Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 21 Sep 2017 06:27:15 +0000
From: 连一汉 <lianyihan@....cn>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: CVE-2017-14160: libvorbis-1.3.5 bark_noise_hybridmp() integer signedness bug

Hi,

I’m a security researcher of Qihoo 360 GearTeam.
My partner Zhibin Hu and I found a vulnerability of libvorbis-1.3.5.
And we have applied for CVE-2017-14160 of this vulnerability.
================== test command ====================

ffmpeg �Ci poc.mp4 �Cy 1.mkv
// libvorbis-1.3.5 has been compiled into ffmpeg static.

================= needed version ====================

I compile it as https://github.com/google/oss-fuzz/blob/master/projects/ffmpeg/build.sh

This is the problem of libvorbis-1.3.5, and I tried libvorbis in ubuntu repo, it could also trigger this vul or bug.

=================== crash info ======================

(gdb) bt
#0  0x0000000001f95afd in bark_noise_hybridmp (n=256, b=0x32cd940, f=0x32e5010, noise=0x32f7ed0, offset=140, fixed=-1) at psy.c:630

#1  0x0000000001f95430 in _vp_noisemask (p=0x32aa820, logmdct=0x32e5010, logmask=0x32f7ed0) at psy.c:705
#2  0x0000000001facac9 in mapping0_forward (vb=0x329cfb0) at mapping0.c:417
#3  0x0000000001f92c9e in vorbis_analysis (vb=0x329cfb0, op=0x0) at analysis.c:46
#4  0x0000000000bc2725 in libvorbis_encode_frame (avctx=0x329ca00, avpkt=0x32ab540, frame=0x32e4400, got_packet_ptr=0x7fffffffdbf4) at libavcodec/libvorbisenc.c:311
#5  0x00000000009e5717 in avcodec_encode_audio2 (avctx=0x329ca00, avpkt=0x32ab540, frame=0x32e4400, got_packet_ptr=0x7fffffffdbf4)at libavcodec/encode.c:198
#6  0x00000000009e62d8 in do_encode (avctx=0x329ca00, frame=0x32e4400, got_packet=0x7fffffffdbf4) at libavcodec/encode.c:375

#7  0x00000000009e6224 in avcodec_send_frame (avctx=0x329ca00, frame=0x32e4400) at libavcodec/encode.c:421
#8  0x0000000000438ef5 in do_audio_out (of=0x3299560, ost=0x329c7a0, frame=0x32e4400) at ffmpeg.c:921
#9  0x0000000000436c5b in reap_filters (flush=0) at ffmpeg.c:1515
#10 0x000000000042dc30 in transcode_step () at ffmpeg.c:4553
#11 0x000000000042bc49 in transcode () at ffmpeg.c:4597
#12 0x000000000042b092 in main (argc=5, argv=0x7fffffffe678) at ffmpeg.c:4803

(gdb) l
625
626         lo = b[i] >> 16;
627         hi = b[i] & 0xffff;
628         if(hi>=n)break;
629
630         tN = N[hi] - N[lo];
631         tX = X[hi] - X[lo];
632         tXX = XX[hi] - XX[lo];
633         tY = Y[hi] - Y[lo];
634         tXY = XY[hi] - XY[lo];
(gdb) p hi
$4 = 0
(gdb) p lo
$5 = 49656                                                                 // !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
(gdb) p i
$6 = 259

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.