A Stack-based Buffer Overflow vulnerability is triggered by supplying a malformed input mp3 file for resampling. Crash output:
~/$ ./lame -f -V 9 crashes/n\:000048 /dev/null
=================================================================
==7814==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc7977b540 at pc 0x000000510e7a bp 0x7ffc797790d0 sp 0x7ffc797790c8
WRITE of size 4 at 0x7ffc7977b540 thread T0
#0 0x510e79 (/home/kirit/ver/an+0x510e79)
#1 0x51030a (/home/kirit/ver/an+0x51030a)
#2 0x506856 (/home/kirit/ver/an+0x506856)
#3 0x504c30 (/home/kirit/ver/an+0x504c30)
#4 0x5076d9 (/home/kirit/ver/an+0x5076d9)
#5 0x7f55bb5a93f0 (/lib/x86_64-linux-gnu/libc.so.6+0x203f0)
#6 0x41c859 (/home/kirit/ver/an+0x41c859)
Address 0x7ffc7977b540 is located in stack of thread T0 at offset 9312 in frame
#0 0x51082f (/home/kirit/ver/an+0x51082f)
This frame has 2 object(s):
[32, 9248) 'insamp' <== Memory access at offset 9312 overflows this variable
[9504, 14112) 'buf_tmp16'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/kirit/ver/an+0x510e79)
Shadow bytes around the buggy address:
0x10000f2e7650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10000f2e7660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10000f2e7670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10000f2e7680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10000f2e7690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10000f2e76a0: f2 f2 f2 f2 f2 f2 f2 f2[f2]f2 f2 f2 f2 f2 f2 f2
0x10000f2e76b0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
0x10000f2e76c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10000f2e76d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10000f2e76e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10000f2e76f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==7814==ABORTING
Running the application hooked with GDB gives the following output:
LAME 3.99.5 64bits (http://lame.sf.net) Resampling: input 0.1 kHz output 8 kHz Using polyphase lowpass filter, transition band: 32 Hz - 129 Hz Encoding crashes/n:000048 to /dev/null Encoding as 8 kHz j-stereo MPEG-2.5 Layer III VBR(q=9) Error reading input file *** stack smashing detected ***: /home/intel/ver/van terminated Program received signal SIGABRT, Aborted.
This is already fixed in CVS.
Thanks Robert. Is there a CVE associated with this already for <3.99.5?
==32054==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd89741920 at pc 0x00000051e1f6 bp 0x7ffd8973f030 sp 0x7ffd8973f028 WRITE of size 4 at 0x7ffd89741920 thread T0 #0 0x51e1f5 in unpack_read_samples /tmp/ramdisk/lame-3.99.5/frontend/get_audio.c:1205:20 #1 0x51e1f5 in read_samples_pcm /tmp/ramdisk/lame-3.99.5/frontend/get_audio.c:1289Your stack trace does not come from a version build from CVS head. It is not fixed in the 3..99 branch.
For me this gives following error:
Tested with build from 2017-09-17 and 2017-10-06.