'[oss-security] lame: stack-based buffer overflow in III_dequantize_sample (layer3.c)'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] lame: stack-based buffer overflow in III_dequantize_sample (layer3.c)
From:       "Agostino Sarubbo" <ago () gentoo ! org>
Date:       2017-06-28 12:08:20
Message-ID: 128119.2550409-sendEmail () localhost
[Download RAW message or body]

------MIME delimiter for sendEmail-846790.42019798
Content-Type: text/plain;
        charset="UTF-8"
Content-Transfer-Encoding: 7bit

Description:
lame is a high quality MPEG Audio Layer III (MP3) encoder licensed under the LGPL.

Few notes before the details of this bug. Time ago a fuzz was done by Brian Carpenter and Jakub \
Wilk which posted the results on the debian  bugtracker. In cases like this, when upstream is \
not active and people do not post on the upstream bugzilla is easy discover duplicates, so I  \
downloaded all available testcases, and noone of the bug you will see on my blog is a duplicate \
of an existing issue. Upstream seems a bit  dead, latest release was into 2011, so this blog \
post will probably forwarded on the upstream bugtracker just for the record.

The complete ASan output of the issue:

# lame -f -V 9 $FILE out.wav
==30801==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe82a515a0 at pc \
0x7f56d24c9df7 bp 0x7ffe82a4ffb0 sp 0x7ffe82a4ffa8 WRITE of size 4 at 0x7ffe82a515a0 thread T0
    #0 0x7f56d24c9df6 in III_dequantize_sample \
/var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/mpglib/layer3.c  #1 0x7f56d24a664f \
in decode_layer3_frame \
/var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/mpglib/layer3.c:1738:17  #2 \
0x7f56d24733ca in decodeMP3_clipchoice \
/var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/mpglib/interface.c:615:13  #3 \
0x7f56d2470c13 in decodeMP3 \
/var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/mpglib/interface.c:696:12  #4 \
                0x7f56d2431092 in decode1_headersB_clipchoice 
/var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/libmp3lame/mpglib_interface.c:149:11
  #5 0x7f56d243694a in hip_decode1_headersB 
/var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/libmp3lame/mpglib_interface.c:436:16
  #6 0x7f56d243694a in hip_decode1_headers \
/var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/libmp3lame/mpglib_interface.c:379  \
#7 0x51e984 in lame_decode_fromfile \
/var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/get_audio.c:2089:11  #8 \
0x51e984 in read_samples_mp3 \
/var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/get_audio.c:877  #9 \
0x51e984 in get_audio_common \
/var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/get_audio.c:785  #10 \
0x51e4fa in get_audio \
/var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/get_audio.c:688:16  #11 \
0x50f776 in lame_encoder_loop \
/var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/lame_main.c:456:17  #12 \
0x50f776 in lame_encoder \
/var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/lame_main.c:531  #13 \
0x50c43f in lame_main \
/var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/lame_main.c:707:15  #14 \
0x510793 in c_main /var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/main.c:470:15
  #15 0x510793 in main \
/var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/frontend/main.c:438  #16 \
0x7f56d1029680 in __libc_start_main \
/tmp/portage/sys-libs/glibc-2.23-r3/work/glibc-2.23/csu/../csu/libc-start.c:289  #17 0x41c998 \
in _init (/usr/bin/lame+0x41c998)

Address 0x7ffe82a515a0 is located in stack of thread T0 at offset 5024 in frame
    #0 0x7f56d24a548f in decode_layer3_frame \
/var/tmp/portage/media-sound/lame-3.99.5-r1/work/lame-3.99.5/mpglib/layer3.c:1659

  This frame has 4 object(s):
    [32, 344) 'scalefacs'
    [416, 5024) 'hybridIn' 0x1000505422b0: 00 00 00 00[f2]f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
  0x1000505422c0: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
  0x1000505422d0: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000505422e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000505422f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100050542300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==30801==ABORTING

Affected version:
3.99.5

Fixed version:
N/A

Commit fix:
N/A

Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.

CVE:
CVE-2017-9872

Reproducer:
https://github.com/asarubbo/poc/blob/master/00294-lame-stackoverflow-III_dequantize_sample

Timeline:
2017-06-01: bug discovered
2017-06-17: blog post about the issue
2017-06-25: CVE assigned

Note:
This bug was found with American Fuzzy Lop.

Permalink:
https://blogs.gentoo.org/ago/2017/06/17/lame-stack-based-buffer-overflow-in-iii_dequantize_sample-layer3-c/


--
Agostino Sarubbo
Gentoo Linux Developer


------MIME delimiter for sendEmail-846790.42019798--


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic