Comments (5)
caused by allocate too large mem, and then alloc return 0
asan output
root@ubuntu:~/audiofile-santi/sfcommands/.libs# ./sfconvert /home/tim/poc output format voc
==129695==WARNING: AddressSanitizer failed to allocate 0xffffffffc2c00000 bytes
==129695==AddressSanitizer's allocator is terminating the process instead of returning 0
==129695==If you don't like this behavior set allocator_may_return_null=1
==129695==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:218 "((0)) != (0)" (0x0, 0x0)
#0 0x7f48c8503c02 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe9c02)
#1 0x7f48c8522595 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x108595)
#2 0x7f48c8509342 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xef342)
#3 0x7f48c8441e46 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x27e46)
#4 0x7f48c84f8b1a in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb1a)
#5 0x558dc209af68 in copyaudiodata /home/tim/audiofile-santi/sfcommands/sfconvert.c:327
#6 0x558dc209a620 in main /home/tim/audiofile-santi/sfcommands/sfconvert.c:248
#7 0x7f48c7d38b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#8 0x558dc209ac79 in _start (/home/tim/audiofile-santi/sfcommands/.libs/sfconvert+0x1c79)
from audiofile.
CVE-2019-13147 was assigned for this issue.
from audiofile.
For completeness, this is the stacktrace I get with the provided poc:
==6157==WARNING: AddressSanitizer failed to allocate 0xffffffff85858580 bytes
AddressSanitizer:DEADLYSIGNAL
=================================================================
==6157==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f68322200db bp 0x7f6824545800 sp 0x7ffd57f71660 T0)
==6157==The signal is caused by a WRITE memory access.
==6157==Hint: address points to the zero page.
#0 0x7f68322200db in ulaw2linear_buf(unsigned char const*, short*, int) /var/tmp/portage/media-libs/audiofile-0.3.6-r5/work/audiofile-0.3.6/libaudiofile/modules/G711.cpp:42:13
#1 0x7f68322200db in G711::runPull() /var/tmp/portage/media-libs/audiofile-0.3.6-r5/work/audiofile-0.3.6/libaudiofile/modules/G711.cpp:206:3
#2 0x7f6832212ec1 in afReadFrames /var/tmp/portage/media-libs/audiofile-0.3.6-r5/work/audiofile-0.3.6/libaudiofile/data.cpp:222:14
#3 0x4f42e1 in copyaudiodata /var/tmp/portage/media-libs/audiofile-0.3.6-r5/work/audiofile-0.3.6/sfcommands/sfconvert.c:370:29
#4 0x4f3b57 in main /var/tmp/portage/media-libs/audiofile-0.3.6-r5/work/audiofile-0.3.6/sfcommands/sfconvert.c:275:17
#5 0x7f6831f31676 in __libc_start_call_main /var/tmp/portage/sys-libs/glibc-2.37-r3/work/glibc-2.37/csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#6 0x7f6831f31734 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.37-r3/work/glibc-2.37/csu/../csu/libc-start.c:360:3
#7 0x41e780 (/usr/bin/sfconvert+0x41e780)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /var/tmp/portage/media-libs/audiofile-0.3.6-r5/work/audiofile-0.3.6/libaudiofile/modules/G711.cpp:42:13 in ulaw2linear_buf(unsigned char const*, short*, int)
==6157==ABORTING
Aborted
While the asan output complains about " failed to allocate" I confirm that under normal condition I get a Segmentation fault.
from audiofile.
Partial fix (symptom), nevertheless a fix:
commit 2f762fa2dd93fe2c66c59150d89ed15778274690
Author: Bastien Roucariès <[email protected]>
Date: Sat Nov 11 17:42:03 2023 +0000
Partial fix of CVE-2019-13147
This fix the symptom do not allow to allocate negative memory:
==129695==WARNING: AddressSanitizer failed to allocate 0xffffffffc2c00000 bytes
==129695==AddressSanitizer's allocator is terminating the process instead of returning 0
==129695==If you don't like this behavior set allocator_may_return_null=1
==129695==AddressSanitizer CHECK failed: ../../../../src/libsanitizer/sanitizer_common/sanitizer_allocator.cc:218 "((0)) != (0)" (0x0, 0x0)
#0 0x7f48c8503c02 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xe9c02)
#1 0x7f48c8522595 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x108595)
#2 0x7f48c8509342 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xef342)
#3 0x7f48c8441e46 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x27e46)
#4 0x7f48c84f8b1a in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb1a)
#5 0x558dc209af68 in copyaudiodata /home/tim/audiofile-santi/sfcommands/sfconvert.c:327
#6 0x558dc209a620 in main /home/tim/audiofile-santi/sfcommands/sfconvert.c:248
#7 0x7f48c7d38b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#8 0x558dc209ac79 in _start (/home/tim/audiofile-santi/sfcommands/.libs/sfconvert+0x1c79)
If negative bail out
diff --git a/sfcommands/sfconvert.c b/sfcommands/sfconvert.c
index 367f7a5..400d485 100644
--- a/sfcommands/sfconvert.c
+++ b/sfcommands/sfconvert.c
@@ -349,7 +349,8 @@ void printversion (void)
bool copyaudiodata (AFfilehandle infile, AFfilehandle outfile, int trackid)
{
int frameSize = afGetVirtualFrameSize(infile, trackid, 1);
-
+ if(frameSize <= 0)
+ return false;
int kBufferFrameCount = 65536;
int bufferSize;
while (multiplyCheckOverflow(kBufferFrameCount, frameSize, &bufferSize))
from audiofile.
Real fix is too many channel:
commit 18e39112376f488bf57ca6527d42afc644f06a94 (HEAD -> patch-queue/master)
Author: Bastien Roucariès <[email protected]>
Date: Sat Nov 11 17:43:19 2023 +0000
Partial fix of CVE-2019-13147
This is the fix of the POC. Do not allow too many channel
Now it fail with:
Audio File Library: invalid file with 1633771873 channels [error 15]
Could not open file 'poc' for reading.
diff --git a/libaudiofile/NeXT.cpp b/libaudiofile/NeXT.cpp
index c462dbe..01c967c 100644
--- a/libaudiofile/NeXT.cpp
+++ b/libaudiofile/NeXT.cpp
@@ -32,6 +32,7 @@
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
+#include <limits.h>
#include "File.h"
#include "Setup.h"
@@ -122,6 +123,12 @@ status NeXTFile::readInit(AFfilesetup setup)
_af_error(AF_BAD_CHANNELS, "invalid file with 0 channels");
return AF_FAIL;
}
+ /* avoid overflow of INT for double size rate */
+ if (channelCount > (INT32_MAX / (sizeof(double))))
+ {
+ _af_error(AF_BAD_CHANNELS, "invalid file with %i channels", channelCount);
+ return AF_FAIL;
+ }
Track *track = allocateTrack();
if (!track)
from audiofile.
Related Issues (20)
- heap-based buffer overflow in ulaw2linear_buf (G711.cpp) HOT 2
- divide-by-zero in BlockCodec::reset1 (BlockCodec.cpp) HOT 2
- heap-based buffer overflow in Expand3To4Module::run (SimpleModule.h) HOT 5
- multiple ubsan crashes HOT 1
- heap-based buffer overflow in ulaw2linear_buf HOT 1
- Memory leak in AUpvnew
- heap-based buffer overflow in FilePOSIX::read
- NULL pointer dereference in ModuleState::setup, in ModuleState.cpp HOT 1
- A heap-buffer-overflow has occurred when running sfconvert HOT 1
- A heap-buffer-overflow has occurred when running sfconvert HOT 1
- New Release HOT 9
- out of bound heap access in SimpleModule.h HOT 1
- one heap buffer overflow in FilePOSIX::read in File.cpp HOT 2
- make[2]: *** No rule to make target 'afIdentifyNamedFD.3', needed by 'all-am'. Stop. HOT 2
- Memory-leak bug in printfileinfo, in printinfo.c HOT 2
- 0.3.6 + all up to b62c902d: test suite is failing when source code is configured with `--disable-static` and LTO is used
- 0.3.6 + all up to b62c902d: parallel documentation build fails
- audio artifacts when decoding AIFF-C
- Unary_function is deprecated since c++11 HOT 5
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from audiofile.