oss-sec mailing list archives
libaacplus: signed integer overflow, left shift and assertion failure
From: "Agostino Sarubbo" <ago () gentoo org>
Date: Mon, 10 Apr 2017 07:19:35 +0000
Description:
libaacplus is a HE-AAC+ v2 library, based on the reference implementation.

While fuzzing it I found some crashes. Upstream was poked on 2017-03-12, but no response from him.

# aacplusenc $FILE out.aac 24000 s
au_channel.h:31:91: runtime error: signed integer overflow: 2147483647 + 8 cannot be represented in type 'int'

Affected version:
2.0.2

Fixed version:
N/A

Commit fix:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00254-libaacplus-signedintoverflow

CVE:
CVE-2017-7603

##############################################

# aacplusenc $FILE out.aac 24000 s
au_channel.h:31:83: runtime error: left shift of 241 by 24 places cannot be represented in type 'int'

Affected version:
2.0.2

Fixed version:
N/A

Commit fix:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00255-libaacplus-leftshift

CVE:
CVE-2017-7604

##############################################

# aacplusenc $FILE out.aac 24000 s
aacplusenc: aacplusenc.c:67: aacplusEncHandle aacplusEncOpen(unsigned long, unsigned int, unsigned long *, unsigned long *): Assertion `numChannels <= MAX_CHANNELS' failed.

Affected version:
2.0.2

Fixed version:
N/A

Commit fix:
N/A

Reproducer:
https://github.com/asarubbo/poc/blob/master/00256-libaacplus-assertion-failure

CVE:
CVE-2017-7605

##############################################

Credit:
These bugs were discovered by Agostino Sarubbo of Gentoo.

Timeline:
2017-03-12: bug discovered and poked upstream about
2017-04-01: blog post about the issue
2017-04-09: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/04/01/libaacplus-signed-integer-overflow-left-shift-and-assertion-failure

--
Agostino Sarubbo
Gentoo Linux Developer
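Added example, not code from the advisory or from libaacplus: a hypothetical hardened reader for the Sun AU file header in C, showing the defensive form of each of the three reported failure classes (big-endian fields assembled in unsigned arithmetic so a shift of a byte such as 241 by 24 places is well defined, an overflow-checked size computation, and the channel-count bound enforced on input rather than left to an assert). The field layout follows the standard 24-byte AU header; `MAX_CHANNELS_ASSUMED` and `parse_au_header` are assumed names that stand in for the library's own `MAX_CHANNELS` and reader.

```c
/* Hypothetical AU header reader (constructed example, not libaacplus code).
 * Demonstrates input validation that prevents the three advisory findings:
 * signed overflow, undefined left shift, and a reachable assert. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

#define MAX_CHANNELS_ASSUMED 2   /* assumed bound, stands in for MAX_CHANNELS */

typedef struct {
    uint32_t data_offset, data_size, encoding, sample_rate, channels;
} au_header;

/* Assemble a 32-bit big-endian field. Doing it in uint32_t keeps "<< 24"
 * defined for every byte value (241 << 24 overflows a 32-bit int). */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Returns true and fills *h only when every field passes its bound check;
 * a rejected file never reaches the encoder's assert. */
bool parse_au_header(const uint8_t *buf, size_t len, au_header *h) {
    if (len < 24 || memcmp(buf, ".snd", 4) != 0)
        return false;                       /* too short or wrong magic */
    h->data_offset = be32(buf + 4);
    h->data_size   = be32(buf + 8);
    h->encoding    = be32(buf + 12);
    h->sample_rate = be32(buf + 16);
    h->channels    = be32(buf + 20);

    /* Bound the channel count here instead of asserting on it later. */
    if (h->channels == 0 || h->channels > MAX_CHANNELS_ASSUMED)
        return false;
    /* Offset must lie inside the buffer; the header itself is 24 bytes. */
    if (h->data_offset < 24 || h->data_offset > len)
        return false;
    /* Check offset + size for wraparound before any arithmetic on it
     * (the advisory's "2147483647 + 8" was an unchecked int addition).
     * __builtin_add_overflow is a GCC/Clang builtin. */
    uint32_t end;
    if (__builtin_add_overflow(h->data_offset, h->data_size, &end) || end > len)
        return false;
    return true;
}
```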