soundtouch: heap-buffer-overflow READ [@soundtouch::PeakFinder::findCrossingLevel]

Status: RESOLVED INVALID
Product: Core
Component: Audio/Video: Playback
Severity: critical
Reporter: tsmith (Unassigned)
Keywords: crash, csectype-bounds, sec-other, testcase
Firefox Tracking Flags: firefox-esr45 ?, firefox50 ?, firefox51 ?, firefox52 ?, firefox53 ?
Attachments: 1 attachment

Description (Reporter, a year ago)
Created attachment 8823371: test_case.wav

NOTE: This may not affect Firefox. This is marked as a security issue because it appears soundtouch has never been fuzzed. We want to avoid unwanted attention until we can get it fuzzed.

This was found while fuzzing version 1.9.2 of soundtouch.

The included test application soundstretch bundled in the source was used to find this issue.

The application was built with Address Sanitizer (ASan) with assertions disabled. (CFLAGS="-DNDEBUG" CXXFLAGS="-DNDEBUG")

Run with the following command:
./soundstretch test_case.wav out.wav -pitch=-3 -bpm

==29492==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000009994 at pc 0x7fd05380d739 bp 0x7ffce5134930 sp 0x7ffce5134928
READ of size 4 at 0x611000009994 thread T0
    #0 0x7fd05380d738 in soundtouch::PeakFinder::findCrossingLevel(float const*, float, int, int) const soundtouch/source/SoundTouch/PeakFinder.cpp:154:13
    #1 0x7fd05380d738 in soundtouch::PeakFinder::getPeakCenter(float const*, int) const soundtouch/source/SoundTouch/PeakFinder.cpp:212
    #2 0x7fd05380dd82 in soundtouch::PeakFinder::detectPeak(float const*, int, int) soundtouch/source/SoundTouch/PeakFinder.cpp:245:16
    #3 0x7fd05380bbde in soundtouch::BPMDetect::getBpm() soundtouch/source/SoundTouch/BPMDetect.cpp:364:15
    #4 0x4eed25 in detectBPM(WavInFile*, RunParameters*) soundtouch/source/SoundStretch/main.cpp:259:16
    #5 0x4eed25 in main soundtouch/source/SoundStretch/main.cpp:306
    #6 0x7fd05257882f in __libc_start_main /build/glibc-t3gR2i/glibc-2.23/csu/../csu/libc-start.c:291
    #7 0x41a108 in _start (soundtouch/soundstretch+0x41a108)

0x611000009994 is located 0 bytes to the right of 212-byte region [0x6110000098c0,0x611000009994)
allocated by thread T0 here:
    #0 0x4eb980 in operator new[](unsigned long) (soundtouch/soundstretch+0x4eb980)
    #1 0x7fd053806a3f in soundtouch::BPMDetect::BPMDetect(int, int) soundtouch/source/SoundTouch/BPMDetect.cpp:143:13

SUMMARY: AddressSanitizer: heap-buffer-overflow soundtouch/source/SoundTouch/PeakFinder.cpp:154:13 in soundtouch::PeakFinder::findCrossingLevel(float const*, float, int, int) const
==29492==ABORTING
Comment 1 (Reporter, a year ago)
Please confirm that the affected code is not called in Firefox (required for sec rating)
Likely sec-moderate if it can be provoked in FF
status-firefox50: --- → ?
status-firefox51: --- → ?
status-firefox52: --- → ?
status-firefox53: --- → ?
status-firefox-esr45: --- → ?
We don't seem to have BPMDetect.cpp in our tree so I'm assuming this doesn't affect us
Keywords: sec-other

Comment 4 (11 months ago)
Again an invalid file that would have been rejected by Firefox (or any valid WAV player). This file, in particular, has a bitrate of 6467715456, a sample-rate of 808464432Hz, and 12336 channels, with an invalid format tag.
Status: NEW → RESOLVED
Last Resolved: 11 months ago
Resolution: --- → INVALID
Group: media-core-security
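The kind of header sanity check comment 4 refers to, written here as an added example (not Firefox's or SoundTouch's code): a parser for the RIFF/WAVE "fmt " chunk that rejects implausible values before any audio processing runs. The limits are assumed defensive values, and the two test headers are constructed inline; the bogus one has every fmt field filled with ASCII '0' (0x30), which yields exactly the channel count, sample rate and byte rate (bitrate = byte rate * 8) quoted in comment 4.

```python
import struct
from typing import Optional

# Assumed defensive limits; real decoders pick their own.
MAX_CHANNELS = 32
MAX_SAMPLE_RATE = 384_000
PCM_FORMATS = {1, 3}            # WAVE_FORMAT_PCM, WAVE_FORMAT_IEEE_FLOAT
VALID_BIT_DEPTHS = {8, 16, 24, 32}


def validate_wav_header(data: bytes) -> Optional[str]:
    """Return None if the 'fmt ' chunk is plausible, otherwise the reason for rejection."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        return "not a RIFF/WAVE file"
    pos = 12
    while pos + 8 <= len(data):                       # walk the chunk list
        cid = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        if cid == b"fmt ":
            if size < 16 or pos + 8 + 16 > len(data):
                return "fmt chunk truncated"
            tag, ch, rate, byte_rate, align, bits = struct.unpack_from("<HHIIHH", data, pos + 8)
            if tag not in PCM_FORMATS:
                return f"unsupported format tag {tag:#x}"
            if not 1 <= ch <= MAX_CHANNELS:
                return f"implausible channel count {ch}"
            if not 1 <= rate <= MAX_SAMPLE_RATE:
                return f"implausible sample rate {rate} Hz"
            if bits not in VALID_BIT_DEPTHS:
                return f"unsupported bit depth {bits}"
            # The derived fields must agree with the primary ones, or later buffer
            # size computations (frames * channels * bytes) cannot be trusted.
            if align != ch * bits // 8 or byte_rate != rate * align:
                return "block align / byte rate inconsistent with channels, rate and bit depth"
            return None
        pos += 8 + size + (size & 1)                   # chunks are word-aligned
    return "no fmt chunk"


def make_wav(tag, ch, rate, byte_rate, align, bits) -> bytes:
    """Construct a minimal RIFF/WAVE header with the given fmt fields (test data only)."""
    fmt = struct.pack("<HHIIHH", tag, ch, rate, byte_rate, align, bits)
    body = b"WAVE" + b"fmt " + struct.pack("<I", len(fmt)) + fmt + b"data" + struct.pack("<I", 0)
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed: fmt fields all 0x30 -> 12336 channels, 808464432 Hz, byte rate 808464432.
BOGUS = make_wav(0x3030, 0x3030, 0x30303030, 0x30303030, 0x3030, 0x3030)
# Constructed: sane 16-bit stereo 44.1 kHz header.
GOOD = make_wav(1, 2, 44100, 44100 * 4, 4, 16)
```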