![]() |
|
Date: Mon, 16 Feb 2015 11:48:12 +0100
From: Vasyl Kaigorodov <vkaigoro@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request : Several Bugs Found on Libflac 1.3.1
and Libtta++-2.2
Hello Zhenghao,
Were these issues reported upstream already?
If so - could you please post the corresponding bug tracker urls here
as well?
Thanks.
--
Vasyl Kaigorodov | Red Hat Product Security
PGP: 0xABB6E828 A7E0 87FF 5AB5 48EB 47D0 2868 217B F9FC ABB6 E828
On Fri, 13 Feb 2015, Zhenghao Hu wrote:
> Several bugs found in the latest libflac and libtta codec fuzzing with AFL (
> http://lcamtuf.coredump.cx/afl/), working together with Nie Sen, from
> K33nTeam.
> The input POC files can be found on
> https://sourceforge.net/projects/pocfiles/files/
>
> ---------------------------------------------------------------------------------------------------------------------------------------
>
> Libflac 1.3.1 SEGV in libFLAC.so
>
> Run :
> ./flac -e -f -o ~/out.ogg t1.flac
>
> Codes related :
> src/libFLAC/stream_encoder.c line:2143
> Function FLAC__stream_encoder_process()
>
> for(channel = 0; channel < channels; channel++)
>
> memcpy(&encoder->private_->integer_signal[channel][encoder->private_->current_sample_number],
> &buffer[channel][j], sizeof(buffer[channel][0]) * n);
>
> Reference:
> http://xiph.org/flac/
>
> ---------------------------------------------------------------------------------------------------------------------------------------
>
> Libflac 1.3.1 Codec Frontend Bug
>
> Run :
> ./flac -e -f -o ~/out.ogg t2.flac
>
> Code Related :
> src/flac/encoder.c line:1878
> Function EncoderSession_init_encoder()
>
> else if(e->total_samples_to_encode !=
> cs->tracks[cs->num_tracks-1].offset) {
>
> Reference:
> http://xiph.org/flac/
>
> ---------------------------------------------------------------------------------------------------------------------------------------
> Libflac 1.3.1 Stack overflow
>
> In Command-line flac encoder/decoder tool, bytes_to_read is not
> properly checked against the size of ucbuffer, which causes a stack
> overflow when performing fread in encoding.
>
> Codes related to the crash are in src/flac/encode.c function
> flac__encode_file()
>
> const size_t bytes_to_read = (size_t)min(
>
> encoder_session.fmt.iff.data_bytes,
>
> (FLAC__uint64)CHUNK_OF_SAMPLES *
> (FLAC__uint64)encoder_session.info.bytes_per_wide_sample
> );
> bytes_read = fread(ucbuffer.u8, sizeof(unsigned char), bytes_to_read,
> infile);
>
> POC:
> ./flac -e -f -o ~/test.flac ~/libflac_stack.wav
>
> Reference:
> http://xiph.org/flac/
>
> ---------------------------------------------------------------------------------------------------------------------------------------
>
> Libtta++ 2.2 divide-by-0 error
>
> In TTA consoole frontend tool, speciafically crafted wave_hdr would
> result in a divide-by-zero error.
>
> Problematic codes are as follows. In console/tta.cpp, function
> compress()
>
> smp_size = (wave_hdr.num_channels * ((wave_hdr.bits_per_sample + 7)
> / 8));
> ...
> ...
> info.samples = data_size / smp_size;
>
> POC:
> ./tta -e ~/libtta_float.wav ~/test.tta
>
> Reference:
> http://sourceforge.net/projects/tta/
>
> ---------------------------------------------------------------------------------------------------------------------------------------
>
> Libtta++ 2.2 tta_encoder class heap overflow
>
> tta_encoder.fnum is not checked in tta_encoder::process_stream, which
> causes a heap overflow when trying to write the seek_table indexed by fnum.
>
> Codes related to the crash are in libtta.cpp , encoder::process_stream()
>
> seek_table = (TTAuint64 *) tta_malloc(frames * sizeof(TTAuint64));
>
> seek_table[fnum++] = fifo.count;
>
> POC:
> ./tta -e ~/heap.wav ~/test.tta
>
> Reference:
> http://sourceforge.net/projects/tta/
>
> ---------------------------------------------------------------------------------------------------------------------------------------
>
> Thanks!
> --
> Zhenghao Hu / K33nTeam
Content of type "application/pgp-signature" skipped
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.