
Comments (5)

cuanduo avatar cuanduo commented on September 6, 2024

Caused by allocating too large a memory block, after which alloc returns 0.

ASan output:

root@ubuntu:~/audiofile-santi/sfcommands/.libs# ./sfconvert /home/tim/poc output format voc
==129695==WARNING: AddressSanitizer failed to allocate 0xffffffffc2c00000 bytes
==129695==AddressSanitizer's allocator is terminating the process instead of returning 0
==129695==If you don't like this behavior set allocator_may_return_null=1
==129695==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:218 "((0)) != (0)" (0x0, 0x0)
    #0 0x7f48c8503c02  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe9c02)
    #1 0x7f48c8522595 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x108595)
    #2 0x7f48c8509342  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xef342)
    #3 0x7f48c8441e46  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x27e46)
    #4 0x7f48c84f8b1a in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb1a)
    #5 0x558dc209af68 in copyaudiodata /home/tim/audiofile-santi/sfcommands/sfconvert.c:327
    #6 0x558dc209a620 in main /home/tim/audiofile-santi/sfcommands/sfconvert.c:248
    #7 0x7f48c7d38b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #8 0x558dc209ac79 in _start (/home/tim/audiofile-santi/sfcommands/.libs/sfconvert+0x1c79)

from audiofile.
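As an added illustration (this is not audiofile's code and not either patch in this thread), the C program below models the two multiplications the report is about: the frame size derived from a header's channel count, and the copy buffer of frames times frame size that sfconvert allocates. It shows why a wrapped, negative int becomes the huge size_t in the ASan output, and how both products can be computed safely. The function names are mine; the channel count 1633771873 is the one from the error message later in this thread, the frame size 49856 is a constructed value, and the overflow checks use GCC/Clang's `__builtin_mul_overflow`.

```c
/* Added example (not audiofile's code). Models the integer arithmetic behind
 * CVE-2019-13147: frame_size = channels * bytes_per_sample comes from an
 * untrusted header, and the copy buffer is frames * frame_size bytes. If
 * either product wraps, the negative int handed to malloc is converted to a
 * huge size_t, exactly what AddressSanitizer reported. Requires a GCC/Clang
 * compiler for __builtin_mul_overflow. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define BUFFER_FRAME_COUNT 65536   /* same starting frame count as sfconvert */

/* Largest channel count for which channels * sizeof(double) still fits in an
 * int32; this mirrors the bound the NeXT.cpp patch in this thread applies. */
#define MAX_CHANNELS ((int)(INT32_MAX / sizeof(double)))

/* What malloc actually receives when a negative int is passed as its size. */
size_t as_malloc_size(int n)
{
    return (size_t)n;   /* -1027604480 becomes 0xffffffffc2c00000 on 64-bit */
}

/* frame_size = channels * bytes_per_sample, rejecting non-positive inputs,
 * channel counts above MAX_CHANNELS (the patch's bound), sample widths wider
 * than a double, and any product that does not fit in an int. */
bool checked_frame_size(int channels, int bytes_per_sample, int *frame_size)
{
    if (channels <= 0 || channels > MAX_CHANNELS)
        return false;
    if (bytes_per_sample <= 0 || bytes_per_sample > (int)sizeof(double))
        return false;
    return !__builtin_mul_overflow(channels, bytes_per_sample, frame_size);
}

/* buffer_size = frames * frame_size. Like the multiplyCheckOverflow loop in
 * sfconvert's copyaudiodata, halve the frame count until the product fits. */
bool checked_buffer_size(int frame_size, int *frames, int *buffer_size)
{
    if (frame_size <= 0)
        return false;
    for (int n = BUFFER_FRAME_COUNT; n > 0; n /= 2) {
        if (!__builtin_mul_overflow(n, frame_size, buffer_size)) {
            *frames = n;
            return true;
        }
    }
    return false;
}

/* Allocate a copy buffer for a track, or return NULL when the header values
 * are unsafe. The chosen frame count and byte size are returned by pointer. */
void *alloc_copy_buffer(int channels, int bytes_per_sample,
                        int *frames, int *buffer_size)
{
    int frame_size;
    if (!checked_frame_size(channels, bytes_per_sample, &frame_size))
        return NULL;
    if (!checked_buffer_size(frame_size, frames, buffer_size))
        return NULL;
    return malloc((size_t)*buffer_size);
}

int main(void)
{
    int frames = 0, bytes = 0;
    /* Constructed inputs: the channel count from the PoC's error message in
     * this thread, and an ordinary 2-channel, 16-bit track. */
    const int poc_channels = 1633771873;

    printf("negative int as seen by malloc: 0x%zx\n", as_malloc_size(-1027604480));
    void *bad = alloc_copy_buffer(poc_channels, 2, &frames, &bytes);
    printf("header with %d channels: %s\n", poc_channels, bad ? "allocated" : "rejected");
    free(bad);

    void *buf = alloc_copy_buffer(2, 2, &frames, &bytes);
    printf("stereo 16-bit: frames=%d bytes=%d\n", frames, bytes);
    free(buf);
    return 0;
}
```

The two checks are deliberately separate: the channel bound rejects absurd headers early with a clear error, while the overflow-checked multiplication is what actually guarantees the size handed to malloc is the one the copy loop will write.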

carnil avatar carnil commented on September 6, 2024

CVE-2019-13147 was assigned for this issue.


asarubbo avatar asarubbo commented on September 6, 2024

For completeness, this is the stacktrace I get with the provided poc:

==6157==WARNING: AddressSanitizer failed to allocate 0xffffffff85858580 bytes
AddressSanitizer:DEADLYSIGNAL
=================================================================
==6157==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f68322200db bp 0x7f6824545800 sp 0x7ffd57f71660 T0)
==6157==The signal is caused by a WRITE memory access.
==6157==Hint: address points to the zero page.
    #0 0x7f68322200db in ulaw2linear_buf(unsigned char const*, short*, int) /var/tmp/portage/media-libs/audiofile-0.3.6-r5/work/audiofile-0.3.6/libaudiofile/modules/G711.cpp:42:13
    #1 0x7f68322200db in G711::runPull() /var/tmp/portage/media-libs/audiofile-0.3.6-r5/work/audiofile-0.3.6/libaudiofile/modules/G711.cpp:206:3
    #2 0x7f6832212ec1 in afReadFrames /var/tmp/portage/media-libs/audiofile-0.3.6-r5/work/audiofile-0.3.6/libaudiofile/data.cpp:222:14
    #3 0x4f42e1 in copyaudiodata /var/tmp/portage/media-libs/audiofile-0.3.6-r5/work/audiofile-0.3.6/sfcommands/sfconvert.c:370:29
    #4 0x4f3b57 in main /var/tmp/portage/media-libs/audiofile-0.3.6-r5/work/audiofile-0.3.6/sfcommands/sfconvert.c:275:17
    #5 0x7f6831f31676 in __libc_start_call_main /var/tmp/portage/sys-libs/glibc-2.37-r3/work/glibc-2.37/csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #6 0x7f6831f31734 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.37-r3/work/glibc-2.37/csu/../csu/libc-start.c:360:3
    #7 0x41e780  (/usr/bin/sfconvert+0x41e780)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/media-libs/audiofile-0.3.6-r5/work/audiofile-0.3.6/libaudiofile/modules/G711.cpp:42:13 in ulaw2linear_buf(unsigned char const*, short*, int)
==6157==ABORTING
Aborted

While the ASan output complains about "failed to allocate", I confirm that under normal conditions I get a segmentation fault.


bastien-roucaries avatar bastien-roucaries commented on September 6, 2024

Partial fix (symptom), nevertheless a fix:

commit 2f762fa2dd93fe2c66c59150d89ed15778274690
Author: Bastien Roucariès <[email protected]>
Date:   Sat Nov 11 17:42:03 2023 +0000

    Partial fix of CVE-2019-13147
    
    This fixes the symptom: do not allow allocating negative memory:
    ==129695==WARNING: AddressSanitizer failed to allocate 0xffffffffc2c00000 bytes
    ==129695==AddressSanitizer's allocator is terminating the process instead of returning 0
    ==129695==If you don't like this behavior set allocator_may_return_null=1
    ==129695==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:218 "((0)) != (0)" (0x0, 0x0)
        #0 0x7f48c8503c02  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe9c02)
        #1 0x7f48c8522595 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x108595)
        #2 0x7f48c8509342  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xef342)
        #3 0x7f48c8441e46  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x27e46)
        #4 0x7f48c84f8b1a in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb1a)
        #5 0x558dc209af68 in copyaudiodata /home/tim/audiofile-santi/sfcommands/sfconvert.c:327
        #6 0x558dc209a620 in main /home/tim/audiofile-santi/sfcommands/sfconvert.c:248
        #7 0x7f48c7d38b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
        #8 0x558dc209ac79 in _start (/home/tim/audiofile-santi/sfcommands/.libs/sfconvert+0x1c79)
    
    If negative, bail out

diff --git a/sfcommands/sfconvert.c b/sfcommands/sfconvert.c
index 367f7a5..400d485 100644
--- a/sfcommands/sfconvert.c
+++ b/sfcommands/sfconvert.c
@@ -349,7 +349,8 @@ void printversion (void)
 bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid)
 {
        int frameSize = afGetVirtualFrameSize(infile, trackid, 1);
-
+       if(frameSize <= 0)
+               return false;
        int kBufferFrameCount = 65536;
        int bufferSize;
        while (multiplyCheckOverflow(kBufferFrameCount, frameSize, &bufferSize))
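Review bot: the new `if(frameSize <= 0) return false;` bails out silently. A non-positive value from afGetVirtualFrameSize means the channel count or sample width from the header has already overflowed an int, so report that before returning, otherwise the user cannot tell a malformed input from an ordinary copy failure. The guard also lives only in sfconvert: any other caller of afReadFrames still receives the overflowed frame size, which is why this commit is rightly labelled partial. Minor style point: the surrounding code writes `while (` with a space, so `if (frameSize <= 0)` would match it.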


bastien-roucaries avatar bastien-roucaries commented on September 6, 2024

The real fix is for too many channels:

commit 18e39112376f488bf57ca6527d42afc644f06a94 (HEAD -> patch-queue/master)
Author: Bastien Roucariès <[email protected]>
Date:   Sat Nov 11 17:43:19 2023 +0000

    Partial fix of CVE-2019-13147
    
    This is the fix for the POC. Do not allow too many channels
    
    Now it fails with:
    Audio File Library: invalid file with 1633771873 channels [error 15]
    Could not open file 'poc' for reading.

diff --git a/libaudiofile/NeXT.cpp b/libaudiofile/NeXT.cpp
index c462dbe..01c967c 100644
--- a/libaudiofile/NeXT.cpp
+++ b/libaudiofile/NeXT.cpp
@@ -32,6 +32,7 @@
 #include <stdint.h>
 #include <stdlib.h>
 #include <string.h>
+#include <limits.h>
 
 #include "File.h"
 #include "Setup.h"
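Review bot: `<limits.h>` is not needed for the bound introduced in the next hunk. INT32_MAX is provided by `<stdint.h>`, which this file already includes two lines above the new line; `<limits.h>` supplies INT_MAX instead. Either drop the new include or use INT_MAX from `<limits.h>` consistently in the check.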
@@ -122,6 +123,12 @@ status NeXTFile::readInit(AFfilesetup setup)
                _af_error(AF_BAD_CHANNELS, "invalid file with 0 channels");
                return AF_FAIL;
        }
+       /* avoid overflow of INT for double size rate */
+       if (channelCount > (INT32_MAX / (sizeof(double))))
+       {
+               _af_error(AF_BAD_CHANNELS, "invalid file with %i channels", channelCount);
+               return AF_FAIL;
+       }
 
        Track *track = allocateTrack();
        if (!track)
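Review bot: the comment `avoid overflow of INT for double size rate` should say what the bound really is: channelCount * sizeof(double) must fit in an int32 because the virtual frame size is the channel count times the widest sample width, so a count above INT32_MAX / sizeof(double) is guaranteed to overflow downstream. The parentheses around `sizeof(double)` are redundant. If channelCount is a signed int, the comparison converts it to size_t, so a negative count is also rejected, which is the desired behaviour but deserves a note. Finally, the check is specific to the NeXT reader; every other format reader that sets a channel count stays unprotected, so the same bound belongs in the shared track-setup code as well, which would turn this partial fix into a complete one.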
