
#325 Integer Overflow in sox-fmt.c

Status: closed-fixed
Owner: nobody
Labels: None
Priority: 5
Updated: 2020-02-07
Created: 2019-06-28
Private: No

There are 2 issues here:
1. In sox-fmt.c function startread, there is no check on the value of comment_bytes. If the value of comment_bytes is on the boundary of overflow, it results in "comment_bytes + 1" being 0, hence calling lsx_calloc will give a null pointer.
2. Further, there is no check that this returned buffer can be null. Passing the null buffer down the line will trigger a segmentation fault when the program tries to use the buffer to store the result of fread (in formats_i.c in function lsx_readbuf).

Attached is a sample of the input file. The command to trigger the bug is --single-threaded <file> -t aiff /dev/null channels 1 rate 16k fade 3 norm. Information about the binary: 32 bit, limited to 800MB memory, under Linux Ubuntu 16.04, compiled with libmad only.

The output of SoX with -V -V enabled:
time: Oct 3 2018 08:02:13
uname: <removed> #178-Ubuntu SMP Tue Jun 11 08:30:22 UTC 2019 x86_64
compiler: gcc 4.2.1 Compatible Clang 7.0.0 (branches/release_70)
arch: 1248 48 44 L </removed>
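The two checks the report asks for, written out as an added example that is not SoX's code and not the fix that was eventually committed: a 32-bit length field whose "+ 1 for the terminator" can wrap to 0, an allocator that returns NULL for a zero-byte request (the lsx_calloc behaviour the report describes), and a reader that validates the length, the allocation and the read before touching the buffer. The names mem_input, mem_read, zeroed_alloc, read_comment_hardened and self_check are hypothetical stand-ins, and the sample input is constructed; the check against the remaining input length goes slightly beyond the report.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed in-memory stand-in for the open input stream (not SoX's sox_format_t). */
typedef struct {
    const unsigned char *data;
    size_t len;
    size_t pos;
} mem_input;

/* fread-style reader over the stand-in: copies up to n bytes, returns the count read. */
static size_t mem_read(mem_input *in, void *dst, size_t n) {
    size_t avail = in->len - in->pos;
    if (n > avail)
        n = avail;
    memcpy(dst, in->data + in->pos, n);
    in->pos += n;
    return n;
}

/* Allocator with the contract the report attributes to lsx_calloc:
 * a zero-byte request yields NULL rather than a usable buffer. */
static void *zeroed_alloc(size_t n) {
    return n ? calloc(1, n) : NULL;
}

/* The size arithmetic the report describes, done in the header field's own 32-bit width
 * (size_t is also 32 bits on the reporter's build): 0xFFFFFFFF + 1 wraps to 0. */
uint32_t unchecked_comment_alloc_size(uint32_t comment_bytes) {
    return comment_bytes + 1;
}

enum comment_err {
    COMMENT_OK = 0,
    COMMENT_ERR_LENGTH,      /* declared length rejected before any allocation */
    COMMENT_ERR_ALLOC,       /* allocator returned NULL */
    COMMENT_ERR_SHORT_READ   /* stream ended before the declared length */
};

/* Hardened reader: validate the length, check the allocation, check the read.
 * Returns a NUL-terminated copy of the comment (caller frees) or NULL with *err set. */
char *read_comment_hardened(mem_input *in, uint32_t comment_bytes, enum comment_err *err) {
    /* Check 1: the "+ 1 for the terminator" must not wrap in 32-bit arithmetic. */
    if (comment_bytes == UINT32_MAX) {
        *err = COMMENT_ERR_LENGTH;
        return NULL;
    }
    /* Beyond the report: a length longer than the remaining input cannot be satisfied,
     * so reject it here instead of allocating for it and failing later. */
    if (comment_bytes > in->len - in->pos) {
        *err = COMMENT_ERR_LENGTH;
        return NULL;
    }

    char *buf = zeroed_alloc((size_t)comment_bytes + 1);
    /* Check 2: never pass a NULL buffer down to the read routine. */
    if (buf == NULL) {
        *err = COMMENT_ERR_ALLOC;
        return NULL;
    }
    if (mem_read(in, buf, comment_bytes) != comment_bytes) {
        free(buf);
        *err = COMMENT_ERR_SHORT_READ;
        return NULL;
    }
    *err = COMMENT_OK;
    return buf; /* the zeroed extra byte terminates the string */
}

/* Runs the report's scenarios against the hardened reader; returns 1 if all behave. */
int self_check(void) {
    /* Constructed sample: a 10-byte comment followed by unrelated bytes. */
    static const unsigned char sample[] = "Title=demo\0rest";
    mem_input in = { sample, sizeof sample - 1, 0 };
    enum comment_err err;
    char *c;

    c = read_comment_hardened(&in, UINT32_MAX, &err);   /* the boundary value */
    if (c != NULL || err != COMMENT_ERR_LENGTH)
        return 0;
    c = read_comment_hardened(&in, 10, &err);           /* a well-formed comment */
    if (c == NULL || err != COMMENT_OK || strcmp(c, "Title=demo") != 0)
        return 0;
    free(c);
    c = read_comment_hardened(&in, 100, &err);          /* longer than what remains */
    if (c != NULL || err != COMMENT_ERR_LENGTH)
        return 0;
    return 1;
}

int main(void) {
    printf("0xFFFFFFFF + 1 in 32 bits = %u\n", unchecked_comment_alloc_size(UINT32_MAX));
    printf("hardened reader self-check: %s\n", self_check() ? "ok" : "FAILED");
    return self_check() ? 0 : 1;
}
```

The length check is done before the allocation on purpose: once the wrapped size has reached the allocator, the only remaining defence is the NULL check, and on a platform where a zero-byte request returns a non-NULL pointer the later read would overflow a zero-length buffer instead of faulting.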

1 Attachments

Discussion

  • Judy Hsiao - 2020-02-04

    Fix sox-14.4.2 NULL pointer dereference on lsx_readbuf in formats_i.c by
    doing a prior check that it is a valid pointer before passing into lsx_calloc.

    ===
    This is my first patch, and I also posted it here: https://sourceforge.net/p/sox/patches/118/

    Please help by instructing me how to make it happen, thanks!

  • Mans Rullgard - 2020-02-04
    • status: open --> closed-fixed
  • Judy Hsiao - 2020-02-06

    Hi, I would really appreciate it if you could share more detail with me.
    I am trying to fix the CVE bug: https://vomit.googleplex.com/advisory?id=CVE/CVE-2019-13590

    I also corrected my commit msg from "before passing into lsx_readchars." to "before passing into lsx_calloc", if this is the reason you thought the fix is invalid.
    Thanks a lot!

    ==
    Fix sox-14.4.2 NULL pointer dereference on lsx_readbuf in formats_i.c by
    doing a prior check that it is a valid pointer before passing into lsx_readchars.

  • Mans Rullgard - 2020-02-06

    I have already fixed it. That's what the "closed-fixed" status means.

  • Judy Hsiao - 2020-02-07

    Thanks for answering.
    One more question: would you mind if I create a patch from your commit and submit it to the Gentoo GitHub? Or would you prefer to do it yourself?
