
Bug 4490

Summary: Heap-Buffer Overflow in SDL_LoadWAV_RW (InitMS_ADPCM)
Product: SDL_sound
Reporter: Radue <epitectus.agamemon>
Component: everything
Assignee: Ryan C. Gordon <icculus>
Status: RESOLVED DUPLICATE
QA Contact: Ryan C. Gordon <icculus>
Severity: critical
Priority: P2
CC: ppisar, slouken
Version: unspecified
Hardware: x86_64
OS: Linux
Attachments: PoC

Description Radue 2019-02-05 15:05:21 UTC
Created attachment 3596 [details]
PoC

A heap buffer overflow vulnerability was discovered in the SDL-1.2.15 library.

ASan output:

==980==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000eff3 at pc 0x7f58fc7949b4 bp 0x7fff74db7390 sp 0x7fff74db7388
READ of size 1 at 0x60300000eff3 thread T0
    #0 0x7f58fc7949b3 in InitMS_ADPCM /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/audio/SDL_wave.c:64:38
    #1 0x7f58fc7949b3 in SDL_LoadWAV_RW /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/audio/SDL_wave.c:464
    #2 0x4db938 in main /home/radu/apps/sdl_player_lib/SDL-1.2.15/test/loopwave.c:76:7
    #3 0x7f58fb50682f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #4 0x4352f8 in _start (/home/radu/apps/sdl_player_lib/SDL-1.2.15/test/loopwave+0x4352f8)

0x60300000eff3 is located 1 bytes to the right of 18-byte region [0x60300000efe0,0x60300000eff2)
allocated by thread T0 here:
    #0 0x4bc2c2 in malloc (/home/radu/apps/sdl_player_lib/SDL-1.2.15/test/loopwave+0x4bc2c2)
    #1 0x7f58fc794ea1 in ReadChunk /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/audio/SDL_wave.c:584:25

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/audio/SDL_wave.c:64 InitMS_ADPCM
==980==ABORTING


PoC: See attachment
Reproduction steps:

1. Download SDL-1.2.15 library
2. ./configure with Asan enabled
3. ./make
4. sudo make install
5. cd examples
6. ./configure with Asan enabled
7. make
8. ./loopwave PoC
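
The ASan report above shows a 1-byte read past an 18-byte "fmt " chunk: a 16-byte base header plus cbSize, with nothing left for the MS ADPCM fields InitMS_ADPCM goes on to read. The following is an added example, not SDL's code, of how a parser for that extension can check the chunk length before every read; the field layout (base, cbSize, wSamplesPerBlock, wNumCoef, coefficient pairs) is the standard ADPCM header and the coefficient limit, function names and sample chunks are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example (not SDL's code): length-checked parsing of the MS ADPCM
 * extension of a WAVE "fmt " chunk. Layout assumed from the standard
 * WAVEFORMATEX/ADPCM header: 16-byte base, cbSize, wSamplesPerBlock,
 * wNumCoef, then wNumCoef pairs of int16 coefficients. */
#define MS_ADPCM_MAX_COEF 7            /* assumed upper bound for the table */

typedef struct {
    uint16_t samples_per_block, num_coef;
    int16_t coef[MS_ADPCM_MAX_COEF][2];
} ms_adpcm_info;

static uint16_t rd_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* 0 on success, -1 if the chunk (len = fmt chunk size from the file) is too
 * short for a field; every read is preceded by a check against len. */
int parse_ms_adpcm_fmt(const uint8_t *chunk, size_t len, ms_adpcm_info *out)
{
    size_t pos = 16, need = 16 + 2 + 2 + 2;   /* base + cbSize + two fields */
    if (len < need) return -1;         /* an 18-byte chunk, as in the report, stops here */
    pos += 2;                          /* skip cbSize: trust len, not the file's count */
    out->samples_per_block = rd_le16(chunk + pos); pos += 2;
    out->num_coef = rd_le16(chunk + pos); pos += 2;
    if (out->num_coef > MS_ADPCM_MAX_COEF) return -1;
    need += (size_t)out->num_coef * 4;
    if (len < need) return -1;         /* coefficient table must fit too */
    for (unsigned i = 0; i < out->num_coef; i++, pos += 4) {
        out->coef[i][0] = (int16_t)rd_le16(chunk + pos);
        out->coef[i][1] = (int16_t)rd_le16(chunk + pos + 2);
    }
    return 0;
}

/* Constructed input: 16-byte base fmt + cbSize only (18 bytes total). */
int demo_truncated_chunk(void)
{
    uint8_t chunk[18] = {2,0, 2,0, 0x44,0xAC,0,0, 0,0,0,0, 0,8, 4,0, 0x20,0};
    ms_adpcm_info info;
    return parse_ms_adpcm_fmt(chunk, sizeof chunk, &info);   /* -1 */
}

/* Constructed input: same base, cbSize=12, 512 samples/block, 2 coef pairs. */
int demo_valid_chunk(ms_adpcm_info *info)
{
    uint8_t chunk[30] = {2,0, 2,0, 0x44,0xAC,0,0, 0,0,0,0, 0,8, 4,0,
                         12,0, 0,2, 2,0, 0,1, 0,0, 0,2, 0xC0,0xFF};
    return parse_ms_adpcm_fmt(chunk, sizeof chunk, info);    /* 0 */
}
```

The check uses the chunk length the reader actually allocated, not the cbSize the file claims, so a truncated chunk is rejected instead of read past its end.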
Comment 1 Radue 2019-02-07 07:18:05 UTC
Assigned CVE-2019-7576 by MITRE.
Comment 2 Petr Pisar 2019-02-15 09:49:36 UTC
This is a very similar bug to CVE-2019-7573 reported in bug #4491. A fix for both issues is attached there.
Comment 3 Sam Lantinga 2019-06-10 15:53:32 UTC
I believe this is fixed, thanks!

*** This bug has been marked as a duplicate of bug 4491 ***