one heap buffer overflow in FilePOSIX::read in File.cpp

[92wyunchao]

one heap buffer overflow in FilePOSIX::read in File.cpp in master branch. poc.zip

$uname -a Linux ubuntu 4.15.0-70-generic #79~16.04.1-Ubuntu SMP Tue Nov 12 14:01:10 UTC 2019 x86_64 GNU/Linux

$./sfconvert poc.wav output format wave asan:

==90086==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a00001f708 at pc 0x7f64fd42ee55 bp 0x7ffcd6e8e290 sp 0x7ffcd6e8da38 WRITE of size 2 at 0x61a00001f708 thread T0

0 0x7f64fd42ee54 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x45e54)

#1 0x7f64fd14b8cb in FilePOSIX::read(void*, unsigned long) /home/s2e/asan/audiofile/libaudiofile/File.cpp:126
#2 0x7f64fd150ed9 in readValue<short int> /home/s2e/asan/audiofile/libaudiofile/FileHandle.cpp:353
#3 0x7f64fd14fc48 in readSwap<short int> /home/s2e/asan/audiofile/libaudiofile/FileHandle.cpp:375
#4 0x7f64fd14ee93 in _AFfilehandle::readS16(short*) /home/s2e/asan/audiofile/libaudiofile/FileHandle.cpp:397
#5 0x7f64fd16e393 in WAVEFile::parseFormat(Tag const&, unsigned int) /home/s2e/asan/audiofile/libaudiofile/WAVE.cpp:289
#6 0x7f64fd171751 in WAVEFile::readInit(_AFfilesetup*) /home/s2e/asan/audiofile/libaudiofile/WAVE.cpp:733
#7 0x7f64fd18067e in _afOpenFile /home/s2e/asan/audiofile/libaudiofile/openclose.cpp:356
#8 0x7f64fd17fab0 in afOpenFile /home/s2e/asan/audiofile/libaudiofile/openclose.cpp:217
#9 0x40251a in main /home/s2e/asan/audiofile/sfcommands/sfconvert.c:195
#10 0x7f64fcd7982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#11 0x401568 in _start (/home/s2e/asan/audiofile/tmp/bin/sfconvert+0x401568)

0x61a00001f708 is located 0 bytes to the right of 1160-byte region [0x61a00001f280,0x61a00001f708) allocated by thread T0 here:

0 0x7f64fd482532 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99532)

#1 0x7f64fd14c4f1 in _AFfilehandle::create(int) /home/s2e/asan/audiofile/libaudiofile/FileHandle.cpp:80
#2 0x7f64fd18042e in _afOpenFile /home/s2e/asan/audiofile/libaudiofile/openclose.cpp:337
#3 0x7f64fd17fab0 in afOpenFile /home/s2e/asan/audiofile/libaudiofile/openclose.cpp:217
#4 0x40251a in main /home/s2e/asan/audiofile/sfcommands/sfconvert.c:195
#5 0x7f64fcd7982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ?? Shadow bytes around the buggy address: 0x0c347fffbe90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c347fffbea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c347fffbeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c347fffbec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c347fffbed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c347fffbee0: 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c347fffbef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c347fffbf00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c347fffbf10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c347fffbf20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c347fffbf30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe ==90086==ABORTING

[carnil]

This appears to have been assigned CVE-2020-18781.

[carnil]

It looks that the patch from https://github.com/mpruett/audiofile/issues/41 as proposed by https://github.com/antlarr/audiofile/commit/c48e4c6503f7dabd41f11d4c9c7b7f8960e7f2c0 fixes the issue.