
#418 SIGSEGV while loading crafted FLAC

Milestone: 1.3.x
Status: closed-fixed
Owner: nobody
Labels: None
Priority: 5
Updated: 2014-11-20
Created: 2014-11-18
Private: No

There is a memory violation while loading crafted FLAC files in the example decode C program:

Program received signal SIGSEGV, Segmentation fault.
write_callback (decoder=<optimized out>, frame=0x69aa20, buffer=0x69a548, client_data=0x69a010) at main.c:154
154             !write_little_endian_int16(f, (FLAC__int16)buffer[1][i])     /* right channel */
(gdb) bt
#0  write_callback (decoder=<optimized out>, frame=0x69aa20, buffer=0x69a548, client_data=0x69a010) at main.c:154
#1  0x0000000000412b38 in write_audio_frame_to_client_ (buffer=0x69a548, frame=0x69aa20, decoder=0x69a250) at stream_decoder.c:2967
#2  read_frame_ (decoder=0x69a250, got_a_frame=<optimized out>, do_full_decode=<optimized out>) at stream_decoder.c:2142
#3  0x00000000004231ba in FLAC__stream_decoder_process_until_end_of_stream (decoder=0x69a250) at stream_decoder.c:1101
#4  0x00000000004017d8 in main (argc=<optimized out>, argv=0x7fffffffe2b8) at main.c:101
#5  0x00007ffff7526ec5 in __libc_start_main (main=0x4014c0 <main>, argc=3, argv=0x7fffffffe2b8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, 
    stack_end=0x7fffffffe2a8) at libc-start.c:287
#6  0x0000000000401d2e in _start ()

FLAC file is attached.

Thanks! :)

Michele Spagnuolo, Google Security Team


Discussion

  • Erik - 2014-11-20

    It seems this problem is restricted to the example decoder program and is not a problem in libFLAC. Is that correct?

     
  • Erik - 2014-11-20
    • status: open --> closed-fixed
     
  • Erik - 2014-11-20

    Fixed in:

    commit 61fba03236812ed4b384a917082405fc153448de
    Author: Erik de Castro Lopo <erikd@mega-nerd.com>
    Date:   Thu Nov 20 21:19:36 2014 +1100
    
    examples/c/decode/file/main.c : Add extra error handling.
    
    Michele Spagnuolo provided a file that initially had frames with two
    channels but then had a frame with a single channel. This example
    program only supports exactly two channels and previously had
    insufficient validation.
    
    Closes: https://sourceforge.net/p/flac/bugs/418/
    Reported-by: Michele Spagnuolo,
                 Google Security Team <mikispag@google.com>
    
     
  • Michele Spagnuolo

    Correct. Thanks a lot!
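As an added illustration of the fix described in the commit message above (this is not the ticket's or the FLAC project's own code): a hardened version of the example's write_callback that rejects any frame that is not 16-bit stereo before buffer[1] is ever dereferenced. The FLAC__Frame, FLAC__int32 and write-status names are minimal local stand-ins for the libFLAC types so the program builds without the library, and sink_t stands in for the example's WAV FILE handle.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
/* Minimal local stand-ins for the libFLAC types the callback touches. */
typedef int32_t FLAC__int32;
typedef int16_t FLAC__int16;
typedef struct {
    struct { unsigned blocksize, channels, bits_per_sample; } header;
} FLAC__Frame;
typedef enum {
    FLAC__STREAM_DECODER_WRITE_STATUS_CONTINUE = 0,
    FLAC__STREAM_DECODER_WRITE_STATUS_ABORT = 1
} FLAC__StreamDecoderWriteStatus;
/* Growable byte buffer standing in for the example's WAV output FILE *f. */
typedef struct { unsigned char *data; size_t len, cap; } sink_t;

static int write_little_endian_int16(sink_t *s, FLAC__int16 x)
{
    if (s->len + 2 > s->cap) {
        size_t ncap = s->cap ? s->cap * 2 : 64;
        unsigned char *p = realloc(s->data, ncap);
        if (!p) return 0;
        s->data = p; s->cap = ncap;
    }
    s->data[s->len++] = (unsigned char)(x & 0xff);
    s->data[s->len++] = (unsigned char)((x >> 8) & 0xff);
    return 1;
}

/* Hardened write callback: the example writer assumes 16-bit stereo, so the
 * frame header and both channel pointers are checked before buffer[1] is
 * dereferenced (a later frame with one channel is what crashed main.c:154). */
FLAC__StreamDecoderWriteStatus write_callback(const FLAC__Frame *frame,
        const FLAC__int32 *const buffer[], void *client_data)
{
    sink_t *f = client_data;
    if (frame->header.channels != 2 || frame->header.bits_per_sample != 16) {
        fprintf(stderr, "ERROR: frame is %u ch / %u bps, expected 2 / 16\n",
                frame->header.channels, frame->header.bits_per_sample);
        return FLAC__STREAM_DECODER_WRITE_STATUS_ABORT;
    }
    if (buffer[0] == NULL || buffer[1] == NULL)
        return FLAC__STREAM_DECODER_WRITE_STATUS_ABORT;
    for (unsigned i = 0; i < frame->header.blocksize; i++) {
        if (!write_little_endian_int16(f, (FLAC__int16)buffer[0][i]) ||  /* left  */
            !write_little_endian_int16(f, (FLAC__int16)buffer[1][i]))    /* right */
            return FLAC__STREAM_DECODER_WRITE_STATUS_ABORT;
    }
    return FLAC__STREAM_DECODER_WRITE_STATUS_CONTINUE;
}
```

Returning ABORT makes FLAC__stream_decoder_process_until_end_of_stream stop and report the failure instead of the decoder walking into an invalid channel buffer.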

     
