Bug 1328340 (Closed)
soundtouch: heap-buffer-overflow READ [@soundtouch::PeakFinder::findCrossingLevel]
Opened 7 years ago; closed 7 years ago
Category: Core :: Audio/Video: Playback, defect
Reporter: tsmith (Unassigned)
Attachments (1 file): 46 bytes, audio/wav
NOTE: This may not affect Firefox. This is marked as a security issue because it appears soundtouch has never been fuzzed. We want to avoid unwanted attention until we can get it fuzzed.

This was found while fuzzing version 1.9.2 of soundtouch. The included test application soundstretch bundled in the source was used to find this issue. The application was built with Address Sanitizer (ASan) with assertions disabled (CFLAGS="-DNDEBUG" CXXFLAGS="-DNDEBUG").

Run with the following command:

./soundstretch test_case.wav out.wav -pitch=-3 -bpm

==29492==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000009994 at pc 0x7fd05380d739 bp 0x7ffce5134930 sp 0x7ffce5134928
READ of size 4 at 0x611000009994 thread T0
    #0 0x7fd05380d738 in soundtouch::PeakFinder::findCrossingLevel(float const*, float, int, int) const soundtouch/source/SoundTouch/PeakFinder.cpp:154:13
    #1 0x7fd05380d738 in soundtouch::PeakFinder::getPeakCenter(float const*, int) const soundtouch/source/SoundTouch/PeakFinder.cpp:212
    #2 0x7fd05380dd82 in soundtouch::PeakFinder::detectPeak(float const*, int, int) soundtouch/source/SoundTouch/PeakFinder.cpp:245:16
    #3 0x7fd05380bbde in soundtouch::BPMDetect::getBpm() soundtouch/source/SoundTouch/BPMDetect.cpp:364:15
    #4 0x4eed25 in detectBPM(WavInFile*, RunParameters*) soundtouch/source/SoundStretch/main.cpp:259:16
    #5 0x4eed25 in main soundtouch/source/SoundStretch/main.cpp:306
    #6 0x7fd05257882f in __libc_start_main /build/glibc-t3gR2i/glibc-2.23/csu/../csu/libc-start.c:291
    #7 0x41a108 in _start (soundtouch/soundstretch+0x41a108)

0x611000009994 is located 0 bytes to the right of 212-byte region [0x6110000098c0,0x611000009994)
allocated by thread T0 here:
    #0 0x4eb980 in operator new[](unsigned long) (soundtouch/soundstretch+0x4eb980)
    #1 0x7fd053806a3f in soundtouch::BPMDetect::BPMDetect(int, int) soundtouch/source/SoundTouch/BPMDetect.cpp:143:13

SUMMARY: AddressSanitizer: heap-buffer-overflow soundtouch/source/SoundTouch/PeakFinder.cpp:154:13 in soundtouch::PeakFinder::findCrossingLevel(float const*, float, int, int) const
==29492==ABORTING
Comment 1 • 7 years ago
Please confirm that the affected code is not called in Firefox (required for sec rating)
Comment 2 • 7 years ago
Likely sec-moderate if it can be provoked in FF
status-firefox50: --- → ?
status-firefox51: --- → ?
status-firefox52: --- → ?
status-firefox53: --- → ?
status-firefox-esr45: --- → ?
Comment 3 • 7 years ago
We don't seem to have BPMDetect.cpp in our tree, so I'm assuming this doesn't affect us.
Keywords: sec-other
Comment 4 • 7 years ago
Again, an invalid file that would have been rejected by Firefox (or any valid WAV player). This file, in particular, has a bitrate of 6467715456, a sample rate of 808464432 Hz, and 12336 channels, with an invalid format tag.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
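Comment 4's point is that a conforming WAV reader rejects this header before any samples reach BPMDetect. The following is an added example of such a header sanity check, not soundtouch or Firefox code: its channel-count and sample-rate limits are an assumed policy, and the fuzzed input is constructed from the figures quoted in comment 4 rather than taken from the attachment.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Validate a 16-byte PCM "fmt " chunk body. Returns 0 when the header is
   acceptable, otherwise the number of the first check that failed. The
   channel-count and sample-rate limits are an assumed policy, not a WAV rule. */
int validate_wav_fmt(const uint8_t *fmt, size_t len)
{
    if (len < 16) return 1;                                   /* truncated chunk */
    uint16_t format_tag  = le16(fmt + 0);
    uint16_t channels    = le16(fmt + 2);
    uint32_t sample_rate = le32(fmt + 4);
    uint32_t byte_rate   = le32(fmt + 8);
    uint16_t block_align = le16(fmt + 12);
    uint16_t bits        = le16(fmt + 14);
    if (format_tag != 1) return 2;                            /* only WAVE_FORMAT_PCM */
    if (channels < 1 || channels > 8) return 3;
    if (sample_rate < 8000 || sample_rate > 192000) return 4;
    if (bits != 8 && bits != 16 && bits != 24 && bits != 32) return 5;
    /* Derived fields must agree with the primaries; 64-bit math so the
       product cannot wrap and accidentally match a crafted value. */
    uint64_t align = (uint64_t)channels * bits / 8;
    if (block_align != align) return 6;
    if (byte_rate != (uint64_t)sample_rate * align) return 7;
    return 0;
}

/* Constructed fmt chunk of sixteen 0x30 ('0') bytes. It decodes to format tag
   0x3030, 12336 channels, 808464432 Hz and byte rate 808464432 (8 x that is
   the 6467715456 bit rate quoted in comment 4), so it is rejected at check 2. */
int check_fuzzed_fmt(void)
{
    uint8_t fmt[16];
    memset(fmt, 0x30, sizeof fmt);
    return validate_wav_fmt(fmt, sizeof fmt);
}

/* Constructed well-formed header: PCM, stereo, 44100 Hz, 16-bit; passes. */
int check_valid_fmt(void)
{
    const uint8_t fmt[16] = { 0x01,0x00, 0x02,0x00, 0x44,0xAC,0x00,0x00,
                              0x10,0xB1,0x02,0x00, 0x04,0x00, 0x10,0x00 };
    return validate_wav_fmt(fmt, sizeof fmt);
}
```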
Updated • 7 years ago
Group: media-core-security
Updated • 2 years ago