
Bug 4507 - Heap buffer overflow in ConvertSint24ToSint32
Summary: Heap buffer overflow in ConvertSint24ToSint32
Status: RESOLVED FIXED
Alias: None
Product: SDL
Classification: Unclassified
Component: audio (show other bugs)
Version: 2.0.9
Hardware: x86_64 Linux
Importance: P2 critical
Assignee: Simon Hug
QA Contact: Sam Lantinga
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-02-16 04:43 UTC by Geeknik Labs
Modified: 2019-06-11 13:26 UTC

See Also:


Attachments
POC (76 bytes, audio/x-wav)
2019-02-16 04:43 UTC, Geeknik Labs

Description Geeknik Labs 2019-02-16 04:43:19 UTC
Created attachment 3628
POC

The attached WAV file triggers a heap buffer overflow in SDL 2.0.9 using the fuzzing harness from https://www.ixiacom.com/company/blog/how-use-fuzzing-security-research.

==15811==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000054 at pc 0x7efe72bc9cec bp 0x7ffed4e3b1b0 sp 0x7ffed4e3b1a8
READ of size 1 at 0x602000000054 thread T0
    #0 0x7efe72bc9ceb in ConvertSint24ToSint32 /root/SDL2-2.0.9/src/audio/SDL_wave.c:431:57
    #1 0x7efe72bc9ceb in SDL_LoadWAV_RW_REAL /root/SDL2-2.0.9/src/audio/SDL_wave.c:642
    #2 0x4f7c7d in main /root/tmp/harness_sdl.c:28:8
    #3 0x7efe719552e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #4 0x41da49 in _start (/root/tmp/harness_sdl+0x41da49)

0x602000000054 is located 0 bytes to the right of 4-byte region [0x602000000050,0x602000000054)
allocated by thread T0 here:
    #0 0x4c91ff in realloc /b/swarming/w/ir/kitchen-workdir/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:165:3
    #1 0x7efe72cb46c0 in SDL_realloc_REAL /root/SDL2-2.0.9/src/stdlib/SDL_malloc.c:5359:11
    #2 0x7efe72bc91e9 in ConvertSint24ToSint32 /root/SDL2-2.0.9/src/audio/SDL_wave.c:414:28
    #3 0x7efe72bc91e9 in SDL_LoadWAV_RW_REAL /root/SDL2-2.0.9/src/audio/SDL_wave.c:642
    #4 0x4f7c7d in main /root/tmp/harness_sdl.c:28:8
Comment 1 Sam Lantinga 2019-06-10 15:59:39 UTC
Simon, can you verify that your changes fix this issue?
Comment 2 Simon Hug 2019-06-10 21:02:27 UTC
The WAVE file (attachment 3628) specifies a 1-byte block size for 24-bit PCM. The data chunk is 5 bytes long.

With the current tip, SDL_LoadWAV_RW rejects this file with "Unsupported block alignment" as it expects a multiple of 3 for the block size (bits-per-sample * channels / 8).
Comment 3 Sam Lantinga 2019-06-11 13:26:17 UTC
Great, thanks!
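The consistency check Comment 2 describes (block alignment must be a multiple of bits-per-sample * channels / 8) and a 24-to-32-bit widening loop whose bounds come from the actual data length, as an added illustration. This is example code written for this page, not SDL's own implementation; the struct, function names and the two constructed inputs (one shaped like the reported file: mono 24-bit PCM, block size 1, a 5-byte data chunk; one well-formed) are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example, not SDL's code. The "fmt " chunk fields that matter here. */
typedef struct {
    uint16_t channels;
    uint16_t bits_per_sample;
    uint16_t block_align;   /* bytes per frame as declared by the file */
} WaveFormat;

/* Frame size implied by the format: bits_per_sample * channels / 8.
 * Returns 0 for formats this example does not handle (non-byte-aligned PCM). */
static uint32_t wave_frame_size(const WaveFormat *fmt)
{
    if (fmt->channels == 0 || fmt->bits_per_sample == 0 || fmt->bits_per_sample % 8 != 0)
        return 0;
    return (uint32_t)(fmt->bits_per_sample / 8) * fmt->channels;
}

/* The check from Comment 2: the declared block size must be a multiple of the
 * frame size. Returns 1 if accepted, 0 for "Unsupported block alignment". */
int wave_block_align_ok(const WaveFormat *fmt)
{
    uint32_t frame = wave_frame_size(fmt);
    if (frame == 0 || fmt->block_align == 0)
        return 0;
    return fmt->block_align % frame == 0;
}

/* Widen 24-bit little-endian PCM to 32-bit. The sample count is derived from
 * the byte length before any read, trailing bytes that do not form a whole
 * sample are ignored, and output goes to a separate, freshly allocated buffer,
 * so no read can land past the end of the source. Returns the sample count,
 * or -1 on allocation failure. The caller frees *out. */
long convert_s24_to_s32(const uint8_t *src, size_t src_len, int32_t **out)
{
    size_t samples = src_len / 3;
    int32_t *dst = malloc((samples ? samples : 1) * sizeof *dst);
    if (dst == NULL)
        return -1;
    for (size_t i = 0; i < samples; i++) {
        const uint8_t *p = src + i * 3;
        /* Place the 24 bits in the top three bytes so the sign bit is bit 31. */
        uint32_t v = ((uint32_t)p[0] << 8) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 24);
        dst[i] = (int32_t)v;
    }
    *out = dst;
    return (long)samples;
}

/* Load path: reject inconsistent headers before touching the data.
 * Returns the sample count, -2 if the header is rejected, -1 on allocation failure. */
long load_s24_wave(const WaveFormat *fmt, const uint8_t *data, size_t data_len, int32_t **out)
{
    if (!wave_block_align_ok(fmt))
        return -2;
    if (fmt->bits_per_sample != 24)   /* this example only widens 24-bit PCM */
        return -2;
    return convert_s24_to_s32(data, data_len, out);
}

/* Convenience for checks: decode and return sample idx, or 0 if loading fails
 * or idx is out of range. */
int32_t load_s24_sample(const WaveFormat *fmt, const uint8_t *data, size_t data_len, size_t idx)
{
    int32_t *pcm = NULL;
    long n = load_s24_wave(fmt, data, data_len, &pcm);
    int32_t v = (n > 0 && idx < (size_t)n) ? pcm[idx] : 0;
    free(pcm);
    return v;
}

/* Constructed input shaped like the reported file (Comment 2): mono 24-bit PCM,
 * block_align 1, a 5-byte data chunk. Byte values are made up. */
static const WaveFormat k_bad_fmt = { 1, 24, 1 };
static const uint8_t k_bad_data[5] = { 0x01, 0x02, 0x03, 0x04, 0x05 };

/* Constructed well-formed counterpart: block_align 3, two complete samples. */
static const WaveFormat k_good_fmt = { 1, 24, 3 };
static const uint8_t k_good_data[6] = { 0x00, 0x00, 0x80,    /* 24-bit minimum */
                                        0xFF, 0xFF, 0x7F };  /* 24-bit maximum */

int main(void)
{
    int32_t *pcm = NULL;
    long n = load_s24_wave(&k_bad_fmt, k_bad_data, sizeof k_bad_data, &pcm);
    printf("bad header: result %ld (rejected before any data read)\n", n);
    n = load_s24_wave(&k_good_fmt, k_good_data, sizeof k_good_data, &pcm);
    printf("good file: %ld samples, first=%d last=%d\n", n, pcm[0], pcm[1]);
    free(pcm);
    return 0;
}
```

The two defensive points are independent: the header check refuses a block size that cannot describe whole frames, and the conversion never trusts the header for its loop bound, only the length of the data it was actually handed.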