hjy@ubuntu:~$ mpg123 --version
mpg123 1.25.4
root@ubuntu:/home/hjy/Desktop# mpg123 -s test3
High Performance MPEG 1.0/2.0/2.5 Audio Player for Layers 1, 2 and 3
version 1.25.4; written and copyright by Michael Hipp and others
free software (LGPL) without any warranty but with best wishes
Terminal control enabled, press 'h' for listing of keys and functions.
==8620==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb4d00fb5 at pc 0x80c82a0 bp 0xbfdcddc8 sp 0xbfdcddbc
READ of size 1 at 0xb4d00fb5 thread T0
#0 0x80c829f in convert_latin1 src/libmpg123/id3.c:1010
#1 0x804bae9 in store_id3_text src/libmpg123/id3.c:284
#2 0x80d1a1b in process_text src/libmpg123/id3.c:373
#3 0x80d1a1b in INT123_parse_new_id3 src/libmpg123/id3.c:947
#4 0x8093b85 in handle_id3v2 src/libmpg123/parse.c:1071
#5 0x8093b85 in skip_junk src/libmpg123/parse.c:1152
#6 0x8093b85 in INT123_read_frame src/libmpg123/parse.c:525
#7 0x80fe752 in get_next_frame src/libmpg123/libmpg123.c:625
#8 0x80fe752 in mpg123_decode_frame_64 src/libmpg123/libmpg123.c:861
#9 0x80735b3 in play_frame src/mpg123.c:739
#10 0x804e821 in main src/mpg123.c:1363
#11 0xb701ba82 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x19a82)
#12 0x8051836 (/usr/local/bin/mpg123+0x8051836)
0xb4d00fb5 is located 0 bytes to the right of 37-byte region [0xb4d00f90,0xb4d00fb5)
allocated by thread T0 here:
#0 0xb724688a in __interceptor_malloc (/usr/lib/i386-linux-gnu/libasan.so.1+0x4e88a)
#1 0x80ce8d9 in INT123_parse_new_id3 src/libmpg123/id3.c:769
#2 0x8093b85 in handle_id3v2 src/libmpg123/parse.c:1071
#3 0x8093b85 in skip_junk src/libmpg123/parse.c:1152
#4 0x8093b85 in INT123_read_frame src/libmpg123/parse.c:525
#5 0x80fe752 in get_next_frame src/libmpg123/libmpg123.c:625
#6 0x80fe752 in mpg123_decode_frame_64 src/libmpg123/libmpg123.c:861
#7 0x80735b3 in play_frame src/mpg123.c:739
#8 0x804e821 in main src/mpg123.c:1363
#9 0xb701ba82 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x19a82)
SUMMARY: AddressSanitizer: heap-buffer-overflow src/libmpg123/id3.c:1010 convert_latin1
Shadow bytes around the buggy address:
0x369a01a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x369a01b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x369a01c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x369a01d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x369a01e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x369a01f0: fa fa 00 00 00 00[05]fa fa fa fd fd fd fd fd fa
0x369a0200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x369a0210: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x369a0220: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x369a0230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x369a0240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Contiguous container OOB:fc
ASan internal: fe
==8620==ABORTING
Hm, I cannot reproduce … sure that's 1.25.4? How was it configured/built?
With 1.25.4, you should see this:
And the issue should be fixed already?!
Hello, I configured with afl-gcc; the configure line:
CC="afl-gcc" CFLAGS="-g -ggdb -fno-omit-frame-pointer -fsanitize=address" ./configure --disable-shared
It's not fixed.
My version is 1.25.4.
Run mpg123 -s test3.
Here are all my samples. You can choose any one file to run. They crash with the same problem.
OK, thanks for the added detail. I still cannot reproduce this with my GCC 6.3.0. Is the afl-gcc somewhat special? I guess I need to fire up an Ubuntu install to see something.
I freshly downloaded the release from sf.net. As the diagnostic for this fires (the "Whoa!" message) just fine, I can only think of some kind of version mixup here. You also used the --disable-shared switch … I don't know why the diagnostic does not fire for you.
This vulnerability is a bit like that one: https://sourceforge.net/p/mpg123/bugs/252/
My test platform is Ubuntu x86. I use AFL to fuzz it. Maybe the sample is a bit of a problem. I think I should re-upload one.
This is most weird. This sample, like the others, yields the same reply for me:
Wait … your platform is ubuntu x86. 32 bit? One might test if that makes a difference.
Yes, the platform is probably the reason.
I can confirm now on a debian install on an x86 Atom system.
OK
So this is an integer overflow in the check added to fix this very bug. Naturally, it only occurs if your unsigned long is not more than 32 bits.
Does the attached patch fix it for you?
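The comment above names the bug class (an integer overflow inside the bounds check that was meant to fix the overread, visible only when unsigned long is 32 bits) but the thread does not show the check itself. The following is an added illustration written for this page, not mpg123's code: it models a length check of the form "offset + size <= total" with a 32-bit unsigned type so the wrap is reproducible on any host, and contrasts it with the subtraction form that cannot wrap. The frame layout (4-byte big-endian size followed by payload), the function names `fits_wrapping`, `fits_safe`, `read_text_frame`, and the byte strings are all constructed for the demo; the 37-byte total merely echoes the region size in the ASan report.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Emulate a 32-bit unsigned long so the wrap is visible on 64-bit hosts too. */
typedef uint32_t u32;

/* Bug-class model (not mpg123's actual check): "offset + size <= total"
 * is computed modulo 2^32, so a huge declared size wraps to a small sum
 * and the check accepts a frame that runs far past the end of the tag. */
int fits_wrapping(u32 off, u32 size, u32 total)
{
    return off + size <= total;          /* off + size can wrap to a small value */
}

/* Overflow-proof form: compare against the space that is actually left.
 * No addition takes place, so nothing can wrap. */
int fits_safe(u32 off, u32 size, u32 total)
{
    if (off > total)
        return 0;
    return size <= total - off;
}

/* Big-endian 32-bit size field, as our hypothetical frame header carries it. */
static u32 be32(const unsigned char *p)
{
    return ((u32)p[0] << 24) | ((u32)p[1] << 16) | ((u32)p[2] << 8) | p[3];
}

/* Parse one [4-byte size][payload] frame at `off` inside `tag` (length `total`)
 * using the supplied check and copy the payload as a NUL-terminated string
 * into `out`. Returns the payload length on success, -1 when the check
 * rejects the frame, and -2 when the supplied check accepted a frame that
 * does not actually fit (i.e. a real parser would have read out of bounds).
 * The copy is guarded by fits_safe so the demo itself never overreads. */
int read_text_frame(const unsigned char *tag, u32 total, u32 off,
                    int (*fits)(u32, u32, u32), char *out, size_t outcap)
{
    if (!fits_safe(off, 4, total))       /* the header itself must fit */
        return -1;
    u32 size = be32(tag + off);
    u32 payload = off + 4;               /* cannot wrap: off <= total - 4 */
    if (!fits(payload, size, total))
        return -1;
    if (!fits_safe(payload, size, total) || size >= outcap)
        return -2;                       /* accepted by a broken check */
    memcpy(out, tag + payload, size);
    out[size] = '\0';
    return (int)size;
}

int main(void)
{
    char out[64];
    /* Constructed frame: declared size 0xFFFFFFFC with a single payload byte. */
    const unsigned char bad[] = {0xFF, 0xFF, 0xFF, 0xFC, 'x'};

    printf("wrapping check accepts size 0xFFFFFFFF at offset 1 of 37: %d\n",
           fits_wrapping(1u, 0xFFFFFFFFu, 37u));
    printf("safe check accepts the same:                            %d\n",
           fits_safe(1u, 0xFFFFFFFFu, 37u));
    printf("frame parsed with wrapping check: %d\n",
           read_text_frame(bad, 5, 0, fits_wrapping, out, sizeof out));
    printf("frame parsed with safe check:     %d\n",
           read_text_frame(bad, 5, 0, fits_safe, out, sizeof out));
    return 0;
}
```

The same wrapping check is harmless when `unsigned long` is 64 bits, because a 32-bit size field cannot push the sum past 2^64; that is why the report reproduced only on the 32-bit Ubuntu box. Writing the comparison as `size <= total - off` (after establishing `off <= total`) is correct for both widths.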
How do I incorporate the diff into the code?
Just download the file and then apply the diff with the patch command inside the source tree:
OK, I have tested it and it has been fixed.
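The patch command itself is not shown on the page. What follows is an added example, not the command from the thread: it builds a throwaway source tree with one file, writes a constructed unified diff for it, checks with `patch --dry-run` that every hunk applies, and only then applies it for real. The tree layout, file name and diff content are made up for the demo; the real patch file name from the thread is not known here, and the rebuild step is shown as comments using the configure line quoted earlier in the thread.

```sh
#!/bin/sh
# Added example (not from the bug thread): apply a downloaded diff with
# patch(1) from the top of the source tree, dry-running first.
apply_patch_demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/src/libmpg123"
    printf 'old line\n' > "$tmp/src/libmpg123/example.c"   # constructed file

    # Constructed unified diff with the usual a/ and b/ prefixes, so -p1 applies.
    cat > "$tmp/fix.diff" <<'EOF'
--- a/src/libmpg123/example.c
+++ b/src/libmpg123/example.c
@@ -1 +1 @@
-old line
+new line
EOF

    (
        cd "$tmp" || exit 1
        # --dry-run reports whether every hunk applies without touching files.
        patch -p1 --dry-run < fix.diff >/dev/null || exit 1
        patch -p1 < fix.diff >/dev/null || exit 1
        # After a real patch, rebuild with the same instrumented flags as before:
        #   CC="afl-gcc" CFLAGS="-g -ggdb -fno-omit-frame-pointer -fsanitize=address" \
        #       ./configure --disable-shared && make
    ) || { rm -rf "$tmp"; return 1; }

    result=$(cat "$tmp/src/libmpg123/example.c")
    rm -rf "$tmp"
    [ "$result" = "new line" ]
}

apply_patch_demo && echo "patch applied cleanly"
```

If `patch` reports "Hunk #N FAILED" during the dry run, the diff was made against different sources than the tree being patched, which is exactly the version mixup suspected earlier in this thread; check the release tarball and the patch target before forcing anything.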
Great, I'm pushing out a release. It's a more complete fix for the known CVE, then.
I modified the patch a bit to make more sense, also adding another case we did not trigger yet. It should work the same for yours.
I'll release soon-ish. Maybe you have time to confirm that it also still works for you. (updated patch, had some leftovers)
Last edit: Thomas Orgis 2017-08-08
Well, I cannot trigger this bug.
That is a good thing, then ;-) I'll do the release tonight. Thanks.
OK, released the fixed version 1.25.5 now. Thanks for reporting and testing.
I have assigned a CVE ID for this issue. (CVE-2017-12797, zhihua.yao@dbappsecurity.com.cn)
Last edit: hackyzh 2017-10-10