audiofile icon indicating copy to clipboard operation
audiofile copied to clipboard

Published 20 hours ago verified publisher icon mpruett

heap-based buffer overflow in Expand3To4Module::run (SimpleModule.h)

Open asarubbo opened this issue 8 years ago • 5 comments

http://blogs.gentoo.org/ago/2017/02/20/audiofile-heap-based-buffer-overflow-in-expand3to4modulerun-simplemodule-h/

asarubbo avatar Feb 20 '17 16:02 asarubbo

This is fixed by 7d65f89 (part of pr #42)

antlarr avatar Mar 09 '17 10:03 antlarr

This is CVE-2017-6836

carnil avatar Mar 13 '17 19:03 carnil

This bug seems not patched. My fuzzer triggers same bug even in commit ce536d707b8e2a26baca77320398c45238224ca7. PoC is here https://github.com/jakkdu/poc/blob/master/000007-audiofile-heapovfl-Expand3To4Module-run

insuyun avatar Aug 19 '17 00:08 insuyun

Unless I'm missing something, the latest commit is on 30 August 2016, so there were no patches for all of issues reported by me.

asarubbo avatar Aug 19 '17 09:08 asarubbo

Correct me if I am wrong. I used the patch in the pull request. I though it's patch for this issue, but not applied to mainline yet.

insuyun avatar Aug 19 '17 10:08 insuyun