Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Null pointer dereference vulnerability in ifilter_bank(libfaad/filtbank.c:223) #24

Closed
fantasy7082 opened this issue Dec 17, 2018 · 2 comments · Fixed by #38
Closed

Null pointer dereference vulnerability in ifilter_bank(libfaad/filtbank.c:223) #24

fantasy7082 opened this issue Dec 17, 2018 · 2 comments · Fixed by #38
Assignees

Comments

@fantasy7082
Copy link

Hi, i found a null pointer dereference bug in Freeware Advanced Audio Decoder 2 (FAAD2) 2.8.8. It crashed in function ifilter_bank.the details are below(ASAN):

./faad faad_res/004-null-point-filtbank_223 -o out.wav
 *********** Ahead Software MPEG-4 AAC Decoder V2.8.8 ******************

 Build: Dec 13 2018
 Copyright 2002-2004: Ahead Software AG
 http://www.audiocoding.com
 bug tracking: https://sourceforge.net/p/faac/bugs/
 Floating point version

 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License.

 **************************************************************************

faad_res/004-null-point-filtbank_223 file info:
ADTS, 0.043 sec, 37 kbps, 48000 Hz

  ---------------------
 | Config: 43 Ch       |
  ---------------------
 | Ch |    Position    |
  ---------------------
 | 00 | Left front     |
 | 01 | Right front    |
 | 02 | Unknown        |
 | 03 | Unknown        |
 | 04 | Unknown        |
 | 05 | Unknown        |
 | 06 | Unknown        |
 | 07 | Unknown        |
 | 08 | Unknown        |
 | 09 | Unknown        |
 | 10 | Unknown        |
 | 11 | Unknown        |
 | 12 | Unknown        |
 | 13 | Unknown        |
 | 14 | Unknown        |
 | 15 | Unknown        |
 | 16 | Unknown        |
 | 17 | Unknown        |
 | 18 | Unknown        |
 | 19 | Unknown        |
 | 20 | Unknown        |
 | 21 | Unknown        |
 | 22 | Unknown        |
 | 23 | Unknown        |
 | 24 | Unknown        |
 | 25 | Unknown        |
 | 26 | Unknown        |
 | 27 | Unknown        |
 | 28 | Unknown        |
 | 29 | Unknown        |
 | 30 | Unknown        |
 | 31 | Unknown        |
 | 32 | Unknown        |
 | 33 | Unknown        |
 | 34 | Unknown        |
 | 35 | Unknown        |
 | 36 | Unknown        |
 | 37 | Unknown        |
 | 38 | Unknown        |
 | 39 | Unknown        |
 | 40 | Unknown        |
 | 41 | Unknown        |
 | 42 | Unknown        |
  ---------------------

ASAN:SIGSEGVfaad_res/004-null-point-filtbank_223.
=================================================================
==7068==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f82e567eeeb bp 0x7ffe62c6dc40 sp 0x7ffe62c6bb50 T0)
    #0 0x7f82e567eeea in ifilter_bank /root/faad2_asan/libfaad/filtbank.c:223
    #1 0x7f82e56b7d3e in reconstruct_single_channel /root/faad2_asan/libfaad/specrec.c:1014
    #2 0x7f82e56c0e28 in single_lfe_channel_element /root/faad2_asan/libfaad/syntax.c:631
    #3 0x7f82e56bf354 in decode_sce_lfe /root/faad2_asan/libfaad/syntax.c:351
    #4 0x7f82e56c02da in raw_data_block /root/faad2_asan/libfaad/syntax.c:441
    #5 0x7f82e567a9c3 in aac_frame_decode /root/faad2_asan/libfaad/decoder.c:990
    #6 0x7f82e567a566 in NeAACDecDecode /root/faad2_asan/libfaad/decoder.c:821
    #7 0x40f8ae in decodeAACfile /root/faad2_asan/frontend/main.c:679
    #8 0x411dd4 in faad_main /root/faad2_asan/frontend/main.c:1323
    #9 0x411fe5 in main /root/faad2_asan/frontend/main.c:1366
    #10 0x7f82e52b282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #11 0x401aa8 in _start (/usr/local/faad-asan/bin/faad+0x401aa8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/faad2_asan/libfaad/filtbank.c:223 ifilter_bank
==7068==ABORTING

POC FILE:https://github.com/fantasy7082/image_test/blob/master/004-null-point-filtbank_223

@hlef
Copy link
Contributor

hlef commented Aug 18, 2019

Reproducible on the latest master.

This is roughly the same issue as #32. Applying my patch suggestion fixes this issue as well.

@fabiangreffrath I will PR it once the current batch of security fixes has been reviewed/merged.

@hlef
Copy link
Contributor

hlef commented Aug 18, 2019

For the record, this was assigned CVE-2018-20199.

hlef added a commit to hlef/faad2 that referenced this issue Aug 19, 2019
Parametric Stereo (PS) can arrive at any moment in input files. PS
changes the number of output channels and therefore requires more
allocated memory in various structures from hDecoder.

The current faad2 code attempts to perform allocation surgery in
hDecoder to recover from this. This works well when there is only one
frame channel, else it creates large number of memory corruption
issues.

If there is more than one input channel, return cleanly with error
code. It would be nice to handle this, but this is likely to be a lot
of work and is beyond the scope of a security fix.

This commit addresses CVE-2018-20360 and CVE-2018-20199 (fixes knik0#32,
fixes knik0#24).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants