Date: Sat, 14 Feb 2015 13:30:32 +0100 From: Hanno Böck <hanno@...eck.de> To: oss-security@...ts.openwall.com Subject: Re: CVE Request : Several Bugs Found on Libflac 1.3.1 and Libtta++-2.2 Hi, On Fri, 13 Feb 2015 21:44:10 +0800 Zhenghao Hu <zhenghaohuu@...il.com> wrote: > Several bugs found in the latest libflac and libtta codec fuzzing > with AFL ( http://lcamtuf.coredump.cx/afl/), working together with > Nie Sen, from K33nTeam. I think I haven't posted this here yet: Also recently fuzzed flac with afl and found something: https://git.xiph.org/?p=flac.git;a=commit;h=43ba7ad05f1656e885ce2f34a9a72494f45705ae https://sourceforge.net/p/flac/bugs/421/ Crashing sample is attached to the bug report. What happens is that flac does an malloc for the number of comments. If that fails due to an insane number of comments it'll fail, but it will still try to access the non-allocated memory. I think the upstream fix is not optimal - it limits the amount of allowed comments. That probably fixes this in most situations, but it still leaves problems, because it doesn't check for malloc failures. cu, -- Hanno Böck http://hboeck.de/ mail/jabber: hanno@...eck.de GPG: BBB51E42 [ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ