'Re: [oss-security] CVE Request : Several Bugs Found on Libflac 1.3.1 and Libtta++-2.2'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] CVE Request : Several Bugs Found on Libflac 1.3.1 and Libtta++-2.2
From:       Zhenghao Hu <zhenghaohuu () gmail ! com>
Date:       2015-02-25 12:39:42
Message-ID: CAELuwWRm7Y8FwE9PUynTO_YDgS21janCX4z-nhUoFC+zten3hA () mail ! gmail ! com
[Download RAW message or body]


Now all fixed! So... can i get a CVE please?

http://sourceforge.net/p/flac/bugs/425/#3fd8
http://sourceforge.net/p/tta/bugs/9/#10f7

On Tue, Feb 17, 2015 at 12:57 AM, Zhenghao Hu <zhenghaohuu@gmail.com> wrote:

> Almost Forgot.. Thanks for reminding.
> 
> https://sourceforge.net/p/flac/bugs/425/
> https://sourceforge.net/p/tta/bugs/9/
> 
> 
> On Mon, Feb 16, 2015 at 6:48 PM, Vasyl Kaigorodov <vkaigoro@redhat.com>
> wrote:
> 
> > Hello Zhenghao,
> > 
> > Were these issues reported upstream already?
> > If so - could you please post the corresponding bug tracker urls here
> > as well?
> > 
> > Thanks.
> > --
> > Vasyl Kaigorodov | Red Hat Product Security
> > PGP:  0xABB6E828 A7E0 87FF 5AB5 48EB 47D0 2868 217B F9FC ABB6 E828
> > On Fri, 13 Feb 2015, Zhenghao Hu wrote:
> > 
> > > Several bugs found in the latest libflac and libtta codec fuzzing with
> > AFL (
> > > http://lcamtuf.coredump.cx/afl/), working together with Nie Sen, from
> > > K33nTeam.
> > > The input POC files can be found on
> > > https://sourceforge.net/projects/pocfiles/files/
> > > 
> > > 
> > ---------------------------------------------------------------------------------------------------------------------------------------
> > 
> > > 
> > > Libflac 1.3.1 SEGV in libFLAC.so
> > > 
> > > Run :
> > > ./flac -e -f -o ~/out.ogg t1.flac
> > > 
> > > Codes related :
> > > src/libFLAC/stream_encoder.c    line:2143
> > > Function FLAC__stream_encoder_process()
> > > 
> > > for(channel = 0; channel < channels; channel++)
> > > 
> > > 
> > memcpy(&encoder->private_->integer_signal[channel][encoder->private_->current_sample_number],
> > 
> > > &buffer[channel][j], sizeof(buffer[channel][0]) * n);
> > > 
> > > Reference:
> > > http://xiph.org/flac/
> > > 
> > > 
> > ---------------------------------------------------------------------------------------------------------------------------------------
> > 
> > > 
> > > Libflac 1.3.1 Codec Frontend Bug
> > > 
> > > Run :
> > > ./flac -e -f -o ~/out.ogg t2.flac
> > > 
> > > Code Related :
> > > src/flac/encoder.c        line:1878
> > > Function EncoderSession_init_encoder()
> > > 
> > > else if(e->total_samples_to_encode !=
> > > cs->tracks[cs->num_tracks-1].offset) {
> > > 
> > > Reference:
> > > http://xiph.org/flac/
> > > 
> > > 
> > ---------------------------------------------------------------------------------------------------------------------------------------
> > 
> > > Libflac 1.3.1 Stack overflow
> > > 
> > > In Command-line flac encoder/decoder tool, bytes_to_read is not
> > > properly checked against the size of ucbuffer, which causes a stack
> > > overflow when performing fread in encoding.
> > > 
> > > Codes related to the crash are in src/flac/encode.c function
> > > flac__encode_file()
> > > 
> > > const size_t bytes_to_read = (size_t)min(
> > > 
> > > encoder_session.fmt.iff.data_bytes,
> > > 
> > > (FLAC__uint64)CHUNK_OF_SAMPLES *
> > > (FLAC__uint64)encoder_session.info.bytes_per_wide_sample
> > > );
> > > bytes_read = fread(ucbuffer.u8, sizeof(unsigned char),
> > bytes_to_read,
> > > infile);
> > > 
> > > POC:
> > > ./flac -e -f -o ~/test.flac ~/libflac_stack.wav
> > > 
> > > Reference:
> > > http://xiph.org/flac/
> > > 
> > > 
> > ---------------------------------------------------------------------------------------------------------------------------------------
> > 
> > > 
> > > Libtta++ 2.2 divide-by-0 error
> > > 
> > > In TTA consoole frontend tool, speciafically crafted wave_hdr would
> > > result in a divide-by-zero error.
> > > 
> > > Problematic codes are as follows. In console/tta.cpp, function
> > > compress()
> > > 
> > > smp_size = (wave_hdr.num_channels * ((wave_hdr.bits_per_sample
> > + 7)
> > > / 8));
> > > ...
> > > ...
> > > info.samples = data_size / smp_size;
> > > 
> > > POC:
> > > ./tta -e ~/libtta_float.wav ~/test.tta
> > > 
> > > Reference:
> > > http://sourceforge.net/projects/tta/
> > > 
> > > 
> > ---------------------------------------------------------------------------------------------------------------------------------------
> > 
> > > 
> > > Libtta++ 2.2 tta_encoder class heap overflow
> > > 
> > > tta_encoder.fnum is not checked in tta_encoder::process_stream,
> > which
> > > causes a heap overflow when trying to write the seek_table indexed by
> > fnum.
> > > 
> > > Codes related to the crash are in libtta.cpp ,
> > encoder::process_stream()
> > > 
> > > seek_table = (TTAuint64 *) tta_malloc(frames *
> > sizeof(TTAuint64));
> > > 
> > > seek_table[fnum++] = fifo.count;
> > > 
> > > POC:
> > > ./tta -e ~/heap.wav ~/test.tta
> > > 
> > > Reference:
> > > http://sourceforge.net/projects/tta/
> > > 
> > > 
> > ---------------------------------------------------------------------------------------------------------------------------------------
> > 
> > > 
> > > Thanks!
> > > --
> > > Zhenghao Hu / K33nTeam
> > 
> 
> 



[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic