
Segmentation fault in FlacDecoderInternal::s_writeCallback when nqr::NyquistIO::Load loads a bad .flac file

Open bladchan opened this issue 1 year ago • 0 comments

Hi,

I am running some experiments for AFLAPI, and it has found a segmentation fault in FlacDecoderInternal::s_writeCallback when nqr::NyquistIO::Load loads a bad .flac file. This bug may allow attackers to cause a DoS, so I am reporting it here.

Environment: Ubuntu 20.04 + g++ 9.6.0

Test target: https://github.com/ddiakopoulos/libnyquist/blob/master/examples/src/Main.cpp

PoC: segv1.zip

To reproduce:

  1. Compile the whole project with ASAN.
  2. Compile the example with ASAN:
ubuntu@ubuntu:~/test/libnyquist/build/CMakeFiles/libnyquist-examples.dir/examples/src$ g++ -fsanitize=address -o example Main.cpp.o AudioDevice.cpp.o -llibnyquist -lrtaudio
  3. Run:
$ ./example ./segv1.flac

ASAN says:

ubuntu@ubuntu:~/test/libnyquist/build/CMakeFiles/libnyquist-examples.dir/examples/src$ ./example segv1.flac 
[rtaudio] Found: 3 device(s)
	Device: 0 - hw:Ensoniq AudioPCI,0
	Device: 1 - hw:Ensoniq AudioPCI,1
	Device: 2 - default

AddressSanitizer:DEADLYSIGNAL
=================================================================
==1646422==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7efc7260ec30 bp 0x7ffd0d1b4a80 sp 0x7ffd0d1b41e8 T0)
==1646422==The signal is caused by a READ memory access.
==1646422==Hint: address points to the zero page.
    #0 0x7efc7260ec2f  (/lib/x86_64-linux-gnu/libc.so.6+0xbbc2f)
    #1 0x7efc72b4a37e in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:790
    #2 0x563605538c2d in FlacDecoderInternal::s_writeCallback(FLAC__StreamDecoder const*, FLAC__Frame const*, int const* const*, void*) /home/ubuntu/test/libnyquist/src/FlacDecoder.cpp:164
    #3 0x5636055ac8ae in write_audio_frame_to_client_ /home/ubuntu/test/libnyquist/third_party/FLAC/src/stream_decoder.c:2972
    #4 0x56360559e1ac in read_frame_ /home/ubuntu/test/libnyquist/third_party/FLAC/src/stream_decoder.c:2146
    #5 0x56360558cf7b in FLAC__stream_decoder_process_until_end_of_stream /home/ubuntu/test/libnyquist/third_party/FLAC/src/stream_decoder.c:1101
    #6 0x5636055373b3 in FlacDecoderInternal::FlacDecoderInternal(nqr::AudioData*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/ubuntu/test/libnyquist/src/FlacDecoder.cpp:66
    #7 0x5636055361f0 in nqr::FlacDecoder::LoadFromPath(nqr::AudioData*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/ubuntu/test/libnyquist/src/FlacDecoder.cpp:247
    #8 0x5636054e7e4d in nqr::NyquistIO::Load(nqr::AudioData*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/ubuntu/test/libnyquist/src/Common.cpp:47
    #9 0x5636054cfaed in main /home/ubuntu/test/libnyquist/examples/src/Main.cpp:34
    #10 0x7efc72577082 in __libc_start_main ../csu/libc-start.c:308
    #11 0x5636054cf6dd in _start (/home/ubuntu/test/libnyquist/build/CMakeFiles/libnyquist-examples.dir/examples/src/example+0x826dd)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0xbbc2f) 
==1646422==ABORTING

Impact: An attacker can exploit this vulnerability by submitting a malicious elf file that exploits this bug which will result in a Denial of Service attack.

bladchan, Sep 09 '22 15:09
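The ASAN trace above shows memcpy reading from the zero page inside the FLAC write callback: a per-channel source pointer or a length taken from the malformed file reached the copy without being checked. The block below is an added example, not libnyquist's or libFLAC's code. It uses constructed stand-in types (FakeFrame, DecodeState, checkedWriteCallback and the scenario helpers are all hypothetical names, not the real FLAC__Frame or decoder API) to show a write callback that validates the frame's channel count, block size and buffer pointers against the stream's STREAMINFO limits and the destination's capacity before any memcpy, and aborts the decode otherwise.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Constructed stand-ins for the libFLAC types a write callback receives.
// They are NOT the real FLAC__Frame / FLAC__StreamDecoder definitions; they
// carry only the fields the checks below need (hypothetical names).
struct FakeFrameHeader { uint32_t blocksize; uint32_t channels; };
struct FakeFrame { FakeFrameHeader header; };

enum WriteStatus { WRITE_CONTINUE = 0, WRITE_ABORT = 1 };

// Decoder-side state the callback appends into. The limits come from the
// stream's STREAMINFO block (or a policy cap) and are fixed before the
// first audio frame is processed.
struct DecodeState {
    uint32_t expectedChannels;                 // STREAMINFO channel count
    uint32_t maxBlocksize;                     // STREAMINFO max block size
    size_t   maxSamplesPerChannel;             // memory cap for the whole decode
    std::vector<std::vector<int32_t>> planar;  // one sample vector per channel
};

// Hardened write callback. Every per-frame value originates in the file, so
// each is checked against what the stream promised and against the
// destination's capacity before memcpy dereferences a buffer pointer.
WriteStatus checkedWriteCallback(const FakeFrame* frame,
                                 const int32_t* const buffer[],
                                 void* clientData)
{
    DecodeState* st = static_cast<DecodeState*>(clientData);
    if (frame == nullptr || buffer == nullptr || st == nullptr) return WRITE_ABORT;

    const uint32_t channels  = frame->header.channels;
    const uint32_t blocksize = frame->header.blocksize;

    // A frame whose channel count disagrees with STREAMINFO is malformed.
    // Indexing buffer[ch] beyond the channels the decoder really filled is
    // how a null or stale pointer reaches memcpy.
    if (channels == 0 || channels != st->expectedChannels) return WRITE_ABORT;
    if (st->planar.size() != channels) return WRITE_ABORT;
    if (blocksize == 0 || blocksize > st->maxBlocksize) return WRITE_ABORT;

    // Every per-channel source pointer must be present.
    for (uint32_t ch = 0; ch < channels; ++ch)
        if (buffer[ch] == nullptr) return WRITE_ABORT;

    // Bound total memory growth so a long run of frames cannot exhaust it.
    const size_t have = st->planar[0].size();
    if (blocksize > st->maxSamplesPerChannel - have) return WRITE_ABORT;

    // Only now copy. The destination is grown first, so the copy length can
    // never exceed what the vector owns.
    for (uint32_t ch = 0; ch < channels; ++ch) {
        std::vector<int32_t>& dst = st->planar[ch];
        const size_t old = dst.size();
        dst.resize(old + blocksize);
        std::memcpy(dst.data() + old, buffer[ch],
                    static_cast<size_t>(blocksize) * sizeof(int32_t));
    }
    return WRITE_CONTINUE;
}

// Feeds one constructed frame into a fresh two-channel state (constructed
// input). nullSecondChannel simulates the decoder handing over a missing
// channel pointer, the shape of fault the ASAN report shows.
static WriteStatus runScenarioInto(DecodeState& st, uint32_t claimedChannels,
                                   uint32_t blocksize, bool nullSecondChannel)
{
    st = DecodeState{2, 4096, static_cast<size_t>(1) << 20, {}};
    st.planar.resize(2);
    std::vector<int32_t> left(blocksize, 1), right(blocksize, -1);
    const int32_t* chans[2] = { left.data(), nullSecondChannel ? nullptr : right.data() };
    FakeFrame frame{{blocksize, claimedChannels}};
    return checkedWriteCallback(&frame, chans, &st);
}

WriteStatus scenarioStatus(uint32_t claimedChannels, uint32_t blocksize, bool nullSecondChannel)
{
    DecodeState st;
    return runScenarioInto(st, claimedChannels, blocksize, nullSecondChannel);
}

size_t scenarioSamples(uint32_t claimedChannels, uint32_t blocksize, bool nullSecondChannel)
{
    DecodeState st;
    runScenarioInto(st, claimedChannels, blocksize, nullSecondChannel);
    return st.planar[0].size();  // samples accepted per channel (0 on abort)
}

int main()
{
    std::printf("well-formed frame : %d (samples=%zu)\n",
                scenarioStatus(2, 1024, false), scenarioSamples(2, 1024, false));
    std::printf("null channel ptr  : %d\n", scenarioStatus(2, 1024, true));
    std::printf("channel mismatch  : %d\n", scenarioStatus(3, 1024, false));
    std::printf("oversized block   : %d\n", scenarioStatus(2, 5000, false));
    return 0;
}
```

The ordering of the checks matters: the channel-count comparison runs before any buffer[ch] is read, so a frame that claims more channels than STREAMINFO declared never causes an out-of-bounds index into the pointer array, and the null-pointer check runs before the copy, so the decoder returns an abort status to libFLAC instead of faulting inside memcpy.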