
Bug 4494 - Heap-Buffer Overflow in InitIMA_ADPCM
Summary: Heap-Buffer Overflow in InitIMA_ADPCM
Status: RESOLVED FIXED
Alias: None
Product: SDL
Classification: Unclassified
Component: audio
Version: HG 2.0
Hardware: x86_64 Linux
Importance: P2 critical
Assignee: Ryan C. Gordon
QA Contact: Sam Lantinga
URL:
Keywords: target-2.0.10
Depends on:
Blocks:
 
Reported: 2019-02-06 13:46 UTC by Radue
Modified: 2019-06-09 01:08 UTC

See Also:


Attachments
PoC (80 bytes, audio/wav)
2019-02-06 13:46 UTC, Radue
Fix (2.28 KB, patch)
2019-02-15 12:01 UTC, Petr Pisar

Description Radue 2019-02-06 13:46:19 UTC
Created attachment 3600 [details]
PoC

A heap buffer overflow vulnerability was discovered in the SDL-1.2.15 library.

Asan output:

=================================================================
==21669==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60300000eff3 at pc 0x7f9b29ba4aa6 bp 0x7ffe5fb98810 sp 0x7ffe5fb98808
READ of size 1 at 0x60300000eff3 thread T0
    #0 0x7f9b29ba4aa5 in InitIMA_ADPCM /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/audio/SDL_wave.c:241:39
    #1 0x7f9b29ba4aa5 in SDL_LoadWAV_RW /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/audio/SDL_wave.c:472
    #2 0x4db938 in main /home/radu/apps/sdl_player_lib/SDL-1.2.15/test/loopwave.c:76:7
    #3 0x7f9b2891682f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #4 0x4352f8 in _start (/home/radu/apps/sdl_player_lib/SDL-1.2.15/test/loopwave+0x4352f8)

0x60300000eff3 is located 1 bytes to the right of 18-byte region [0x60300000efe0,0x60300000eff2)
allocated by thread T0 here:
    #0 0x4bc2c2 in malloc (/home/radu/apps/sdl_player_lib/SDL-1.2.15/test/loopwave+0x4bc2c2)
    #1 0x7f9b29ba4ea1 in ReadChunk /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/audio/SDL_wave.c:584:25

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/audio/SDL_wave.c:241 InitIMA_ADPCM
Shadow bytes around the buggy address:
  0x0c067fff9da0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9dd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9de0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c067fff9df0: fa fa fa fa fa fa fa fa fa fa fa fa 00 00[02]fa
  0x0c067fff9e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c067fff9e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==21669==ABORTING

PoC: See attachment
Reproducing steps: 

1. Download SDL-1.2.15 library
2. ./configure with Asan enabled
3. ./make
4. sudo make install
5. cd examples
6. ./configure with Asan enabled
7. make
8. ./loopwave PoC
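The trace above says what the bug is in one line: a 1-byte READ at an address one byte past an 18-byte region that ReadChunk allocated for a chunk, hit from InitIMA_ADPCM. An 18-byte "fmt " chunk holds the 16 common WAVE fields plus a 2-byte cbSize, but no room for the IMA ADPCM extension field (wSamplesPerBlock) that follows it in a 20-byte chunk; code that reads that field without consulting the chunk length walks off the allocation. The example below is added here to show that pattern next to a length-checked parser. It is not SDL's SDL_wave.c and not the attached fix: the struct and function names are this example's own, the 16/18/20-byte offsets come from the standard WAVE fmt layout, and the two sample chunks are constructed for this demonstration rather than taken from the PoC attachment.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* wFormatTag for IMA ADPCM in a WAVE "fmt " chunk (0x0011 in the WAVE registry). */
#define FMT_TAG_IMA_ADPCM 0x0011u

/* Parsed view of a "fmt " chunk. Field names are this example's own, not SDL's. */
struct fmt_chunk {
    uint16_t format_tag;
    uint16_t channels;
    uint32_t sample_rate;
    uint32_t byte_rate;
    uint16_t block_align;
    uint16_t bits_per_sample;
    uint16_t cb_size;           /* extension byte count; present only if chunk >= 18 bytes */
    uint16_t samples_per_block; /* IMA ADPCM extension; present only if chunk >= 20 bytes */
};

/* Little-endian readers; the caller is responsible for bounds. */
static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The unsafe pattern: assume the extension always follows the 16 common bytes and
 * cbSize, never looking at the chunk length. On an 18-byte chunk this reads bytes 18
 * and 19, past the end of the allocation, which is the shape of the 1-byte READ in
 * the trace above. Shown only as the "before" picture; never use it on untrusted input. */
static uint16_t ima_samples_per_block_unchecked(const uint8_t *chunk)
{
    const uint8_t *ext = chunk + 16 + 2;
    return rd16(ext);
}

/* Hardened parser: every read is bounded by len, the byte count actually read for
 * this chunk. Returns 0 on success, a negative code on rejection. */
static int parse_fmt_chunk(const uint8_t *chunk, size_t len, struct fmt_chunk *out)
{
    memset(out, 0, sizeof *out);
    if (len < 16)
        return -1;                       /* truncated common header */
    out->format_tag      = rd16(chunk + 0);
    out->channels        = rd16(chunk + 2);
    out->sample_rate     = rd32(chunk + 4);
    out->byte_rate       = rd32(chunk + 8);
    out->block_align     = rd16(chunk + 12);
    out->bits_per_sample = rd16(chunk + 14);

    if (out->format_tag == FMT_TAG_IMA_ADPCM) {
        if (len < 20)
            return -2;                   /* extension absent: reject instead of reading past the end */
        out->cb_size = rd16(chunk + 16);
        if (out->cb_size < 2)
            return -3;                   /* header itself says there is no room for wSamplesPerBlock */
        out->samples_per_block = rd16(chunk + 18);
        if (out->samples_per_block == 0)
            return -4;                   /* zero would poison every later per-block calculation */
    } else if (len >= 18) {
        out->cb_size = rd16(chunk + 16); /* optional for other formats; read only when present */
    }
    return 0;
}

/* Constructed sample chunks (not the attached PoC). Both claim IMA ADPCM, mono,
 * 8 kHz, 256-byte blocks, 4 bits per sample. The first ends after cbSize, the same
 * 18-byte size as the allocation in the trace; the second has the full 20-byte layout. */
static const uint8_t short_fmt_18[18] = {
    0x11, 0x00, 0x01, 0x00, 0x40, 0x1F, 0x00, 0x00,
    0xD7, 0x0F, 0x00, 0x00, 0x00, 0x01, 0x04, 0x00,
    0x02, 0x00
};
static const uint8_t full_fmt_20[20] = {
    0x11, 0x00, 0x01, 0x00, 0x40, 0x1F, 0x00, 0x00,
    0xD7, 0x0F, 0x00, 0x00, 0x00, 0x01, 0x04, 0x00,
    0x02, 0x00, 0xF9, 0x01               /* cbSize = 2, wSamplesPerBlock = 505 */
};

int main(void)
{
    struct fmt_chunk f;
    int rc = parse_fmt_chunk(short_fmt_18, sizeof short_fmt_18, &f);
    printf("18-byte chunk: rc=%d (rejected before any out-of-bounds read)\n", rc);
    rc = parse_fmt_chunk(full_fmt_20, sizeof full_fmt_20, &f);
    printf("20-byte chunk: rc=%d samples_per_block=%u\n", rc, f.samples_per_block);
    /* On well-formed input the unchecked reader agrees; it simply has no way to refuse
     * the short chunk, which is the whole difference. */
    printf("unchecked reader on 20-byte chunk: %u\n", ima_samples_per_block_unchecked(full_fmt_20));
    return 0;
}
```

The length passed to parse_fmt_chunk must be the number of bytes actually read for the chunk, not the size the file header claims; a chunk length copied straight from the RIFF header is attacker-controlled and is what sized the 18-byte allocation in the first place.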
Comment 1 Ryan C. Gordon 2019-02-06 14:30:23 UTC
This bug is still present in SDL2's revision control, so I'm assigning it there.

--ryan.
Comment 2 Radue 2019-02-07 07:19:22 UTC
(In reply to Ryan C. Gordon from comment #1)
> This bug is still present in SDL2's revision control, so I'm assigning it
> there.
> 
> --ryan.

Assigned CVE-2019-7578 by MITRE.
Comment 3 Petr Pisar 2019-02-15 12:01:12 UTC
Created attachment 3623 [details]
Fix
Comment 4 Ryan C. Gordon 2019-05-18 18:48:54 UTC
Tagging a bunch of bugs with "target-2.0.10" so we have a clear list of things to address before a 2.0.10 release.

Please note that "addressing" one of these bugs might mean deciding to defer on it until after 2.0.10, or resolving it as WONTFIX, etc. This is just here to tell us we should look at it carefully, and soon.

If you have new information or feedback on this issue, this is a good time to add it to the conversation, as we're likely to be paying attention to this specific report in the next few days/weeks.

Thanks!

--ryan.
Comment 5 Sam Lantinga 2019-06-09 01:08:31 UTC
This is fixed, thanks!
https://hg.libsdl.org/SDL/rev/388987dff7bf
https://hg.libsdl.org/SDL/rev/f9a9d6c76b21
Comment 6 Sam Lantinga 2019-06-09 01:08:43 UTC
Closing...