
Bug 4506

Summary: Heap buffer overflow in SDL_LoadWAV_RW_REAL
Product: SDL
Component: audio
Version: 2.0.9
Hardware: x86_64
OS: Linux
Status: RESOLVED FIXED
Severity: critical
Priority: P2
Reporter: Geeknik Labs <geeknik>
Assignee: Simon Hug <chli.hug>
QA Contact: Sam Lantinga <slouken>
Attachments: POC

Description Geeknik Labs 2019-02-15 20:53:31 UTC
Created attachment 3626: POC

The attached WAV file triggers a heap buffer overflow in SDL 2.0.9 using the fuzzing harness from https://www.ixiacom.com/company/blog/how-use-fuzzing-security-research. 

==19916==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000001e at pc 0x7f447ac95517 bp 0x7ffe1649bff0 sp 0x7ffe1649bfe8
READ of size 2 at 0x60200000001e thread T0
    #0 0x7f447ac95516 in SDL_LoadWAV_RW_REAL /root/SDL2-2.0.9/src/audio/SDL_wave.c
    #1 0x4f7c7d in main /root/tmp/harness_sdl.c:28:8
    #2 0x7f4479a212e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #3 0x41da49 in _start (/root/tmp/harness_sdl+0x41da49)

0x60200000001e is located 6 bytes to the right of 8-byte region [0x602000000010,0x602000000018)
allocated by thread T0 here:
    #0 0x4c8de3 in malloc /b/swarming/w/ir/kitchen-workdir/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0x7f447ad80580 in SDL_malloc_REAL /root/SDL2-2.0.9/src/stdlib/SDL_malloc.c:5328:11
    #2 0x7f447ac92067 in ReadChunk /root/SDL2-2.0.9/src/audio/SDL_wave.c:682:29
    #3 0x7f447ac92067 in SDL_LoadWAV_RW_REAL /root/SDL2-2.0.9/src/audio/SDL_wave.c:498
    #4 0x4f7c7d in main /root/tmp/harness_sdl.c:28:8

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/SDL2-2.0.9/src/audio/SDL_wave.c in SDL_LoadWAV_RW_REAL
Comment 1 Sam Lantinga 2019-06-10 15:56:15 UTC
This code has been rewritten for SDL 2.0.10, can you verify that this issue has been fixed there?
http://www.libsdl.org/tmp/SDL-2.0.zip
Comment 2 Sam Lantinga 2019-06-10 16:01:50 UTC
Simon, can you verify that your changes fix this issue?
Comment 3 Simon Hug 2019-06-10 21:01:55 UTC
The WAVE file (attachment 3626) is heavily truncated. No more chunks after the unusually small fmt chunk.

With the current tip, SDL_LoadWAV_RW rejects this file with "Missing data chunk in WAVE file" as there's no data chunk.
Comment 4 Sam Lantinga 2019-06-11 13:25:11 UTC
Great, thanks!
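As an added illustration (not SDL's code and not part of this bug's attachments), here is a bounds-checked RIFF chunk walker in C that rejects the two defects Comment 3 describes: a fmt chunk too small to hold the 16-byte PCM format block (the 2-byte read past an 8-byte allocation in the ASan report), and a file with no data chunk at all. The status codes, the wav_info struct, and the three byte arrays are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Status codes of this toy loader (hypothetical names, not SDL's API). */
enum wav_status {
    WAV_OK = 0,
    WAV_ERR_NOT_RIFF,        /* no RIFF/WAVE header */
    WAV_ERR_TRUNCATED_CHUNK, /* a chunk's size field runs past the end of the buffer */
    WAV_ERR_FMT_TOO_SMALL,   /* fmt chunk shorter than the 16-byte PCM format block */
    WAV_ERR_MISSING_FMT,
    WAV_ERR_MISSING_DATA     /* the condition the rewritten SDL loader reports */
};

struct wav_info {
    uint16_t format_tag, channels, bits_per_sample;
    uint32_t sample_rate;
    const uint8_t *samples;
    size_t sample_len;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk the RIFF chunks of an in-memory WAVE file; every read is bounded by len. */
int wav_parse(const uint8_t *buf, size_t len, struct wav_info *out)
{
    size_t pos = 12;
    int have_fmt = 0, have_data = 0;

    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "WAVE", 4) != 0)
        return WAV_ERR_NOT_RIFF;
    memset(out, 0, sizeof *out);

    while (pos + 8 <= len) {               /* a full 8-byte chunk header must be present */
        const uint8_t *id = buf + pos;
        uint32_t size = rd32(buf + pos + 4);
        const uint8_t *body = buf + pos + 8;

        /* The size field comes from the file: compare it with what is really in the buffer. */
        if (size > len - (pos + 8))
            return WAV_ERR_TRUNCATED_CHUNK;

        if (memcmp(id, "fmt ", 4) == 0) {
            /* Reading bits_per_sample at offset 14 of an 8-byte chunk is the
               out-of-bounds 2-byte read from the report; refuse short chunks first. */
            if (size < 16)
                return WAV_ERR_FMT_TOO_SMALL;
            out->format_tag = rd16(body);
            out->channels = rd16(body + 2);
            out->sample_rate = rd32(body + 4);
            out->bits_per_sample = rd16(body + 14);
            have_fmt = 1;
        } else if (memcmp(id, "data", 4) == 0) {
            out->samples = body;
            out->sample_len = size;
            have_data = 1;
        }
        pos += 8 + (size_t)size + (size & 1); /* chunks are word aligned: odd sizes carry a pad byte */
    }
    if (!have_fmt) return WAV_ERR_MISSING_FMT;
    if (!have_data) return WAV_ERR_MISSING_DATA;
    return WAV_OK;
}

/* Verdict-only wrapper for callers that do not need the parsed fields. */
int wav_check(const uint8_t *buf, size_t len)
{
    struct wav_info info;
    return wav_parse(buf, len, &info);
}

/* Sample rate of a file that parses cleanly, 0 otherwise. */
uint32_t wav_sample_rate(const uint8_t *buf, size_t len)
{
    struct wav_info info;
    return wav_parse(buf, len, &info) == WAV_OK ? info.sample_rate : 0;
}

/* Constructed input modelled on the report: an 8-byte fmt chunk and nothing after it. */
static const uint8_t truncated_wav[] = {
    'R','I','F','F', 20,0,0,0, 'W','A','V','E',
    'f','m','t',' ', 8,0,0,0, 1,0, 1,0, 0x44,0xAC,0,0
};
/* Constructed input: well-formed fmt chunk, but no data chunk follows. */
static const uint8_t nodata_wav[] = {
    'R','I','F','F', 28,0,0,0, 'W','A','V','E',
    'f','m','t',' ', 16,0,0,0, 1,0, 1,0, 0x44,0xAC,0,0, 0x88,0x58,0x01,0, 2,0, 16,0
};
/* Constructed input: minimal valid 16-bit mono 44.1 kHz file holding two samples. */
static const uint8_t valid_wav[] = {
    'R','I','F','F', 40,0,0,0, 'W','A','V','E',
    'f','m','t',' ', 16,0,0,0, 1,0, 1,0, 0x44,0xAC,0,0, 0x88,0x58,0x01,0, 2,0, 16,0,
    'd','a','t','a', 4,0,0,0, 0,0, 0,0
};

int main(void)
{
    printf("truncated fmt: %d\n", wav_check(truncated_wav, sizeof truncated_wav));
    printf("no data chunk: %d\n", wav_check(nodata_wav, sizeof nodata_wav));
    printf("valid file:    %d (rate %u)\n", wav_check(valid_wav, sizeof valid_wav),
           wav_sample_rate(valid_wav, sizeof valid_wav));
    return 0;
}
```

Passing a shorter len than the buffer really has (for instance the valid file minus its last two bytes) exercises the truncated-chunk path, which is the same class of check that keeps a fuzzer-trimmed file from steering a read past its allocation.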