Bug ID 1036967
Summary VUL-1: libmad: heap-based buffer overflow in mad_bit_skip (bit.c)
Classification openSUSE
Product openSUSE Distribution
Version Leap 42.2
Hardware Other
OS Other
Status NEW
Severity Normal
Priority P5 - None
Component Security
Assignee security-team@suse.de
Reporter mikhail.kasimov@gmail.com
QA Contact qa-bugs@suse.de
Found By ---
Blocker --- 

Created attachment 723244 [details]
00211-libmad-heapoverflow-mad_bit_skip_reproducer

Ref:
https://blogs.gentoo.org/ago/2017/04/30/libmad-heap-based-buffer-overflow-in-mad_bit_skip-bit-c/
===========================================================
Description:
libmad stays for ���M���peg ���A���udio ���D���ecoder library.

There is an heap overflow discovered through madplay.

The complete ASan output:

# madplay -v -i -o raw:out $FILE
==12603==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x61200000c09f at pc 0x7f72d6aa05c0 bp 0x7fff03e32040 sp 0x7fff03e32038
READ of size 1 at 0x61200000c09f thread T0
    #0 0x7f72d6aa05bf in mad_bit_skip
/tmp/portage/media-libs/libmad-0.15.1b-r8/work/libmad-0.15.1b/bit.c:130:21
    #1 0x7f72d6b032ad in III_huffdecode
/tmp/portage/media-libs/libmad-0.15.1b-r8/work/libmad-0.15.1b/layer3.c:953:3
    #2 0x7f72d6b032ad in III_decode
/tmp/portage/media-libs/libmad-0.15.1b-r8/work/libmad-0.15.1b/layer3.c:2403
    #3 0x7f72d6af1a8e in mad_layer_III
/tmp/portage/media-libs/libmad-0.15.1b-r8/work/libmad-0.15.1b/layer3.c:2648:13
    #4 0x7f72d6ab584d in mad_frame_decode
/tmp/portage/media-libs/libmad-0.15.1b-r8/work/libmad-0.15.1b/frame.c:453:7
    #5 0x7f72d6ada4e4 in run_sync
/tmp/portage/media-libs/libmad-0.15.1b-r8/work/libmad-0.15.1b/decoder.c:404:11
    #6 0x7f72d6ad8c59 in mad_decoder_run
/tmp/portage/media-libs/libmad-0.15.1b-r8/work/libmad-0.15.1b/decoder.c:557:12
    #7 0x5277a1 in decode
/tmp/portage/media-sound/madplay-0.15.2b-r1/work/madplay-0.15.2b/player.c:1862:12
    #8 0x5277a1 in play_one
/tmp/portage/media-sound/madplay-0.15.2b-r1/work/madplay-0.15.2b/player.c:1951
    #9 0x5277a1 in play_all
/tmp/portage/media-sound/madplay-0.15.2b-r1/work/madplay-0.15.2b/player.c:2041
    #10 0x5215a2 in player_run
/tmp/portage/media-sound/madplay-0.15.2b-r1/work/madplay-0.15.2b/player.c:2768:14
    #11 0x50c46c in main
/tmp/portage/media-sound/madplay-0.15.2b-r1/work/madplay-0.15.2b/madplay.c:816:7
    #12 0x7f72d599d78f in __libc_start_main
/tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289
    #13 0x41aa78 in _init (/usr/bin/madplay+0x41aa78)

Affected version:
0.15.1b

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00211-libmad-heapoverflow-mad_bit_skip

Timeline:
2017-01-01: bug discovered and reported to upstream
2017-04-30: blog post about the issue

Note:
This bug was found with American Fuzzy Lop.

Permalink:

    libmad: heap-based buffer overflow in mad_bit_skip (bit.c)
===========================================================

(open-)SUSE: https://software.opensuse.org/package/libmad

0.15.1b (TW, 42.{1,2}, multimedia:libs repo)

You are receiving this mail because: