dbry / WavPack

WavPack encode/decode library, command-line programs, and several plugins
BSD 3-Clause "New" or "Revised" License

Memory leak on wavpack #165

Closed Frank-Z7 closed 1 year ago

Frank-Z7 commented 1 year ago

Memory leak on wavpack


Description

We found a memory leak bug when we used wavpack to convert WAV files to .wv files under the specific configuration options "-bn=22.1 -c -v [inputfile] -o".

It should be noted that wavpack (version 5.2.0-1) downloaded through apt-get may also trigger this vulnerability, which may endanger the system security of Debian users.


Version

wavpack 5.6.6, the latest version.

root@38ad1e4b9d16:/afltest/wavpackgit# ./cli/wavpack --version
wavpack 5.6.6
libwavpack 5.6.6


Reference

http://www.wavpack.com/

https://github.com/dbry/WavPack

Actual Behavior

Memory leak

PoC

wavpackpoc1: https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/wavpackpoc1

Reproduction

git clone https://github.com/dbry/WavPack.git wavpackgit
cd wavpackgit
./autogen.sh
CFLAGS="-fsanitize=address -fno-omit-frame-pointer -g" CXXFLAGS=" -fsanitize=address -fno-omit-frame-pointer -g" ./configure
make

./cli/wavpack -bn=22.1 -c -v wavpackpoc1 -o ./test1.wv

ASAN Log

=================================================================
==437243==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 4106 byte(s) in 1 object(s) allocated from:
    #0 0x7ffff7699808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x5555555684e7 in main cli/wavpack.c:928
    #2 0x7ffff71dc082 in __libc_start_main ../csu/libc-start.c:308

Direct leak of 8 byte(s) in 1 object(s) allocated from:
    #0 0x7ffff7699c3e in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:163
    #1 0x555555568587 in main cli/wavpack.c:934
    #2 0x7ffff71dc082 in __libc_start_main ../csu/libc-start.c:308

Indirect leak of 21 byte(s) in 1 object(s) allocated from:
    #0 0x7ffff7699808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x5555555685e9 in main cli/wavpack.c:935
    #2 0x7ffff71dc082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: 4135 byte(s) leaked in 3 allocation(s).


Location

(screenshot of the allocation site in cli/wavpack.c only; not reproduced in text)

Environment

ubuntu:20.04
gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)
clang version 10.0.0-4ubuntu1

Credit

Zeng Yunxiang ([Huazhong University of Science and Technology](http://cse.hust.edu.cn/))

dbry commented 1 year ago

Thanks very much for reporting this, and for the detailed analysis!

It turns out that the problem has nothing to do with the test file. The problem is that there is a syntax error (several, actually) in the command line and the program is reporting those and terminating early. You can see the error messages above ("illegal option"). This was actually reported once before in issue #124 and I discuss it there in great detail.

In short, I do not consider this a possible security vulnerability, but if you can explain how this might be exploited I would be happy to listen.
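The pattern behind this report, shown as an added example (not WavPack's code): a command-line front end accumulates file names on the heap, then bails out with "illegal option" before the normal cleanup runs. Because the only pointer to the list was a local in `main`, LeakSanitizer reports the allocations as a "direct leak" at exit, which matches the log above (malloc/realloc in `main`, no further frames). The option names `-c`, `-v` and `-o`, the helper names and the argv arrays are hypothetical and do not follow wavpack's real option grammar; they only reproduce the shape of the error path. `parse_args_leaky` returns without freeing, `parse_args_clean` releases the list on the error path too.

```c
/* Added example, not part of WavPack. Demonstrates an early-exit leak on an
 * "illegal option" path and the cleaned-up variant. Option names, helper
 * names and argv contents are hypothetical/constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct file_list {
    char **names;   /* heap array of heap-allocated strings */
    int count;
};

static void free_file_list(struct file_list *fl)
{
    for (int i = 0; i < fl->count; i++)
        free(fl->names[i]);
    free(fl->names);
    fl->names = NULL;
    fl->count = 0;
}

/* Append a copy of name (realloc the array, malloc the string), like a
 * CLI building its input list. Returns 0 on success, -1 on allocation failure. */
static int push_name(struct file_list *fl, const char *name)
{
    char **grown = realloc(fl->names, (size_t)(fl->count + 1) * sizeof *grown);
    if (!grown)
        return -1;
    fl->names = grown;
    size_t len = strlen(name) + 1;
    char *copy = malloc(len);
    if (!copy)
        return -1;
    memcpy(copy, name, len);
    fl->names[fl->count++] = copy;
    return 0;
}

/* Hypothetical legal flags; anything else starting with '-' is illegal. */
static int legal_option(const char *opt)
{
    return !strcmp(opt, "-c") || !strcmp(opt, "-v") || !strcmp(opt, "-o");
}

/* Shared loop: fills fl, returns 0 on success, 1 on an illegal option
 * (reported on stderr), 2 on allocation failure. Does not free anything. */
static int parse_into(int argc, char **argv, struct file_list *fl)
{
    for (int i = 1; i < argc; i++) {
        if (argv[i][0] == '-') {
            if (!legal_option(argv[i])) {
                fprintf(stderr, "illegal option: %s\n", argv[i]);
                return 1;
            }
            if (!strcmp(argv[i], "-o"))
                i++;  /* -o consumes the output path */
        } else if (push_name(fl, argv[i]) != 0) {
            return 2;
        }
    }
    return 0;
}

/* The pattern LSan flagged: the early return drops the only pointer to the
 * list, so at process exit it is unreachable and reported as a direct leak. */
int parse_args_leaky(int argc, char **argv, struct file_list *out)
{
    struct file_list fl = { NULL, 0 };
    int rc = parse_into(argc, argv, &fl);
    if (rc != 0)
        return rc;
    *out = fl;
    return 0;
}

/* Same logic with the error path cleaned up. */
int parse_args_clean(int argc, char **argv, struct file_list *out)
{
    struct file_list fl = { NULL, 0 };
    int rc = parse_into(argc, argv, &fl);
    if (rc != 0) {
        free_file_list(&fl);
        return rc;
    }
    *out = fl;
    return 0;
}

int main(void)
{
    /* Constructed argv: an input file is seen before the bogus option, so
     * memory is already allocated when parsing aborts. Build with
     * -fsanitize=address to see LSan report the leaky variant at exit. */
    char *bad[] = { "wavpack", "poc", "-c", "-v", "-bn=22.1", "-o", "out.wv" };
    char *good[] = { "wavpack", "-c", "-v", "poc", "-o", "out.wv" };
    struct file_list fl = { NULL, 0 };

    int rc = parse_args_leaky(7, bad, &fl);   /* rc == 1, list leaked */
    printf("leaky parse of bad argv: rc=%d\n", rc);

    rc = parse_args_clean(6, good, &fl);      /* rc == 0, one file */
    printf("clean parse of good argv: rc=%d, %d file(s)\n", rc, fl.count);
    free_file_list(&fl);
    return 0;
}
```

Run it once under `-fsanitize=address` and LeakSanitizer prints a report only for the leaky call; the process never touches freed or out-of-bounds memory, which is why a leak of this shape, in a one-shot process that is about to exit, is a code-hygiene issue rather than a memory-safety one. If such exit-path reports get in the way while fuzzing, `ASAN_OPTIONS=detect_leaks=0` turns LSan off without disabling the rest of ASan.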

Frank-Z7 commented 1 year ago

Thanks a lot!