovered an a NULL pointer access.

The complete ASan output:

# unzzipcat-seeko $FILE
/tmp/portage/dev-libs/zziplib-0.13.62-r1/work/zziplib-0.13.62/zzip/fseeko.c:313: ZZIP_ENTRY *zzip_entry_findfirst(FILE *): Assertion `0 <= root && root < mapsize' failed.

Affected version:
0.13.62

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-5981

Reproducer:
https://github.com/asarubbo/poc/blob/master/00161-zziplib-assertionfailure-seeko_C

Timeline:
2017-01-17: bug discovered and poked upstream
2017-02-09: blog post about the issue
2017-02-13: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/02/09/zziplib-assertion-failure-in-seeko-c

Posted in advisories, security | 1 Comment

audiofile: divide-by-zero in BlockCodec::runPull (BlockCodec.cpp)

audiofile: heap-based buffer overflow in MSADPCM::decodeBlock (MSADPCM.cpp)

audiofile: heap-based buffer overflow in IMA::decodeBlockWAVE (IMA.cpp)

audiofile: heap-based buffer overflow in alaw2linear_buf (G711.cpp)

audiofile: global buffer overflow in decodeSample (IMA.cpp)

audiofile: heap-based buffer overflow in readValue (FileHandle.cpp)

audiofile: heap-based buffer overflow in MSADPCM::initializeCoefficients (MSADPCM.cpp)

mupdf: mujstest: stack-based buffer overflow in main (jstest_main.c)

mupdf: use-after-free in fz_subsample_pixmap (pixmap.c)

zziplib: assertion failure in seeko.c

Recent Posts

Recent Comments

Archives

Categories

Meta