[WavPack-devel] heap out of bounds read in unreorder_channels / wvunpack.c

[Hanno B. <ha...@hb...>]

Hi,

Attached file will cause a buffer overread that can be detected with
address sanitizer. Found with afl.

ASAN stack trace:
==27842==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f13e2fff800 at pc 0x00000051195a bp 0x7ffdac9d9330 sp 0x7ffdac9d9328
READ of size 4 at 0x7f13e2fff800 thread T0
    #0 0x511959 in unreorder_channels /mnt/ram/wavpack-5.0.0/cli/wvunpack.c:2142:27
    #1 0x511959 in unpack_dsd_audio /mnt/ram/wavpack-5.0.0/cli/wvunpack.c:1715
    #2 0x511959 in unpack_file /mnt/ram/wavpack-5.0.0/cli/wvunpack.c:1292
    #3 0x5051d8 in main /mnt/ram/wavpack-5.0.0/cli/wvunpack.c:769:22
    #4 0x7f13e5a98690 in __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #5 0x4198f8 in _start (/mnt/ram/wavpack-5.0.0/cli/wvunpack+0x4198f8)

0x7f13e2fff800 is located 0 bytes to the right of 4177920-byte region [0x7f13e2c03800,0x7f13e2fff800)
allocated by thread T0 here:
    #0 0x4c9d68 in __interceptor_malloc (/mnt/ram/wavpack-5.0.0/cli/wvunpack+0x4c9d68)
    #1 0x50bdae in unpack_dsd_audio /mnt/ram/wavpack-5.0.0/cli/wvunpack.c:1703:19
    #2 0x50bdae in unpack_file /mnt/ram/wavpack-5.0.0/cli/wvunpack.c:1292
    #3 0x5051d8 in main /mnt/ram/wavpack-5.0.0/cli/wvunpack.c:769:22
    #4 0x7f13e5a98690 in
    __libc_start_main /var/tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289


-- 
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hb...
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42