dbry / WavPack

WavPack encode/decode library, command-line programs, and several plugins
BSD 3-Clause "New" or "Revised" License

AddressSanitizer: heap-buffer-overflow (Read OOB) at src/open_utils.c:1215 #54

Closed hongxuchen closed 5 years ago

hongxuchen commented 5 years ago

As of 6673775, when running wvunpack $FILE, it may result in a read out-of-bounds error on variable dp inside WavpackVerifySingleBlock (blind decode mode is ok).

=================================================================
==10571==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000000054 at pc 0x7fc8ab060e41 bp 0x7fff4f2a4b30 sp 0x7fff4f2a4b28
READ of size 1 at 0x606000000054 thread T0
    #0 0x7fc8ab060e40 in WavpackVerifySingleBlock /home/hongxu/FOT/WavPack/src/open_utils.c:1215:19
    #1 0x7fc8ab05d9e7 in WavpackOpenFileInputEx64 /home/hongxu/FOT/WavPack/src/open_utils.c:124:14
    #2 0x7fc8ab06b401 in WavpackOpenFileInput /home/hongxu/FOT/WavPack/src/open_filename.c:261:12
    #3 0x517a4c in unpack_file /home/hongxu/FOT/WavPack/cli/wvunpack.c:1049:11
    #4 0x51668b in main /home/hongxu/FOT/WavPack/cli/wvunpack.c:765:22
    #5 0x7fc8a9c05b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #6 0x41b419 in _start (/home/hongxu/FOT/WavPack/install/bin/wvunpack+0x41b419)

0x606000000054 is located 0 bytes to the right of 52-byte region [0x606000000020,0x606000000054)
allocated by thread T0 here:
    #0 0x4db2d0 in __interceptor_malloc (/home/hongxu/FOT/WavPack/install/bin/wvunpack+0x4db2d0)
    #1 0x7fc8ab05d612 in WavpackOpenFileInputEx64 /home/hongxu/FOT/WavPack/src/open_utils.c:111:43
    #2 0x7fc8ab06b401 in WavpackOpenFileInput /home/hongxu/FOT/WavPack/src/open_filename.c:261:12
    #3 0x517a4c in unpack_file /home/hongxu/FOT/WavPack/cli/wvunpack.c:1049:11
    #4 0x51668b in main /home/hongxu/FOT/WavPack/cli/wvunpack.c:765:22
    #5 0x7fc8a9c05b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hongxu/FOT/WavPack/src/open_utils.c:1215:19 in WavpackVerifySingleBlock
Shadow bytes around the buggy address:
  0x0c0c7fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0c7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0c7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0c7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c0c7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c0c7fff8000: fa fa fa fa 00 00 00 00 00 00[04]fa fa fa fa fa
  0x0c0c7fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==10571==ABORTING

POCs: crashes.zip
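As an added illustration, not WavPack's code and not part of this issue: the fault class in the trace above is a block verifier that walks variable-length sub-blocks inside a malloc'd region and reads one byte past its end (the report shows a 1-byte read at offset 52 of a 52-byte region). The defence is to check every header and every payload against the bytes remaining before touching them. The sub-block layout used here (1-byte id, 1-byte length counted in 16-bit words, high bit of the id selecting a 16-bit length extension) is my own simplification for the example and is not claimed to be the real WavPack format; all input buffers are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical sub-block layout for this example (NOT WavPack's real format;
 * it only mimics the general shape): each sub-block starts with a 1-byte id
 * and a 1-byte length counted in 16-bit words. If the id's high bit
 * (EX_LARGE) is set, two further bytes extend the length. */
#define EX_LARGE 0x80

/* Walks the sub-blocks in buf[0..len). Returns the number of complete
 * sub-blocks, or -1 as soon as a header or payload would extend past len.
 * Every subtraction below is guarded so it cannot wrap. */
int verify_block(const uint8_t *buf, size_t len)
{
    size_t pos = 0;
    int count = 0;

    while (pos < len) {
        uint8_t id;
        size_t hdr_len, payload_len;

        /* the minimal header is 2 bytes; reading buf[pos+1] without this
         * check is exactly the kind of 1-byte overrun ASan reported */
        if (len - pos < 2)
            return -1;
        id = buf[pos];
        hdr_len = (id & EX_LARGE) ? 4 : 2;
        if (len - pos < hdr_len)
            return -1;

        payload_len = (size_t) buf[pos + 1] * 2;
        if (id & EX_LARGE)
            payload_len += ((size_t) buf[pos + 2] << 9) | ((size_t) buf[pos + 3] << 17);

        /* payload must fit in what is left after the header */
        if (payload_len > len - pos - hdr_len)
            return -1;

        pos += hdr_len + payload_len;
        count++;
    }
    return count;
}

/* Constructed sample inputs. */
const uint8_t good_block[] = { 0x21, 0x02, 'a', 'b', 'c', 'd', 0x22, 0x00 }; /* two sub-blocks */
const uint8_t truncated_block[] = { 0x21, 0x02, 'a', 'b' };       /* claims 4 bytes, has 2 */
const uint8_t short_large_block[] = { 0xA1, 0x00, 0x01 };         /* large header cut short */
const uint8_t large_block[4 + 512] = { 0xA1, 0x00, 0x01, 0x00 };  /* 512-byte payload, zero-filled */

int main(void)
{
    printf("good block:            %d\n", verify_block(good_block, sizeof good_block));
    printf("truncated payload:     %d\n", verify_block(truncated_block, sizeof truncated_block));
    printf("truncated large header:%d\n", verify_block(short_large_block, sizeof short_large_block));
    printf("large payload:         %d\n", verify_block(large_block, sizeof large_block));
    return 0;
}
```

Built with -fsanitize=address, the same walker with the payload check removed reports a heap-buffer-overflow on the truncated inputs; with the checks in place it returns -1 so the caller can reject the block before any decoding happens.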

dbry commented 5 years ago

Thanks for reporting this! Closing as fixed.

carnil commented 5 years ago

CVE-2018-19841 has been assigned for this issue.