
Bug 4493

Summary: Heap-Buffer Overflow in MS_ADPCM_decode
Product: SDL
Component: audio
Status: RESOLVED FIXED
Severity: critical
Priority: P2
Version: HG 2.0
Hardware: x86_64
OS: Linux
Reporter: Radue <epitectus.agamemon>
Assignee: Simon Hug <chli.hug>
QA Contact: Sam Lantinga <slouken>
CC: ppisar
Attachments: PoC, Fix

Description Radue 2019-02-06 13:35:04 UTC
Created attachment 3599 [details]
PoC

A heap buffer overflow vulnerability was discovered in the SDL-1.2.15 library.

Asan output:

=================================================================
==9815==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61500000fedc at pc 0x7fbefacecd59 bp 0x7ffdc1718670 sp 0x7ffdc1718668
WRITE of size 1 at 0x61500000fedc thread T0
    #0 0x7fbefacecd58 in MS_ADPCM_decode /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/audio/SDL_wave.c:170:3
    #1 0x7fbefacecd58 in SDL_LoadWAV_RW /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/audio/SDL_wave.c:536
    #2 0x4db938 in main /home/radu/apps/sdl_player_lib/SDL-1.2.15/test/loopwave.c:76:7
    #3 0x7fbef9a5e82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #4 0x4352f8 in _start (/home/radu/apps/sdl_player_lib/SDL-1.2.15/test/loopwave+0x4352f8)

0x61500000fedc is located 0 bytes to the right of 476-byte region [0x61500000fd00,0x61500000fedc)
allocated by thread T0 here:
    #0 0x4bc2c2 in malloc (/home/radu/apps/sdl_player_lib/SDL-1.2.15/test/loopwave+0x4bc2c2)
    #1 0x7fbefacea7ac in MS_ADPCM_decode /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/audio/SDL_wave.c:131:24
    #2 0x7fbefacea7ac in SDL_LoadWAV_RW /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/audio/SDL_wave.c:536
    #3 0x4db938 in main /home/radu/apps/sdl_player_lib/SDL-1.2.15/test/loopwave.c:76:7

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/audio/SDL_wave.c:170 MS_ADPCM_decode
Shadow bytes around the buggy address:
  0x0c2a7fff9f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff9f90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff9fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff9fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff9fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2a7fff9fd0: 00 00 00 00 00 00 00 00 00 00 00[04]fa fa fa fa
  0x0c2a7fff9fe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff9ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fffa000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fffa010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fffa020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==9815==ABORTING


PoC: See attachment

Reproducing steps:

1. Download SDL-1.2.15 library
2. ./configure with Asan enabled
3. ./make
4. sudo make install
5. cd examples
6. ./configure with Asan enabled
7. make
8. ./loopwave PoC
Comment 1 Ryan C. Gordon 2019-02-06 14:30:40 UTC
This bug is still present in SDL2's revision control, so I'm assigning it there.

--ryan.
Comment 2 Radue 2019-02-06 15:01:33 UTC
(In reply to Ryan C. Gordon from comment #1)
> This bug is still present in SDL2's revision control, so I'm assigning it
> there.
> 
> --ryan.

Also reported this in a different thread.
https://bugzilla.libsdl.org/show_bug.cgi?id=4491

-- radu
Comment 3 Radue 2019-02-07 07:17:26 UTC
(In reply to Ryan C. Gordon from comment #1)
> This bug is still present in SDL2's revision control, so I'm assigning it
> there.
> 
> --ryan.

Assigned CVE-2019-7575 by MITRE.
Comment 4 Petr Pisar 2019-02-14 14:07:14 UTC
Created attachment 3609 [details]
Fix
Comment 5 Ryan C. Gordon 2019-05-18 18:48:55 UTC
Tagging a bunch of bugs with "target-2.0.10" so we have a clear list of things to address before a 2.0.10 release.

Please note that "addressing" one of these bugs might mean deciding to defer on it until after 2.0.10, or resolving it as WONTFIX, etc. This is just here to tell us we should look at it carefully, and soon.

If you have new information or feedback on this issue, this is a good time to add it to the conversation, as we're likely to be paying attention to this specific report in the next few days/weeks.

Thanks!

--ryan.
Comment 6 Sam Lantinga 2019-06-10 16:26:03 UTC
This fix is in for SDL 1.2:
https://hg.libsdl.org/SDL/rev/a936f9bd3e38

Simon, can you check to make sure your changes fix this in SDL 2.0?

Thanks!
Comment 7 Simon Hug 2019-06-10 21:00:49 UTC
The WAVE file (attachment 3599 [details]) specifies a 512 byte MS ADPCM block size with only 1 sample frame per block. Depending on the interpretation of the Microsoft specification, this makes this file invalid.

With the current tip, SDL_LoadWAV_RW rejects this file with "Invalid number of samples per MS ADPCM block (wSamplesPerBlock)" as it does not support only the one header sample frame (an MS ADPCM block header has two).
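The header consistency check that comment 7 describes, written out as an added C example. This is not SDL's code and not the attached fix; the function names ms_adpcm_validate and ms_adpcm_expected_samples_per_block, the status enum and the constructed header values are assumptions. It rejects a wSamplesPerBlock below the two frames an MS ADPCM block header already holds (the case of the attached file: 512-byte blocks with one frame per block), rejects a value whose nibble data would not fit in nBlockAlign, and derives the decoded PCM size from the validated numbers so that the output allocation and the decode loop cannot disagree.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Per-channel MS ADPCM block header: bPredictor (1 byte), iDelta (2 bytes),
 * iSamp1 (2 bytes), iSamp2 (2 bytes). iSamp1/iSamp2 are the block's first
 * two decoded sample frames, so a block can never carry fewer than two. */
#define MS_ADPCM_HEADER_BYTES_PER_CHANNEL 7u
#define MS_ADPCM_HEADER_FRAMES            2u

enum ms_adpcm_status {
    MS_ADPCM_OK = 0,
    MS_ADPCM_BAD_CHANNELS,
    MS_ADPCM_BLOCK_TOO_SMALL,
    MS_ADPCM_BAD_SAMPLES_PER_BLOCK,
    MS_ADPCM_OUTPUT_TOO_LARGE
};

/* Conventional derivation of wSamplesPerBlock from nBlockAlign: two header
 * frames plus one 4-bit nibble per channel for every remaining frame. */
uint32_t ms_adpcm_expected_samples_per_block(uint16_t channels, uint16_t block_align)
{
    uint32_t header_bytes = MS_ADPCM_HEADER_BYTES_PER_CHANNEL * channels;
    if (channels == 0 || block_align < header_bytes)
        return 0;
    return ((block_align - header_bytes) * 8u) / (4u * channels) + MS_ADPCM_HEADER_FRAMES;
}

/* Hypothetical validation routine (not SDL's own code). Checks the "fmt "
 * chunk fields against each other and derives the decoded PCM size, so the
 * allocation and the decode loop are driven by the same, verified numbers. */
enum ms_adpcm_status ms_adpcm_validate(uint16_t channels, uint16_t block_align,
                                       uint16_t samples_per_block, uint32_t data_bytes,
                                       size_t *out_bytes)
{
    if (channels != 1 && channels != 2)
        return MS_ADPCM_BAD_CHANNELS;

    uint32_t header_bytes = MS_ADPCM_HEADER_BYTES_PER_CHANNEL * channels;
    if (block_align < header_bytes)
        return MS_ADPCM_BLOCK_TOO_SMALL;

    /* The header alone holds two frames: anything smaller is malformed. */
    if (samples_per_block < MS_ADPCM_HEADER_FRAMES)
        return MS_ADPCM_BAD_SAMPLES_PER_BLOCK;

    /* Frames beyond the header are nibbles; they must fit inside the block,
     * otherwise a decode loop trusting wSamplesPerBlock runs past it. */
    uint32_t nibbles = (uint32_t)(samples_per_block - MS_ADPCM_HEADER_FRAMES) * channels;
    uint32_t needed = header_bytes + (nibbles + 1u) / 2u;
    if (needed > block_align)
        return MS_ADPCM_BAD_SAMPLES_PER_BLOCK;

    /* Decoded output: 16-bit PCM, frames per block times whole blocks present.
     * 64-bit math: data_bytes/block_align < 2^32 and the multiplier < 2^18. */
    uint64_t blocks = data_bytes / block_align;
    uint64_t total = blocks * samples_per_block * channels * 2u;
    if (total > (uint64_t)UINT32_MAX)
        return MS_ADPCM_OUTPUT_TOO_LARGE;

    if (out_bytes)
        *out_bytes = (size_t)total;
    return MS_ADPCM_OK;
}

int main(void)
{
    size_t out = 0;
    /* Constructed header values mirroring the file described in comment 7:
     * mono, 512-byte blocks, wSamplesPerBlock = 1. */
    enum ms_adpcm_status st = ms_adpcm_validate(1, 512, 1, 512, &out);
    printf("512-byte block, 1 frame/block: status %d (expected %d)\n",
           st, MS_ADPCM_BAD_SAMPLES_PER_BLOCK);

    /* A consistent mono header: 512-byte blocks carry 1012 frames each. */
    uint16_t spb = (uint16_t)ms_adpcm_expected_samples_per_block(1, 512);
    st = ms_adpcm_validate(1, 512, spb, 5120, &out);
    printf("consistent header: status %d, decoded bytes %zu\n", st, out);
    return 0;
}
```

The point of returning the decoded size from the same routine that validates the header is that the caller sizes its buffer only from values that have already passed every check; a loader that allocates from one field and decodes from another is exactly where the two can drift apart.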
Comment 8 Sam Lantinga 2019-06-11 13:24:19 UTC
Great, thanks!