Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

stack-buffer-underflow in function calculate_gain(libfaad/sbr_hfadj.c:1311) #20

Closed
fantasy7082 opened this issue Dec 17, 2018 · 2 comments

Comments

@fantasy7082
Copy link

Hi, i found a stack-buffer-overflow bug in Freeware Advanced Audio Decoder 2 (FAAD2) 2.8.8, the details are below(ASAN):

./faad faad_res/006-stack-buffer-underflow-sbr_hfadj_1311 -o out.wav
 *********** Ahead Software MPEG-4 AAC Decoder V2.8.8 ******************

 Build: Dec 13 2018
 Copyright 2002-2004: Ahead Software AG
 http://www.audiocoding.com
 bug tracking: https://sourceforge.net/p/faac/bugs/
 Floating point version

 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License.

 **************************************************************************

faad_res/006-stack-buffer-underflow-sbr_hfadj_1311 file info:
ADTS, 0.256 sec, 42 kbps, 48000 Hz

  ---------------------
 | Config:  2 Ch       |
  ---------------------
 | Ch |    Position    |
  ---------------------
 | 00 | Left front     |
 | 01 | Right front    |
  ---------------------

=================================================================
==7026==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x7fff630132fc at pc 0x7fedefda0e74 bp 0x7fff63012ef0 sp 0x7fff63012ee0
WRITE of size 4 at 0x7fff630132fc thread T0
    #0 0x7fedefda0e73 in calculate_gain /root/faad2_asan/libfaad/sbr_hfadj.c:1311
    #1 0x7fedefd9e392 in hf_adjustment /root/faad2_asan/libfaad/sbr_hfadj.c:83
    #2 0x7fedefdbc725 in sbr_process_channel /root/faad2_asan/libfaad/sbr_dec.c:363
    #3 0x7fedefdbe7fa in sbrDecodeSingleFramePS /root/faad2_asan/libfaad/sbr_dec.c:637
    #4 0x7fedefd66b54 in reconstruct_single_channel /root/faad2_asan/libfaad/specrec.c:1071
    #5 0x7fedefd6ee28 in single_lfe_channel_element /root/faad2_asan/libfaad/syntax.c:631
    #6 0x7fedefd6d354 in decode_sce_lfe /root/faad2_asan/libfaad/syntax.c:351
    #7 0x7fedefd6e2da in raw_data_block /root/faad2_asan/libfaad/syntax.c:441
    #8 0x7fedefd289c3 in aac_frame_decode /root/faad2_asan/libfaad/decoder.c:990
    #9 0x7fedefd28566 in NeAACDecDecode /root/faad2_asan/libfaad/decoder.c:821
    #10 0x40f8ae in decodeAACfile /root/faad2_asan/frontend/main.c:679
    #11 0x411dd4 in faad_main /root/faad2_asan/frontend/main.c:1323
    #12 0x411fe5 in main /root/faad2_asan/frontend/main.c:1366
    #13 0x7fedef96082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #14 0x401aa8 in _start (/usr/local/faad-asan/bin/faad+0x401aa8)

Address 0x7fff630132fc is located in stack of thread T0 at offset 12 in frame
    #0 0x7fedefd9dd8e in hf_adjustment /root/faad2_asan/libfaad/sbr_hfadj.c:60

  This frame has 1 object(s):
    [32, 2972) 'adj'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-underflow /root/faad2_asan/libfaad/sbr_hfadj.c:1311 calculate_gain
Shadow bytes around the buggy address:
  0x10006c5fa600: 00 00 00 00 00 00 00 00 04 f4 f4 f4 f2 f2 f2 f2
  0x10006c5fa610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006c5fa620: 00 00 00 00 00 00 00 00 04 f4 f4 f4 f2 f2 f2 f2
  0x10006c5fa630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006c5fa640: 00 00 00 00 00 00 00 00 04 f4 f4 f4 f3 f3 f3 f3
=>0x10006c5fa650: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1[f1]
  0x10006c5fa660: f1 f1 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006c5fa670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006c5fa680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006c5fa690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10006c5fa6a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==7026==ABORTING

POC FILE:https://github.com/fantasy7082/image_test/blob/master/006-stack-buffer-underflow-sbr_hfadj_1311

@hlef
Copy link
Contributor

hlef commented May 5, 2019

This issue was assigned CVE-2018-20197.

Exact same issue as #21, slightly different path.

@fabiangreffrath : in any case, also fixed by 6b4a7cd.

@fabiangreffrath
Copy link
Collaborator

Closing, thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants