tildearrow / furnace

a multi-system chiptune tracker compatible with DefleMask modules
GNU General Public License v2.0

[BUG] Heap Buffer Overflow in DivEngine::nextTick #1100

Closed 0xdd96 closed 1 year ago

0xdd96 commented 1 year ago

To Reproduce

Environment

poc: poc

Steps to reproduce the behavior:

CFLAGS="-g -O0" CXXFLAGS="-g -O0" cmake ..
make
run sudo ./furnace -console -vgmout out.vgm $POC

Expected behavior

user@c3ae4d510abb:$ sudo ./furnace -console -vgmout out.vgm $POC
[debug] registering systems...
[info] creating config path element /root/.config ...
[info] creating config path element /root/.config/furnace ...
[debug] config path: /root/.config/furnace
[info] Furnace version dev155.
[debug] opening config for read: /root/.config/furnace/furnace.cfg
[trace] trying: /root/.config/furnace/furnace.cfg
[trace] fopen(): No such file or directory
[trace] trying: /root/.config/furnace/furnace.cfg.1
[trace] fopen(): No such file or directory
[trace] trying: /root/.config/furnace/furnace.cfg.2
[trace] fopen(): No such file or directory
[trace] trying: /root/.config/furnace/furnace.cfg.3
[trace] fopen(): No such file or directory
[trace] trying: /root/.config/furnace/furnace.cfg.4
[trace] fopen(): No such file or directory
[debug] config does not exist
[info] creating default config.
[debug] opening config for write: /root/.config/furnace/furnace.cfg
[debug] config file written successfully.
[info] loading module...
[debug] trying zlib...
[debug] zlib inflate: incorrect header check
[debug] not zlib. loading as raw...
[info] module version 9 (0x09)
[info] _;\_e:_l_]_/'[r&g888888888C88888:888 8<888 by
[info] reading module data...
[trace] 111
[info] reading pattern matrix (1 * 5 = 5)...
[trace] 116
[info] reading instruments (1)...
[debug] 0 name:
[debug] ALG 0 FB 1 FMS 1 AMS 1 OPS 4
[debug] OP0: AM 1 AR 1 DAM 1 DR 1 DVB 1 EGT 103 KSL 135 MULT 135 RR 135 SL 135 SUS 135 TL 135 VIB 135 WS 135 RS 135 DT 135 D2R 135 SSG-EG 135
[debug] OP1: AM 135 AR 135 DAM 135 DR 135 DVB 135 EGT 135 KSL 135 MULT 0 RR 128 SL 1 SUS 123 TL 244 VIB 249 WS 221 RS 0 DT 0 D2R 4 SSG-EG 0
[debug] OP2: AM 134 AR 48 DAM 21 DR 127 DVB 255 EGT 226 KSL 126 MULT 242 RR 69 SL 243 SUS 146 TL 67 VIB 80 WS 157 RS 105 DT 101 D2R 70 SSG-EG 147
[debug] OP3: AM 58 AR 255 DAM 127 DR 94 DVB 241 EGT 52 KSL 175 MULT 180 RR 153 SL 21 SUS 153 TL 225 VIB 185 WS 182 RS 1 DT 221 D2R 177 SSG-EG 222
[trace] 16d
[info] reading patterns (5 channels, 1 orders)...
[debug] 0 fx rows: 1
[debug] 1 fx rows: 1
[debug] 2 fx rows: 1
[debug] 3 fx rows: 1
[debug] 4 fx rows: 1
[info] reading samples (0)...
[warning] premature end of song (we are at 1aa, but size is 1b0)
[info] initializing audio.
[debug] listing devices.
[debug] got port count.
[trace] no MIDI input device selected.
[trace] no MIDI output device selected.
[debug] rendering samples...
[trace] Midi panic sent
[info] loop point: 0 0
[debug] writing extended header...
[debug] writing chip volumes (1)...
[trace] - 81b30014
[trace] playSub() called
[trace] goal: 0 goalRow: 0
[trace] playSub() took 142µs
[trace] scheduling stop
[trace] end of orders reached
[info] registering order change 0 on 0
[debug] writing stream command ffffffff:0 with stream ID 255
[debug] writing stream command ffff0002:0 with stream ID 0
Stack trace (most recent call last):/s
#5    Object "[0xffffffffffffffff]", at 0xffffffffffffffff, in
#4    Object "./furnace/build-trace/furnace", at 0x55555587c54d, in _start
#3    Object "/lib/x86_64-linux-gnu/libc.so.6", at 0x7ffff7971082, in __libc_start_main
#2    Object "./furnace/build-trace/furnace", at 0x555555bbdf0c, in main
#1    Object "./furnace/build-trace/furnace", at 0x555555a3d189, in DivEngine::saveVGM(bool*, bool, int, bool, bool, int)
#0    Object "./furnace/build-trace/furnace", at 0x5555559fd8e8, in DivEngine::nextTick(bool, bool)
Segmentation fault (Address not mapped to object [0x5555572031d8])
Segmentation fault

Here is some debug info in gdb, hope it helps:
Thread 1 "furnace" received signal SIGSEGV, Segmentation fault.
0x00005555559fd8e8 in DivEngine::nextTick (this=0x555556de4040 <e>, noAccum=false, inhibitLowLat=true) at furnace/src/engine/playback.cpp:1404
1404                  dispatchCmd(DivCommand(DIV_CMD_PITCH,i,chan[i].pitch+(((chan[i].vibratoDepth*vibTable[chan[i].vibratoPos]*chan[i].vibratoFine)>>4)/15)));

(gdb) p &vibTable
$7 = (short (*)[64]) 0x555556df1478 <e+54328>

(gdb) p chan[i].vibratoPos
$8 = 2133680

(gdb) p vibTable[chan[i].vibratoPos]
Cannot access memory at address 0x5555572031d8
tildearrow commented 1 year ago

It appears the entire 16-bit effect was being read and the vibrato rate exceeded 64! I have fixed it now.
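Added illustration of the failure mode in this thread, not furnace's own code: a model of a vibrato phase advance that wraps by a single subtraction, which stays in range for rates below the table size but runs away once a rate read from a full 16-bit effect value exceeds it. The table size (64) and the out-of-range index (2133680) are taken from the gdb output above; the advance/wrap logic, the function names and the clamp-on-parse mitigation are assumptions for illustration.

```cpp
// Added example, not furnace's code. Models how a vibrato position escapes a
// 64-entry table when the per-tick rate is larger than the table itself.
#include <cstdint>
#include <cstddef>

constexpr uint32_t VIB_TABLE_SIZE = 64;   // matches "short (*)[64]" in gdb

// Assumed advance logic: wrap by subtracting the table size once. Correct
// while rate < VIB_TABLE_SIZE; for larger rates the position grows each tick.
uint32_t advanceSingleWrap(uint32_t pos, uint32_t rate) {
  pos += rate;
  if (pos >= VIB_TABLE_SIZE) pos -= VIB_TABLE_SIZE;
  return pos;
}

// Hardened advance: modulo keeps the position in [0, 64) for any rate.
uint32_t advanceModulo(uint32_t pos, uint32_t rate) {
  return (pos + rate) % VIB_TABLE_SIZE;
}

// Parse-time mitigation (assumed): clamp a rate the table cannot index so
// malformed module data never reaches the per-tick lookup out of range.
uint32_t clampVibratoRate(uint32_t rawRate) {
  return rawRate < VIB_TABLE_SIZE ? rawRate : VIB_TABLE_SIZE - 1;
}

// Bounds-checked lookup: refuses instead of reading past the table, which is
// the read that faulted at vibTable[chan[i].vibratoPos] in the report.
bool vibLookup(const int16_t* table, uint32_t pos, int16_t* out) {
  if (pos >= VIB_TABLE_SIZE) return false;
  *out = table[pos];
  return true;
}

// Runs `ticks` ticks of the single-wrap advance from position 0 and returns
// the final position, so the runaway growth can be observed directly.
uint32_t simulateSingleWrap(uint32_t rate, uint32_t ticks) {
  uint32_t pos = 0;
  for (uint32_t t = 0; t < ticks; t++) pos = advanceSingleWrap(pos, rate);
  return pos;
}
```

With a rate of 200 the single-wrap model gains 136 per tick and never returns to the table, which is the shape of the 2133680 index seen in gdb; clamping the rate at parse time or using the modulo advance keeps every lookup inside the 64 entries.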