oss-sec mailing list archives

libmad: assertion failure in layer3.c


From: "Agostino Sarubbo" <ago () gentoo org>
Date: Mon, 1 May 2017 11:39:43 +0000

Description:
libmad stands for "M"peg "A"udio "D"ecoder library.

The same testcase provided in the article "libmad: heap-based buffer overflow in mad_layer_III (layer3.c)" is able to trigger an assertion failure if libmad was compiled with debugging enabled (--enable-debugging).

The complete output of the failure:

# madplay -v -i -o raw:out $FILE
madplay: /tmp/portage/media-libs/libmad-0.15.1b-r8/work/libmad-0.15.1b/layer3.c:2633: mad_layer_III: Assertion `stream->md_len + md_len - si.main_data_begin <= MAD_BUFFER_MDLEN' failed.
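The failing assertion is the only guard on the main-data reservoir in a debug build; a release build compiles it out and continues. The following is an added example, not libmad's code, showing the same invariant expressed as a recoverable check. The names held, incoming, main_data_begin and cap are hypothetical stand-ins for stream->md_len, md_len, si.main_data_begin and MAD_BUFFER_MDLEN, and the capacity value is constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed reservoir capacity for this example; stands in for
 * MAD_BUFFER_MDLEN and is not taken from libmad. */
#define RESERVOIR_CAP 2567u

enum reservoir_status {
    RESERVOIR_OK = 0,
    RESERVOIR_BAD_DATA_PTR, /* main_data_begin reaches before the data we hold */
    RESERVOIR_OVERFLOW      /* the appended frame would exceed the reservoir */
};

/* Evaluates held + incoming - main_data_begin <= cap (the assertion's
 * invariant) without unsigned wraparound, returning a status instead of
 * aborting. `held` is the number of bytes already in the reservoir,
 * `incoming` the bytes the new frame contributes, `main_data_begin` the
 * backward pointer from the frame's side info. */
enum reservoir_status reservoir_check(size_t held, size_t incoming,
                                      size_t main_data_begin, size_t cap)
{
    /* Subtracting first would wrap when main_data_begin > held, turning a
     * bad backward pointer into a huge "valid" length. Reject it instead. */
    if (main_data_begin > held)
        return RESERVOIR_BAD_DATA_PTR;
    /* Reservoir state itself must be sane before the remaining arithmetic. */
    if (held > cap)
        return RESERVOIR_OVERFLOW;
    /* held - main_data_begin is now safe; compare without overflowing the sum. */
    if (incoming > cap - (held - main_data_begin))
        return RESERVOIR_OVERFLOW;
    return RESERVOIR_OK;
}

int main(void)
{
    /* Constructed inputs: a sane frame, a backward pointer past the start of
     * the held data, and a frame that would overrun the reservoir. */
    printf("sane frame:        %d\n", reservoir_check(100, 500, 50, RESERVOIR_CAP));
    printf("bad data pointer:  %d\n", reservoir_check(100, 500, 200, RESERVOIR_CAP));
    printf("reservoir overrun: %d\n", reservoir_check(2000, 700, 0, RESERVOIR_CAP));
    return 0;
}
```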

Affected version:
0.15.1b

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-8372

Reproducer:
https://github.com/asarubbo/poc/blob/master/00213-libmad-heapoverflow-mad_layer_III

Timeline:
2017-01-01: bug discovered and reported to upstream
2017-04-30: blog post about the issue
2017-05-01: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/04/30/libmad-assertion-failure-in-layer3-c/

--
Agostino Sarubbo
Gentoo Linux Developer

