{"id":1195,"date":"2017-02-20T16:17:56","date_gmt":"2017-02-20T14:17:56","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=1195"},"modified":"2017-03-13T11:07:18","modified_gmt":"2017-03-13T09:07:18","slug":"audiofile-heap-based-buffer-overflow-in-msadpcminitializecoefficients-msadpcm-cpp","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2017\/02\/20\/audiofile-heap-based-buffer-overflow-in-msadpcminitializecoefficients-msadpcm-cpp\/","title":{"rendered":"audiofile: heap-based buffer overflow in MSADPCM::initializeCoefficients (MSADPCM.cpp)"},"content":{"rendered":"<p><strong>Description<\/strong>:<br \/>\n<a href=\"http:\/\/www.68k.org\/~michael\/audiofile\/\">audiofile<\/a> is a C-based library for reading and writing audio files in many common formats.<\/p>\n<p>A fuzz with a wav file as input produced an heap overflow.<\/p>\n<p>The complete ASan output:<\/p>\n<pre><font size=\"2\"># sfinfo $FILE\r\n==6096==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a00001f708 at pc 0x0000004bbc35 bp 0x7ffd65dbabf0 sp 0x7ffd65dba3a0                                                       \r\nREAD of size 33872 at 0x61a00001f708 thread T0                                                                                                                                                 \r\n    #0 0x4bbc34 in __asan_memcpy \/tmp\/portage\/sys-devel\/llvm-3.9.1\/work\/llvm-3.9.1.src\/projects\/compiler-rt\/lib\/asan\/asan_interceptors.cc:413                                                  \r\n    #1 0x7efec209d7df in MSADPCM::initializeCoefficients() \/tmp\/portage\/media-libs\/audiofile-0.3.6-r3\/work\/audiofile-0.3.6\/libaudiofile\/modules\/MSADPCM.cpp:369:3                              \r\n    #2 0x7efec209d7df in MSADPCM::createDecompress(Track*, File*, bool, bool, long*) \/tmp\/portage\/media-libs\/audiofile-0.3.6-r3\/work\/audiofile-0.3.6\/libaudiofile\/modules\/MSADPCM.cpp:387      \r\n    #3 0x7efec2070da7 in ModuleState::initFileModule(_AFfilehandle*, Track*) \/tmp\/portage\/media-libs\/audiofile-0.3.6-r3\/work\/audiofile-0.3.6\/libaudiofile\/modules\/ModuleState.cpp:72:18        \r\n    #4 0x7efec207189d in ModuleState::init(_AFfilehandle*, Track*) \/tmp\/portage\/media-libs\/audiofile-0.3.6-r3\/work\/audiofile-0.3.6\/libaudiofile\/modules\/ModuleState.cpp:98:6                   \r\n    #5 0x7efec2053969 in _afOpenFile(int, File*, char const*, _AFfilehandle**, _AFfilesetup*) \/tmp\/portage\/media-libs\/audiofile-0.3.6-r3\/work\/audiofile-0.3.6\/libaudiofile\/openclose.cpp:396:18\r\n    #6 0x7efec2054331 in afOpenFile \/tmp\/portage\/media-libs\/audiofile-0.3.6-r3\/work\/audiofile-0.3.6\/libaudiofile\/openclose.cpp:217:6                                                           \r\n    #7 0x50a278 in printfileinfo \/tmp\/portage\/media-libs\/audiofile-0.3.6-r3\/work\/audiofile-0.3.6\/sfcommands\/printinfo.c:45:22                                                                  \r\n    #8 0x509f98 in main \/tmp\/portage\/media-libs\/audiofile-0.3.6-r3\/work\/audiofile-0.3.6\/sfcommands\/sfinfo.c:113:4                                                                              \r\n    #9 0x7efec111d78f in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289                                                                     \r\n    #10 0x419b68 in _init (\/usr\/bin\/sfinfo+0x419b68)                                                                                                                                           \r\n                                                                                                                                                                                               \r\n0x61a00001f708 is located 0 bytes to the right of 1160-byte region [0x61a00001f280,0x61a00001f708)                                                                                             \r\nallocated by thread T0 here:                                                                                                                                                                   \r\n    #0 0x4d2928 in malloc \/tmp\/portage\/sys-devel\/llvm-3.9.1\/work\/llvm-3.9.1.src\/projects\/compiler-rt\/lib\/asan\/asan_malloc_linux.cc:64                                                          \r\n    #1 0x7efec0b7c687 in operator new(unsigned long) (\/usr\/lib\/gcc\/x86_64-pc-linux-gnu\/6.3.0\/libstdc++.so.6+0xb2687)                                                                           \r\n    #2 0x7efec2052d63 in _afOpenFile(int, File*, char const*, _AFfilehandle**, _AFfilesetup*) \/tmp\/portage\/media-libs\/audiofile-0.3.6-r3\/work\/audiofile-0.3.6\/libaudiofile\/openclose.cpp:337:15\r\n    #3 0x7efec2054331 in afOpenFile \/tmp\/portage\/media-libs\/audiofile-0.3.6-r3\/work\/audiofile-0.3.6\/libaudiofile\/openclose.cpp:217:6                                                           \r\n    #4 0x50a278 in printfileinfo \/tmp\/portage\/media-libs\/audiofile-0.3.6-r3\/work\/audiofile-0.3.6\/sfcommands\/printinfo.c:45:22                                                                  \r\n    #5 0x509f98 in main \/tmp\/portage\/media-libs\/audiofile-0.3.6-r3\/work\/audiofile-0.3.6\/sfcommands\/sfinfo.c:113:4                                                                              \r\n    #6 0x7efec111d78f in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289                                                                     \r\n                                                                                                                                                                                               \r\nSUMMARY: AddressSanitizer: heap-buffer-overflow \/tmp\/portage\/sys-devel\/llvm-3.9.1\/work\/llvm-3.9.1.src\/projects\/compiler-rt\/lib\/asan\/asan_interceptors.cc:413 in __asan_memcpy                  \r\nShadow bytes around the buggy address:                                                                                                                                                         \r\n  0x0c347fffbe90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n  0x0c347fffbea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n  0x0c347fffbeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n  0x0c347fffbec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n  0x0c347fffbed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\r\n=&gt;0x0c347fffbee0: 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c347fffbef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c347fffbf00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c347fffbf10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c347fffbf20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c347fffbf30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n  Addressable:           00\r\n  Partially addressable: 01 02 03 04 05 06 07 \r\n  Heap left redzone:       fa\r\n  Heap right redzone:      fb\r\n  Freed heap region:       fd\r\n  Stack left redzone:      f1\r\n  Stack mid redzone:       f2\r\n  Stack right redzone:     f3\r\n  Stack partial redzone:   f4\r\n  Stack after return:      f5\r\n  Stack use after scope:   f8\r\n  Global redzone:          f9\r\n  Global init order:       f6\r\n  Poisoned by user:        f7\r\n  Container overflow:      fc\r\n  Array cookie:            ac\r\n  Intra object redzone:    bb\r\n  ASan internal:           fe\r\n  Left alloca redzone:     ca\r\n  Right alloca redzone:    cb\r\n==6096==ABORTING\r\n<\/font><\/pre>\n<p><strong>Affected version:<\/strong><br \/>\n0.3.6<\/p>\n<p><strong>Fixed version:<\/strong><br \/>\nN\/A<\/p>\n<p><strong>Commit fix:<\/strong><br \/>\nN\/A<\/p>\n<p><strong>Credit:<\/strong><br \/>\nThis bug was discovered by Agostino Sarubbo of Gentoo.<\/p>\n<p><strong>CVE:<\/strong><br \/>\nCVE-2017-6827<\/p>\n<p><strong>Reproducer:<\/strong><br \/>\n<a href=\"https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00136-audiofile-heapoverflow-MSADPCM-initializeCoefficients\">https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00136-audiofile-heapoverflow-MSADPCM-initializeCoefficients<\/a><\/p>\n<p><strong>Timeline:<\/strong><br \/>\n2017-01-30: bug discovered and reported to upstream<br \/>\n2017-02-20: blog post about the issue<br \/>\n2017-03-12: CVE assigned<\/p>\n<p><strong>Note:<\/strong><br \/>\nThis bug was found with <a href=\"http:\/\/lcamtuf.coredump.cx\/afl\">American Fuzzy Lop<\/a>.<\/p>\n<p><strong>Permalink:<\/strong><\/p>\n<blockquote data-secret=\"Ebn653kzDU\" class=\"wp-embedded-content\"><p><a href=\"http:\/\/blogs.gentoo.org\/ago\/2017\/02\/20\/audiofile-heap-based-buffer-overflow-in-msadpcminitializecoefficients-msadpcm-cpp\/\">audiofile: heap-based buffer overflow in MSADPCM::initializeCoefficients (MSADPCM.cpp)<\/a><\/p><\/blockquote>\n<p><iframe class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; clip: rect(1px, 1px, 1px, 1px);\" src=\"http:\/\/blogs.gentoo.org\/ago\/2017\/02\/20\/audiofile-heap-based-buffer-overflow-in-msadpcminitializecoefficients-msadpcm-cpp\/embed\/#?secret=Ebn653kzDU\" data-secret=\"Ebn653kzDU\" width=\"600\" height=\"338\" title=\"&#8220;audiofile: heap-based buffer overflow in MSADPCM::initializeCoefficients (MSADPCM.cpp)&#8221; &#8212; agostino&#039;s blog\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Description: audiofile is a C-based library for reading and writing audio files in many common formats. A fuzz with a wav file as input produced an heap overflow. The complete ASan output: # sfinfo $FILE ==6096==ERROR: AddressSanitizer: heap-buffer-overflow on address &hellip; <a href=\"https:\/\/blogs.gentoo.org\/ago\/2017\/02\/20\/audiofile-heap-based-buffer-overflow-in-msadpcminitializecoefficients-msadpcm-cpp\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":140,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[12,10],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p2EaBc-jh","_links":{"self":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1195"}],"collection":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/users\/140"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/comments?post=1195"}],"version-history":[{"count":7,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1195\/revisions"}],"predecessor-version":[{"id":1430,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1195\/revisions\/1430"}],"wp:attachment":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/media?parent=1195"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/categories?post=1195"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/tags?post=1195"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}