oss-sec mailing list archives
Re: audiofile: heap-based buffer overflow in readValue (FileHandle.cpp)
From: Solar Designer <solar () openwall com>
Date: Tue, 14 Mar 2017 23:03:36 +0100
On Sun, Feb 26, 2017 at 11:46:23AM +0000, Agostino Sarubbo wrote:
==6051==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a00001f708 at pc 0x0000004513de bp 0x7ffc71379b20 sp 0x7ffc713792d0
WRITE of size 2 at 0x61a00001f708 thread T0
    #0 0x4513dd in read /tmp/portage/sys-devel/llvm-3.9.1/work/llvm-3.9.1.src/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:765
    #1 0x7fd944373b2c in bool readValue(File*, short*) /tmp/portage/media-libs/audiofile-0.3.6-r3/work/audiofile-0.3.6/libaudiofile/FileHandle.cpp:353:12
    #2 0x7fd944373b2c in bool readSwap(File*, short*, int) /tmp/portage/media-libs/audiofile-0.3.6-r3/work/audiofile-0.3.6/libaudiofile/FileHandle.cpp:375
    #3 0x7fd944373b2c in _init /tmp/portage/media-libs/audiofile-0.3.6-r3/work/audiofile-0.3.6/libaudiofile/FileHandle.cpp:397
    #4 0x7fd94439ce2f in WAVEFile::parseFormat(Tag const&, unsigned int) /tmp/portage/media-libs/audiofile-0.3.6-r3/work/audiofile-0.3.6/libaudiofile/WAVE.cpp:289:5

Agostino asked the list moderators to post to this thread that the above is CVE-2017-6828.

Alexander
