
Bug 4491 - Heap-Buffer Overflow in SDL_LoadWAV_RW
Summary: Heap-Buffer Overflow in SDL_LoadWAV_RW
Status: RESOLVED FIXED
Alias: None
Product: SDL
Classification: Unclassified
Component: audio
Version: HG 2.0
Hardware: x86_64 Linux
Importance: P2 critical
Assignee: Simon Hug
QA Contact: Sam Lantinga
Duplicates: 4490

Reported: 2019-02-05 15:17 UTC by Radue
Modified: 2019-06-11 13:23 UTC
CC List: 2 users


Attachments
- PoC (119.09 KB, audio/wav), 2019-02-05 15:17 UTC, Radue
- Fix (2.73 KB, patch), 2019-02-15 09:43 UTC, Petr Pisar
- Fix (2.81 KB, patch), 2019-02-15 09:51 UTC, Petr Pisar
- Fix for similar bug in InitIMA_ADPCM (2.36 KB, patch), 2019-02-15 10:11 UTC, Petr Pisar

Description Radue 2019-02-05 15:17:31 UTC
Created attachment 3597: PoC

A heap buffer overflow vulnerability was discovered in the SDL-1.2.15 library.

Asan output:

=================================================================
==3418==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000dff3 at pc 0x7f79928acd06 bp 0x7ffc61a2e870 sp 0x7ffc61a2e868
READ of size 1 at 0x60400000dff3 thread T0
    #0 0x7f79928acd05 in InitMS_ADPCM /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/audio/SDL_wave.c:73:35
    #1 0x7f79928acd05 in SDL_LoadWAV_RW /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/audio/SDL_wave.c:464
    #2 0x4db938 in main /home/radu/apps/sdl_player_lib/SDL-1.2.15/test/loopwave.c:76:7
    #3 0x7f799161e82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #4 0x4352f8 in _start (/home/radu/apps/sdl_player_lib/SDL-1.2.15/test/loopwave+0x4352f8)

0x60400000dff3 is located 1 bytes to the right of 34-byte region [0x60400000dfd0,0x60400000dff2)
allocated by thread T0 here:
    #0 0x4bc2c2 in malloc (/home/radu/apps/sdl_player_lib/SDL-1.2.15/test/loopwave+0x4bc2c2)
    #1 0x7f79928acea1 in ReadChunk /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/audio/SDL_wave.c:584:25

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/audio/SDL_wave.c:73 InitMS_ADPCM
Shadow bytes around the buggy address:
==3418==ABORTING

PoC: See attachment
Reproducing steps:

1. Download SDL-1.2.15 library
2. ./configure with Asan enabled
3. ./make
4. sudo make install
5. cd examples
6. ./configure with Asan enabled
7. make
8. ./loopwave PoC
Comment 1 Radue 2019-02-07 07:15:12 UTC
Assigned CVE-2019-7573 by MITRE.
Comment 2 Petr Pisar 2019-02-15 09:43:05 UTC
Created attachment 3619: Fix
Comment 3 Petr Pisar 2019-02-15 09:51:53 UTC
Created attachment 3620: Fix

The patch fixed both CVE-2019-7573 and CVE-2019-7576 (bug #4490). This attachment refers to both vulnerabilities.
Comment 4 Petr Pisar 2019-02-15 10:11:29 UTC
Created attachment 3621: Fix for similar bug in InitIMA_ADPCM

InitIMA_ADPCM() suffers from the same issue, yet it has not been reported or assigned a CVE identifier. This patch fixes the issue in InitIMA_ADPCM().
Comment 5 Petr Pisar 2019-02-15 12:04:49 UTC
Comment on attachment 3621: Fix for similar bug in InitIMA_ADPCM

This was actually reported in bug #4494 as CVE-2019-7578. I moved the patch there.
Comment 6 Sam Lantinga 2019-06-09 01:10:13 UTC
This is fixed, thanks!
https://hg.libsdl.org/SDL/rev/388987dff7bf
https://hg.libsdl.org/SDL/rev/f9a9d6c76b21
Comment 7 Petr Pisar 2019-06-10 07:40:09 UTC
The patch attached to this bug report, that touches InitMS_ADPCM(), is still missing from the SDL-1.2 branch.
Comment 8 Sam Lantinga 2019-06-10 15:53:32 UTC
*** Bug 4490 has been marked as a duplicate of this bug. ***
Comment 9 Sam Lantinga 2019-06-10 16:10:22 UTC
Ah, that's now committed, thanks!
https://hg.libsdl.org/SDL/rev/fcbecae42795
Comment 10 Sam Lantinga 2019-06-10 16:11:00 UTC
Simon, can you verify that your changes fix this issue as well?
Comment 11 Simon Hug 2019-06-10 21:00:06 UTC
The WAVE file (attachment 3597) seems to have its fmt chunk size shortened to 34.

With the current tip, SDL_LoadWAV_RW rejects this file with "Missing data chunk in WAVE file", as it can't find the data chunk because of the misalignment due to the altered chunk size.
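The defect behind the trace is that the MS ADPCM fields past the common 16-byte fmt header (wSamplesPerBlock, wNumCoef, seven coefficient pairs) were read without checking that the fmt chunk is long enough to hold them, so a chunk shortened to 34 bytes is read past its end. The following is an added C example (not SDL's code) of the parse done with explicit length checks; the names MsAdpcmHdr, parse_ms_adpcm_fmt, demo_parse and demo_hdr are hypothetical, and the sample chunk is constructed, not the PoC.

```c
/* Added example, not SDL's code: bounds-checked parsing of the MS ADPCM
 * extension of a WAVE "fmt " chunk. Names are hypothetical; chunk is constructed. */
#include <stddef.h>
#include <stdint.h>

#define WAVE_FMT_BASE_LEN 16u  /* encoding .. bitspersample: the common fields */
#define MS_ADPCM_NUM_COEF 7u   /* the standard MS ADPCM coefficient set */

typedef struct {
    uint16_t samples_per_block;
    uint16_t num_coef;
    int16_t  coeff[MS_ADPCM_NUM_COEF][2];
} MsAdpcmHdr;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Returns 0 on success, -1 if the chunk cannot hold what its header claims.
 * len is the chunk size from the RIFF header, i.e. the size of the heap buffer
 * the chunk was read into: every read below is checked against it first. */
int parse_ms_adpcm_fmt(const uint8_t *chunk, size_t len, MsAdpcmHdr *out)
{
    size_t pos = WAVE_FMT_BASE_LEN;
    if (len < pos + 6) return -1;      /* cbSize, wSamplesPerBlock, wNumCoef */
    pos += 2;                          /* cbSize is not needed here */
    out->samples_per_block = rd16(chunk + pos); pos += 2;
    out->num_coef = rd16(chunk + pos);          pos += 2;
    if (out->num_coef != MS_ADPCM_NUM_COEF) return -1;
    /* Check that the whole coefficient table fits before reading any of it. */
    if (len - pos < 4u * out->num_coef) return -1;
    for (unsigned i = 0; i < out->num_coef; i++, pos += 4) {
        out->coeff[i][0] = (int16_t)rd16(chunk + pos);
        out->coeff[i][1] = (int16_t)rd16(chunk + pos + 2);
    }
    return 0;
}

MsAdpcmHdr demo_hdr;   /* filled by demo_parse for inspection */

/* Build a constructed, well-formed 50-byte MS ADPCM fmt chunk and hand the
 * parser only its first len bytes: 50 parses cleanly, 34 (the PoC's chunk
 * size) is rejected instead of being read past its end. */
int demo_parse(size_t len)
{
    uint8_t chunk[50] = {0};             /* 16 + 2 + 2 + 2 + 7 * 4 bytes */
    chunk[0] = 2;                        /* wFormatTag = WAVE_FORMAT_ADPCM */
    chunk[16] = 32;                      /* cbSize = 32 */
    chunk[19] = 2;                       /* wSamplesPerBlock = 0x0200 = 512 */
    chunk[20] = 7;                       /* wNumCoef = 7 */
    chunk[23] = 1;                       /* aCoeff[0] = {0x0100 = 256, 0} */
    chunk[27] = 2; chunk[28] = 0x10; chunk[29] = 0xff; /* aCoeff[1] = {512, -240} */
    if (len > sizeof chunk) return -1;
    return parse_ms_adpcm_fmt(chunk, len, &demo_hdr);
}
```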
Comment 12 Sam Lantinga 2019-06-11 13:23:19 UTC
Great, thanks!