[Secure-testing-team] Bug#878808: sox: CVE-2017-15372: stack-buffer-overflow src/adpcm.c:126 in lsx_ms_adpcm_block_expand_i
Salvatore Bonaccorso
carnil at debian.org
Mon Oct 16 19:49:51 UTC 2017
Source: sox
Version: 14.4.1-5
Severity: important
Tags: security upstream
Hi,
the following vulnerability was published for sox.
CVE-2017-15372[0]:
| There is a stack-based buffer overflow in the
| lsx_ms_adpcm_block_expand_i function of adpcm.c in Sound eXchange (SoX)
| 14.4.2. A Crafted input will lead to a denial of service attack during
| conversion of an audio file.
With an ASAN build and
./src/sox ~/01-stack-overflow out.snd
=================================================================
==4852==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff9b73d8a4 at pc 0x7fae2c9b322d bp 0x7fff9b73d7e0 sp 0x7fff9b73d7d8
WRITE of size 2 at 0x7fff9b73d8a4 thread T0
#0 0x7fae2c9b322c in lsx_ms_adpcm_block_expand_i src/adpcm.c:126
#1 0x7fae2c9b672b in AdpcmReadBlock src/wav.c:176
#2 0x7fae2c9bd5b0 in read_samples src/wav.c:1029
#3 0x7fae2c88e1fb in sox_read src/formats.c:973
#4 0x406096 in sox_read_wide src/sox.c:490
#5 0x406a6e in combiner_drain src/sox.c:552
#6 0x7fae2c8c1fe1 in drain_effect src/effects.c:318
#7 0x7fae2c8c2ffe in sox_flow_effects src/effects.c:387
#8 0x4122da in process src/sox.c:1794
#9 0x41b386 in main src/sox.c:3012
#10 0x7fae2bd622e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
#11 0x402f49 in _start (/root/sox-14.4.1/src/.libs/sox+0x402f49)
Address 0x7fff9b73d8a4 is located in stack of thread T0 at offset 68 in frame
#0 0x7fae2c9b3063 in lsx_ms_adpcm_block_expand_i src/adpcm.c:112
This frame has 1 object(s):
[32, 64) 'state' <== Memory access at offset 68 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow src/adpcm.c:126 in lsx_ms_adpcm_block_expand_i
Shadow bytes around the buggy address:
0x1000736dfac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000736dfad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000736dfae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000736dfaf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000736dfb00: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
=>0x1000736dfb10: 00 00 00 00[f3]f3 f3 f3 00 00 00 00 00 00 00 00
0x1000736dfb20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000736dfb30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000736dfb40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000736dfb50: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2
0x1000736dfb60: f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f3 f3 f3 f3 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==4852==ABORTING
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-15372
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15372
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1500553
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 01-stack-overflow
Type: audio/x-wav
Size: 4095 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20171016/92d59528/attachment.wav>
More information about the Secure-testing-team
mailing list