Date: Fri, 13 Feb 2015 21:44:10 +0800
From: Zhenghao Hu <zhenghaohuu@...il.com>
To: oss-security@...ts.openwall.com
Cc: niesen@...ncloudtech.com
Subject: CVE Request : Several Bugs Found on Libflac 1.3.1 and Libtta++-2.2

Several bugs were found in the latest libflac and libtta codecs by fuzzing with AFL
(http://lcamtuf.coredump.cx/afl/), working together with Nie Sen from
K33nTeam.
The input POC files can be found at
https://sourceforge.net/projects/pocfiles/files/

---------------------------------------------------------------------------------------------------------------------------------------

Libflac 1.3.1 SEGV in libFLAC.so

  Run :
    ./flac -e -f -o ~/out.ogg t1.flac

  Codes related :
    src/libFLAC/stream_encoder.c    line:2143
    Function FLAC__stream_encoder_process()

      for(channel = 0; channel < channels; channel++)
        memcpy(&encoder->private_->integer_signal[channel][encoder->private_->current_sample_number],
               &buffer[channel][j], sizeof(buffer[channel][0]) * n);

    Reference:
        http://xiph.org/flac/

---------------------------------------------------------------------------------------------------------------------------------------

Libflac 1.3.1 Codec Frontend Bug

  Run :
    ./flac -e -f -o ~/out.ogg t2.flac

  Code Related :
    src/flac/encoder.c        line:1878
    Function EncoderSession_init_encoder()

        else if(e->total_samples_to_encode != cs->tracks[cs->num_tracks-1].offset) {

  Reference:
        http://xiph.org/flac/

---------------------------------------------------------------------------------------------------------------------------------------
Libflac 1.3.1 Stack overflow

    In Command-line flac encoder/decoder tool, bytes_to_read is not
properly checked against the size of ucbuffer, which causes a stack
overflow when performing fread in encoding.

    Codes related to the crash are in src/flac/encode.c function
flac__encode_file()

    const size_t bytes_to_read = (size_t)min(
        encoder_session.fmt.iff.data_bytes,
        (FLAC__uint64)CHUNK_OF_SAMPLES * (FLAC__uint64)encoder_session.info.bytes_per_wide_sample
    );
    bytes_read = fread(ucbuffer.u8, sizeof(unsigned char), bytes_to_read, infile);

    POC:
        ./flac -e -f -o ~/test.flac ~/libflac_stack.wav

    Reference:
        http://xiph.org/flac/

---------------------------------------------------------------------------------------------------------------------------------------

Libtta++ 2.2 divide-by-0 error

    In the TTA console frontend tool, a specifically crafted wave_hdr would
result in a divide-by-zero error.

    Problematic codes are as follows. In console/tta.cpp, function
compress()

        smp_size = (wave_hdr.num_channels * ((wave_hdr.bits_per_sample + 7) / 8));
        ...
        ...
        info.samples = data_size / smp_size;

    POC:
        ./tta -e ~/libtta_float.wav ~/test.tta

    Reference:
        http://sourceforge.net/projects/tta/

---------------------------------------------------------------------------------------------------------------------------------------

Libtta++ 2.2 tta_encoder class heap overflow

    tta_encoder.fnum is not checked in tta_encoder::process_stream, which
causes a heap overflow when trying to write the seek_table indexed by fnum.

    Codes related to the crash are in libtta.cpp , encoder::process_stream()

        seek_table = (TTAuint64 *) tta_malloc(frames * sizeof(TTAuint64));

        seek_table[fnum++] = fifo.count;

    POC:
        ./tta -e ~/heap.wav ~/test.tta

    Reference:
        http://sourceforge.net/projects/tta/

---------------------------------------------------------------------------------------------------------------------------------------

Thanks!
--
Zhenghao Hu / K33nTeam
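The three patterns reported above (an unbounded fread into a fixed buffer, a divisor derived from untrusted header fields, and an index that is not checked against the allocation it writes into) share the same fix: validate the attacker-controlled value against the capacity or the invariant before using it. The following is an added example written for this page, not code from libFLAC or libtta++; the struct names, function names (safe_sample_count, seek_table_record, clamp_bytes_to_read) and the sample header values are constructed for the example and only mirror the shapes shown in the advisory excerpts.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for the two WAVE header fields the advisory's smp_size
 * computation reads (constructed here; not libtta's wave_hdr). */
typedef struct {
    uint16_t num_channels;
    uint16_t bits_per_sample;
} wave_hdr_t;

/* Hardened version of the smp_size / info.samples computation. A header
 * with zero channels or zero bits per sample makes smp_size zero and the
 * division faults, so reject such a header before dividing.
 * Returns 0 and sets *samples on success, -1 on a malformed header. */
int safe_sample_count(const wave_hdr_t *hdr, uint32_t data_size,
                      uint32_t *samples)
{
    uint32_t smp_size;

    if (hdr->num_channels == 0 || hdr->bits_per_sample == 0)
        return -1;
    smp_size = (uint32_t)hdr->num_channels *
               (((uint32_t)hdr->bits_per_sample + 7u) / 8u);
    if (smp_size == 0)          /* defensive; unreachable after the checks */
        return -1;
    *samples = data_size / smp_size;
    return 0;
}

/* Seek-table state: the table holds exactly `frames` entries, mirroring
 * tta_malloc(frames * sizeof(TTAuint64)) in the advisory. */
typedef struct {
    uint64_t *seek_table;
    size_t frames;   /* allocated capacity, in entries */
    size_t fnum;     /* next index to write */
} seek_state_t;

/* Hardened seek-table write: refuse once fnum reaches the allocated frame
 * count instead of writing past the heap block. 0 on success, -1 if the
 * entry would be out of bounds. */
int seek_table_record(seek_state_t *st, uint64_t count)
{
    if (st->seek_table == NULL || st->fnum >= st->frames)
        return -1;
    st->seek_table[st->fnum++] = count;
    return 0;
}

/* Bounded counterpart of the bytes_to_read computation: take the smaller of
 * the remaining data bytes and one chunk, then clamp to the destination
 * buffer's real capacity so the following fread can never overrun it. */
size_t clamp_bytes_to_read(size_t dst_cap, uint64_t data_bytes,
                           uint64_t chunk_bytes)
{
    uint64_t want = data_bytes < chunk_bytes ? data_bytes : chunk_bytes;
    if (want > (uint64_t)dst_cap)
        want = (uint64_t)dst_cap;
    return (size_t)want;
}

/* --- Constructed scenarios exercising the three checks --- */

/* 16-bit stereo header: smp_size = 4, 4000 data bytes -> 1000 samples. */
uint32_t demo_valid_sample_count(void)
{
    wave_hdr_t hdr = { 2, 16 };
    uint32_t samples = 0;
    if (safe_sample_count(&hdr, 4000, &samples) != 0)
        return 0;
    return samples;
}

/* Header with bits_per_sample == 0 (smp_size would be 0); 1 if rejected. */
int demo_zero_bps_rejected(void)
{
    wave_hdr_t hdr = { 2, 0 };
    uint32_t samples = 0;
    return safe_sample_count(&hdr, 4000, &samples) == -1;
}

/* Attempt frames+2 writes into a table sized for `frames`; returns the
 * number of refused writes (expected: 2), or -1 on allocation failure. */
int demo_seek_table_refusals(size_t frames)
{
    seek_state_t st;
    size_t i;
    int refused = 0;

    st.seek_table = calloc(frames, sizeof(uint64_t));
    st.frames = frames;
    st.fnum = 0;
    if (st.seek_table == NULL)
        return -1;
    for (i = 0; i < frames + 2; i++)
        if (seek_table_record(&st, (uint64_t)i * 512) != 0)
            refused++;
    free(st.seek_table);
    return refused;
}

int main(void)
{
    printf("samples=%u zero_bps_rejected=%d seek_refusals=%d clamped=%zu\n",
           demo_valid_sample_count(), demo_zero_bps_rejected(),
           demo_seek_table_refusals(8), clamp_bytes_to_read(1024, 1u << 20, 16384));
    return 0;
}
```

The clamp is the simplest of the three: the original code already takes a min() of two attacker-influenced quantities, but neither is the buffer size, which is the only bound that matters for fread. The other two checks are cheap invariants (non-zero divisor, index below capacity) that a fuzzer finds immediately when absent.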
