Date: Mon, 10 Apr 2017 07:19:35 +0000
From: "Agostino Sarubbo" <ago@...too.org>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: libaacplus: signed integer overflow, left shift and assertion failure

Description:
libaacplus is a HE-AAC+ v2 library, based on the reference implementation.

While fuzzing it I found some crashes. Upstream was poked on 2017-03-12, but there was no response from him.

# aacplusenc $FILE out.aac 24000 s
au_channel.h:31:91: runtime error: signed integer overflow: 2147483647 + 8 cannot be represented in type 'int'
Affected version:
2.0.2
Fixed version:
N/A
Commit fix:
N/A
Reproducer:
https://github.com/asarubbo/poc/blob/master/00254-libaacplus-signedintoverflow
CVE:
CVE-2017-7603

##############################################

# aacplusenc $FILE out.aac 24000 s
au_channel.h:31:83: runtime error: left shift of 241 by 24 places cannot be represented in type 'int'
Affected version:
2.0.2
Fixed version:
N/A
Commit fix:
N/A
Reproducer:
https://github.com/asarubbo/poc/blob/master/00255-libaacplus-leftshift
CVE:
CVE-2017-7604

##############################################

# aacplusenc $FILE out.aac 24000 s
aacplusenc: aacplusenc.c:67: aacplusEncHandle aacplusEncOpen(unsigned long, unsigned int, unsigned long *, unsigned long *): Assertion `numChannels <= MAX_CHANNELS' failed.
Affected version:
2.0.2
Fixed version:
N/A
Commit fix:
N/A
Reproducer:
https://github.com/asarubbo/poc/blob/master/00256-libaacplus-assertion-failure
CVE:
CVE-2017-7605

##############################################

Credit:
These bugs were discovered by Agostino Sarubbo of Gentoo.

Timeline:
2017-03-12: bugs discovered and upstream poked about them
2017-04-01: blog post about the issue
2017-04-09: CVE assigned

Note:
These bugs were found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/04/01/libaacplus-signed-integer-overflow-left-shift-and-assertion-failure

--
Agostino Sarubbo
Gentoo Linux Developer
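The three reports above are one input-handling problem seen from three angles: a big-endian field read done in signed int (the "left shift of 241 by 24 places"), header-derived values added in int without a bound check ("2147483647 + 8"), and a channel count that is only checked by an assert() in the encoder rather than by the parser. The following C is an added example, not code from libaacplus or from the linked poc repository; it shows how a Sun AU header parser avoids all three. The AU field layout (".snd" magic, then data offset, data size, encoding, sample rate and channels as big-endian 32-bit fields) is the public format; the value of MAX_CHANNELS, the function names, the return codes and the sample headers are assumptions made for this example, and nothing here claims to reproduce line 31 of au_channel.h.

```c
/*
 * Added example (not libaacplus code): a hardened Sun AU header parser.
 * MAX_CHANNELS, the function names and the sample headers are assumptions.
 */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CHANNELS  2    /* assumed encoder limit, mirroring the failed assertion */
#define AU_HEADER_MIN 24   /* six big-endian 32-bit fields */

struct au_header {
    uint32_t data_offset, data_size, encoding, sample_rate, channels;
};

/* Big-endian 32-bit read in unsigned arithmetic.  The same expression on int,
 * (b[0] << 24) | ..., is undefined as soon as b[0] >= 0x80: that is what the
 * "left shift of 241 by 24 places" report is about. */
uint32_t be32(const uint8_t *b)
{
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16)
         | ((uint32_t)b[2] << 8)  |  (uint32_t)b[3];
}

/* Overflow-checked int addition for values derived from the file.  Returns
 * nonzero (and stores nothing) when a + b does not fit, instead of letting
 * "2147483647 + 8" wrap; the caller must then reject the input. */
int checked_add(int a, int b, int *out)
{
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b))
        return -1;
    *out = a + b;
    return 0;
}

/* Parses the AU header in buf[0..len).  Returns 0 on success or a negative
 * code naming the rejected field, so the encoder is never opened with a
 * channel count that would trip (or, with -DNDEBUG, silently pass) its assert. */
int au_parse_header(const uint8_t *buf, size_t len, struct au_header *h)
{
    if (len < AU_HEADER_MIN)         return -1;   /* truncated header */
    if (memcmp(buf, ".snd", 4) != 0) return -2;   /* bad magic */
    h->data_offset = be32(buf + 4);
    h->data_size   = be32(buf + 8);
    h->encoding    = be32(buf + 12);
    h->sample_rate = be32(buf + 16);
    h->channels    = be32(buf + 20);

    /* File-controlled offsets are compared against len, never added to it. */
    if (h->data_offset < AU_HEADER_MIN || h->data_offset > len) return -3;
    /* 0xffffffff means "unknown length" in AU; any other size must fit. */
    if (h->data_size != 0xffffffffu && h->data_size > len - h->data_offset) return -4;
    /* Validate the channel count here, in the parser, not in an assert(). */
    if (h->channels == 0 || h->channels > MAX_CHANNELS) return -5;
    return 0;
}

/* Constructed inputs (not the poc files linked above). */
static const uint8_t AU_GOOD[AU_HEADER_MIN] = {
    '.','s','n','d',  0,0,0,24,  0,0,0,0,  0,0,0,3,  0,0,0xAC,0x44,  0,0,0,2 };
static const uint8_t AU_BAD_CHANNELS[AU_HEADER_MIN] = {
    '.','s','n','d',  0,0,0,24,  0,0,0,0,  0,0,0,3,  0,0,0xAC,0x44,  0,0,0,7 };
static const uint8_t AU_BAD_OFFSET[AU_HEADER_MIN] = {   /* first offset byte 0xF1 = 241 */
    '.','s','n','d',  0xF1,0,0,0,  0,0,0,0,  0,0,0,3,  0,0,0xAC,0x44,  0,0,0,1 };

int main(void)
{
    struct au_header h;
    int sum;
    printf("good header:   %d\n", au_parse_header(AU_GOOD, sizeof AU_GOOD, &h));
    printf("7 channels:    %d\n", au_parse_header(AU_BAD_CHANNELS, sizeof AU_BAD_CHANNELS, &h));
    printf("offset 0xF1..: %d\n", au_parse_header(AU_BAD_OFFSET, sizeof AU_BAD_OFFSET, &h));
    printf("INT_MAX + 8:   %s\n", checked_add(INT_MAX, 8, &sum) ? "rejected" : "ok");
    return 0;
}
```

Build it with `-fsanitize=undefined` as the fuzzing run above did: the unsigned be32() stays silent on the 0xF1 byte, and the malformed headers are rejected with a return code before any arithmetic or encoder assertion can run.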

