Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 16 Feb 2015 11:48:12 +0100
From: Vasyl Kaigorodov <vkaigoro@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request : Several Bugs Found on Libflac 1.3.1
 and Libtta++-2.2

Hello Zhenghao,

Were these issues reported upstream already?
If so - could you please post the corresponding bug tracker urls here
as well?

Thanks.
-- 
Vasyl Kaigorodov | Red Hat Product Security
PGP:  0xABB6E828 A7E0 87FF 5AB5 48EB 47D0 2868 217B F9FC ABB6 E828
On Fri, 13 Feb 2015, Zhenghao Hu wrote:

> Several bugs found in the latest libflac and libtta codec fuzzing with AFL (
> http://lcamtuf.coredump.cx/afl/), working together with Nie Sen, from
> K33nTeam.
> The input POC files can be found on
> https://sourceforge.net/projects/pocfiles/files/
> 
> ---------------------------------------------------------------------------------------------------------------------------------------
> 
> Libflac 1.3.1 SEGV in libFLAC.so
> 
>   Run :
>     ./flac -e -f -o ~/out.ogg t1.flac
> 
>   Codes related :
>     src/libFLAC/stream_encoder.c    line:2143
>     Function FLAC__stream_encoder_process()
> 
>       for(channel = 0; channel < channels; channel++)
> 
> memcpy(&encoder->private_->integer_signal[channel][encoder->private_->current_sample_number],
> &buffer[channel][j], sizeof(buffer[channel][0]) * n);
> 
>     Reference:
>         http://xiph.org/flac/
> 
> ---------------------------------------------------------------------------------------------------------------------------------------
> 
> Libflac 1.3.1 Codec Frontend Bug
> 
>   Run :
>     ./flac -e -f -o ~/out.ogg t2.flac
> 
>   Code Related :
>     src/flac/encoder.c        line:1878
>     Function EncoderSession_init_encoder()
> 
>         else if(e->total_samples_to_encode !=
> cs->tracks[cs->num_tracks-1].offset) {
> 
>   Reference:
>         http://xiph.org/flac/
> 
> ---------------------------------------------------------------------------------------------------------------------------------------
> Libflac 1.3.1 Stack overflow
> 
>     In Command-line flac encoder/decoder tool, bytes_to_read is not
> properly checked against the size of ucbuffer, which causes a stack
> overflow when performing fread in encoding.
> 
>     Codes related to the crash are in src/flac/encode.c function
> flac__encode_file()
> 
>     const size_t bytes_to_read = (size_t)min(
> 
>                   encoder_session.fmt.iff.data_bytes,
> 
> (FLAC__uint64)CHUNK_OF_SAMPLES *
> (FLAC__uint64)encoder_session.info.bytes_per_wide_sample
>                                             );
>     bytes_read = fread(ucbuffer.u8, sizeof(unsigned char), bytes_to_read,
> infile);
> 
>     POC:
>         ./flac -e -f -o ~/test.flac ~/libflac_stack.wav
> 
>     Reference:
>         http://xiph.org/flac/
> 
> ---------------------------------------------------------------------------------------------------------------------------------------
> 
> Libtta++ 2.2 divide-by-0 error
> 
>     In TTA consoole frontend tool, speciafically crafted wave_hdr would
> result in a divide-by-zero error.
> 
>     Problematic codes are as follows. In console/tta.cpp, function
> compress()
> 
>         smp_size = (wave_hdr.num_channels * ((wave_hdr.bits_per_sample + 7)
> / 8));
>         ...
>         ...
>         info.samples = data_size / smp_size;
> 
>     POC:
>         ./tta -e ~/libtta_float.wav ~/test.tta
> 
>     Reference:
>         http://sourceforge.net/projects/tta/
> 
> ---------------------------------------------------------------------------------------------------------------------------------------
> 
> Libtta++ 2.2 tta_encoder class heap overflow
> 
>     tta_encoder.fnum is not checked in tta_encoder::process_stream, which
> causes a heap overflow when trying to write the seek_table indexed by fnum.
> 
>     Codes related to the crash are in libtta.cpp , encoder::process_stream()
> 
>         seek_table = (TTAuint64 *) tta_malloc(frames * sizeof(TTAuint64));
> 
>         seek_table[fnum++] = fifo.count;
> 
>     POC:
>         ./tta -e ~/heap.wav ~/test.tta
> 
>     Reference:
>         http://sourceforge.net/projects/tta/
> 
> ---------------------------------------------------------------------------------------------------------------------------------------
> 
> Thanks!
> --
> Zhenghao Hu / K33nTeam

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ