oss-sec mailing list archives
mpg321: Out-of-bounds Write
From: Ren Kimura <rkx1209dev () gmail com>
Date: Fri, 7 Dec 2018 22:16:59 -0500
Hi. mpg321 is a free command-line mp3 player that is commonly available on many Linux distributions. For example, on Ubuntu you can download the latest mpg321 with "apt-get install mpg321".

In the latest mpg321, 0.3.2, scan() in mad.c calculates the number of frames using the bit rate. If a crafted mp3 whose bit rate equals 0 is taken, the sampling time becomes an INF value due to floating point division by 0. As a result, the frame number becomes very large (1<<63), leading to an out-of-bounds write, memory corruption at mad.c:285.

Note: the frames buffer has been allocated only 8 bytes at mpg321.c:990.

I'll request a CVE ID from MITRE.

ASAN crash trace:

Playing MPEG stream from mpg321_0.3.2_memory_corruption.mp3 ...
=================================================================
==18648==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000d8 at pc 0x555555566c18 bp 0x7fffffffb3$ 0 sp 0x7fffffffb3c0
WRITE of size 8 at 0x6020000000d8 thread T0
    #0 0x555555566c17 in read_header /home/rkx/Programming/OSS/research/results/2/mpg321-0.3.2/mad.c:285
    #1 0x7ffff64c0594 (/usr/lib/x86_64-linux-gnu/libmad.so.0+0x5594)
    #2 0x7ffff64c0b82 in mad_decoder_run (/usr/lib/x86_64-linux-gnu/libmad.so.0+0x5b82)
    #3 0x5555555607fb in main /home/rkx/Programming/OSS/research/results/2/mpg321-0.3.2/mpg321.c:1092
    #4 0x7ffff5b43b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #5 0x555555562779 in _start (/home/rkx/Programming/OSS/research/results/2/mpg321-0.3.2/mpg321-asan+0xe779)

0x6020000000d8 is located 0 bytes to the right of 8-byte region [0x6020000000d0,0x6020000000d8)
allocated by thread T0 here:
    #0 0x7ffff6ef8b50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x555555561b51 in main /home/rkx/Programming/OSS/research/results/2/mpg321-0.3.2/mpg321.c:990

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/rkx/Programming/OSS/research/results/2/mpg321-0.3.2/mad.c:285 in read_header
Shadow bytes around the buggy address:
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff8000: fa fa 06 fa fa fa 06 fa fa fa 01 fa fa fa 00 00
=>0x0c047fff8010: fa fa 00 00 fa fa 06 fa fa fa 00[fa]fa fa 00 00
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa

Ren Kimura
Attachment:
mpg321_0.3.2_memory_corruption.mp3
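The arithmetic the report describes, as an added example that is not mpg321's own code: a hypothetical reconstruction of deriving a frame count from file size and bit rate, where a zero bit rate turns the duration into +inf, placed beside the check that rejects it before the count is used to index a buffer. The function names, the 1152-sample/44.1 kHz frame duration, the buffer-capacity parameter and the sample sizes are assumptions.

```c
/* Added example, not mpg321 code. Models "frames = duration / frame_time"
 * with duration = bits / bitrate, and the check a decoder needs so that a
 * zero bit rate cannot produce an unbounded frame count. */
#include <math.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed frame duration: MPEG-1 Layer III, 1152 samples at 44.1 kHz. */
#define FRAME_SECONDS (1152.0 / 44100.0)

/* Unchecked version. With bitrate_bps == 0 the IEEE division yields +inf and
 * inf / FRAME_SECONDS stays +inf. Converting that to an integer is undefined
 * behaviour in C; on x86-64 the cvttsd2si instruction returns
 * 0x8000000000000000, i.e. the 1<<63 value the report cites. The value is
 * returned as a double here so the caller can see the inf without converting. */
double unchecked_frame_count(uint64_t file_bytes, uint64_t bitrate_bps)
{
    double seconds = (double)file_bytes * 8.0 / (double)bitrate_bps;
    return seconds / FRAME_SECONDS;
}

/* Checked version: refuse a zero bit rate before dividing, refuse a
 * non-finite or negative result, and cap the count at what the caller can
 * store. Returns 1 and stores the count on success, 0 otherwise. */
int checked_frame_count(uint64_t file_bytes, uint64_t bitrate_bps,
                        size_t max_frames, size_t *out)
{
    if (bitrate_bps == 0 || max_frames == 0 || out == NULL)
        return 0;
    double seconds = (double)file_bytes * 8.0 / (double)bitrate_bps;
    double frames = seconds / FRAME_SECONDS;
    if (!isfinite(frames) || frames < 0.0 || frames > (double)max_frames)
        return 0;
    *out = (size_t)frames;
    return 1;
}

/* Simulates a per-frame offset table of `capacity` entries, the role the
 * report's 8-byte buffer played, and records one byte offset per frame
 * without ever writing past the allocation. Returns the number of entries
 * written, or -1 when the count was rejected. */
long record_frame_offsets(uint64_t file_bytes, uint64_t bitrate_bps,
                          size_t capacity)
{
    size_t nframes;
    if (!checked_frame_count(file_bytes, bitrate_bps, capacity, &nframes))
        return -1;
    uint64_t *offsets = calloc(capacity, sizeof *offsets);
    if (offsets == NULL)
        return -1;
    /* Approximate constant-bit-rate frame size in bytes (assumption). */
    double bytes_per_frame = (double)bitrate_bps * FRAME_SECONDS / 8.0;
    for (size_t i = 0; i < nframes; i++)   /* nframes <= capacity is guaranteed */
        offsets[i] = (uint64_t)((double)i * bytes_per_frame);
    free(offsets);
    return (long)nframes;
}

int main(void)
{
    /* Constructed inputs: a 128000-byte file at 128 kbit/s, then bit rate 0. */
    printf("unchecked, 128 kbit/s: %f frames\n", unchecked_frame_count(128000, 128000));
    printf("unchecked, 0 bit/s:    %f frames\n", unchecked_frame_count(128000, 0));
    printf("checked, 128 kbit/s:   %ld entries\n", record_frame_offsets(128000, 128000, 1000));
    printf("checked, 0 bit/s:      %ld (rejected)\n", record_frame_offsets(128000, 0, 8));
    return 0;
}
```

Building the unchecked path with `-fsanitize=float-cast-overflow` (GCC and Clang) reports the inf-to-integer conversion at the point where a decoder would turn the duration into a count, which is earlier and more precise than the heap-buffer-overflow ASan reports once the oversized count is used as an index.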
Current thread:
- mpg321: Out-of-bounds Write Ren Kimura (Dec 08)
- Re: mpg321: Out-of-bounds Write Matthew Fernandez (Dec 08)
- Re: mpg321: Out-of-bounds Write Ren Kimura (Dec 10)
- Message not available
- Re: mpg321: Out-of-bounds Write Ren Kimura (Dec 10)
- Message not available