Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 13 Feb 2015 21:44:10 +0800
From: Zhenghao Hu <zhenghaohuu@...il.com>
To: oss-security@...ts.openwall.com
Cc: niesen@...ncloudtech.com
Subject: CVE Request : Several Bugs Found on Libflac 1.3.1 and Libtta++-2.2

Several bugs found in the latest libflac and libtta codec fuzzing with AFL (
http://lcamtuf.coredump.cx/afl/), working together with Nie Sen, from
K33nTeam.
The input POC files can be found on
https://sourceforge.net/projects/pocfiles/files/

---------------------------------------------------------------------------------------------------------------------------------------

Libflac 1.3.1 SEGV in libFLAC.so

  Run :
    ./flac -e -f -o ~/out.ogg t1.flac

  Codes related :
    src/libFLAC/stream_encoder.c    line:2143
    Function FLAC__stream_encoder_process()

      for(channel = 0; channel < channels; channel++)

memcpy(&encoder->private_->integer_signal[channel][encoder->private_->current_sample_number],
&buffer[channel][j], sizeof(buffer[channel][0]) * n);

    Reference:
        http://xiph.org/flac/

---------------------------------------------------------------------------------------------------------------------------------------

Libflac 1.3.1 Codec Frontend Bug

  Run :
    ./flac -e -f -o ~/out.ogg t2.flac

  Code Related :
    src/flac/encoder.c        line:1878
    Function EncoderSession_init_encoder()

        else if(e->total_samples_to_encode !=
cs->tracks[cs->num_tracks-1].offset) {

  Reference:
        http://xiph.org/flac/

---------------------------------------------------------------------------------------------------------------------------------------
Libflac 1.3.1 Stack overflow

    In Command-line flac encoder/decoder tool, bytes_to_read is not
properly checked against the size of ucbuffer, which causes a stack
overflow when performing fread in encoding.

    Codes related to the crash are in src/flac/encode.c function
flac__encode_file()

    const size_t bytes_to_read = (size_t)min(

                  encoder_session.fmt.iff.data_bytes,

(FLAC__uint64)CHUNK_OF_SAMPLES *
(FLAC__uint64)encoder_session.info.bytes_per_wide_sample
                                            );
    bytes_read = fread(ucbuffer.u8, sizeof(unsigned char), bytes_to_read,
infile);

    POC:
        ./flac -e -f -o ~/test.flac ~/libflac_stack.wav

    Reference:
        http://xiph.org/flac/

---------------------------------------------------------------------------------------------------------------------------------------

Libtta++ 2.2 divide-by-0 error

    In TTA consoole frontend tool, speciafically crafted wave_hdr would
result in a divide-by-zero error.

    Problematic codes are as follows. In console/tta.cpp, function
compress()

        smp_size = (wave_hdr.num_channels * ((wave_hdr.bits_per_sample + 7)
/ 8));
        ...
        ...
        info.samples = data_size / smp_size;

    POC:
        ./tta -e ~/libtta_float.wav ~/test.tta

    Reference:
        http://sourceforge.net/projects/tta/

---------------------------------------------------------------------------------------------------------------------------------------

Libtta++ 2.2 tta_encoder class heap overflow

    tta_encoder.fnum is not checked in tta_encoder::process_stream, which
causes a heap overflow when trying to write the seek_table indexed by fnum.

    Codes related to the crash are in libtta.cpp , encoder::process_stream()

        seek_table = (TTAuint64 *) tta_malloc(frames * sizeof(TTAuint64));

        seek_table[fnum++] = fifo.count;

    POC:
        ./tta -e ~/heap.wav ~/test.tta

    Reference:
        http://sourceforge.net/projects/tta/

---------------------------------------------------------------------------------------------------------------------------------------

Thanks!
--
Zhenghao Hu / K33nTeam

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.