#299 Invalid memory read via crafted .xa file

closed-fixed
nobody
xa (1) crash (4)
5
2018-04-29
2018-01-03
xct
No

Hello,

I think I found a bug in read_samples() in xa.c in SoX 14.4.2 which causes a segfault by an invalid memory read via a crafted Maxis (.xa) file.

Program received signal SIGSEGV, Segmentation fault.
0x00005555556c0cbc in read_samples (ft=0x5555559d2610, buf=0x5555559d5630, len=8192) at xa.c:219
219 inByte = xa->buf[i];
(gdb) bt
#0 0x00005555556c0cbc in read_samples (ft=0x5555559d2610, buf=0x5555559d5630, len=8192) at xa.c:219
#1 0x000055555558d290 in sox_read (ft=0x5555559d2610, buf=<optimized out>, len=8192) at formats.c:978
#2 0x00005555555835fd in sox_read_wide (max=<optimized out>, buf=0x5555559d5630, ft=0x5555559d2610) at sox.c:490
#3 combiner_drain (effp=0x5555559d5450, obuf=0x5555559d5630, osamp=0x7fffffffddb8) at sox.c:552
#4 0x00005555555b40fb in drain_effect (n=0, chain=<optimized out>) at effects.c:352
#5 sox_flow_effects (chain=<optimized out>, callback=0x555555578390 <update_status>, client_data=0x0) at effects.c:445
#6 0x0000555555569935 in process () at sox.c:1802
#7 main (argc=<optimized out>, argv=<optimized out>) at sox.c:3008

PoC:
00000000: 5841 0000 005f 5841 0000 0000 5841 0000 XA..._XA....XA..
00000010: 00fa 0000 fa00 1000 ........

This happens when converting the poc.xa file to .wav.
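
Decoding the 24 PoC bytes field by field shows what the decoder was handed. This is an added example, not SoX code and not part of the report; it assumes the Maxis XA header is a 4-byte magic, a 32-bit output size and a WAVEFORMATEX-style block, all little-endian, and the names `xa_hdr`, `xa_parse` and the channel limit are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout of the 24-byte Maxis XA header (little-endian fields). */
typedef struct {
    char     magic[4];
    uint32_t out_size;
    uint16_t tag, channels;
    uint32_t sample_rate, avg_byte_rate;
    uint16_t align, bits;
} xa_hdr;

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t le32(const uint8_t *p) { return le16(p) | (uint32_t)le16(p + 2) << 16; }

/* Decode the header, then validate it before any buffer is sized from it.
 * Returns 0 if usable, otherwise a negative reason code. */
int xa_parse(const uint8_t *d, size_t n, xa_hdr *h)
{
    if (n < 24) return -1;                               /* truncated header */
    memcpy(h->magic, d, 4);
    h->out_size      = le32(d + 4);
    h->tag           = le16(d + 8);
    h->channels      = le16(d + 10);
    h->sample_rate   = le32(d + 12);
    h->avg_byte_rate = le32(d + 16);
    h->align         = le16(d + 20);
    h->bits          = le16(d + 22);
    if (memcmp(h->magic, "XA", 2) != 0) return -2;       /* wrong magic */
    if (h->channels == 0 || h->channels > 2) return -3;  /* limit of 2 is an example policy */
    if (h->bits != 16) return -4;
    if (h->sample_rate == 0) return -5;
    return 0;
}

/* The 24 PoC bytes from the hex dump in the report above. */
static const uint8_t poc[24] = {
    0x58,0x41,0x00,0x00, 0x00,0x5f,0x58,0x41, 0x00,0x00, 0x00,0x00,
    0x58,0x41,0x00,0x00, 0x00,0xfa,0x00,0x00, 0xfa,0x00, 0x10,0x00 };

int main(void)
{
    xa_hdr h;
    int rc = xa_parse(poc, sizeof poc, &h);
    printf("rc=%d channels=%u rate=%u align=%u bits=%u\n",
           rc, h.channels, (unsigned)h.sample_rate, h.align, h.bits);
    return 0;
}
```

Under the assumed layout the PoC's channel count field decodes to 0, so the check rejects the file before any per-channel buffer size is derived from it.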

Discussion

  • Mans Rullgard

    Mans Rullgard - 2018-04-26
    • labels: Bug --> xa, crash
    • status: open --> pending-fixed
     
  • Mans Rullgard

    Mans Rullgard - 2018-04-26

    This seems to be CVE-2017-18189, for which a fix is already pending merge.

     
  • Mans Rullgard

    Mans Rullgard - 2018-04-29
    • status: pending-fixed --> closed-fixed
     
