ddiakopoulos / libnyquist

:microphone: Cross platform C++11 library for decoding audio (mp3, wav, ogg, opus, flac, etc)
BSD 2-Clause "Simplified" License

Segmentation fault in FlacDecoderInternal::s_writeCallback when nqr::NyquistIO::Load a bad .flac file #70

Open bladchan opened 2 years ago

bladchan commented 2 years ago

Hi,

I am running some experiments for AFLAPI, and it has found a segmentation fault in FlacDecoderInternal::s_writeCallback when nqr::NyquistIO::Load loads a bad .flac file. This bug may allow attackers to cause a DoS, so I am reporting it here.

Environment: Ubuntu 20.04 + g++ 9.6.0

Test target: https://github.com/ddiakopoulos/libnyquist/blob/master/examples/src/Main.cpp

Poc: segv1.zip

To reproduce:

  1. Compile the whole project with ASAN.
  2. Compile the example with ASAN:

```
ubuntu@ubuntu:~/test/libnyquist/build/CMakeFiles/libnyquist-examples.dir/examples/src$ g++ -fsanitize=address -o example Main.cpp.o AudioDevice.cpp.o -llibnyquist -lrtaudio
```

  3. Run:

```
$ ./example ./segv1.flac
```

ASAN says:

```
ubuntu@ubuntu:~/test/libnyquist/build/CMakeFiles/libnyquist-examples.dir/examples/src$ ./example segv1.flac 
[rtaudio] Found: 3 device(s)
Device: 0 - hw:Ensoniq AudioPCI,0
Device: 1 - hw:Ensoniq AudioPCI,1
Device: 2 - default
AddressSanitizer:DEADLYSIGNAL
==1646422==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7efc7260ec30 bp 0x7ffd0d1b4a80 sp 0x7ffd0d1b41e8 T0)
==1646422==The signal is caused by a READ memory access.
==1646422==Hint: address points to the zero page.
    #0 0x7efc7260ec2f (/lib/x86_64-linux-gnu/libc.so.6+0xbbc2f)
    #1 0x7efc72b4a37e in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:790
    #2 0x563605538c2d in FlacDecoderInternal::s_writeCallback(FLAC__StreamDecoder const*, FLAC__Frame const*, int const* const*, void*) /home/ubuntu/test/libnyquist/src/FlacDecoder.cpp:164
    #3 0x5636055ac8ae in write_audio_frame_to_client_ /home/ubuntu/test/libnyquist/third_party/FLAC/src/stream_decoder.c:2972
    #4 0x56360559e1ac in read_frame_ /home/ubuntu/test/libnyquist/third_party/FLAC/src/stream_decoder.c:2146
    #5 0x56360558cf7b in FLAC__stream_decoder_process_until_end_of_stream /home/ubuntu/test/libnyquist/third_party/FLAC/src/stream_decoder.c:1101
    #6 0x5636055373b3 in FlacDecoderInternal::FlacDecoderInternal(nqr::AudioData*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/ubuntu/test/libnyquist/src/FlacDecoder.cpp:66
    #7 0x5636055361f0 in nqr::FlacDecoder::LoadFromPath(nqr::AudioData*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/ubuntu/test/libnyquist/src/FlacDecoder.cpp:247
    #8 0x5636054e7e4d in nqr::NyquistIO::Load(nqr::AudioData*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/ubuntu/test/libnyquist/src/Common.cpp:47
    #9 0x5636054cfaed in main /home/ubuntu/test/libnyquist/examples/src/Main.cpp:34
    #10 0x7efc72577082 in __libc_start_main ../csu/libc-start.c:308
    #11 0x5636054cf6dd in _start (/home/ubuntu/test/libnyquist/build/CMakeFiles/libnyquist-examples.dir/examples/src/example+0x826dd)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/x86_64-linux-gnu/libc.so.6+0xbbc2f)
==1646422==ABORTING
```


**Impact:**
An attacker can exploit this vulnerability by submitting a malicious elf file that exploits this bug, which will result in a Denial of Service attack.
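The trace above ends in `memcpy` inside the FLAC write callback, reading from an address on the zero page. The C++ below is an added example, not libnyquist's code, showing the kind of validation a libFLAC-style write callback can apply before copying decoded samples: it checks the frame header against what the client expects from STREAMINFO, checks every per-channel source pointer, and bounds the copy against the allocated output, returning an abort status instead of dereferencing a bad pointer. `FrameHeader`, `WriteStatus` and `ClientState` are constructed stand-ins for the real libFLAC and libnyquist types, and the sample frames fed to the callback are made up.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Constructed stand-in for libFLAC's FLAC__FrameHeader: only the fields this
// example checks (assumption: the real header has more members).
struct FrameHeader {
    unsigned channels;
    unsigned blocksize;        // samples per channel in this frame
    unsigned bits_per_sample;
};

// Stand-in for FLAC__StreamDecoderWriteStatus.
enum WriteStatus { WRITE_CONTINUE = 0, WRITE_ABORT = 1 };

// Hypothetical client state passed through client_data: what STREAMINFO
// promised, plus planar output buffers already sized for it.
struct ClientState {
    unsigned expected_channels;
    unsigned expected_bps;
    size_t capacity_per_channel;              // samples allocated per channel
    size_t written_per_channel = 0;
    std::vector<std::vector<int32_t>> planar; // one vector per channel
};

ClientState make_state(unsigned channels, unsigned bps, size_t capacity) {
    ClientState st;
    st.expected_channels = channels;
    st.expected_bps = bps;
    st.capacity_per_channel = capacity;
    st.planar.assign(channels, std::vector<int32_t>(capacity, 0));
    return st;
}

// Write callback body: every value that feeds the memcpy is checked first.
// Any inconsistency aborts the decode instead of reading through garbage.
WriteStatus guarded_write(ClientState *st, const FrameHeader *hdr,
                          const int32_t *const buffer[]) {
    if (st == nullptr || hdr == nullptr || buffer == nullptr) return WRITE_ABORT;
    // A frame header in a malformed file need not agree with STREAMINFO.
    if (hdr->channels == 0 || hdr->channels != st->expected_channels) return WRITE_ABORT;
    if (hdr->bits_per_sample != st->expected_bps) return WRITE_ABORT;
    if (hdr->blocksize == 0) return WRITE_ABORT;
    // Refuse frames that would run past the allocated output.
    if (hdr->blocksize > st->capacity_per_channel - st->written_per_channel) return WRITE_ABORT;
    // Every per-channel source pointer must exist before memcpy reads it.
    for (unsigned c = 0; c < hdr->channels; ++c)
        if (buffer[c] == nullptr) return WRITE_ABORT;

    for (unsigned c = 0; c < hdr->channels; ++c)
        std::memcpy(st->planar[c].data() + st->written_per_channel, buffer[c],
                    hdr->blocksize * sizeof(int32_t));
    st->written_per_channel += hdr->blocksize;
    return WRITE_CONTINUE;
}

struct Result { WriteStatus status; size_t written; };

// --- Constructed frames exercising the guard (sample values are made up) ---

// Well-formed stereo frame of four samples: copied, decode continues.
Result scenario_valid() {
    ClientState st = make_state(2, 16, 8);
    const int32_t left[4]  = {1, 2, 3, 4};
    const int32_t right[4] = {-1, -2, -3, -4};
    const int32_t *const buf[2] = {left, right};
    const FrameHeader hdr{2, 4, 16};
    WriteStatus s = guarded_write(&st, &hdr, buf);
    return {s, st.written_per_channel};
}

// Header claims two channels but the second source pointer is null: aborted.
Result scenario_null_channel() {
    ClientState st = make_state(2, 16, 8);
    const int32_t left[4] = {1, 2, 3, 4};
    const int32_t *const buf[2] = {left, nullptr};
    const FrameHeader hdr{2, 4, 16};
    WriteStatus s = guarded_write(&st, &hdr, buf);
    return {s, st.written_per_channel};
}

// Header claims three channels while STREAMINFO declared two: aborted before
// buffer[2] (which does not exist) would be read.
Result scenario_channel_mismatch() {
    ClientState st = make_state(2, 16, 8);
    const int32_t left[4]  = {1, 2, 3, 4};
    const int32_t right[4] = {5, 6, 7, 8};
    const int32_t *const buf[2] = {left, right};
    const FrameHeader hdr{3, 4, 16};
    WriteStatus s = guarded_write(&st, &hdr, buf);
    return {s, st.written_per_channel};
}

// Blocksize larger than the space left in the output: aborted, nothing copied.
Result scenario_oversized() {
    ClientState st = make_state(2, 16, 3);
    const int32_t left[4]  = {1, 2, 3, 4};
    const int32_t right[4] = {5, 6, 7, 8};
    const int32_t *const buf[2] = {left, right};
    const FrameHeader hdr{2, 4, 16};
    WriteStatus s = guarded_write(&st, &hdr, buf);
    return {s, st.written_per_channel};
}

int main() {
    std::printf("valid: status=%d written=%zu\n", scenario_valid().status, scenario_valid().written);
    std::printf("null channel: status=%d\n", scenario_null_channel().status);
    std::printf("channel mismatch: status=%d\n", scenario_channel_mismatch().status);
    std::printf("oversized: status=%d\n", scenario_oversized().status);
    return 0;
}
```

Returning the abort status makes libFLAC's process loop stop with a decoder error that the caller (here `nqr::NyquistIO::Load`) can turn into a load failure, which is the outcome a fuzzed input should produce instead of a crash.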