Reported in version: 1.2.15
Reported for operating system, platform: Linux, x86_64
Comments on the original bug report:
On 2019-02-05 15:05:21 +0000, Radue wrote:
Created attachment 3596
PoC
A heap buffer overflow vulnerability was discovered in SDL-1.2.15 library.
Asan output:
==980==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000eff3 at pc 0x7f58fc7949b4 bp 0x7fff74db7390 sp 0x7fff74db7388
READ of size 1 at 0x60300000eff3 thread T0
0 0x7f58fc7949b3 in InitMS_ADPCM /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/audio/SDL_wave.c:64:38
# 1 0x7f58fc7949b3 in SDL_LoadWAV_RW /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/audio/SDL_wave.c:464
# 2 0x4db938 in main /home/radu/apps/sdl_player_lib/SDL-1.2.15/test/loopwave.c:76:7
# 3 0x7f58fb50682f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
# 4 0x4352f8 in _start (/home/radu/apps/sdl_player_lib/SDL-1.2.15/test/loopwave+0x4352f8)
0x60300000eff3 is located 1 bytes to the right of 18-byte region [0x60300000efe0,0x60300000eff2)
allocated by thread T0 here:
0 0x4bc2c2 in malloc (/home/radu/apps/sdl_player_lib/SDL-1.2.15/test/loopwave+0x4bc2c2)
# 1 0x7f58fc794ea1 in ReadChunk /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/audio/SDL_wave.c:584:25
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/audio/SDL_wave.c:64 InitMS_ADPCM
Shadow bytes around the buggy address:
0x0c067fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c067fff9df0: fa fa fa fa fa fa fa fa fa fa fa fa 00 00[02]fa
0x0c067fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==980==ABORTING
PoC: See attachment
Reproducing steps:
Download SDL-1.2.15 library
./configure with Asan enabled
./make
sudo make install
cd examples
./configure with Asan enabled
make
./loopwave PoC
On 2019-02-07 07:18:05 +0000, Radue wrote:
Assigned CVE-2019-7576 by MITRE.
On 2019-02-15 09:49:36 +0000, Petr Pisar wrote:
This is a very similar bug to CVE-2019-7573 reported in bug # 4491. A fix for both issues is attached there.
On 2019-06-10 15:53:32 +0000, Sam Lantinga wrote:
I believe this is fixed, thanks!
This bug has been marked as a duplicate of bug 4491
This bug report was migrated from our old Bugzilla tracker.
These attachments are available in the static archive:
Reported in version: 1.2.15 Reported for operating system, platform: Linux, x86_64
Comments on the original bug report:
On 2019-02-05 15:05:21 +0000, Radue wrote:
On 2019-02-07 07:18:05 +0000, Radue wrote:
On 2019-02-15 09:49:36 +0000, Petr Pisar wrote:
On 2019-06-10 15:53:32 +0000, Sam Lantinga wrote: