
Bug 4496 - Heap-Buffer Overflow in SDL_LoadWAV_RW (IMA_ADPCM_decode)
Summary: Heap-Buffer Overflow in SDL_LoadWAV_RW (IMA_ADPCM_decode)
Status: RESOLVED FIXED
Alias: None
Product: SDL
Classification: Unclassified
Component: audio
Version: HG 1.2
Hardware: x86_64 Linux
Importance: P2 critical
Assignee: Simon Hug
QA Contact: Sam Lantinga
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-02-07 04:17 UTC by Radue
Modified: 2019-06-11 13:24 UTC

See Also:


Attachments
PoC (6.10 KB, audio/wav)
2019-02-07 04:17 UTC, Radue
Fix (2.58 KB, patch)
2019-02-14 14:58 UTC, Petr Pisar

Description Radue 2019-02-07 04:17:28 UTC
Created attachment 3602 [details]
PoC

A heap buffer overflow vulnerability was discovered in the SDL-1.2.15 library.

Asan output:

=================================================================
==23116==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61200000bfcd at pc 0x7fb733c1cdea bp 0x7ffc5475fa70 sp 0x7ffc5475fa68
READ of size 1 at 0x61200000bfcd thread T0
    #0 0x7fb733c1cde9 in IMA_ADPCM_decode /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/audio/SDL_wave.c:358:24
    #1 0x7fb733c1cde9 in SDL_LoadWAV_RW /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/audio/SDL_wave.c:542
    #2 0x4db938 in main /home/radu/apps/sdl_player_lib/SDL-1.2.15/test/loopwave.c:76:7
    #3 0x7fb73298e82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #4 0x4352f8 in _start (/home/radu/apps/sdl_player_lib/SDL-1.2.15/test/loopwave+0x4352f8)

0x61200000bfcd is located 0 bytes to the right of 269-byte region [0x61200000bec0,0x61200000bfcd)
allocated by thread T0 here:
    #0 0x4bc2c2 in malloc (/home/radu/apps/sdl_player_lib/SDL-1.2.15/test/loopwave+0x4bc2c2)
    #1 0x7fb733c1cea1 in ReadChunk /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/audio/SDL_wave.c:584:25

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/radu/apps/sdl_player_lib/SDL-1.2.15/build/../src/audio/SDL_wave.c:358 IMA_ADPCM_decode
Shadow bytes around the buggy address:
  0x0c247fff97a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff97b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff97c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff97d0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c247fff97e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c247fff97f0: 00 00 00 00 00 00 00 00 00[05]fa fa fa fa fa fa
  0x0c247fff9800: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff9810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff9820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff9830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c247fff9840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==23116==ABORTING


PoC: See attachment
Reproduction steps:

1. Download SDL-1.2.15 library
2. ./configure with Asan enabled
3. ./make
4. sudo make install
5. cd examples
6. ./configure with Asan enabled
7. make
8. ./loopwave PoC
Comment 1 Radue 2019-02-07 07:16:22 UTC
Assigned CVE-2019-7574 by MITRE.
Comment 2 Petr Pisar 2019-02-14 14:58:34 UTC
Created attachment 3610 [details]
Fix
Comment 3 Sam Lantinga 2019-06-10 15:52:20 UTC
Fixed, thanks!
https://hg.libsdl.org/SDL/rev/a6e3d2f5183e

This code has been rewritten in SDL 2.0, can you verify that this issue has been fixed there?
http://www.libsdl.org/tmp/SDL-2.0.zip
Comment 4 Simon Hug 2019-06-10 21:01:34 UTC
The WAVE file (attachment 3602 [details]) specifies a 1 byte IMA ADPCM block size with 57120 sample frames per block. Pretty good compression, if it worked like that. Also seems to have the MS ADPCM coefficients attached in the fmt chunk.

With the current tip, SDL_LoadWAV_RW rejects this file with "Invalid IMA ADPCM block size (nBlockAlign)" as it detects that the block size is just too small.
Comment 5 Sam Lantinga 2019-06-11 13:24:52 UTC
Great, thanks!
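Comment 4 describes the defensive check that closes this class of bug: before decoding, the loader compares the declared nBlockAlign against the space that wSamplesPerBlock frames actually need, and rejects headers that cannot be consistent. The C below is an added example written for this page, not SDL's code or the attached fix; it assumes the standard little-endian WAVEFORMATEX layout followed by the IMA extension word, uses its own function and constant names, and takes the channel count of the PoC header as 1 since the report does not state it. The rejection message text is the one quoted in comment 4.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not SDL's code: an illustrative consistency check for the
 * IMA ADPCM "fmt " chunk fields that bug 4496 abuses. Assumed chunk layout,
 * little-endian WAVEFORMATEX followed by the IMA extension:
 *   wFormatTag(2) nChannels(2) nSamplesPerSec(4) nAvgBytesPerSec(4)
 *   nBlockAlign(2) wBitsPerSample(2) cbSize(2) wSamplesPerBlock(2)
 * All function and constant names below are this example's own. */

#define IMA_ADPCM_FORMAT_TAG 0x0011u
#define IMA_FMT_CHUNK_LEN    20u
#define IMA_MAX_CHANNELS     2u

typedef struct {
    uint16_t format_tag;
    uint16_t channels;
    uint32_t samples_per_sec;
    uint32_t avg_bytes_per_sec;
    uint16_t block_align;       /* nBlockAlign: bytes in one encoded block */
    uint16_t bits_per_sample;
    uint16_t cb_size;
    uint16_t samples_per_block; /* wSamplesPerBlock: frames one block decodes to */
} ima_fmt_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Parse the fixed-size chunk body; returns 0 on success, -1 if it is short. */
int ima_fmt_parse(const uint8_t *buf, size_t len, ima_fmt_t *out) {
    if (len < IMA_FMT_CHUNK_LEN) return -1;
    out->format_tag        = rd16(buf + 0);
    out->channels          = rd16(buf + 2);
    out->samples_per_sec   = rd32(buf + 4);
    out->avg_bytes_per_sec = rd32(buf + 8);
    out->block_align       = rd16(buf + 12);
    out->bits_per_sample   = rd16(buf + 14);
    out->cb_size           = rd16(buf + 16);
    out->samples_per_block = rd16(buf + 18);
    return 0;
}

/* Smallest nBlockAlign that can hold wSamplesPerBlock frames: each channel
 * has a 4-byte block header carrying the first sample, and the remaining
 * samples_per_block - 1 frames are stored as 4-byte groups of eight 4-bit
 * codes per channel. A decoder that trusts a smaller nBlockAlign walks past
 * the end of the block buffer, which is what the ASan trace above shows. */
uint32_t ima_min_block_align(uint16_t channels, uint16_t samples_per_block) {
    uint32_t groups = samples_per_block ? (samples_per_block - 1u + 7u) / 8u : 0u;
    return 4u * channels + 4u * channels * groups;
}

/* Returns 1 if the header is self-consistent, 0 otherwise with a reason. */
int ima_fmt_validate(const ima_fmt_t *f, const char **reason) {
    if (f->format_tag != IMA_ADPCM_FORMAT_TAG) { *reason = "not IMA ADPCM"; return 0; }
    if (f->channels == 0 || f->channels > IMA_MAX_CHANNELS) { *reason = "bad channel count"; return 0; }
    if (f->bits_per_sample != 4) { *reason = "IMA ADPCM needs 4 bits per sample"; return 0; }
    if (f->samples_per_block == 0) { *reason = "zero samples per block"; return 0; }
    if (f->block_align < ima_min_block_align(f->channels, f->samples_per_block)) {
        *reason = "Invalid IMA ADPCM block size (nBlockAlign)"; /* wording from comment 4 */
        return 0;
    }
    *reason = "ok";
    return 1;
}

/* Build a constructed chunk in memory and run it through parse + validate.
 * Returns 1 (accept) or 0 (reject); the rate fields are arbitrary filler. */
int check_constructed_fmt(uint16_t channels, uint16_t block_align, uint16_t samples_per_block) {
    uint8_t buf[IMA_FMT_CHUNK_LEN];
    ima_fmt_t f;
    const char *why;
    wr16(buf + 0, IMA_ADPCM_FORMAT_TAG);
    wr16(buf + 2, channels);
    wr32(buf + 4, 22050u);
    wr32(buf + 8, 11025u);
    wr16(buf + 12, block_align);
    wr16(buf + 14, 4u);
    wr16(buf + 16, 2u);
    wr16(buf + 18, samples_per_block);
    if (ima_fmt_parse(buf, sizeof buf, &f) != 0) return 0;
    return ima_fmt_validate(&f, &why);
}

int main(void) {
    const char *why;
    /* Values from comment 4: 1-byte blocks claiming 57120 frames each; mono assumed. */
    ima_fmt_t poc = { IMA_ADPCM_FORMAT_TAG, 1, 22050, 11025, 1, 4, 2, 57120 };
    printf("PoC-like header: %s (%s)\n", ima_fmt_validate(&poc, &why) ? "accept" : "reject", why);
    printf("mono 256-byte block, 505 frames: %s\n", check_constructed_fmt(1, 256, 505) ? "accept" : "reject");
    return 0;
}
```

For a mono stream the 1-byte block of the report would need 28564 bytes to hold 57120 frames, so the header fails the size check before any sample data is touched; a well-formed mono header such as a 256-byte block with 505 frames passes, and shaving a single byte off that block is enough to reject it.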