
#142 potential buffer overflow in audiolib.c

None
closed-fixed
None
5
2021-08-27
2021-08-17
No

Hi, I found a buffer overflow vulnerability in audiolib.c.

In line 717, the program gets 'audio_dev_name' from an environment variable, and calls system_error when it fails to open the file.

audio_dev_name = getenv("LAV_AUDIO_DEV");
if(!audio_dev_name) audio_dev_name = "/dev/dsp";

if(audio_capt)
  fd=open(audio_dev_name, O_RDONLY, 0);
else
  fd=open(audio_dev_name, O_RDWR,   0);

if (fd<0) system_error(audio_dev_name,fd,1);

In system_error, there are sprintf calls that build an error string with no length check. Since the size of error_string is fixed at 4096, if a malicious attacker manipulates the environment variable with a large string, a stack buffer overflow can occur.

if(use_strerror)
  sprintf((char*)shmemptr->error_string, "Error %s - %s",str,strerror(errno));
else
  sprintf((char*)shmemptr->error_string, "Error %s",str);
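
A bounded form of the two sprintf calls above, as an added example; it is not code from the original report and not the change committed to the project's SVN. The names struct shm_model, format_error_bounded and demo_name_length are hypothetical, and the oversized device name is constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define ERROR_STRING_SIZE 4096 /* size the report gives for error_string */

/* Hypothetical stand-in for the shared-memory struct: guard sits right after
   error_string so a write past the buffer would be visible. */
struct shm_model {
    char error_string[ERROR_STRING_SIZE];
    unsigned char guard[16];
};

/* Bounded form of the formatting in system_error.
   Returns 0 if the message fit, 1 if truncated, -1 on a formatting error. */
int format_error_bounded(struct shm_model *shm, const char *str,
                         int err, int use_strerror) {
    int n;
    if (use_strerror)
        n = snprintf(shm->error_string, sizeof shm->error_string,
                     "Error %s - %s", str, strerror(err));
    else
        n = snprintf(shm->error_string, sizeof shm->error_string,
                     "Error %s", str);
    if (n < 0) { shm->error_string[0] = '\0'; return -1; }
    return (size_t)n >= sizeof shm->error_string;
}

/* Constructed input: a name of `len` 'A' bytes, standing in for an oversized
   LAV_AUDIO_DEV. Returns 1 if guard is intact and the string is terminated. */
int demo_name_length(size_t len, int use_strerror, int *truncated) {
    static char name[8192];
    struct shm_model shm;
    size_t i;
    if (len >= sizeof name) len = sizeof name - 1;
    memset(name, 'A', len);
    name[len] = '\0';
    memset(shm.guard, 0x5A, sizeof shm.guard);
    *truncated = format_error_bounded(&shm, name, ENOENT, use_strerror);
    for (i = 0; i < sizeof shm.guard; i++)
        if (shm.guard[i] != 0x5A) return 0;
    return memchr(shm.error_string, '\0', sizeof shm.error_string) != NULL;
}

int main(void) {
    int t, ok = demo_name_length(8000, 1, &t);
    printf("guard intact=%d truncated=%d\n", ok, t);
    return !ok;
}
```

The truncation flag lets a caller log that the device name was cut rather than silently reporting a shortened path.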

Discussion

  • Bernhard Praschinger

    • status: open --> closed-fixed
    • assigned_to: Bernhard Praschinger
    • Group: -->
     
  • Bernhard Praschinger

    Hello,

    there is now a fix in the SVN that addresses that problem:
    https://sourceforge.net/p/mjpeg/Code/3496/

    Take a look at it, looks good to me and addresses the problem.

     
