Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 17 Feb 2015 00:57:06 +0800
From: Zhenghao Hu <zhenghaohuu@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request : Several Bugs Found on Libflac 1.3.1
 and Libtta++-2.2

Almost Forgot.. Thanks for reminding.

https://sourceforge.net/p/flac/bugs/425/
https://sourceforge.net/p/tta/bugs/9/

On Mon, Feb 16, 2015 at 6:48 PM, Vasyl Kaigorodov <vkaigoro@...hat.com>
wrote:

> Hello Zhenghao,
>
> Were these issues reported upstream already?
> If so - could you please post the corresponding bug tracker urls here
> as well?
>
> Thanks.
> --
> Vasyl Kaigorodov | Red Hat Product Security
> PGP:  0xABB6E828 A7E0 87FF 5AB5 48EB 47D0 2868 217B F9FC ABB6 E828
> On Fri, 13 Feb 2015, Zhenghao Hu wrote:
>
> > Several bugs found in the latest libflac and libtta codec fuzzing with
> AFL (
> > http://lcamtuf.coredump.cx/afl/), working together with Nie Sen, from
> > K33nTeam.
> > The input POC files can be found on
> > https://sourceforge.net/projects/pocfiles/files/
> >
> >
> ---------------------------------------------------------------------------------------------------------------------------------------
> >
> > Libflac 1.3.1 SEGV in libFLAC.so
> >
> >   Run :
> >     ./flac -e -f -o ~/out.ogg t1.flac
> >
> >   Codes related :
> >     src/libFLAC/stream_encoder.c    line:2143
> >     Function FLAC__stream_encoder_process()
> >
> >       for(channel = 0; channel < channels; channel++)
> >
> >
> memcpy(&encoder->private_->integer_signal[channel][encoder->private_->current_sample_number],
> > &buffer[channel][j], sizeof(buffer[channel][0]) * n);
> >
> >     Reference:
> >         http://xiph.org/flac/
> >
> >
> ---------------------------------------------------------------------------------------------------------------------------------------
> >
> > Libflac 1.3.1 Codec Frontend Bug
> >
> >   Run :
> >     ./flac -e -f -o ~/out.ogg t2.flac
> >
> >   Code Related :
> >     src/flac/encoder.c        line:1878
> >     Function EncoderSession_init_encoder()
> >
> >         else if(e->total_samples_to_encode !=
> > cs->tracks[cs->num_tracks-1].offset) {
> >
> >   Reference:
> >         http://xiph.org/flac/
> >
> >
> ---------------------------------------------------------------------------------------------------------------------------------------
> > Libflac 1.3.1 Stack overflow
> >
> >     In Command-line flac encoder/decoder tool, bytes_to_read is not
> > properly checked against the size of ucbuffer, which causes a stack
> > overflow when performing fread in encoding.
> >
> >     Codes related to the crash are in src/flac/encode.c function
> > flac__encode_file()
> >
> >     const size_t bytes_to_read = (size_t)min(
> >
> >                   encoder_session.fmt.iff.data_bytes,
> >
> > (FLAC__uint64)CHUNK_OF_SAMPLES *
> > (FLAC__uint64)encoder_session.info.bytes_per_wide_sample
> >                                             );
> >     bytes_read = fread(ucbuffer.u8, sizeof(unsigned char), bytes_to_read,
> > infile);
> >
> >     POC:
> >         ./flac -e -f -o ~/test.flac ~/libflac_stack.wav
> >
> >     Reference:
> >         http://xiph.org/flac/
> >
> >
> ---------------------------------------------------------------------------------------------------------------------------------------
> >
> > Libtta++ 2.2 divide-by-0 error
> >
> >     In TTA consoole frontend tool, speciafically crafted wave_hdr would
> > result in a divide-by-zero error.
> >
> >     Problematic codes are as follows. In console/tta.cpp, function
> > compress()
> >
> >         smp_size = (wave_hdr.num_channels * ((wave_hdr.bits_per_sample +
> 7)
> > / 8));
> >         ...
> >         ...
> >         info.samples = data_size / smp_size;
> >
> >     POC:
> >         ./tta -e ~/libtta_float.wav ~/test.tta
> >
> >     Reference:
> >         http://sourceforge.net/projects/tta/
> >
> >
> ---------------------------------------------------------------------------------------------------------------------------------------
> >
> > Libtta++ 2.2 tta_encoder class heap overflow
> >
> >     tta_encoder.fnum is not checked in tta_encoder::process_stream, which
> > causes a heap overflow when trying to write the seek_table indexed by
> fnum.
> >
> >     Codes related to the crash are in libtta.cpp ,
> encoder::process_stream()
> >
> >         seek_table = (TTAuint64 *) tta_malloc(frames *
> sizeof(TTAuint64));
> >
> >         seek_table[fnum++] = fifo.count;
> >
> >     POC:
> >         ./tta -e ~/heap.wav ~/test.tta
> >
> >     Reference:
> >         http://sourceforge.net/projects/tta/
> >
> >
> ---------------------------------------------------------------------------------------------------------------------------------------
> >
> > Thanks!
> > --
> > Zhenghao Hu / K33nTeam
>

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ