dbry / WavPack

WavPack encode/decode library, command-line programs, and several plugins
BSD 3-Clause "New" or "Revised" License

A heap Out-of-bounds Read in WavpackPackSamples (src/pack_utils.c) #110

Closed jeffreyer closed 2 years ago

jeffreyer commented 2 years ago

Hi,

I have found a heap out-of-bounds read bug in the function WavpackPackSamples, based on the commit a0ba858455b7c94f26c8f75511592323a70c3feb. The code that caused the crash is shown below: source:src/pack_utils.c+632

    628              if (wps->wphdr.flags & MONO_FLAG) {
    629                  switch (wpc->config.bytes_per_sample) {
    630                      case 1:
    631                          while (cnt--) {
 →  632                              *dptr++ = (signed char) *sptr;
    633                              sptr += nch;
    634                          }
    635
    636                          break;

The variable cnt is too large, which makes the pointer sptr read beyond the heap bound.

Crash file: crash.zip
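The loop pattern from the report with the missing bound made explicit, as an added example that is not part of the original issue and is not the project's fix. The function name, the buffer types (`int32_t` source, `signed char` destination) and the length parameters are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not WavPack code. Assumed layout: src holds src_len
 * int32_t values as interleaved frames of nch channels, and dst has room for
 * dst_len 8-bit samples. Returns 0 on success, -1 if cnt does not fit. */
int copy_first_channel_8bit(signed char *dst, size_t dst_len,
                            const int32_t *src, size_t src_len,
                            size_t nch, size_t cnt)
{
    size_t i;

    if (nch == 0)
        return -1;
    if (cnt == 0)
        return 0;
    if (cnt > dst_len || src_len == 0)
        return -1;
    /* The last read is src[(cnt - 1) * nch]. Reject it before reading,
     * phrased as a division so the multiplication cannot wrap around. */
    if (cnt - 1 > (src_len - 1) / nch)
        return -1;

    /* Index instead of advancing a pointer by nch, so no pointer past the
     * end of the source allocation is ever formed. */
    for (i = 0; i < cnt; i++)
        dst[i] = (signed char) src[i * nch];
    return 0;
}

int main(void)
{
    /* Constructed sample: three stereo frames, first channel is 1, -2, 3. */
    const int32_t frames[6] = { 1, 100, -2, 100, 3, 100 };
    signed char out[8];

    printf("cnt=3 -> %d\n", copy_first_channel_8bit(out, 8, frames, 6, 2, 3));
    /* An oversized count, as in the report, is refused instead of read. */
    printf("cnt=4 -> %d\n", copy_first_channel_8bit(out, 8, frames, 6, 2, 4));
    return 0;
}
```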

dbry commented 2 years ago

Thanks so much for reporting this...quite a catch! Please let me know if you find anything else.

Fixed in https://github.com/dbry/WavPack/commit/773f9d0803c6888ae7d5391878d7337f24216f4a .

carnil commented 2 years ago

CVE-2021-44269 appears to have been assigned for this issue.

dbry commented 2 years ago

Thanks for the heads up! Fortunately this doesn't affect libwavpack (only the command-line program) and it can only cause a crash (no code execution). So the only possible security issue would be a denial-of-service for a website that uses the WavPack command-line program on user-provided files. And the only site I know about that did that stopped supporting WavPack a long time ago.