Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 17 Feb 2015 00:57:06 +0800
From: Zhenghao Hu <zhenghaohuu@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request : Several Bugs Found on Libflac 1.3.1
 and Libtta++-2.2

Almost Forgot.. Thanks for reminding.

https://sourceforge.net/p/flac/bugs/425/
https://sourceforge.net/p/tta/bugs/9/

On Mon, Feb 16, 2015 at 6:48 PM, Vasyl Kaigorodov <vkaigoro@...hat.com>
wrote:

> Hello Zhenghao,
>
> Were these issues reported upstream already?
> If so - could you please post the corresponding bug tracker urls here
> as well?
>
> Thanks.
> --
> Vasyl Kaigorodov | Red Hat Product Security
> PGP:  0xABB6E828 A7E0 87FF 5AB5 48EB 47D0 2868 217B F9FC ABB6 E828
> On Fri, 13 Feb 2015, Zhenghao Hu wrote:
>
> > Several bugs found in the latest libflac and libtta codec fuzzing with
> AFL (
> > http://lcamtuf.coredump.cx/afl/), working together with Nie Sen, from
> > K33nTeam.
> > The input POC files can be found on
> > https://sourceforge.net/projects/pocfiles/files/
> >
> >
> ---------------------------------------------------------------------------------------------------------------------------------------
> >
> > Libflac 1.3.1 SEGV in libFLAC.so
> >
> >   Run :
> >     ./flac -e -f -o ~/out.ogg t1.flac
> >
> >   Codes related :
> >     src/libFLAC/stream_encoder.c    line:2143
> >     Function FLAC__stream_encoder_process()
> >
> >       for(channel = 0; channel < channels; channel++)
> >
> >
> memcpy(&encoder->private_->integer_signal[channel][encoder->private_->current_sample_number],
> > &buffer[channel][j], sizeof(buffer[channel][0]) * n);
> >
> >     Reference:
> >         http://xiph.org/flac/
> >
> >
> ---------------------------------------------------------------------------------------------------------------------------------------
> >
> > Libflac 1.3.1 Codec Frontend Bug
> >
> >   Run :
> >     ./flac -e -f -o ~/out.ogg t2.flac
> >
> >   Code Related :
> >     src/flac/encoder.c        line:1878
> >     Function EncoderSession_init_encoder()
> >
> >         else if(e->total_samples_to_encode !=
> > cs->tracks[cs->num_tracks-1].offset) {
> >
> >   Reference:
> >         http://xiph.org/flac/
> >
> >
> ---------------------------------------------------------------------------------------------------------------------------------------
> > Libflac 1.3.1 Stack overflow
> >
> >     In Command-line flac encoder/decoder tool, bytes_to_read is not
> > properly checked against the size of ucbuffer, which causes a stack
> > overflow when performing fread in encoding.
> >
> >     Codes related to the crash are in src/flac/encode.c function
> > flac__encode_file()
> >
> >     const size_t bytes_to_read = (size_t)min(
> >
> >                   encoder_session.fmt.iff.data_bytes,
> >
> > (FLAC__uint64)CHUNK_OF_SAMPLES *
> > (FLAC__uint64)encoder_session.info.bytes_per_wide_sample
> >                                             );
> >     bytes_read = fread(ucbuffer.u8, sizeof(unsigned char), bytes_to_read,
> > infile);
> >
> >     POC:
> >         ./flac -e -f -o ~/test.flac ~/libflac_stack.wav
> >
> >     Reference:
> >         http://xiph.org/flac/
> >
> >
> ---------------------------------------------------------------------------------------------------------------------------------------
> >
> > Libtta++ 2.2 divide-by-0 error
> >
> >     In TTA consoole frontend tool, speciafically crafted wave_hdr would
> > result in a divide-by-zero error.
> >
> >     Problematic codes are as follows. In console/tta.cpp, function
> > compress()
> >
> >         smp_size = (wave_hdr.num_channels * ((wave_hdr.bits_per_sample +
> 7)
> > / 8));
> >         ...
> >         ...
> >         info.samples = data_size / smp_size;
> >
> >     POC:
> >         ./tta -e ~/libtta_float.wav ~/test.tta
> >
> >     Reference:
> >         http://sourceforge.net/projects/tta/
> >
> >
> ---------------------------------------------------------------------------------------------------------------------------------------
> >
> > Libtta++ 2.2 tta_encoder class heap overflow
> >
> >     tta_encoder.fnum is not checked in tta_encoder::process_stream, which
> > causes a heap overflow when trying to write the seek_table indexed by
> fnum.
> >
> >     Codes related to the crash are in libtta.cpp ,
> encoder::process_stream()
> >
> >         seek_table = (TTAuint64 *) tta_malloc(frames *
> sizeof(TTAuint64));
> >
> >         seek_table[fnum++] = fifo.count;
> >
> >     POC:
> >         ./tta -e ~/heap.wav ~/test.tta
> >
> >     Reference:
> >         http://sourceforge.net/projects/tta/
> >
> >
> ---------------------------------------------------------------------------------------------------------------------------------------
> >
> > Thanks!
> > --
> > Zhenghao Hu / K33nTeam
>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.