[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] vorbis-tools oggenc vulnerability
From: "qflb.wu" <qflb.wu () dbappsecurity ! com ! cn>
Date: 2017-07-30 9:56:50
Message-ID: 2cb4328d.e49.15d92ed4a9c.Coremail.qflb.wu () dbappsecurity ! com ! cn
[Download RAW message or body]
[Attachment #2 (text/plain)]
vorbis-tools oggenc vulnerability
================
Author : qflb.wu
===============
Introduction:
=============
The Vorbis Tools package contains command-line tools useful for encoding, playing or editing \
files using the Ogg CODEC.
Affected version:
=====
1.4.0
Vulnerability Description:
==========================
the wav_open function in oggenc/audio.c in vorbis-tools 1.4.0 can cause a denial of \
service(memory allocation error) via a crafted wav file.
./oggenc vorbis-tools_1.4.0_oggenc_memory_allocation_error.wav -o out
==68126==WARNING: AddressSanitizer failed to allocate 0xffffffffffffbc00 bytes
==68126==AddressSanitizer's allocator is terminating the process instead of returning 0
==68126==If you don't like this behavior set allocator_may_return_null=1
==68126==AddressSanitizer CHECK failed: \
/build/buildd/llvm-toolchain-3.4-3.4/projects/compiler-rt/lib/sanitizer_common/sanitizer_allocator.cc:149 \
"((0)) != (0)" (0x0, 0x0) #0 0x46d41f in __asan::AsanCheckFailed(char const*, int, char \
const*, unsigned long long, unsigned long long) \
(/home/a/Downloads/vorbis-tools-1.4.0/oggenc/oggenc+0x46d41f) #1 0x472c81 in \
__sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) \
(/home/a/Downloads/vorbis-tools-1.4.0/oggenc/oggenc+0x472c81) #2 0x4719c0 in \
__sanitizer::AllocatorReturnNull() \
(/home/a/Downloads/vorbis-tools-1.4.0/oggenc/oggenc+0x4719c0) #3 0x4674b6 in \
__interceptor_malloc (/home/a/Downloads/vorbis-tools-1.4.0/oggenc/oggenc+0x4674b6) #4 0x492896 \
in wav_open /home/a/Downloads/vorbis-tools-1.4.0/oggenc/audio.c:573 #5 0x496d8e in \
open_audio_file /home/a/Downloads/vorbis-tools-1.4.0/oggenc/audio.c:86 #6 0x485d0a in main \
/home/a/Downloads/vorbis-tools-1.4.0/oggenc/oggenc.c:256 #7 0x7f6d9f8dcec4 \
(/lib/x86_64-linux-gnu/libc.so.6+0x21ec4) #8 0x47d55c in _start \
(/home/a/Downloads/vorbis-tools-1.4.0/oggenc/oggenc+0x47d55c)
-----------------
wav->channel_permute = malloc(wav->channels * sizeof(int));
if (wav->channels <= 8)
/* Where we know the mappings, use them. */
memcpy(wav->channel_permute, wav_permute_matrix[wav->channels-1],
sizeof(int) * wav->channels);
else
/* Use a default 1-1 mapping */
for (i=0; i < wav->channels; i++)
wav->channel_permute[i] = i;
return 1;
Andthe code didn't check the return of malloc.
POC:
vorbis-tools_1.4.0_oggenc_memory_allocation_error.wav
CVE:
CVE-2017-11331
===============================
qflb.wu () dbappsecurity com cn
["poc.zip" (application/x-zip-compressed)]
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic