#432 Heap buffer overflow in FLAC__bitreader_read_rice_signed_block

1.3.1
closed
Erik
None
5
2015-09-26
2015-08-19
No

There is a read heap buffer overflow in 1.3.1 while loading a specially crafted FLAC file (attached).

==1025523==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62500000e900 at pc 0x00000050341e bp 0x7fffdc3b9670 sp 0x7fffdc3b9668
READ of size 4 at 0x62500000e900 thread T0
    #0 0x50341d in FLAC__bitreader_read_rice_signed_block flac/src/src/libFLAC/bitreader.c:834:8
    #1 0x4fc599 in read_residual_partitioned_rice_ flac/src/src/libFLAC/stream_decoder.c:2765:8
    #2 0x4fb484 in read_subframe_lpc_ flac/src/src/libFLAC/stream_decoder.c:2676:8
    #3 0x4f7b1f in read_subframe_ flac/src/src/libFLAC/stream_decoder.c:2518:7
    #4 0x4e7892 in read_frame_ flac/src/src/libFLAC/stream_decoder.c:2061:7
    #5 0x4e924e in FLAC__stream_decoder_process_until_end_of_stream flac/src/src/libFLAC/stream_decoder.c:1101:9
    #6 0x4dd20b in main flac/src/examples/c/decode/file/main.c:102:8

0x62500000e900 is located 0 bytes to the right of 8192-byte region [0x62500000c900,0x62500000e900)
allocated by thread T0 here:
    #0 0x4c940b in __interceptor_malloc llvm/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40:3
    #1 0x4fcfbb in FLAC__bitreader_init flac/src/src/libFLAC/bitreader.c:239:15
    #2 0x4dff05 in init_stream_internal_ flac/src/src/libFLAC/stream_decoder.c:429:6
    #3 0x4e089b in init_FILE_internal_ flac/src/src/libFLAC/stream_decoder.c:545:9
    #4 0x4e0c7b in init_file_internal_ flac/src/src/libFLAC/stream_decoder.c:614:9
    #5 0x4e0ab4 in FLAC__stream_decoder_init_file flac/src/src/libFLAC/stream_decoder.c:626:9
    #6 0x4dd055 in main flac/src/examples/c/decode/file/main.c:94:16
1 Attachments
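The trace above shows the Rice residual reader fetching a 4-byte word exactly one past the end of the bitreader's 8192-byte buffer. As an added illustration that is not libFLAC code and not the project's actual fix, here is a constructed, simplified Rice decoder (the `BitReader` struct and all function names are hypothetical) whose bit fetch is checked against the input actually present, so a truncated partition yields a short count instead of an out-of-bounds read:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed, simplified bit reader (not libFLAC's). 'len' is the input
 * actually present, and every fetch is checked against it. */
typedef struct { const uint8_t *buf; size_t len; size_t bitpos; } BitReader;

/* Fetch one bit MSB-first; fail instead of reading past the buffer. */
static bool read_bit(BitReader *br, unsigned *bit)
{
    if (br->bitpos >= br->len * 8) return false;
    *bit = (br->buf[br->bitpos >> 3] >> (7 - (br->bitpos & 7))) & 1u;
    br->bitpos++;
    return true;
}

/* One Rice-coded signed value: unary quotient, 'param' remainder bits,
 * then FLAC-style unfolding (even u -> u/2, odd u -> -u/2-1). */
static bool read_rice_signed(BitReader *br, unsigned param, int32_t *out)
{
    uint32_t q = 0, rem = 0, u; unsigned bit;
    for (;;) {
        if (!read_bit(br, &bit)) return false;
        if (bit) break;
        if (++q > 31) return false;  /* reject absurd unary runs */
    }
    for (unsigned i = 0; i < param; i++) {
        if (!read_bit(br, &bit)) return false;
        rem = (rem << 1) | bit;
    }
    u = (q << param) | rem;
    *out = (u & 1u) ? -(int32_t)(u >> 1) - 1 : (int32_t)(u >> 1);
    return true;
}

/* Decode up to nvals values; returns how many were fully decoded. */
size_t read_rice_signed_block(BitReader *br, unsigned param, int32_t *vals, size_t nvals)
{
    size_t n = 0;
    while (n < nvals && read_rice_signed(br, param, &vals[n])) n++;
    return n;
}

/* Constructed sample: {3, -2, 0} with param 2 is the bit string 0110 111 100,
 * packed MSB-first as 0x6F 0x00. Only the first 'len' bytes are exposed. */
size_t demo_decode(size_t len, int32_t vals[4])
{
    static const uint8_t sample[2] = { 0x6F, 0x00 };
    BitReader br = { sample, len > 2 ? 2 : len, 0 };
    return read_rice_signed_block(&br, 2, vals, 4);
}
```

With both sample bytes present the reader recovers three values and stops; with the sample cut to one byte it recovers two, because the third value's remainder bits would lie beyond the buffer.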

Discussion

  • Erik

    Erik - 2015-08-21

    Pretty sure this is already fixed in Git.

    I compiled FLAC (from git) with AddressSanitizer and ran it on the file you provided. The FLAC executable printed some error messages and exited, but there were no ASan error messages.

    Are you willing to try the git version? It's here: https://git.xiph.org/flac.git/

    However, I have run the git version of FLAC under American Fuzzy Lop and everything I found has long since been fixed.

  • Erik

    Erik - 2015-08-21

    Also what command line are you using? In AFL I've been using:

        src/flac/flac -d -f -o /tmp/fuzz.wav @@
    
  • Michele Spagnuolo

    My apologies Erik, it does not reproduce in git HEAD indeed. I was testing last release, 1.3.1. I will test against HEAD next time.

    I am currently fuzzing using example_c_decode_file as a target - it's cool you are using AFL, I am using a distributed fuzzer.

    Thanks,
    Miki

  • Erik

    Erik - 2015-09-26
    • status: open --> closed