Source: sox Version: 14.4.1-5 Severity: important Tags: security upstream Hi,
the following vulnerability was published for sox. CVE-2017-15372[0]: | There is a stack-based buffer overflow in the | lsx_ms_adpcm_block_expand_i function of adpcm.c in Sound eXchange (SoX) | 14.4.2. A Crafted input will lead to a denial of service attack during | conversion of an audio file. With an ASAN build and ./src/sox ~/01-stack-overflow out.snd ================================================================= ==4852==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff9b73d8a4 at pc 0x7fae2c9b322d bp 0x7fff9b73d7e0 sp 0x7fff9b73d7d8 WRITE of size 2 at 0x7fff9b73d8a4 thread T0 #0 0x7fae2c9b322c in lsx_ms_adpcm_block_expand_i src/adpcm.c:126 #1 0x7fae2c9b672b in AdpcmReadBlock src/wav.c:176 #2 0x7fae2c9bd5b0 in read_samples src/wav.c:1029 #3 0x7fae2c88e1fb in sox_read src/formats.c:973 #4 0x406096 in sox_read_wide src/sox.c:490 #5 0x406a6e in combiner_drain src/sox.c:552 #6 0x7fae2c8c1fe1 in drain_effect src/effects.c:318 #7 0x7fae2c8c2ffe in sox_flow_effects src/effects.c:387 #8 0x4122da in process src/sox.c:1794 #9 0x41b386 in main src/sox.c:3012 #10 0x7fae2bd622e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0) #11 0x402f49 in _start (/root/sox-14.4.1/src/.libs/sox+0x402f49) Address 0x7fff9b73d8a4 is located in stack of thread T0 at offset 68 in frame #0 0x7fae2c9b3063 in lsx_ms_adpcm_block_expand_i src/adpcm.c:112 This frame has 1 object(s): [32, 64) 'state' <== Memory access at offset 68 overflows this variable HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext (longjmp and C++ exceptions *are* supported) SUMMARY: AddressSanitizer: stack-buffer-overflow src/adpcm.c:126 in lsx_ms_adpcm_block_expand_i Shadow bytes around the buggy address: 0x1000736dfac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1000736dfad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1000736dfae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1000736dfaf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1000736dfb00: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 =>0x1000736dfb10: 00 00 00 00[f3]f3 f3 f3 00 00 00 00 00 00 00 00 0x1000736dfb20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1000736dfb30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1000736dfb40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1000736dfb50: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 0x1000736dfb60: f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f3 f3 f3 f3 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==4852==ABORTING If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2017-15372 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15372 [1] https://bugzilla.redhat.com/show_bug.cgi?id=1500553 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
01-stack-overflow
Description: Wave audio