http://bugzilla.opensuse.org/show_bug.cgi?id=1026978 Bug ID: 1026978 Summary: VUl-1: audiofile: multiple ubsan crashes Classification: openSUSE Product: openSUSE Distribution Version: Leap 42.2 Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: security-team@suse.de Reporter: mikhail.kasimov@gmail.com QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- Ref: http://seclists.org/oss-sec/2017/q1/515 ============================================== Description: audiofile is a C-based library for reading and writing audio files in many common formats. A fuzz on it discovered multiple crashes because of undefined behavior. The complete UBsan output: # sfconvert @@ out.mp3 format aiff /tmp/portage/media-libs/audiofile-0.3.6-r3/work/audiofile-0.3.6/libaudiofile/WAVE.cpp:289:14: runtime error: index 256 out of bounds for type 'int16_t [256][2]' /tmp/portage/media-libs/audiofile-0.3.6-r3/work/audiofile-0.3.6/libaudiofile/WAVE.cpp:290:14: runtime error: index 256 out of bounds for type 'int16_t [256][2]' Reproducer: https://github.com/asarubbo/poc/blob/master/00191-audiofile-indexoob ########################################## # sfconvert @@ out.mp3 format aiff /tmp/portage/media-libs/audiofile-0.3.6-r3/work/audiofile-0.3.6/sfcommands/sfconvert.c:327:42: runtime error: signed integer overflow: 65536 * 252936 cannot be represented in type 'int' Reproducer: https://github.com/asarubbo/poc/blob/master/00192-audiofile-signintoverflow-... ########################################## # sfconvert @@ out.mp3 format aiff /tmp/portage/media-libs/audiofile-0.3.6-r3/work/audiofile-0.3.6/libaudiofile/modules/MSADPCM.cpp:115:27: runtime error: signed integer overflow: 5512570 * 409 cannot be represented in type 'int' Reproducer: https://github.com/asarubbo/poc/blob/master/00193-audiofile-signintoverflow-... ########################################## Affected version: 0.3.6 Fixed version: N/A Commit fix: N/A Credit: These bugs were discovered by Agostino Sarubbo of Gentoo. Timeline: 2017-02-20: bug discovered and reported to upstream 2017-02-20: blog post about the issue Note: These bugs were found with American Fuzzy Lop. Permalink: https://blogs.gentoo.org/ago/2017/02/20/audiofile-multiple-ubsan-crashes ============================================== https://software.opensuse.org/package/audiofile TW|42.{1,2}: 0.3.6 VUL-1 because: http://seclists.org/oss-sec/2017/q1/504 ======================================================== Hello all. I discovered multiple crashes in the audiofile library. The maintainer was informed privately, I didn't see reactions and all details are public on my blog. I posted them to the cveform too, but I didn't get response. I'll send update if something will change. -- Agostino Sarubbo Gentoo Linux Developer ======================================================== -- You are receiving this mail because: You are on the CC list for the bug.