From: Hanno Böck <ha...@hb...> - 2016-12-20 14:14:00
Hi,
The attached file will generate an out-of-bounds read access in the
function WriteCaffHeader / caff.c.
This can be detected by compiling wavpack with address sanitizer. Found
with the fuzzer afl.
Here's the asan stack trace:
==27682==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000009ea2 at pc 0x00000052803d bp 0x7ffdc5b92b70 sp 0x7ffdc5b92b68
READ of size 1 at 0x611000009ea2 thread T0
#0 0x52803c in WriteCaffHeader /mnt/ram/wavpack-5.0.0/cli/caff.c:699:61
#1 0x50b618 in unpack_file /mnt/ram/wavpack-5.0.0/cli/wvunpack.c:1281:19
#2 0x5051d8 in main /mnt/ram/wavpack-5.0.0/cli/wvunpack.c:769:22
#3 0x7fe29038a690 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
#4 0x4198f8 in _start (/mnt/ram/wavpack-5.0.0/cli/wvunpack+0x4198f8)
0x611000009ea2 is located 1 bytes to the right of 225-byte region [0x611000009dc0,0x611000009ea1)
allocated by thread T0 here:
#0 0x4c9d68 in __interceptor_malloc (/mnt/ram/wavpack-5.0.0/cli/wvunpack+0x4c9d68)
#1 0x525967 in WriteCaffHeader /mnt/ram/wavpack-5.0.0/cli/caff.c:558:41
#2 0x50b618 in unpack_file /mnt/ram/wavpack-5.0.0/cli/wvunpack.c:1281:19
#3 0x5051d8 in main /mnt/ram/wavpack-5.0.0/cli/wvunpack.c:769:22
#4 0x7fe29038a690 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hb...
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
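As an added triage helper, not part of Hanno's report or of the WavPack project, the script below parses the ASan report above, cross-checks ASan's own address arithmetic, and flags what a maintainer wants to know before opening caff.c: a one-byte read one byte past a 225-byte buffer, with allocation and access in the same function. The sample report is constructed from the trace above with the libc/_start frames dropped.

```python
import re

# Constructed sample input: the report from the mail above, minus libc/_start frames.
ASAN_REPORT = """\
==27682==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000009ea2 at pc 0x00000052803d bp 0x7ffdc5b92b70 sp 0x7ffdc5b92b68
READ of size 1 at 0x611000009ea2 thread T0
    #0 0x52803c in WriteCaffHeader /mnt/ram/wavpack-5.0.0/cli/caff.c:699:61
    #1 0x50b618 in unpack_file /mnt/ram/wavpack-5.0.0/cli/wvunpack.c:1281:19
0x611000009ea2 is located 1 bytes to the right of 225-byte region [0x611000009dc0,0x611000009ea1)
allocated by thread T0 here:
    #0 0x4c9d68 in __interceptor_malloc (/mnt/ram/wavpack-5.0.0/cli/wvunpack+0x4c9d68)
    #1 0x525967 in WriteCaffHeader /mnt/ram/wavpack-5.0.0/cli/caff.c:558:41
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", re.M)
REGION_RE = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte "
                       r"region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+)", re.M)

def first_user_frame(section):
    # First frame that is program code, skipping ASan's malloc interceptor frame.
    for func, loc in FRAME_RE.findall(section):
        if not func.startswith("__interceptor_"):
            return func, loc
    return None

def parse_asan_report(text):
    """Extract the fields needed for crash triage from one ASan report."""
    access_part, _, alloc_part = text.partition("allocated by")
    err, acc, reg = ERROR_RE.search(text), ACCESS_RE.search(text), REGION_RE.search(text)
    if not (err and acc and reg):
        raise ValueError("not a recognisable heap-buffer-overflow report")
    addr, start, end = (int(x, 16) for x in (err.group(2), reg.group(4), reg.group(5)))
    # Cross-check ASan's own arithmetic before trusting the printed numbers.
    assert end - start == int(reg.group(3))
    assert (addr - end if reg.group(2) == "right" else start - addr) == int(reg.group(1))
    return {"kind": err.group(1), "access": acc.group(1), "size": int(acc.group(2)),
            "offset": int(reg.group(1)), "side": reg.group(2), "region_size": int(reg.group(3)),
            "fault": first_user_frame(access_part), "alloc": first_user_frame(alloc_part)}

def triage(report):
    """One-line findings a maintainer wants before opening the source."""
    tags = []
    if (report["kind"] == "heap-buffer-overflow" and report["side"] == "right"
            and report["offset"] == 1 and report["size"] == 1):
        tags.append("off-by-one %s past heap buffer" % report["access"].lower())
    if report["fault"] and report["alloc"] and report["fault"][0] == report["alloc"][0]:
        tags.append("buffer sized and indexed in the same function: " + report["fault"][0])
    return tags
```

Running `triage(parse_asan_report(ASAN_REPORT))` on the report above yields both findings, which is the usual signature of a length computed from input at one line (here caff.c:558) and not honoured at a later one (caff.c:699).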