#9 libtta++ 2.2 bugs

Milestone: v1.0_(example)
Status: closed
Owner: nobody
Labels: None
Priority: 5
Updated: 2015-02-24
Created: 2015-02-16
Creator: Zhenghao Hu
Private: No

Hi,
I've recently been fuzzing with AFL (http://lcamtuf.coredump.cx/afl/) and got a few crashes.

I posted it a few days ago on oss-security mailing list. Hope this didn't cause you any trouble.

The input POC files can be found on https://sourceforge.net/projects/pocfiles/files/


Libtta++ 2.2 divide-by-0 error

In the TTA console frontend tool, a specially crafted wave_hdr results in a divide-by-zero error.

The problematic code is as follows. In console/tta.cpp, function compress():

    /* smp_size becomes 0 when the header carries num_channels == 0 or bits_per_sample == 0 */
    smp_size = (wave_hdr.num_channels * ((wave_hdr.bits_per_sample + 7) / 8));
    ...
    ...
    /* no check on smp_size before the division: divide-by-zero */
    info.samples = data_size / smp_size;

POC:
    ./tta -e ~/libtta_float.wav ~/test.tta

Libtta++ 2.2 tta_encoder class heap overflow

tta_encoder.fnum is not checked in tta_encoder::process_stream, which causes a heap overflow when trying to write the seek_table indexed by fnum.

Code related to the crash is in libtta.cpp, encoder::process_stream():

    /* seek_table holds exactly `frames` entries */
    seek_table = (TTAuint64 *) tta_malloc(frames * sizeof(TTAuint64));

    /* fnum is never compared against frames: out-of-bounds heap write */
    seek_table[fnum++] = fifo.count;

POC:
    ./tta -e ~/heap.wav ~/test.tta
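The two defects above, a divide-by-zero from an unvalidated WAV header and an unchecked seek-table index, are shown here in hardened form as an added example; this is not libtta's code, and `wave_hdr_t`, `checked_sample_count`, `seek_state_t`, `seek_table_put` and `seek_table_fill` are constructed names for illustration.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed stand-in for the WAV header fields named in the report. */
typedef struct {
    uint16_t num_channels;
    uint16_t bits_per_sample;
} wave_hdr_t;

/* Hardened form of the smp_size / info.samples computation: a header whose
 * channel count or bit depth is zero makes smp_size zero, so it is rejected
 * (return 0) before the division instead of crashing on it. */
int checked_sample_count(const wave_hdr_t *hdr, uint32_t data_size,
                         uint32_t *samples_out)
{
    uint32_t smp_size = hdr->num_channels * ((hdr->bits_per_sample + 7u) / 8u);
    if (hdr->num_channels == 0 || hdr->bits_per_sample == 0 || smp_size == 0)
        return 0;                       /* corrupted header: would divide by zero */
    *samples_out = data_size / smp_size;
    return 1;
}

/* Seek-table writer with the bounds check the report says is missing:
 * fnum must stay below the number of entries that were allocated. */
typedef struct {
    uint64_t *seek_table;
    uint32_t  frames;   /* entries allocated */
    uint32_t  fnum;     /* next index to write */
} seek_state_t;

int seek_table_put(seek_state_t *st, uint64_t count)
{
    if (st->fnum >= st->frames)
        return 0;                       /* would write past the allocation */
    st->seek_table[st->fnum++] = count;
    return 1;
}

/* Allocates a table of `frames` entries, attempts `writes` appends and
 * returns how many were accepted; the excess is refused, not written. */
uint32_t seek_table_fill(uint32_t frames, uint32_t writes)
{
    seek_state_t st = { calloc(frames, sizeof(uint64_t)), frames, 0 };
    uint32_t accepted = 0;
    if (!st.seek_table) return 0;
    for (uint32_t i = 0; i < writes; i++)
        accepted += (uint32_t)seek_table_put(&st, (uint64_t)i * 10);
    free(st.seek_table);
    return accepted;
}
```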

Discussion

  • Aleksander Djuric

    Hi, thanks for your report.
    fixed: divide-by-0 corrupted WAV header error
    fixed: bug that can cause a heap overflow error (unaligned memory allocation in tta console application)
    Please use libtta version 2.3.

  • Aleksander Djuric

    • status: open --> closed
