Bug#889559: wavpack: heap buffer overflow while running wavpack

Sebastian Ramacher Sun, 04 Feb 2018 12:03:41 -0800

Hi

On 2018-02-04 23:35:47, Joonun Jang wrote:
> Package: wavpack
> Version: 5.1.0-2
> Severity: important
> Tags: security
> 
> heap buffer overflow running wavpack with "-y poc.wav" option


Thanks for filing this. It's probably easier to file those directly upstream at
https://github.com/dbry/WavPack. I have forwarded the other two bug reports
there.

Cheers

> 
> Running 'wavpack -y poc.wav' with the attached file raises heap buffer 
> overflow
> which may allow a remote attacker to cause unspecified impact including 
> denial-of-service attack
> I expected the program to terminate without segfault, but the program crashes 
> as follow
> 
> june@june:~/temp/report/wavpack/00009776$ 
> ../../binary/wavpack-5.1.0/cli/.libs/wavpack -y poc.wav
> 
>  WAVPACK  Hybrid Lossless Audio Compressor  Linux Version 5.1.0
>  Copyright (c) 1998 - 2017 David Bryant.  All Rights Reserved.
> 
> creating 
> poc.wv,=================================================================
> ==3834==ERROR: AddressSanitizer: heap-buffer-overflow on address 
> 0x60200000ef91 at pc 0x7ffff6e8105b bp 0x7fffffffb2e0 sp 0x7fffffffaa90
> READ of size 2 at 0x60200000ef91 thread T0
>     #0 0x7ffff6e8105a  (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x4305a)
>     #1 0x55555557ad85 in ParseDsdiffHeaderConfig 
> /home/june/temp/report/binary/wavpack-5.1.0/cli/dsdiff.c:171
>     #2 0x555555567c3a in pack_file 
> /home/june/temp/report/binary/wavpack-5.1.0/cli/wavpack.c:1774
>     #3 0x555555565e5e in main 
> /home/june/temp/report/binary/wavpack-5.1.0/cli/wavpack.c:1270
>     #4 0x7ffff65902b0 in __libc_start_main 
> (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
>     #5 0x5555555609a9 in _start 
> (/home/june/temp/report/binary/wavpack-5.1.0/cli/.libs/wavpack+0xc9a9)
> 
> 0x60200000ef91 is located 0 bytes to the right of 1-byte region 
> [0x60200000ef90,0x60200000ef91)
> allocated by thread T0 here:
>     #0 0x7ffff6effd28 in malloc 
> (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
>     #1 0x55555557ac4a in ParseDsdiffHeaderConfig 
> /home/june/temp/report/binary/wavpack-5.1.0/cli/dsdiff.c:156
>     #2 0x555555567c3a in pack_file 
> /home/june/temp/report/binary/wavpack-5.1.0/cli/wavpack.c:1774
>     #3 0x555555565e5e in main 
> /home/june/temp/report/binary/wavpack-5.1.0/cli/wavpack.c:1270
>     #4 0x7ffff65902b0 in __libc_start_main 
> (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
> 
> SUMMARY: AddressSanitizer: heap-buffer-overflow 
> (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x4305a)
> Shadow bytes around the buggy address:
>   0x0c047fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> =>0x0c047fff9df0: fa fa[01]fa fa fa fd fd fa fa 03 fa fa fa 00 fa
>   0x0c047fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c047fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Heap right redzone:      fb
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack partial redzone:   f4
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
>   Left alloca redzone:     ca
>   Right alloca redzone:    cb
> ==3834==ABORTING
> 
> This bug was found with a fuzzer developed by 'SoftSec' group at KAIST
> 
> -- System Information:
> Debian Release: 9.3
>   APT prefers stable-updates
>   APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), 
> (500, 'stable')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
> LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> 
> Versions of packages wavpack depends on:
> ii  libc6        2.24-11+deb9u1
> ii  libwavpack1  5.1.0-2
> 
> wavpack recommends no packages.
> 
> wavpack suggests no packages.
> 
> -- no debconf information


> _______________________________________________
> pkg-multimedia-maintainers mailing list
> pkg-multimedia-maintain...@lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-multimedia-maintainers


-- 
Sebastian Ramacher

signature.asc
Description: PGP signature

Bug#889559: wavpack: heap buffer overflow while running wavpack

Reply via email to