soundtouch: divide by zero [@soundtouch::FIFOSampleBuffer::setChannels]

RESOLVED INVALID

Status


Core
Audio/Video: Playback
--
critical
RESOLVED INVALID
2 years ago
a year ago

People

(Reporter: tsmith, Unassigned)

Tracking

(4 keywords)

Trunk
crash, csectype-dos, sec-low, testcase
Points:
---

Firefox Tracking Flags

(firefox53 affected)

Details

Attachments

(1 attachment)

(Reporter)

Description

2 years ago
Created attachment 8823344 [details]
test_case.wav

NOTE: This is marked as a security issue because it appears soundtouch has never been fuzzed. We want to avoid unwanted attention until we can get it fuzzed.

This was found while fuzzing version 1.9.2 of soundtouch.

The included test application soundstretch bundled in the source was used to find this issue.

The application was built with Address Sanitizer (ASan) with assertions disabled. (CFLAGS="-DNDEBUG" CXXFLAGS="-DNDEBUG")

Run with the following command:
./soundstretch test_case.wav out.wav -pitch=-3


ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000018d10 at pc 0x7fef7618625a bp 0x7ffeb1a72580 sp 0x7ffeb1a72578
READ of size 16 at 0x621000018d10 thread T0
    #0 0x7fef76186259 in soundtouch::TDStretchSSE::calcCrossCorr(float const*, float const*, double&) soundtouch/source/SoundTouch/sse_optimized.cpp:124:17
    #1 0x7fef76175d82 in soundtouch::TDStretch::seekBestOverlapPositionFull(float const*) soundtouch/source/SoundTouch/TDStretch.cpp:305:16
    #2 0x7fef76175be9 in soundtouch::TDStretch::seekBestOverlapPosition(float const*) soundtouch/source/SoundTouch/TDStretch.cpp:258:16
    #3 0x7fef76177401 in soundtouch::TDStretch::processSamples() soundtouch/source/SoundTouch/TDStretch.cpp:659:18
    #4 0x7fef76170a6d in soundtouch::FIFOSamplePipe::moveSamples(soundtouch::FIFOSamplePipe&) soundtouch/source/SoundTouch/../../include/FIFOSamplePipe.h:88:9
    #5 0x7fef76170a6d in soundtouch::SoundTouch::putSamples(float const*, unsigned int) soundtouch/source/SoundTouch/SoundTouch.cpp:334
    #6 0x4ef8a0 in process(soundtouch::SoundTouch*, WavInFile*, WavOutFile*) soundtouch/source/SoundStretch/main.cpp:200:9
    #7 0x4ef8a0 in main soundtouch/source/SoundStretch/main.cpp:314
    #8 0x7fef74eeb82f in __libc_start_main /build/glibc-t3gR2i/glibc-2.23/csu/../csu/libc-start.c:291
    #9 0x41a108 in _start (soundtouch/soundstretch+0x41a108)

0x621000018d10 is located 0 bytes to the right of 4112-byte region [0x621000017d00,0x621000018d10)
allocated by thread T0 here:
    #0 0x4eb980 in operator new[](unsigned long) (soundtouch/soundstretch+0x4eb980)
    #1 0x7fef7616ba1b in soundtouch::FIFOSampleBuffer::ensureCapacity(unsigned int) soundtouch/source/SoundTouch/FIFOSampleBuffer.cpp:174:25

SUMMARY: AddressSanitizer: heap-buffer-overflow soundtouch/source/SoundTouch/sse_optimized.cpp:124:17 in soundtouch::TDStretchSSE::calcCrossCorr(float const*, float const*, double&)
Shadow bytes around the buggy address:
  0x0c427fffb150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffb160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffb170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffb180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffb190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fffb1a0: 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffb1b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffb1c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffb1d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffb1e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffb1f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==25678==ABORTING
(Reporter)

Comment 1

2 years ago
I attached the wrong log. Here is the correct one:

==27691==ERROR: AddressSanitizer: FPE on unknown address 0x7f01652d5135 (pc 0x7f01652d5135 bp 0x000000000000 sp 0x7ffc776ea2d0 T0)
    #0 0x7f01652d5134 in soundtouch::FIFOSampleBuffer::setChannels(int) soundtouch/source/SoundTouch/FIFOSampleBuffer.cpp:86:33
    #1 0x7f01652e0153 in soundtouch::TDStretch::setChannels(int) soundtouch/source/SoundTouch/TDStretch.cpp:594:5
    #2 0x4eefb1 in setup(soundtouch::SoundTouch*, WavInFile const*, RunParameters const*) soundtouch/source/SoundStretch/main.cpp:129:5
    #3 0x4eefb1 in main soundtouch/source/SoundStretch/main.cpp:310
    #4 0x7f016405482f in __libc_start_main /build/glibc-t3gR2i/glibc-2.23/csu/../csu/libc-start.c:291
    #5 0x41a108 in _start (soundtouch/soundstretch+0x41a108)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: FPE soundtouch/source/SoundTouch/FIFOSampleBuffer.cpp:86:33 in soundtouch::FIFOSampleBuffer::setChannels(int)
==27691==ABORTING
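The corrected trace shows an integer division faulting inside `setChannels(int)`, reached from soundstretch's `setup()` with a channel count that comes from the input file (that last step is an inference from the frames, not something the page states). The build was made with `-DNDEBUG`, so any `assert()` guarding the divisor compiled to nothing. The following C++ is an added example, not soundtouch's or Mozilla's code: a canonical-WAV header parser that rejects a zero channel count (and other out-of-range format fields) before they reach the DSP layer, beside a simplified sample FIFO whose channel setter checks its argument with a runtime branch instead of an assert. The FIFO is a model of the failing pattern (samples per channel recomputed from the channel count) and is an assumption; all headers are constructed in memory, and every name here is invented for the example.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Constructed input: build a canonical 44-byte RIFF/WAVE PCM header in memory.
// Field offsets follow the standard layout (fmt chunk at 12, data chunk at 36).
std::vector<unsigned char> makeWavHeader(uint16_t channels, uint32_t rate,
                                         uint16_t bits, uint32_t dataBytes) {
    std::vector<unsigned char> h(44, 0);
    auto put16 = [&](size_t off, uint16_t v) {
        h[off] = static_cast<unsigned char>(v & 0xff);
        h[off + 1] = static_cast<unsigned char>(v >> 8);
    };
    auto put32 = [&](size_t off, uint32_t v) {
        for (int i = 0; i < 4; ++i)
            h[off + i] = static_cast<unsigned char>((v >> (8 * i)) & 0xff);
    };
    uint32_t blockAlign = static_cast<uint32_t>(channels) * bits / 8;
    std::memcpy(&h[0], "RIFF", 4);   put32(4, 36 + dataBytes);
    std::memcpy(&h[8], "WAVE", 4);
    std::memcpy(&h[12], "fmt ", 4);  put32(16, 16);            // PCM fmt chunk is 16 bytes
    put16(20, 1);                    put16(22, channels);      // audioFormat = 1 (PCM)
    put32(24, rate);                 put32(28, rate * blockAlign);
    put16(32, static_cast<uint16_t>(blockAlign));
    put16(34, bits);
    std::memcpy(&h[36], "data", 4);  put32(40, dataBytes);
    return h;
}

struct WavFormat {
    uint16_t audioFormat = 0;
    uint16_t numChannels = 0;
    uint32_t sampleRate = 0;
    uint16_t bitsPerSample = 0;
};

static uint16_t rd16(const unsigned char* p) {
    return static_cast<uint16_t>(p[0] | (p[1] << 8));
}
static uint32_t rd32(const unsigned char* p) {
    return static_cast<uint32_t>(p[0]) | (static_cast<uint32_t>(p[1]) << 8) |
           (static_cast<uint32_t>(p[2]) << 16) | (static_cast<uint32_t>(p[3]) << 24);
}

// Parse a canonical header and apply the parameter sanity checks a demuxer performs
// before anything downstream divides by, or allocates from, these fields.
bool parseWavHeader(const unsigned char* buf, size_t len, WavFormat& out) {
    if (len < 44) return false;
    if (std::memcmp(buf, "RIFF", 4) != 0 || std::memcmp(buf + 8, "WAVE", 4) != 0 ||
        std::memcmp(buf + 12, "fmt ", 4) != 0 || rd32(buf + 16) != 16)
        return false;
    out.audioFormat   = rd16(buf + 20);
    out.numChannels   = rd16(buf + 22);
    out.sampleRate    = rd32(buf + 24);
    out.bitsPerSample = rd16(buf + 34);
    if (out.audioFormat != 1) return false;                        // PCM only
    if (out.numChannels == 0 || out.numChannels > 8) return false; // zero is the bad divisor
    if (out.sampleRate == 0 || out.sampleRate > 384000) return false;
    if (out.bitsPerSample != 8 && out.bitsPerSample != 16 &&
        out.bitsPerSample != 24 && out.bitsPerSample != 32) return false;
    // blockAlign must agree with channels * bytes per sample.
    if (rd16(buf + 32) != out.numChannels * out.bitsPerSample / 8) return false;
    return true;
}

// Simplified model (an assumption, not soundtouch's source) of an interleaved sample
// FIFO whose per-channel sample count is recomputed whenever the channel count changes.
class SampleFifo {
public:
    // An assert(numChannels > 0) here would vanish under -DNDEBUG, the configuration
    // the report used; only the ordinary branch stops the division in a release build.
    bool setChannels(int numChannels) {
        if (numChannels <= 0) return false;
        unsigned usedValues = channels_ * samplesInBuffer_;
        channels_ = static_cast<unsigned>(numChannels);
        samplesInBuffer_ = usedValues / channels_;   // safe: channels_ >= 1
        return true;
    }
    unsigned channels() const { return channels_; }
private:
    unsigned channels_ = 1;
    unsigned samplesInBuffer_ = 0;
};

// Returns the channel count the FIFO ends up with, or 0 when the header was rejected.
unsigned channelsAfterConfigure(uint16_t channels, uint32_t rate, uint16_t bits) {
    std::vector<unsigned char> h = makeWavHeader(channels, rate, bits, 0);
    WavFormat fmt;
    if (!parseWavHeader(h.data(), h.size(), fmt)) return 0;
    SampleFifo fifo;
    if (!fifo.setChannels(fmt.numChannels)) return 0;
    return fifo.channels();
}

// Direct check that the setter alone refuses a zero divisor and leaves state untouched.
bool fifoRejectsZeroChannels() {
    SampleFifo fifo;
    return !fifo.setChannels(0) && fifo.channels() == 1;
}

int main() {
    std::printf("2 ch / 44100 Hz / 16 bit -> %u channels\n", channelsAfterConfigure(2, 44100, 16));
    std::printf("0 ch / 44100 Hz / 16 bit -> %u (rejected)\n", channelsAfterConfigure(0, 44100, 16));
    return 0;
}
```

The two layers are deliberate: the header parser is where a player such as Gecko rejects the file, which is the behaviour padenot describes, while the runtime check in `setChannels` is what a library compiled with assertions off needs so that a caller without such a front end (like the bundled soundstretch tool) cannot reach the division.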
Maire - is SoundTouch used in your part of the tree?
Flags: needinfo?(mreavy)
Soundtouch is handled normally by padenot; many fuzzing issues in soundtouch don't affect mozilla code at all (functions we don't use, or not possible due to checking for parameter sanity in our code). I think soundtouch is usually put in the Playback bucket.  Paul?
Flags: needinfo?(mreavy) → needinfo?(padenot)
The cause for this is that the soundtouch program accepts invalid .wav files that are carefully parsed in gecko and rejected immediately.

Loading this in Firefox (any version that can play .wav files) and looking in the console shows that the media is considered invalid and does not start flowing through our pipeline.

There have been a number of bugs opened that look like this, and they have been closed as invalid because this can't happen in Firefox. It has been reported upstream via private email to the maintainer, by our security team, but we haven't heard back.
Status: NEW → RESOLVED
Last Resolved: a year ago
Flags: needinfo?(padenot)
Resolution: --- → INVALID
Group: media-core-security