audiofile icon indicating copy to clipboard operation
audiofile copied to clipboard

Published 20 hours ago verified publisher icon mpruett

one heap buffer overflow in FilePOSIX::read in File.cpp

Open 92wyunchao opened this issue 5 years ago • 2 comments

one heap buffer overflow in FilePOSIX::read in File.cpp in master branch. poc.zip

$uname -a Linux ubuntu 4.15.0-70-generic #79~16.04.1-Ubuntu SMP Tue Nov 12 14:01:10 UTC 2019 x86_64 GNU/Linux

$./sfconvert poc.wav output format wave asan:

==90086==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a00001f708 at pc 0x7f64fd42ee55 bp 0x7ffcd6e8e290 sp 0x7ffcd6e8da38 WRITE of size 2 at 0x61a00001f708 thread T0 #0 0x7f64fd42ee54 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x45e54) #1 0x7f64fd14b8cb in FilePOSIX::read(void*, unsigned long) /home/s2e/asan/audiofile/libaudiofile/File.cpp:126 #2 0x7f64fd150ed9 in readValue /home/s2e/asan/audiofile/libaudiofile/FileHandle.cpp:353 #3 0x7f64fd14fc48 in readSwap /home/s2e/asan/audiofile/libaudiofile/FileHandle.cpp:375 #4 0x7f64fd14ee93 in _AFfilehandle::readS16(short*) /home/s2e/asan/audiofile/libaudiofile/FileHandle.cpp:397 #5 0x7f64fd16e393 in WAVEFile::parseFormat(Tag const&, unsigned int) /home/s2e/asan/audiofile/libaudiofile/WAVE.cpp:289 #6 0x7f64fd171751 in WAVEFile::readInit(_AFfilesetup*) /home/s2e/asan/audiofile/libaudiofile/WAVE.cpp:733 #7 0x7f64fd18067e in _afOpenFile /home/s2e/asan/audiofile/libaudiofile/openclose.cpp:356 #8 0x7f64fd17fab0 in afOpenFile /home/s2e/asan/audiofile/libaudiofile/openclose.cpp:217 #9 0x40251a in main /home/s2e/asan/audiofile/sfcommands/sfconvert.c:195 #10 0x7f64fcd7982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #11 0x401568 in _start (/home/s2e/asan/audiofile/tmp/bin/sfconvert+0x401568)

0x61a00001f708 is located 0 bytes to the right of 1160-byte region [0x61a00001f280,0x61a00001f708) allocated by thread T0 here: #0 0x7f64fd482532 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99532) #1 0x7f64fd14c4f1 in _AFfilehandle::create(int) /home/s2e/asan/audiofile/libaudiofile/FileHandle.cpp:80 #2 0x7f64fd18042e in _afOpenFile /home/s2e/asan/audiofile/libaudiofile/openclose.cpp:337 #3 0x7f64fd17fab0 in afOpenFile /home/s2e/asan/audiofile/libaudiofile/openclose.cpp:217 #4 0x40251a in main /home/s2e/asan/audiofile/sfcommands/sfconvert.c:195 #5 0x7f64fcd7982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ?? Shadow bytes around the buggy address: 0x0c347fffbe90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c347fffbea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c347fffbeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c347fffbec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c347fffbed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c347fffbee0: 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c347fffbef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c347fffbf00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c347fffbf10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c347fffbf20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c347fffbf30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe ==90086==ABORTING

92wyunchao avatar Nov 28 '19 10:11 92wyunchao

This appears to have been assigned CVE-2020-18781.

carnil avatar Aug 25 '23 21:08 carnil

It looks that the patch from https://github.com/mpruett/audiofile/issues/41 as proposed by https://github.com/antlarr/audiofile/commit/c48e4c6503f7dabd41f11d4c9c7b7f8960e7f2c0 fixes the issue.

carnil avatar Nov 07 '23 19:11 carnil