In effect_i_dsp.c line 367, there is no check on the value passed to malloc (num_taps x sizeof(double)). When the result overflows, it can trigger a heap-buffer-overflow because the allocated memory is smaller than expected. Attached is a sample of the input file. The command to trigger the bug is --single-threaded <file> -t aiff /dev/null channels 1 rate 16k fade 3 norm. Some information about the binary: 32 bit, limited to 800MB memory, under Linux Ubuntu 16.04, compiled with libmad only.
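The size-multiplication wrap described in the report, shown as an added example that is not sox's own code: the 32-bit size_t of the reported binary is simulated with uint32_t so the wrap is visible on any host, and the constructed tap count 0x20000001 is an assumption chosen to make num_taps * sizeof(double) wrap to 8 bytes. The checked variants refuse the allocation instead of returning an undersized buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Unchecked size computation on a simulated 32-bit size_t (uint32_t).
 * With num_taps = 0x20000001 the product 0x100000008 wraps to 8,
 * so a later malloc() would return a buffer far smaller than the
 * num_taps doubles the caller goes on to write. */
uint32_t naive_size32(uint32_t num_taps)
{
    return num_taps * (uint32_t)sizeof(double);
}

/* Checked version of the same computation: compute in 64 bits and
 * reject anything that does not fit a 32-bit size_t.
 * Returns 1 and stores the byte count on success, 0 on overflow. */
int checked_size32(uint32_t num_taps, uint32_t *bytes)
{
    uint64_t prod = (uint64_t)num_taps * sizeof(double);
    if (prod > UINT32_MAX)
        return 0;
    *bytes = (uint32_t)prod;
    return 1;
}

/* Portable hardened allocation for the host's real size_t: the
 * division check cannot overflow, so a wrapped product never reaches
 * malloc(). Returns NULL when the request is too large. */
double *alloc_taps(size_t num_taps)
{
    if (num_taps > SIZE_MAX / sizeof(double))
        return NULL;
    return malloc(num_taps * sizeof(double));
}

int main(void)
{
    uint32_t constructed_taps = 0x20000001u; /* constructed sample value */
    uint32_t bytes = 0;
    printf("naive 32-bit size: %u bytes\n", naive_size32(constructed_taps));
    printf("checked 32-bit size: %s\n",
           checked_size32(constructed_taps, &bytes) ? "ok" : "rejected (overflow)");
    double *taps = alloc_taps((size_t)constructed_taps);
    printf("64-bit host alloc_taps: %s\n", taps ? "allocated" : "rejected");
    free(taps);
    return 0;
}
```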
Tracking for Fedora:
https://bugzilla.redhat.com/show_bug.cgi?id=1678286
Last edit: Richard Shaw 2019-02-19
If it is helpful, it has been assigned CVE-2019-8354
Hi,
While backporting this fix to an older release, I found that the test file attached here was making sox crash before the fix was applied, with the same backtrace as was mentioned in the RedHat tracking bug: https://bugzilla.redhat.com/show_bug.cgi?id=1678284#c2
After a lot of digging I found that commits ce8b321c and a69f6b2b are the ones fixing that crash. Unfortunately that is a large rewrite, difficult to backport:
13 files changed, 598 insertions(+), 549 deletions(-)
It looks like the u120_1 function was removed in that commit, and the FUNCTION macro was reworked. I'm not sure if those are the relevant bits that fixed that crash. I'm also not sure what a minimal fix would be, not being familiar with this code. Probably a safety check could be added somewhere to avoid writing out of bounds. If you could point me in the right direction that'd be great.
I would advise against using old releases. Nobody knows what other bugs might be lurking there.
Thanks for fixing the CVE. As a Mageia distro packager I wonder why there has been no release since 2015, the patchset for sox is getting crazy long, isn't it?