Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Null pointer dereference vulnerability in ic_predict (libfaad/ic_predict.c:96) #25

Closed
fantasy7082 opened this issue Dec 17, 2018 · 3 comments
Closed

Null pointer dereference vulnerability in ic_predict (libfaad/ic_predict.c:96) #25

fantasy7082 opened this issue Dec 17, 2018 · 3 comments

Comments

@fantasy7082
Copy link

Hi, i found a null pointer dereference bug in Freeware Advanced Audio Decoder 2 (FAAD2) 2.8.8. It crashed in function ic_predict .the details are below(ASAN):

./faad faad_res/005-null-point-ic_predict_96 -o out.wav
 *********** Ahead Software MPEG-4 AAC Decoder V2.8.8 ******************

 Build: Dec 13 2018
 Copyright 2002-2004: Ahead Software AG
 http://www.audiocoding.com
 bug tracking: https://sourceforge.net/p/faac/bugs/
 Floating point version

 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License.

 **************************************************************************

faad_res/005-null-point-ic_predict_96 file info:
ADTS, 0.021 sec, 219 kbps, 96000 Hz

  ---------------------
 | Config:  2 Ch       |
  ---------------------
 | Ch |    Position    |
  ---------------------
 | 00 | Center front   |
 | 01 | Center back    |
  ---------------------

ASAN:SIGSEGVfaad_res/005-null-point-ic_predict_96.
=================================================================
==7073==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f440069b99e bp 0x7ffe0d2d4b70 sp 0x7ffe0d2d49f0 T0)
    #0 0x7f440069b99d in ic_predict /root/faad2_asan/libfaad/ic_predict.c:96
    #1 0x7f440069cbc0 in ic_prediction /root/faad2_asan/libfaad/ic_predict.c:252
    #2 0x7f44006d0a14 in reconstruct_channel_pair /root/faad2_asan/libfaad/specrec.c:1189
    #3 0x7f44006d8823 in channel_pair_element /root/faad2_asan/libfaad/syntax.c:759
    #4 0x7f44006d6cbf in decode_cpe /root/faad2_asan/libfaad/syntax.c:402
    #5 0x7f44006d7398 in raw_data_block /root/faad2_asan/libfaad/syntax.c:448
    #6 0x7f44006919c3 in aac_frame_decode /root/faad2_asan/libfaad/decoder.c:990
    #7 0x7f4400691566 in NeAACDecDecode /root/faad2_asan/libfaad/decoder.c:821
    #8 0x40f8ae in decodeAACfile /root/faad2_asan/frontend/main.c:679
    #9 0x411dd4 in faad_main /root/faad2_asan/frontend/main.c:1323
    #10 0x411fe5 in main /root/faad2_asan/frontend/main.c:1366
    #11 0x7f44002c982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #12 0x401aa8 in _start (/usr/local/faad-asan/bin/faad+0x401aa8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/faad2_asan/libfaad/ic_predict.c:96 ic_predict
==7073==ABORTING

POC FILE:https://github.com/fantasy7082/image_test/blob/master/005-null-point-ic_predict_96
@nluedtke
Copy link

This was assigned CVE-2018-20195.

@hlef
Copy link
Contributor

hlef commented Aug 20, 2019

Not reproducible on master anymore, fixed by 466b01d.

This is the same issue as #26, different path, so this can be closed.

@fabiangreffrath
Copy link
Collaborator

It's a pleasure.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@fabiangreffrath @hlef @nluedtke @fantasy7082