From: Hanno Böck <ha...@hb...> - 2016-12-18 15:01:17
Hi,
The attacked .wv file will cause a global out of bounds read in wavpack.
These kinds of bugs can be detected with address sanitizer
(-fsanitize=address in cflags with gcc/clang).
I've pasted Address Sanitizer's error message below.
This is the code where this happens:
bitcount = count_bits (maxcode);
#ifdef USE_BITMASK_TABLES
extras = bitset [bitcount] - maxcode - 1;
It seems bitcount can become 32, but the bitset array only has 32
elements (which means indexes 0-31 are valid).
I don't know the context of this code, so I don't know if the size of
bitset should be changed or if 32 is an invalid value for bitcount and
should return an error.
This bug was found with the fuzzing tool american fuzzy lop.
==21791==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000005e1dc0 at pc 0x0000005bcb77 bp 0x7ffcd01fbf90 sp 0x7ffcd01fbf88
READ of size 4 at 0x0000005e1dc0 thread T0
    #0 0x5bcb76 in read_code /mnt/ram/wavpack-5.0.0/src/read_words.c:576:14
    #1 0x5bb90a in get_word /mnt/ram/wavpack-5.0.0/src/read_words.c:294:15
    #2 0x58a1cf in unpack_samples /mnt/ram/wavpack-5.0.0/src/unpack.c:114:32
    #3 0x55dc25 in WavpackUnpackSamples /mnt/ram/wavpack-5.0.0/src/unpack_utils.c:356:13
    #4 0x50e2e7 in unpack_audio /mnt/ram/wavpack-5.0.0/cli/wvunpack.c:1573:28
    #5 0x50e2e7 in unpack_file /mnt/ram/wavpack-5.0.0/cli/wvunpack.c:1294
    #6 0x5051c8 in main /mnt/ram/wavpack-5.0.0/cli/wvunpack.c:769:22
    #7 0x7f5830209690 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #8 0x4198f8 in _start (/mnt/ram/crashes/wvunpack+0x4198f8)

0x0000005e1dc0 is located 32 bytes to the left of global variable 'bitmask' defined in 'entropy_utils.c:37:16' (0x5e1de0) of size 128
0x0000005e1dc0 is located 0 bytes to the right of global variable 'bitset' defined in 'entropy_utils.c:26:16' (0x5e1d40) of size 128
SUMMARY: AddressSanitizer: global-buffer-overflow /mnt/ram/wavpack-5.0.0/src/read_words.c:576:14 in read_code
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hb...
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
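The off-by-one described in the report above, reduced to a self-contained example. This is added illustration, not Hanno's code and not wavpack's: the 32-entry table `demo_bitset`, the bit-length helper `demo_count_bits` and the two `demo_extras_*` functions are all constructed stand-ins for the `bitset`, `count_bits` and `extras` computation the report names. It shows why a maxcode with bit 31 set yields a bit count of 32, why index 32 is one past the end of a 32-entry table, and a checked form that rejects such input instead of reading past the array (the kind of fix the report leaves open: either widen the table or treat 32 as an error).

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for the 32-entry 'bitset' table in the ASan
   report: entry i holds 1u << i, so the last valid index is 31.
   This is an assumption for the demo, not wavpack's actual table. */
#define DEMO_BITSET_LEN 32u
static const uint32_t demo_bitset[DEMO_BITSET_LEN] = {
    1u << 0,  1u << 1,  1u << 2,  1u << 3,  1u << 4,  1u << 5,  1u << 6,  1u << 7,
    1u << 8,  1u << 9,  1u << 10, 1u << 11, 1u << 12, 1u << 13, 1u << 14, 1u << 15,
    1u << 16, 1u << 17, 1u << 18, 1u << 19, 1u << 20, 1u << 21, 1u << 22, 1u << 23,
    1u << 24, 1u << 25, 1u << 26, 1u << 27, 1u << 28, 1u << 29, 1u << 30, 1u << 31,
};

/* Number of bits needed to represent v: 0 for 0, 32 for any value with
   bit 31 set. A plain loop that models the role of count_bits() in the
   report, not its implementation. */
unsigned demo_count_bits(uint32_t v)
{
    unsigned n = 0;
    while (v) {
        v >>= 1;
        n++;
    }
    return n;
}

/* Unchecked form mirroring the pattern in the report: when maxcode has
   bit 31 set, bitcount is 32 and demo_bitset[32] lies one past the end.
   Kept only for contrast; it is not exercised below with such input.
   Built with -fsanitize=address, that read is what ASan reports. */
uint32_t demo_extras_unchecked(uint32_t maxcode)
{
    unsigned bitcount = demo_count_bits(maxcode);
    return demo_bitset[bitcount] - maxcode - 1;
}

/* Checked form: refuse any bitcount the table cannot serve and report
   failure to the caller instead of reading past the array.
   Returns true and stores the result on success. */
bool demo_extras_checked(uint32_t maxcode, uint32_t *extras)
{
    unsigned bitcount = demo_count_bits(maxcode);
    if (bitcount >= DEMO_BITSET_LEN)
        return false;   /* maxcode >= 0x80000000: 1 << 32 does not fit in 32 bits anyway */
    *extras = demo_bitset[bitcount] - maxcode - 1;
    return true;
}

int main(void)
{
    /* Constructed sample inputs: two in range, two that would overflow. */
    const uint32_t samples[] = { 5u, 0x7FFFFFFFu, 0x80000000u, 0xFFFFFFFFu };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t extras;
        unsigned bitcount = demo_count_bits(samples[i]);
        if (demo_extras_checked(samples[i], &extras))
            printf("maxcode=0x%08x bitcount=%u extras=%u\n", samples[i], bitcount, extras);
        else
            printf("maxcode=0x%08x bitcount=%u rejected (index out of range)\n", samples[i], bitcount);
    }
    return 0;
}
```

Because the table is a global, the unchecked read would not crash on its own; it silently returns whatever follows `bitset` in memory (in the report, the first entry of the adjacent `bitmask` table), which is exactly why it only surfaces under a sanitizer or a fuzzer.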