Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 14 Feb 2015 13:30:32 +0100
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request : Several Bugs Found on Libflac
 1.3.1 and Libtta++-2.2

Hi,

On Fri, 13 Feb 2015 21:44:10 +0800
Zhenghao Hu <zhenghaohuu@...il.com> wrote:

> Several bugs found in the latest libflac and libtta codec fuzzing
> with AFL ( http://lcamtuf.coredump.cx/afl/), working together with
> Nie Sen, from K33nTeam.

I think I haven't posted this here yet: Also recently fuzzed flac
with afl and found something:

https://git.xiph.org/?p=flac.git;a=commit;h=43ba7ad05f1656e885ce2f34a9a72494f45705ae
https://sourceforge.net/p/flac/bugs/421/

Crashing sample is attached to the bug report.

What happens is that flac does an malloc for the number of comments. If
that fails due to an insane number of comments it'll fail, but it will
still try to access the non-allocated memory.

I think the upstream fix is not optimal - it limits the amount of
allowed comments. That probably fixes this in most situations, but it
still leaves problems, because it doesn't check for malloc
failures.

cu,
-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ