Closed retpoline closed 2 years ago
Hi @retpoline - thanks for this report! Is this an issue you're only seeing with our modified version of faad, or is this something we inherited from upstream? Or one which has already been fixed upstream?
Please attach the test file to this report.
Fixed. Thanks for reporting the issue.
(gdb) run -o nocrash.wav crash.m4a
Starting program: faad -o nocrash.wav crash.m4a
*********** Ahead Software MPEG-4 AAC Decoder V2.7 ******************
Patched for Squeezebox Server:
* ALAC decoder integrated
* Seeking support with -j and -e switches
* STDIN support
* utgg win32 STDOUT patch
* Source at https://github.com/ralph-irving/faad2
Build: Feb 5 2022
Copyright 2002-2004: Ahead Software AG
http://www.audiocoding.com
Floating point version
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License.
**************************************************************************
file info:
LC AAC 35.492 secs, 2 ch, 44100 Hz
Error decoding file.
[Inferior 1 (process 20540) exited normally]
Should affect both. See the ufilo.io link for the repro, but it looks like the issue has been fixed now.
Thanks, both of you!
Hi folks,
An interesting crash was found while fuzz testing the faad binary, which can be triggered via a malformed AAC file. Although this malformed file only crashes the program as-is, it could potentially be crafted further to create a security issue, where these kinds of files would be able to compromise the process's memory by taking advantage of the affordances given by memory corruption. It's recommended to harden the code to prevent these kinds of bugs, as it could greatly mitigate this issue and even future bugs.
Download the repro file (~1.3 MB): https://ufile.io/bhp0iun8
debug log