[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 13 Feb 2015 21:44:10 +0800
From: Zhenghao Hu <zhenghaohuu@...il.com>
To: oss-security@...ts.openwall.com
Cc: niesen@...ncloudtech.com
Subject: CVE Request : Several Bugs Found on Libflac 1.3.1 and Libtta++-2.2
Several bugs found in the latest libflac and libtta codec fuzzing with AFL (
http://lcamtuf.coredump.cx/afl/), working together with Nie Sen, from
K33nTeam.
The input POC files can be found on
https://sourceforge.net/projects/pocfiles/files/
---------------------------------------------------------------------------------------------------------------------------------------
Libflac 1.3.1 SEGV in libFLAC.so
Run :
./flac -e -f -o ~/out.ogg t1.flac
Codes related :
src/libFLAC/stream_encoder.c line:2143
Function FLAC__stream_encoder_process()
for(channel = 0; channel < channels; channel++)
memcpy(&encoder->private_->integer_signal[channel][encoder->private_->current_sample_number],
&buffer[channel][j], sizeof(buffer[channel][0]) * n);
Reference:
http://xiph.org/flac/
---------------------------------------------------------------------------------------------------------------------------------------
Libflac 1.3.1 Codec Frontend Bug
Run :
./flac -e -f -o ~/out.ogg t2.flac
Code Related :
src/flac/encoder.c line:1878
Function EncoderSession_init_encoder()
else if(e->total_samples_to_encode !=
cs->tracks[cs->num_tracks-1].offset) {
Reference:
http://xiph.org/flac/
---------------------------------------------------------------------------------------------------------------------------------------
Libflac 1.3.1 Stack overflow
In Command-line flac encoder/decoder tool, bytes_to_read is not
properly checked against the size of ucbuffer, which causes a stack
overflow when performing fread in encoding.
Codes related to the crash are in src/flac/encode.c function
flac__encode_file()
const size_t bytes_to_read = (size_t)min(
encoder_session.fmt.iff.data_bytes,
(FLAC__uint64)CHUNK_OF_SAMPLES *
(FLAC__uint64)encoder_session.info.bytes_per_wide_sample
);
bytes_read = fread(ucbuffer.u8, sizeof(unsigned char), bytes_to_read,
infile);
POC:
./flac -e -f -o ~/test.flac ~/libflac_stack.wav
Reference:
http://xiph.org/flac/
---------------------------------------------------------------------------------------------------------------------------------------
Libtta++ 2.2 divide-by-0 error
In TTA consoole frontend tool, speciafically crafted wave_hdr would
result in a divide-by-zero error.
Problematic codes are as follows. In console/tta.cpp, function
compress()
smp_size = (wave_hdr.num_channels * ((wave_hdr.bits_per_sample + 7)
/ 8));
...
...
info.samples = data_size / smp_size;
POC:
./tta -e ~/libtta_float.wav ~/test.tta
Reference:
http://sourceforge.net/projects/tta/
---------------------------------------------------------------------------------------------------------------------------------------
Libtta++ 2.2 tta_encoder class heap overflow
tta_encoder.fnum is not checked in tta_encoder::process_stream, which
causes a heap overflow when trying to write the seek_table indexed by fnum.
Codes related to the crash are in libtta.cpp , encoder::process_stream()
seek_table = (TTAuint64 *) tta_malloc(frames * sizeof(TTAuint64));
seek_table[fnum++] = fifo.count;
POC:
./tta -e ~/heap.wav ~/test.tta
Reference:
http://sourceforge.net/projects/tta/
---------------------------------------------------------------------------------------------------------------------------------------
Thanks!
--
Zhenghao Hu / K33nTeam
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
