oss-sec mailing list archives
Re: Re: CVE request: libsndfile 1.0.25 heap overflow
From: gauri () tut by
Date: Thu, 05 Nov 2015 17:30:14 +0100
Hello list.

03.11.2015, 21:02, "cve-assign () mitre org" <cve-assign () mitre org>:

> > Unrelated, but I recently reported an out of bounds triggered by the
> > test suite of libsndfile and got no reply:
> > http://permalink.gmane.org/gmane.comp.audio.libsndfile.devel/681
> >
> > Out of bounds reads in psf_strlcpy_crlf when running test suite
> >
> > AddressSanitizer: global-buffer-overflow ... READ of size 1
>
> Use CVE-2015-8075.
I have followed up on this to spot the root cause of what has been assigned CVE-2015-8075; as recommended by Hanno, I am sharing my results with the wider audience.

The `test_psf_strlcpy_crlf()` routine, as it is presented [1] in version 1.0.25, is incorrect in that it supplies an invalid argument value to the function `psf_strlcpy_crlf()` being tested: the last argument `srcmax` receives `sizeof(src)`, which is the size of the pointer `src`, and not the source string length it points to, as might have been anticipated by the author. Since the reporter tested a 64-bit build, `srcmax` gets passed 8, but the string is 7 bytes long. This triggers OOB access detected by AddressSanitizer, just like in the original report.

At this point, it seems CVE-2015-8075 has to be rejected as there is no vulnerability, only a poorly written test case which doesn't see any action except when running `make check`.

Note: Apparently, the vendor has attempted to fix the test [2], but it seems like `srcmax` is getting `sizeof(char)` instead of `sizeof(char *)` now. The test remains invalid, although due to a different reason.

Cheers,
Z.

References:
[1] https://github.com/erikd/libsndfile/blob/f66e21e0b1f1b52b544dabb5ba4fa89fa6f62a30/src/test_strncpy_crlf.c
[2] https://github.com/erikd/libsndfile/blob/495c2877e1c841fbb420383551547d2ca60533c6/src/test_strncpy_crlf.c
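An added example, not code from the thread or from libsndfile, showing the `srcmax` arithmetic the post describes and the check the test case was missing. `model_strlcpy_crlf()` is a hypothetical stand-in for the function under test, `k_src` is a constructed 7-byte input, and the three `srcmax_mode` values are the `sizeof(src)`, `sizeof(char)` and string-length computations discussed above.

```c
#include <stddef.h>
#include <string.h>

/* Constructed 7-byte input, declared as a pointer just as `src` was in the test. */
static const char *const k_src = "foo\nbar";

/* Hypothetical stand-in for the function under test (not libsndfile's code).
 * Copies at most srcmax bytes of src into dest (capacity destmax), expanding a
 * bare '\n' to "\r\n"; every read is bounded by srcmax and stops at the NUL. */
static void model_strlcpy_crlf(char *dest, const char *src, size_t destmax, size_t srcmax)
{
    size_t di = 0, si = 0;
    if (destmax == 0) return;
    while (si < srcmax && src[si] != '\0' && di + 2 < destmax) {
        if (src[si] == '\r' && si + 1 < srcmax && src[si + 1] == '\n') {
            dest[di++] = '\r'; dest[di++] = '\n'; si += 2;   /* keep an existing CRLF */
        } else if (src[si] == '\n') {
            dest[di++] = '\r'; dest[di++] = '\n'; si++;      /* expand bare LF */
        } else {
            dest[di++] = src[si++];
        }
    }
    dest[di] = '\0';
}

/* The three ways the thread says srcmax was (or should have been) computed. */
enum srcmax_mode { SRCMAX_SIZEOF_PTR, SRCMAX_SIZEOF_CHAR, SRCMAX_STRLEN };

/* Returns the srcmax a given mode would pass to the function under test. */
static size_t srcmax_for(enum srcmax_mode mode)
{
    switch (mode) {
    case SRCMAX_SIZEOF_PTR:  return sizeof(k_src);  /* pointer size: 8 on 64-bit, 4 on 32-bit, never 7 */
    case SRCMAX_SIZEOF_CHAR: return sizeof(char);   /* always 1: only one byte gets copied */
    default:                 return strlen(k_src);  /* 7: the length the author meant to pass */
    }
}

/* Runs one case and returns 1 when the output is the expected "foo\r\nbar". With
 * sizeof(src) the output is still right on 64-bit, because the model stops at the
 * NUL, which is why the wrong bound only surfaced under AddressSanitizer. */
static int run_case(enum srcmax_mode mode)
{
    char out[32];
    model_strlcpy_crlf(out, k_src, sizeof(out), srcmax_for(mode));
    return strcmp(out, "foo\r\nbar") == 0;
}

/* The assertion the test lacked: the bound passed must equal the source string length. */
static int srcmax_matches_string(enum srcmax_mode mode)
{
    return srcmax_for(mode) == strlen(k_src);
}
```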