[Secure-testing-team] Bug#530831: libsndfile1: Crafted files can trigger divide by zero
Sami Liedes
sliedes at cc.hut.fi
Thu May 28 06:26:19 UTC 2009
Package: libsndfile1
Version: 1.0.20-1
Severity: normal
Tags: security
Hi,

I have discovered six different SIGFPE crashes with crafted input
files in libsndfile. Triggering input files are attached.

The crashes are:

1) in htk.c:198 (htk_read_header), divisor sample_period can be 0.
2) in alaw.c:72 (alaw_init), divisor psf->blockwidth can be 0.
3) in ulaw.c:62 (ulaw_init), divisor psf->blockwidth can be 0.
4) in pcm.c:274 (pcm_init), divisor psf->blockwidth can be 0.
5) in float32.c:244 (float32_init), divisor psf->blockwidth can be 0.
6) in sds.c:279 (sds_read_header), psds->bitwidth can be 0, resulting
   in divisor ((psds->bitwidth + 6) / 7) getting the value of 0.

Run for example sndfile-info (from the sndfile-programs package) with
one of these files as parameter to see the crash.

I don't know what the security impact is, but since I assume
libsndfile is used by lots of applications for data obtained from
untrusted sources, I thought I'd tag this security. In any case it
should be at most denial of service. Untag if you think it's not
securitywise important.

	Sami

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.29.3 (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libsndfile1 depends on:
ii  libc6          2.9-13        GNU C Library: Shared libraries
ii  libflac8       1.2.1-1.2     Free Lossless Audio Codec - runtim
ii  libogg0        1.1.3-5       Ogg Bitstream Library
ii  libvorbis0a    1.2.0.dfsg-4  The Vorbis General Audio Compressi
ii  libvorbisenc2  1.2.0.dfsg-4  The Vorbis General Audio Compressi

libsndfile1 recommends no packages.

libsndfile1 suggests no packages.

-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 1.data
Type: application/octet-stream
Size: 50 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20090528/5e515585/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 2.data
Type: application/octet-stream
Size: 50 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20090528/5e515585/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 3.data
Type: application/octet-stream
Size: 50 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20090528/5e515585/attachment-0002.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 4.data
Type: application/octet-stream
Size: 50 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20090528/5e515585/attachment-0003.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 5.data
Type: application/octet-stream
Size: 50 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20090528/5e515585/attachment-0004.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 6.data
Type: application/octet-stream
Size: 50 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20090528/5e515585/attachment-0005.obj>
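
The zero-divisor pattern behind the six crashes listed in the report, as an added example that is not part of the original message and is not libsndfile code: a parser for a constructed 12-byte toy header that checks every file-supplied divisor before dividing. The header layout, toy_parse, its error codes and the sample buffers are all hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed 12-byte toy header (hypothetical, NOT a libsndfile format):
 * datalength, blockwidth, bitwidth, each 32-bit little-endian. */
struct toy_hdr { uint32_t datalength, blockwidth, bitwidth; };

enum { HDR_OK = 0, HDR_SHORT = -1, HDR_ZERO_BLOCKWIDTH = -2, HDR_BAD_BITWIDTH = -3 };

static uint32_t rd_le32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Parse the header and derive frame and sample counts. Every divisor
 * that comes from the file is checked before use, so a crafted header
 * yields an error code instead of SIGFPE. */
int toy_parse(const unsigned char *buf, size_t len,
              uint32_t *frames, uint32_t *samples) {
    struct toy_hdr h;
    uint32_t bytes_per_sample;

    if (len < 12) return HDR_SHORT;
    h.datalength = rd_le32(buf);
    h.blockwidth = rd_le32(buf + 4);
    h.bitwidth   = rd_le32(buf + 8);

    /* Pattern of cases 2-5: the header field itself is the divisor. */
    if (h.blockwidth == 0) return HDR_ZERO_BLOCKWIDTH;

    /* Pattern of case 6: the divisor is derived, (bitwidth + 6) / 7.
     * Reject values where the unsigned addition would wrap, then check
     * the derived divisor itself (it is 0 exactly when bitwidth is 0). */
    if (h.bitwidth > UINT32_MAX - 6) return HDR_BAD_BITWIDTH;
    bytes_per_sample = (h.bitwidth + 6) / 7;
    if (bytes_per_sample == 0) return HDR_BAD_BITWIDTH;

    *frames  = h.datalength / h.blockwidth;
    *samples = h.datalength / bytes_per_sample;
    return HDR_OK;
}

/* Constructed sample inputs: one valid header and two zero-divisor ones. */
const unsigned char toy_good[12]            = { 0x40,0,0,0, 4,0,0,0, 16,0,0,0 };
const unsigned char toy_zero_blockwidth[12] = { 0x40,0,0,0, 0,0,0,0, 16,0,0,0 };
const unsigned char toy_zero_bitwidth[12]   = { 0x40,0,0,0, 4,0,0,0, 0,0,0,0 };
```

Checking the derived divisor rather than only the raw field also covers expressions whose result can be zero for a non-zero input.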