mp3gain: stack-based buffer overflow in dct36 (mpglibDBL/layer3.c)

Description:
mp3gain is a program that analyzes MP3 files and adjusts them to the same volume.

The fuzzing was done through the aacgain command-line tool, which uses mp3gain, which in turn bundles an old, modified version of mpg123 called mpglibDBL.
The upstream project seems to be dead, so the issue was not communicated to them.

The complete ASan output of the issue:

# aacgain -f $FILE
==13869==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fa590d1b958 at pc 0x0000008b2341 bp 0x7ffc23c02b70 sp 0x7ffc23c02b68
READ of size 8 at 0x7fa590d1b958 thread T0
    #0 0x8b2340 in dct36 /var/tmp/portage/media-sound/aacgain-1.9/work/aacgain-1.9/mp3gain/mpglibDBL/layer3.c:1279
    #1 0x8d26e6 in III_hybrid /var/tmp/portage/media-sound/aacgain-1.9/work/aacgain-1.9/mp3gain/mpglibDBL/layer3.c:1504
    #2 0x8d26e6 in do_layer3 /var/tmp/portage/media-sound/aacgain-1.9/work/aacgain-1.9/mp3gain/mpglibDBL/layer3.c:1695
    #3 0x8ac2f9 in decodeMP3 /var/tmp/portage/media-sound/aacgain-1.9/work/aacgain-1.9/mp3gain/mpglibDBL/interface.c:643
    #4 0x43e767 in main /var/tmp/portage/media-sound/aacgain-1.9/work/aacgain-1.9/mp3gain/mp3gain.c:2262
    #5 0x7fa5937b1680 in __libc_start_main (/lib64/libc.so.6+0x20680)
    #6 0x4426c8 in _start (/usr/bin/aacgain+0x4426c8)

Address 0x7fa590d1b958 is located in stack of thread T0 at offset 18776 in frame
    #0 0x4341ff in main /var/tmp/portage/media-sound/aacgain-1.9/work/aacgain-1.9/mp3gain/mp3gain.c:1411

  This frame has 7 object(s):
    [32, 33) 'maxgain'
    [96, 97) 'mingain'
    [160, 164) 'nprocsamp'
    [224, 232) 'maxsample'
    [288, 9504) 'lsamples'
    [9536, 18752) 'rsamples'
    [18784, 50704) 'mp'
Shadow bytes around the buggy address:
=>0x0ff53219b720: 00 00 00 00 00 00 00 00 f2 f2 f2[f2]00 00 00 00
  0x0ff53219b730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff53219b740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff53219b750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff53219b760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff53219b770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==13869==ABORTING

Affected version:
1.5.2

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-14408

Reproducer:
https://github.com/asarubbo/poc/blob/master/00351-aacgain-stackoverflow-dct36

Timeline:
2017-08-28: bug discovered
2017-09-08: blog post about the issue
2017-09-13: CVE Assigned

Note:
This bug was found with American Fuzzy Lop.
This bug was identified with bare metal servers donated by Packet. This work is also supported by the Core Infrastructure Initiative.
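
A triage helper for reports like the one above, added here as an example and not code from the advisory or from mp3gain: it parses the ASan header, the crashing frame and the frame-object list, then attributes the faulting offset to the stack object it hits, using the same nearest-object rule ASan applies for its "<== Memory access at offset ..." annotation. The embedded report is a constructed sample trimmed from the dct36 output.

```python
"""Triage helper for AddressSanitizer stack-buffer-overflow reports.

Added example, not part of the original advisories: parse the report header,
the crashing frame and the "This frame has N object(s)" list, then work out
which stack object the faulting access hits. The relation rule is modelled on
the one ASan itself applies when it prints "<== Memory access at offset ...".
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: trimmed from the dct36 report (frames and objects as printed).
SAMPLE_REPORT = """\
==13869==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fa590d1b958 at pc 0x0000008b2341 bp 0x7ffc23c02b70 sp 0x7ffc23c02b68
READ of size 8 at 0x7fa590d1b958 thread T0
    #0 0x8b2340 in dct36 /var/tmp/portage/media-sound/aacgain-1.9/work/aacgain-1.9/mp3gain/mpglibDBL/layer3.c:1279
    #1 0x8d26e6 in III_hybrid /var/tmp/portage/media-sound/aacgain-1.9/work/aacgain-1.9/mp3gain/mpglibDBL/layer3.c:1504

Address 0x7fa590d1b958 is located in stack of thread T0 at offset 18776 in frame
    #0 0x4341ff in main /var/tmp/portage/media-sound/aacgain-1.9/work/aacgain-1.9/mp3gain/mp3gain.c:1411

  This frame has 7 object(s):
    [32, 33) 'maxgain'
    [96, 97) 'mingain'
    [160, 164) 'nprocsamp'
    [224, 232) 'maxsample'
    [288, 9504) 'lsamples'
    [9536, 18752) 'rsamples'
    [18784, 50704) 'mp'
"""


@dataclass
class StackObject:
    beg: int
    end: int   # exclusive, as in ASan's "[beg, end)" notation
    name: str


@dataclass
class Report:
    kind: str        # e.g. "stack-buffer-overflow"
    access: str      # "READ" or "WRITE"
    size: int        # bytes accessed
    crash_site: str  # "function file:line" taken from frame #0
    offset: int      # offset of the faulting address inside the frame
    objects: List[StackObject]


HEADER_RE = re.compile(r"AddressSanitizer: (\S+) on address 0x[0-9a-f]+")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+)", re.M)
FRAME0_RE = re.compile(r"^\s*#0 0x[0-9a-f]+ in (\S+) (\S+)", re.M)
OFFSET_RE = re.compile(r"at offset (\d+) in frame")
OBJECT_RE = re.compile(r"^\s*\[(\d+), (\d+)\) '([^']+)'", re.M)


def parse_report(text: str) -> Report:
    """Pull the fields a triager needs out of a raw ASan report."""
    kind = HEADER_RE.search(text).group(1)
    access, size = ACCESS_RE.search(text).groups()
    func, path = FRAME0_RE.search(text).groups()  # the first #0 is the crash site
    offset = int(OFFSET_RE.search(text).group(1))
    objects = [StackObject(int(b), int(e), n) for b, e, n in OBJECT_RE.findall(text)]
    return Report(kind, access, int(size), f"{func} {path.rsplit('/', 1)[-1]}", offset, objects)


def locate(offset: int, size: int, objects: List[StackObject]) -> List[Tuple[str, str]]:
    """Return (object name, relation) for the object(s) the access belongs to.
    An access in a redzone between two objects is attributed to the nearer one;
    the gap beyond the last object is treated as open-ended."""
    objs = sorted(objects, key=lambda o: o.beg)
    end = offset + size
    hits = []
    for i, o in enumerate(objs):
        prev_end = objs[i - 1].end if i else 0
        next_beg = objs[i + 1].beg if i + 1 < len(objs) else float("inf")
        rel = None
        if offset >= o.beg:
            if end <= o.end:
                rel = "is inside"
            elif offset < o.end:
                rel = "partially overflows"
            elif end <= next_beg and next_beg - end >= offset - o.end:
                rel = "overflows"
        elif end > o.beg:
            rel = "partially underflows"
        elif offset >= prev_end and offset - prev_end >= o.beg - end:
            rel = "underflows"
        if rel:
            hits.append((o.name, rel))
    return hits


def triage(text: str) -> str:
    """One-line bucket key: bug kind, access, crash site and the stack object hit."""
    r = parse_report(text)
    where = ", ".join(f"{rel} '{name}'" for name, rel in locate(r.offset, r.size, r.objects))
    return f"{r.kind} {r.access}:{r.size} @ {r.crash_site} -> {where}"


if __name__ == "__main__":
    print(triage(SAMPLE_REPORT))
```

For the report above it yields "underflows 'mp'": the 8-byte read at offset 18776 lands in the redzone immediately before 'mp', which matches the f2 (stack mid redzone) shadow byte at the fault.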

mp3gain: global buffer overflow in III_dequantize_sample (mpglibDBL/layer3.c)

Description:
mp3gain is a program that analyzes MP3 files and adjusts them to the same volume.

The fuzzing was done through the aacgain command-line tool, which uses mp3gain, which in turn bundles an old, modified version of mpg123 called mpglibDBL.
The upstream project seems to be dead, so the issue was not communicated to them.

The complete ASan output of the issue:

# aacgain -f $FILE
==23791==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000107ff80 at pc 0x0000008e2acc bp 0x7fff34f7d100 sp 0x7fff34f7d0f8
WRITE of size 8 at 0x00000107ff80 thread T0
    #0 0x8e2acb in III_dequantize_sample /var/tmp/portage/media-sound/aacgain-1.9/work/aacgain-1.9/mp3gain/mpglibDBL/layer3.c:779
    #1 0x8e2acb in do_layer3 /var/tmp/portage/media-sound/aacgain-1.9/work/aacgain-1.9/mp3gain/mpglibDBL/layer3.c:1646
    #2 0x8ac2f9 in decodeMP3 /var/tmp/portage/media-sound/aacgain-1.9/work/aacgain-1.9/mp3gain/mpglibDBL/interface.c:643
    #3 0x43e767 in main /var/tmp/portage/media-sound/aacgain-1.9/work/aacgain-1.9/mp3gain/mp3gain.c:2262
    #4 0x7f36927b3680 in __libc_start_main (/lib64/libc.so.6+0x20680)
    #5 0x4426c8 in _start (/usr/bin/aacgain+0x4426c8)

0x00000107ff80 is located 32 bytes to the left of global variable 'sideinfo' defined in 'layer3.c:1521:21' (0x107ffa0) of size 488
0x00000107ff80 is located 0 bytes to the right of global variable 'hybridIn' defined in 'layer3.c:1612:17' (0x107db80) of size 9216
SUMMARY: AddressSanitizer: global-buffer-overflow /var/tmp/portage/media-sound/aacgain-1.9/work/aacgain-1.9/mp3gain/mpglibDBL/layer3.c:779 in III_dequantize_sample
Shadow bytes around the buggy address:
  0x000080207fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080207fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080207fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080207fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080207fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x000080207ff0:[f9]f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080208000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080208010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080208020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080208030: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x000080208040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==23791==ABORTING

Affected version:
1.5.2

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-14409

Reproducer:
https://github.com/asarubbo/poc/blob/master/00350-aacgain-globaloverflow-III_dequantize_sample

Timeline:
2017-08-28: bug discovered
2017-09-08: blog post about the issue
2017-09-13: CVE Assigned

Note:
This bug was found with American Fuzzy Lop.
This bug was identified with bare metal servers donated by Packet. This work is also supported by the Core Infrastructure Initiative.

mp3gain: memcpy-param-overlap in set_pointer (mpglibDBL/common.c)

Description:
mp3gain is a program that analyzes MP3 files and adjusts them to the same volume.

The fuzzing was done through the aacgain command-line tool, which uses mp3gain, which in turn bundles an old, modified version of mpg123 called mpglibDBL.
The upstream project seems to be dead, so the issue was not communicated to them.

The complete ASan output of the issue:

# aacgain -f $FILE
==23175==ERROR: AddressSanitizer: memcpy-param-overlap: memory ranges [0x7f004fb593ff,0x7f004fb594fd) and [0x7f004fb59381, 0x7f004fb5947f) overlap
    #0 0x7f00532d5906  (/usr/lib/gcc/x86_64-pc-linux-gnu/6.4.0/libasan.so.3+0x5c906)
    #1 0x8e9b25 in set_pointer /var/tmp/portage/media-sound/aacgain-1.9/work/aacgain-1.9/mp3gain/mpglibDBL/common.c:328
    #2 0x8cd58d in do_layer3 /var/tmp/portage/media-sound/aacgain-1.9/work/aacgain-1.9/mp3gain/mpglibDBL/layer3.c:1582
    #3 0x8ac2f9 in decodeMP3 /var/tmp/portage/media-sound/aacgain-1.9/work/aacgain-1.9/mp3gain/mpglibDBL/interface.c:643
    #4 0x43e767 in main /var/tmp/portage/media-sound/aacgain-1.9/work/aacgain-1.9/mp3gain/mp3gain.c:2262
    #5 0x7f00525ee680 in __libc_start_main (/lib64/libc.so.6+0x20680)
    #6 0x4426c8 in _start (/usr/bin/aacgain+0x4426c8)

Address 0x7f004fb593ff is located in stack of thread T0 at offset 21503 in frame
    #0 0x4341ff in main /var/tmp/portage/media-sound/aacgain-1.9/work/aacgain-1.9/mp3gain/mp3gain.c:1411

  This frame has 7 object(s):
    [32, 33) 'maxgain'
    [96, 97) 'mingain'
    [160, 164) 'nprocsamp'
    [224, 232) 'maxsample'
    [288, 9504) 'lsamples'
    [9536, 18752) 'rsamples'
    [18784, 50704) 'mp' <== Memory access at offset 21503 is inside this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
Address 0x7f004fb59381 is located in stack of thread T0 at offset 21377 in frame
    #0 0x4341ff in main /var/tmp/portage/media-sound/aacgain-1.9/work/aacgain-1.9/mp3gain/mp3gain.c:1411

  This frame has 7 object(s):
    [32, 33) 'maxgain'
    [96, 97) 'mingain'
    [160, 164) 'nprocsamp'
    [224, 232) 'maxsample'
    [288, 9504) 'lsamples'
    [9536, 18752) 'rsamples'
    [18784, 50704) 'mp' <== Memory access at offset 21377 is inside this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: memcpy-param-overlap (/usr/lib/gcc/x86_64-pc-linux-gnu/6.4.0/libasan.so.3+0x5c906) 
==23175==ABORTING

Affected version:
1.5.2

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

Reproducer:
https://github.com/asarubbo/poc/blob/master/00349-aacgain-memcpyparamoverlap-set_pointer

Timeline:
2017-08-28: bug discovered
2017-09-08: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.
This bug was identified with bare metal servers donated by Packet. This work is also supported by the Core Infrastructure Initiative.

mp3gain: stack-based buffer overflow in copy_mp (mpglibDBL/interface.c)

Description:
mp3gain is a program that analyzes MP3 files and adjusts them to the same volume.

The fuzzing was done through the aacgain command-line tool, which uses mp3gain, which in turn bundles an old, modified version of mpg123 called mpglibDBL.
The upstream project seems to be dead, so the issue was not communicated to them.

The complete ASan output of the issue:

# aacgain -f $FILE
==17667==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f71080af610 at pc 0x7f710b824cfb bp 0x7ffd67817fa0 sp 0x7ffd67817750
WRITE of size 72 at 0x7f71080af610 thread T0
    #0 0x7f710b824cfa  (/usr/lib/gcc/x86_64-pc-linux-gnu/6.4.0/libasan.so.3+0x5ccfa)
    #1 0x8a8ad0 in copy_mp /var/tmp/portage/media-sound/aacgain-1.9/work/aacgain-1.9/mp3gain/mpglibDBL/interface.c:188
    #2 0x8ac8bd in decodeMP3 /var/tmp/portage/media-sound/aacgain-1.9/work/aacgain-1.9/mp3gain/mpglibDBL/interface.c:685
    #3 0x43e767 in main /var/tmp/portage/media-sound/aacgain-1.9/work/aacgain-1.9/mp3gain/mp3gain.c:2262
    #4 0x7f710ab3d680 in __libc_start_main (/lib64/libc.so.6+0x20680)
    #5 0x4426c8 in _start (/usr/bin/aacgain+0x4426c8)

Address 0x7f71080af610 is located in stack of thread T0 at offset 50704 in frame
    #0 0x4341ff in main /var/tmp/portage/media-sound/aacgain-1.9/work/aacgain-1.9/mp3gain/mp3gain.c:1411

  This frame has 7 object(s):
    [32, 33) 'maxgain'
    [96, 97) 'mingain'
    [160, 164) 'nprocsamp'
    [224, 232) 'maxsample'
    [288, 9504) 'lsamples'
    [9536, 18752) 'rsamples'
    [18784, 50704) 'mp'
Shadow bytes around the buggy address:
=>0x0feea100dec0: 00 00[f4]f4 f3 f3 f3 f3 00 00 00 00 00 00 00 00
  0x0feea100ded0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0feea100dee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0feea100def0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0feea100df00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0feea100df10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==17667==ABORTING

Affected version:
1.5.2

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-14411

Reproducer:
https://github.com/asarubbo/poc/blob/master/00348-aacgain-stackoverflow-copy_mp

Timeline:
2017-08-28: bug discovered
2017-09-08: blog post about the issue
2017-09-13: CVE Assigned

Note:
This bug was found with American Fuzzy Lop.
This bug was identified with bare metal servers donated by Packet. This work is also supported by the Core Infrastructure Initiative.

mp3gain: NULL pointer dereference in sync_buffer (mpglibDBL/interface.c)

Description:
mp3gain is a program that analyzes MP3 files and adjusts them to the same volume.

The fuzzing was done through the aacgain command-line tool, which uses mp3gain, which in turn bundles an old, modified version of mpg123 called mpglibDBL.
The upstream project seems to be dead, so the issue was not communicated to them.

The complete ASan output of the issue:

# aacgain -f $FILE
ASAN:DEADLYSIGNAL
=================================================================
==23063==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x0000008aafe0 bp 0x7ffe06c66450 sp 0x7ffe06c663f0 T0)
    #0 0x8aafdf in sync_buffer /var/tmp/portage/media-sound/aacgain-1.9/work/aacgain-1.9/mp3gain/mpglibDBL/interface.c:393
    #1 0x8ae64c in decodeMP3 /var/tmp/portage/media-sound/aacgain-1.9/work/aacgain-1.9/mp3gain/mpglibDBL/interface.c:665
    #2 0x43e767 in main /var/tmp/portage/media-sound/aacgain-1.9/work/aacgain-1.9/mp3gain/mp3gain.c:2262
    #3 0x7fa37f734680 in __libc_start_main (/lib64/libc.so.6+0x20680)
    #4 0x4426c8 in _start (/usr/bin/aacgain+0x4426c8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/media-sound/aacgain-1.9/work/aacgain-1.9/mp3gain/mpglibDBL/interface.c:393 in sync_buffer
==23063==ABORTING

Affected version:
1.5.2

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-14406

Reproducer:
https://github.com/asarubbo/poc/blob/master/00347-aacgain-NULLptr-sync_buffer

Timeline:
2017-08-28: bug discovered
2017-09-08: blog post about the issue
2017-09-13: CVE Assigned

Note:
This bug was found with American Fuzzy Lop.
This bug was identified with bare metal servers donated by Packet. This work is also supported by the Core Infrastructure Initiative.

mp3gain: stack-based buffer overflow in filterYule (gain_analysis.c)

Description:
mp3gain is a program that analyzes MP3 files and adjusts them to the same volume.

The fuzzing was done through the aacgain command-line tool, which uses mp3gain.
The upstream project seems to be dead, so the issue was not communicated to them.

The complete ASan output of the issue:

# aacgain -f $FILE
==18941==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f2d1e9cd520 at pc 0x00000088af27 bp 0x7ffc10f47b20 sp 0x7ffc10f47b18
READ of size 8 at 0x7f2d1e9cd520 thread T0
    #0 0x88af26 in filterYule /var/tmp/portage/media-sound/aacgain-1.9/work/aacgain-1.9/mp3gain/gain_analysis.c:195
    #1 0x88bfcc in AnalyzeSamples /var/tmp/portage/media-sound/aacgain-1.9/work/aacgain-1.9/mp3gain/gain_analysis.c:344
    #2 0x43e89a in main /var/tmp/portage/media-sound/aacgain-1.9/work/aacgain-1.9/mp3gain/mp3gain.c:2281
    #3 0x7f2d21465680 in __libc_start_main (/lib64/libc.so.6+0x20680)
    #4 0x4426c8 in _start (/usr/bin/aacgain+0x4426c8)

Address 0x7f2d1e9cd520 is located in stack of thread T0 at offset 9504 in frame
    #0 0x4341ff in main /var/tmp/portage/media-sound/aacgain-1.9/work/aacgain-1.9/mp3gain/mp3gain.c:1411

  This frame has 7 object(s):
    [32, 33) 'maxgain'
    [96, 97) 'mingain'
    [160, 164) 'nprocsamp'
    [224, 232) 'maxsample'
    [288, 9504) 'lsamples'
    [9536, 18752) 'rsamples'
    [18784, 50704) 'mp'
Shadow bytes around the buggy address:
=>0x0fe623d31aa0: 00 00 00 00[f2]f2 f2 f2 00 00 00 00 00 00 00 00
  0x0fe623d31ab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe623d31ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe623d31ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe623d31ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fe623d31af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==18941==ABORTING

Affected version:
1.5.2

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-14407

Reproducer:
https://github.com/asarubbo/poc/blob/master/00345-aacgain-stackoverflow-filterYule

Timeline:
2017-08-28: bug discovered
2017-09-08: blog post about the issue
2017-09-13: CVE Assigned

Note:
This bug was found with American Fuzzy Lop.
This bug was identified with bare metal servers donated by Packet. This work is also supported by the Core Infrastructure Initiative.

aacplusenc: NULL pointer dereference in DeleteBitBuffer (bitbuffer.c)

Description:
aacplusenc is a High-Efficiency AAC (AAC+) encoder.

The complete ASan output of the issue:

# aacplusenc $FILE out.aac 32

*************************************************************
* Enhanced aacPlus Encoder
* Build Aug 30 2017, 14:40:49
* Matteo Croce
*************************************************************

input file 101.crashes.wav:
sr = 48000, nc = 1

output file out.aac:
br = 32000 sr-OUT = 48000  nc-OUT = 1

ASAN:DEADLYSIGNAL
=================================================================
==21496==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000030 (pc 0x000000562e2f bp 0x7ffc2ec32430 sp 0x7ffc2ec32430 T0)
==21496==The signal is caused by a WRITE memory access.
==21496==Hint: address points to the zero page.
    #0 0x562e2e in DeleteBitBuffer /var/tmp/portage/media-sound/aacplusenc-0.17.5/work/aacplusenc/libbitbuf/bitbuffer.c:97:23
    #1 0x50d909 in AacEncClose /var/tmp/portage/media-sound/aacplusenc-0.17.5/work/aacplusenc/libaacenc/aacenc.c:469:5
    #2 0x50c0df in main /var/tmp/portage/media-sound/aacplusenc-0.17.5/work/aacplusenc/aacplusenc.c:536:2
    #3 0x7f0e4c21b680 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r4/work/glibc-2.23/csu/../csu/libc-start.c:289
    #4 0x419e78 in _init (/usr/bin/aacplusenc+0x419e78)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/media-sound/aacplusenc-0.17.5/work/aacplusenc/libbitbuf/bitbuffer.c:97:23 in DeleteBitBuffer
==21496==ABORTING

Affected version:
0.17.5

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-14181

Reproducer:
https://github.com/asarubbo/poc/blob/master/00332-aacplusenc-NULLptr-DeleteBitBuffer

Timeline:
2017-08-31: bug discovered and reported to upstream
2017-09-07: blog post about the issue
2017-09-07: CVE assigned

Note:
This bug was found with American Fuzzy Lop.
This bug was identified with bare metal servers donated by Packet. This work is also supported by the Core Infrastructure Initiative.

libarchive: heap-based buffer overflow in xml_data (archive_read_support_format_xar.c)

Description:
libarchive is a multi-format archive and compression library.

The complete ASan output of the issue:

# bsdtar -t -f $FILE
==13144==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x631000038800 at pc 0x7fb1c808f650 bp 0x7ffdd1b40990 sp 0x7ffdd1b40988
READ of size 1 at 0x631000038800 thread T0
    #0 0x7fb1c808f64f in xml_data /var/tmp/portage/app-arch/libarchive-3.3.2/work/libarchive-3.3.2/libarchive/archive_read_support_format_xar.c
    #1 0x7fb1c808f64f in expat_data_cb /var/tmp/portage/app-arch/libarchive-3.3.2/work/libarchive-3.3.2/libarchive/archive_read_support_format_xar.c:3230
    #2 0x7fb1c697c3b6 in _init /var/tmp/portage/dev-libs/expat-2.2.1/work/expat-2.2.1/lib/xmlparse.c:2960
    #3 0x7fb1c697cb9b in _init /var/tmp/portage/dev-libs/expat-2.2.1/work/expat-2.2.1/lib/xmlparse.c:2418
    #4 0x7fb1c697e988 in _init /var/tmp/portage/dev-libs/expat-2.2.1/work/expat-2.2.1/lib/xmlparse.c:4366
    #5 0x7fb1c697f137 in _init /var/tmp/portage/dev-libs/expat-2.2.1/work/expat-2.2.1/lib/xmlparse.c:4089
    #6 0x7fb1c6980fc7 in XML_ParseBuffer /var/tmp/portage/dev-libs/expat-2.2.1/work/expat-2.2.1/lib/xmlparse.c:1915
    #7 0x7fb1c807d62a in expat_read_toc /var/tmp/portage/app-arch/libarchive-3.3.2/work/libarchive-3.3.2/libarchive/archive_read_support_format_xar.c:3273:8
    #8 0x7fb1c807d62a in read_toc /var/tmp/portage/app-arch/libarchive-3.3.2/work/libarchive-3.3.2/libarchive/archive_read_support_format_xar.c:584
    #9 0x7fb1c807d62a in xar_read_header /var/tmp/portage/app-arch/libarchive-3.3.2/work/libarchive-3.3.2/libarchive/archive_read_support_format_xar.c:677
    #10 0x7fb1c7f728ed in _archive_read_next_header2 /var/tmp/portage/app-arch/libarchive-3.3.2/work/libarchive-3.3.2/libarchive/archive_read.c:648:7
    #11 0x7fb1c7f72590 in _archive_read_next_header /var/tmp/portage/app-arch/libarchive-3.3.2/work/libarchive-3.3.2/libarchive/archive_read.c:686:8
    #12 0x51483f in read_archive /var/tmp/portage/app-arch/libarchive-3.3.2/work/libarchive-3.3.2/tar/read.c:260:7
    #13 0x513d89 in tar_mode_t /var/tmp/portage/app-arch/libarchive-3.3.2/work/libarchive-3.3.2/tar/read.c:94:2
    #14 0x50eaae in main /var/tmp/portage/app-arch/libarchive-3.3.2/work/libarchive-3.3.2/tar/bsdtar.c:858:3
    #15 0x7fb1c6ffe680 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r4/work/glibc-2.23/csu/../csu/libc-start.c:289
    #16 0x41c628 in _init (/usr/bin/bsdtar+0x41c628)

0x631000038800 is located 0 bytes to the right of 65536-byte region [0x631000028800,0x631000038800)
allocated by thread T0 here:
    #0 0x4d1fd8 in malloc /var/tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.1/work/compiler-rt-4.0.1.src/lib/asan/asan_malloc_linux.cc:66
    #1 0x7fb1c69811f5 in XML_GetBuffer /var/tmp/portage/dev-libs/expat-2.2.1/work/expat-2.2.1/lib/xmlparse.c:2004

SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/app-arch/libarchive-3.3.2/work/libarchive-3.3.2/libarchive/archive_read_support_format_xar.c in xml_data
Shadow bytes around the buggy address:
  0x0c627ffff0b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627ffff0c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627ffff0d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627ffff0e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627ffff0f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c627ffff100:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627ffff110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627ffff120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627ffff130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627ffff140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627ffff150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==13144==ABORTING

Affected version:
3.3.2

Fixed version:
N/A

Commit fix:
https://github.com/libarchive/libarchive/commit/fa7438a0ff4033e4741c807394a9af6207940d71

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-14166

Reproducer:
https://github.com/asarubbo/poc/blob/master/00316-libarchive-heapoverflow-archive_read_support_format_xar

Timeline:
2017-08-15: bug discovered and reported to upstream
2017-09-05: upstream released a patch
2017-09-06: blog post about the issue
2017-09-06: CVE assigned

Note:
This bug was found with American Fuzzy Lop.
This bug was identified with bare metal servers donated by Packet. This work is also supported by the Core Infrastructure Initiative.

graphicsmagick: memory allocation failure in MagickMalloc (memory.c)

Description:
graphicsmagick is a collection of tools and libraries for many image formats.

The relevant ASan output of the issue:

# gm convert -negate -clip $file out
==25373==End of process memory map.
==25373==AddressSanitizer CHECK failed: /var/tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.1/work/compiler-rt-4.0.1.src/lib/sanitizer_common/sanitizer_common.cc:120 "((0 && "unable to mmap")) != (0)" (0x0, 0x0)
    #0 0x4d966f in AsanCheckFailed /var/tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.1/work/compiler-rt-4.0.1.src/lib/asan/asan_rtl.cc:69
    #1 0x4f43d5 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) /var/tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.1/work/compiler-rt-4.0.1.src/lib/sanitizer_common/sanitizer_termination.cc:79
    #2 0x4e3a02 in __sanitizer::ReportMmapFailureAndDie(unsigned long, char const*, char const*, int, bool) /var/tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.1/work/compiler-rt-4.0.1.src/lib/sanitizer_common/sanitizer_common.cc:120
    #3 0x4ed305 in __sanitizer::MmapOrDie(unsigned long, char const*, bool) /var/tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.1/work/compiler-rt-4.0.1.src/lib/sanitizer_common/sanitizer_posix.cc:132
    #4 0x420a02 in __sanitizer::LargeMmapAllocator::Allocate(__sanitizer::AllocatorStats*, unsigned long, unsigned long) /var/tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.1/work/compiler-rt-4.0.1.src/lib/asan/../sanitizer_common/sanitizer_allocator_secondary.h:41
    #5 0x420a02 in __sanitizer::CombinedAllocator<__sanitizer::SizeClassAllocator64, __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64 >, __sanitizer::LargeMmapAllocator >::Allocate(__sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64 >*, unsigned long, unsigned long, bool, bool) /var/tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.1/work/compiler-rt-4.0.1.src/lib/asan/../sanitizer_common/sanitizer_allocator_combined.h:70
    #6 0x420a02 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) /var/tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.1/work/compiler-rt-4.0.1.src/lib/asan/asan_allocator.cc:407
    #7 0x420a02 in __asan::asan_malloc(unsigned long, __sanitizer::BufferedStackTrace*) /var/tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.1/work/compiler-rt-4.0.1.src/lib/asan/asan_allocator.cc:782
    #8 0x4cf664 in malloc /var/tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.1/work/compiler-rt-4.0.1.src/lib/asan/asan_malloc_linux.cc:67
    #9 0x7fc323f784d6 in MagickMalloc /var/tmp/portage/media-gfx/graphicsmagick-1.3.26/work/GraphicsMagick-1.3.26/magick/memory.c:156:10
    #10 0x7fc31e2b41a3 in ReadSUNImage /var/tmp/portage/media-gfx/graphicsmagick-1.3.26/work/GraphicsMagick-1.3.26/coders/sun.c:549:20
    #11 0x7fc323b96e88 in ReadImage /var/tmp/portage/media-gfx/graphicsmagick-1.3.26/work/GraphicsMagick-1.3.26/magick/constitute.c:1607:13
    #12 0x7fc323a29f18 in ConvertImageCommand /var/tmp/portage/media-gfx/graphicsmagick-1.3.26/work/GraphicsMagick-1.3.26/magick/command.c:4348:22
    #13 0x7fc323a660c5 in MagickCommand /var/tmp/portage/media-gfx/graphicsmagick-1.3.26/work/GraphicsMagick-1.3.26/magick/command.c:8869:17
    #14 0x7fc323b1185b in GMCommandSingle /var/tmp/portage/media-gfx/graphicsmagick-1.3.26/work/GraphicsMagick-1.3.26/magick/command.c:17396:10
    #15 0x7fc323b0e991 in GMCommand /var/tmp/portage/media-gfx/graphicsmagick-1.3.26/work/GraphicsMagick-1.3.26/magick/command.c:17449:16
    #16 0x7fc322379680 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r4/work/glibc-2.23/csu/../csu/libc-start.c:289
    #17 0x419cd8 in _init (/usr/bin/gm+0x419cd8)

/usr/bin/gm convert: abort due to signal 6 (SIGABRT) "Abort"...
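The ReadSUNImage frame above reached MagickMalloc with a request the sanitizer's allocator could not satisfy ("unable to mmap"). As an added example, not GraphicsMagick's code, this is the check a raster decoder can apply before a header-driven allocation, using the Sun raster header's width, height and depth fields and a caller-chosen byte limit (the function names, struct layout and limit value are assumptions for illustration):

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdbool.h>

/* Added example, not GraphicsMagick code: compute the pixel-buffer size a
 * Sun raster header asks for, and refuse it before malloc() when the product
 * overflows or exceeds a caller-chosen resource limit. Field names follow the
 * Sun raster header layout (ras_width, ras_height, ras_depth). */
struct sun_header {
    uint32_t width;      /* ras_width  */
    uint32_t height;     /* ras_height */
    uint32_t depth;      /* ras_depth: bits per pixel, 1/8/24/32 */
};

/* Returns true and stores the byte count in *out only when the request is sane. */
bool sun_pixel_buffer_size(const struct sun_header *h, size_t max_bytes, size_t *out)
{
    if (h->width == 0 || h->height == 0)
        return false;
    if (h->depth != 1 && h->depth != 8 && h->depth != 24 && h->depth != 32)
        return false;

    /* Sun raster scanlines are padded to 16-bit boundaries. */
    uint64_t bits_per_row  = (uint64_t)h->width * h->depth;
    uint64_t bytes_per_row = ((bits_per_row + 15) / 16) * 2;

    /* Overflow-safe multiply: check before computing the product. */
    if (bytes_per_row > UINT64_MAX / h->height)
        return false;
    uint64_t total = bytes_per_row * h->height;

    /* Enforce the limit: a header taken from the input must not be allowed
     * to drive an arbitrarily large allocation (the abort above is the
     * allocator giving up on such a request). */
    if (total > max_bytes || total > SIZE_MAX)
        return false;
    *out = (size_t)total;
    return true;
}

/* Allocate only after the size has been validated. */
void *sun_alloc_pixels(const struct sun_header *h, size_t max_bytes)
{
    size_t n;
    if (!sun_pixel_buffer_size(h, max_bytes, &n))
        return NULL;
    return malloc(n);
}
```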

Affected version:
1.3.26

Fixed version:
N/A

Commit fix:
http://hg.code.sf.net/p/graphicsmagick/code/rev/493da54370aa

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-14165

Reproducer:
https://github.com/asarubbo/poc/blob/master/00334-graphicsmagick-memallocfailure-MagickMalloc

Timeline:
2017-07-14: bug discovered and reported to upstream privately
2017-08-16: bug reported to the public upstream bugtracker
2017-08-20: upstream released a fix
2017-09-06: blog post about the issue
2017-09-06: CVE assigned

Note:
This bug was found with American Fuzzy Lop.
This bug was identified with bare metal servers donated by Packet. This work is also supported by the Core Infrastructure Initiative.

openjpeg: heap-based buffer overflow in opj_write_bytes_LE (cio.c) (INCOMPLETE FIX FOR CVE-2017-14152)

Description:
openjpeg is an open-source JPEG 2000 library.

The fix for CVE-2017-14152 seems not to have been enough.

The complete ASan output of the issue:

# opj_compress -r 20,10,1 -jpip -EPH -SOP -cinema2K 24 -n 1 -i $FILE -o null.j2k
TIFFReadDirectoryCheckOrder: Warning, Invalid TIFF directory; tags are not sorted in ascending order.
TIFFReadDirectory: Warning, Unknown field with tag 6376 (0x18e8) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 27154 (0x6a12) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 32512 (0x7f00) encountered.
TIFFReadDirectory: Warning, Unknown field with tag 15163 (0x3b3b) encountered.
TIFFFetchNormalTag: Warning, Sanity check on size of "Tag 6376" value failed; tag ignored.
TIFFFetchNormalTag: Warning, Incorrect count for "FillOrder"; tag ignored.
TIFFReadDirectory: Warning, TIFF directory is missing required "StripByteCounts" field, calculating from imagelength.
=================================================================
==62004==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6060000000b6 at pc 0x7fd4d46ef89a bp 0x7ffc068d7070 sp 0x7ffc068d7068
WRITE of size 1 at 0x6060000000b6 thread T0
    #0 0x7fd4d46ef899 in opj_write_bytes_LE /var/tmp/portage/media-libs/openjpeg-9999/work/openjpeg-9999/src/lib/openjp2/cio.c:67:23
    #1 0x7fd4d4736bef in opj_j2k_write_sot /var/tmp/portage/media-libs/openjpeg-9999/work/openjpeg-9999/src/lib/openjp2/j2k.c:4225:5
    #2 0x7fd4d4736bef in opj_j2k_write_all_tile_parts /var/tmp/portage/media-libs/openjpeg-9999/work/openjpeg-9999/src/lib/openjp2/j2k.c:11575
    #3 0x7fd4d4736bef in opj_j2k_post_write_tile /var/tmp/portage/media-libs/openjpeg-9999/work/openjpeg-9999/src/lib/openjp2/j2k.c:11287
    #4 0x7fd4d473545d in opj_j2k_encode /var/tmp/portage/media-libs/openjpeg-9999/work/openjpeg-9999/src/lib/openjp2/j2k.c:11028:15
    #5 0x7fd4d47802f8 in opj_encode /var/tmp/portage/media-libs/openjpeg-9999/work/openjpeg-9999/src/lib/openjp2/openjpeg.c:775:20
    #6 0x50b942 in main /var/tmp/portage/media-libs/openjpeg-9999/work/openjpeg-9999/src/bin/jp2/opj_compress.c:1993:36
    #7 0x7fd4d3117680 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r4/work/glibc-2.23/csu/../csu/libc-start.c:289
    #8 0x41bc18 in _start (/usr/bin/opj_compress+0x41bc18)

0x6060000000b6 is located 0 bytes to the right of 54-byte region [0x606000000080,0x6060000000b6)
allocated by thread T0 here:
    #0 0x4d15c8 in malloc /var/tmp/portage/sys-libs/compiler-rt-sanitizers-4.0.1/work/compiler-rt-4.0.1.src/lib/asan/asan_malloc_linux.cc:66
    #1 0x7fd4d482be29 in opj_malloc /var/tmp/portage/media-libs/openjpeg-9999/work/openjpeg-9999/src/lib/openjp2/opj_malloc.c:196:12
    #2 0x7fd4d4762760 in opj_j2k_update_rates /var/tmp/portage/media-libs/openjpeg-9999/work/openjpeg-9999/src/lib/openjp2/j2k.c:5157:22
    #3 0x7fd4d473937f in opj_j2k_exec /var/tmp/portage/media-libs/openjpeg-9999/work/openjpeg-9999/src/lib/openjp2/j2k.c:7954:33
    #4 0x7fd4d473937f in opj_j2k_start_compress /var/tmp/portage/media-libs/openjpeg-9999/work/openjpeg-9999/src/lib/openjp2/j2k.c:11103
    #5 0x7fd4d478019c in opj_start_compress /var/tmp/portage/media-libs/openjpeg-9999/work/openjpeg-9999/src/lib/openjp2/openjpeg.c:758:20
    #6 0x50b90f in main /var/tmp/portage/media-libs/openjpeg-9999/work/openjpeg-9999/src/bin/jp2/opj_compress.c:1970:20
    #7 0x7fd4d3117680 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r4/work/glibc-2.23/csu/../csu/libc-start.c:289

SUMMARY: AddressSanitizer: heap-buffer-overflow /var/tmp/portage/media-libs/openjpeg-9999/work/openjpeg-9999/src/lib/openjp2/cio.c:67:23 in opj_write_bytes_LE
Shadow bytes around the buggy address:
  0x0c0c7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0c7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0c7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0c7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0c7fff8000: fa fa fa fa 00 00 00 00 00 00 07 fa fa fa fa fa
=>0x0c0c7fff8010: 00 00 00 00 00 00[06]fa fa fa fa fa 00 00 00 00
  0x0c0c7fff8020: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0c7fff8030: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
  0x0c0c7fff8040: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
  0x0c0c7fff8050: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0c7fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==62004==ABORTING
CINEMA 2K profile activated
Other options specified could be overridden
[WARNING] JPEG 2000 Profile-3 and 4 (2k/4k dc profile) requires:
1 single quality layer-> Number of layers forced to 1 (rather than 3)
-> Rate of the last layer (1.0) will be used[INFO] tile number 1 / 1
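The trace shows a one-byte write landing exactly at the end of a 54-byte heap region allocated in opj_j2k_update_rates, while opj_j2k_write_sot is emitting a tile-part header. As an added example, not OpenJPEG's code, here is a writer that carries the buffer capacity together with the cursor, so that a buffer sized too small for the SOT marker segment makes the write fail cleanly instead of overflowing (struct and function names are assumptions; the SOT field layout follows the JPEG 2000 codestream format):

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Added example, not OpenJPEG code: a cursor over a fixed-capacity output
 * buffer whose write helper refuses to exceed the capacity, in contrast to a
 * raw-pointer writer that trusts the caller's earlier size computation. */
struct out_buf {
    uint8_t *data;
    size_t   cap;   /* bytes allocated */
    size_t   pos;   /* bytes written so far, always <= cap */
};

/* Write the low n bytes of value most-significant byte first (JPEG 2000
 * codestream fields are big-endian); returns false and writes nothing if
 * the n bytes would not fit in the remaining room. */
bool put_be(struct out_buf *b, uint32_t value, size_t n)
{
    if (n > 4 || n > b->cap - b->pos)
        return false;
    for (size_t i = 0; i < n; i++)
        b->data[b->pos + i] = (uint8_t)(value >> (8 * (n - 1 - i)));
    b->pos += n;
    return true;
}

/* Emit an SOT marker segment (12 bytes: marker, Lsot, Isot, Psot, TPsot,
 * TNsot). Every field goes through put_be, so an undersized buffer fails. */
bool write_sot(struct out_buf *b, uint16_t tile_index, uint32_t tile_part_len,
               uint8_t tile_part_index, uint8_t num_tile_parts)
{
    size_t start = b->pos;
    if (put_be(b, 0xFF90, 2) &&          /* SOT marker */
        put_be(b, 10, 2) &&              /* Lsot: segment length */
        put_be(b, tile_index, 2) &&      /* Isot */
        put_be(b, tile_part_len, 4) &&   /* Psot */
        put_be(b, tile_part_index, 1) && /* TPsot */
        put_be(b, num_tile_parts, 1))    /* TNsot */
        return true;
    b->pos = start;   /* roll back any partially written fields */
    return false;
}

/* Self-check: does one SOT segment fit in a buffer of cap bytes (cap <= 32)? */
bool sot_fits(size_t cap)
{
    uint8_t scratch[32];
    struct out_buf b = { scratch, cap < sizeof scratch ? cap : sizeof scratch, 0 };
    return write_sot(&b, 0, 0, 0, 1);
}
```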

Affected version:
2.2.0

Fixed version:
N/A

Commit fix:
https://github.com/uclouvain/openjpeg/commit/dcac91b8c72f743bda7dbfa9032356bc8110098a

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-14164

Reproducer:
https://github.com/asarubbo/poc/blob/master/00321-openjpeg-heapoverflow-opj_write_bytes_LE

Timeline:
2017-08-16: bug discovered and reported to upstream
2017-08-16: upstream released a fix
2017-09-06: blog post about the issue
2017-09-06: CVE assigned

Note:
This bug was found with American Fuzzy Lop.
This bug was identified with bare metal servers donated by Packet. This work is also supported by the Core Infrastructure Initiative.
