
#479 Stack-based Buffer Overflow

Milestone: Unknown
Status: closed-fixed
Owner: nobody
Priority: 1
Updated: 2017-10-22
Created: 2017-09-06
Private: No

A Stack-based Buffer Overflow vulnerability is triggered by supplying a malformed input mp3 file for resampling. Crash output:

~/$ ./lame -f -V 9 crashes/n\:000048 /dev/null
=================================================================
==7814==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc7977b540 at pc 0x000000510e7a bp 0x7ffc797790d0 sp 0x7ffc797790c8
WRITE of size 4 at 0x7ffc7977b540 thread T0
    #0 0x510e79  (/home/kirit/ver/an+0x510e79)
    #1 0x51030a  (/home/kirit/ver/an+0x51030a)
    #2 0x506856  (/home/kirit/ver/an+0x506856)
    #3 0x504c30  (/home/kirit/ver/an+0x504c30)
    #4 0x5076d9  (/home/kirit/ver/an+0x5076d9)
    #5 0x7f55bb5a93f0  (/lib/x86_64-linux-gnu/libc.so.6+0x203f0)
    #6 0x41c859  (/home/kirit/ver/an+0x41c859)

Address 0x7ffc7977b540 is located in stack of thread T0 at offset 9312 in frame
    #0 0x51082f  (/home/kirit/ver/an+0x51082f)

  This frame has 2 object(s):
    [32, 9248) 'insamp' <== Memory access at offset 9312 overflows this variable
    [9504, 14112) 'buf_tmp16'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/kirit/ver/an+0x510e79)
Shadow bytes around the buggy address:
  0x10000f2e7650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000f2e7660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000f2e7670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000f2e7680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000f2e7690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10000f2e76a0: f2 f2 f2 f2 f2 f2 f2 f2[f2]f2 f2 f2 f2 f2 f2 f2
  0x10000f2e76b0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
  0x10000f2e76c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000f2e76d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000f2e76e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000f2e76f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==7814==ABORTING

Running the application hooked with GDB gives the following output:

LAME 3.99.5 64bits (http://lame.sf.net)
Resampling:  input 0.1 kHz  output 8 kHz
Using polyphase lowpass filter, transition band:    32 Hz -   129 Hz
Encoding crashes/n:000048 to /dev/null
Encoding as 8 kHz j-stereo MPEG-2.5 Layer III VBR(q=9)
Error reading input file
*** stack smashing detected ***: /home/intel/ver/van terminated
Program received signal SIGABRT, Aborted.
1 Attachments
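The ASan report above places the write 64 bytes past the end of the 9216-byte stack array `insamp`, and the later comments show that the fix lies in validating the input header before the sample buffer is filled (the patched build rejects the file with "Unsupported number of channels: -254"). The following C example is added here to illustrate that defensive pattern; it is not LAME's code, and the header struct, limits (`MAX_CHANNELS`, `MAX_FRAME_SAMPLES`), and function names are assumptions made for the example. Input bytes are constructed inline.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Limits assumed for this example (not LAME's real constants). */
#define MAX_CHANNELS        2
#define MAX_FRAME_SAMPLES   1152
#define INSAMP_CAPACITY     (MAX_CHANNELS * MAX_FRAME_SAMPLES)

/* Hypothetical header fields as parsed from an untrusted input file. */
typedef struct {
    int  channels;        /* a malformed file may carry e.g. -254 here */
    int  bits_per_sample; /* 8, 16, 24 or 32 */
    long frame_samples;   /* samples per channel requested for this frame */
} input_header_t;

/* Returns 0 if the header is acceptable, or a negative code saying why not.
 * Every field that later sizes a buffer or a loop is range-checked here,
 * before any sample is written. */
int validate_header(const input_header_t *h)
{
    if (h->channels < 1 || h->channels > MAX_CHANNELS) {
        fprintf(stderr, "Unsupported number of channels: %d\n", h->channels);
        return -1;
    }
    if (h->bits_per_sample != 8 && h->bits_per_sample != 16 &&
        h->bits_per_sample != 24 && h->bits_per_sample != 32)
        return -2;
    if (h->frame_samples < 1 || h->frame_samples > MAX_FRAME_SAMPLES)
        return -3;
    return 0;
}

/* Unpack little-endian interleaved PCM bytes into 32-bit samples without ever
 * writing past out_capacity entries. Returns the number of samples written,
 * or -1 if the header is rejected or would need more room than the caller has. */
long unpack_samples_checked(const uint8_t *in, size_t in_len,
                            const input_header_t *h,
                            int32_t *out, size_t out_capacity)
{
    if (validate_header(h) != 0)
        return -1;

    size_t bytes_per_sample = (size_t)h->bits_per_sample / 8;
    /* Both factors are bounded by validate_header, so this cannot overflow. */
    size_t wanted = (size_t)h->channels * (size_t)h->frame_samples;
    if (wanted > out_capacity)
        return -1;                       /* the caller's buffer is too small */

    size_t available = in_len / bytes_per_sample;
    size_t n = wanted < available ? wanted : available;   /* short read at EOF */

    for (size_t i = 0; i < n; i++) {
        const uint8_t *p = in + i * bytes_per_sample;
        uint32_t u = 0;
        for (size_t b = 0; b < bytes_per_sample; b++)
            u |= (uint32_t)p[b] << (8 * b);
        /* Sign-extend from bits_per_sample to 32 bits. */
        if (h->bits_per_sample < 32 &&
            (u & (1u << (h->bits_per_sample - 1))))
            u |= ~((1u << h->bits_per_sample) - 1u);
        out[i] = (int32_t)u;             /* two's complement reinterpretation */
    }
    return (long)n;
}

int main(void)
{
    int32_t insamp[INSAMP_CAPACITY];     /* fixed-size stack buffer, as in the report */

    /* Constructed malformed header: the channel count is negative. */
    input_header_t bad = { -254, 16, 576 };
    static const uint8_t raw[4] = { 0x00, 0x80, 0xFF, 0x7F };
    long r = unpack_samples_checked(raw, sizeof raw, &bad, insamp, INSAMP_CAPACITY);
    printf("malformed header -> %ld (rejected, nothing written)\n", r);

    /* Constructed well-formed header: 2 channels, 16-bit, one sample each. */
    input_header_t good = { 2, 16, 1 };
    r = unpack_samples_checked(raw, sizeof raw, &good, insamp, INSAMP_CAPACITY);
    printf("valid header -> %ld samples: %d %d\n", r, insamp[0], insamp[1]);
    return 0;
}
```

The point of the pattern is that the loop bound is derived only from values that have already been clamped, and the routine additionally compares the derived sample count against the capacity the caller passes in, so a fixed-size stack array can never be written past its end regardless of what the file header claims.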

Discussion

  • Robert Hegemann - 2017-09-06

    This is already fixed in CVS.

  • Kirit Sankar Gupta

    Thanks Robert. Is there a CVE associated with this already for <3.99.5?

  • Kirit Sankar Gupta

    ==32054==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd89741920 at pc 0x00000051e1f6 bp 0x7ffd8973f030 sp 0x7ffd8973f028
    WRITE of size 4 at 0x7ffd89741920 thread T0
        #0 0x51e1f5 in unpack_read_samples /tmp/ramdisk/lame-3.99.5/frontend/get_audio.c:1205:20
        #1 0x51e1f5 in read_samples_pcm /tmp/ramdisk/lame-3.99.5/frontend/get_audio.c:1289

    • Robert Hegemann - 2017-10-06

      Your stack trace does not come from a version built from CVS head. It is not fixed in the 3.99 branch.

  • Henri Salo - 2017-10-06

    For me this gives the following error:

    Unsupported number of channels: -254
    Can't init infile 'n000048'

    Tested with build from 2017-09-17 and 2017-10-06.

  • Robert Hegemann - 2017-10-22

    • status: open --> closed-fixed