Bug 1193442

Summary: flac: BSS buffer overflow in flac__encode_file()
Product: [Other] Security Response Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: jrusnack, mlichvar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-02-26 09:43:21 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1193445    
Bug Blocks: 1193444    

Description Vasyl Kaigorodov 2015-02-17 10:54:58 UTC 
It was reported [1] that in command-line flac encoder/decoder tool, bytes_to_read is not properly checked against the size of ucbuffer, which causes a stack overflow when performing fread in encoding.

Codes related to the crash are in src/flac/encode.c, function flac__encode_file()

PoC file can be found here: http://sourceforge.net/projects/pocfiles/files/libflac_stack.wav/download

[1]: http://sourceforge.net/p/flac/bugs/425/
Comment 1 Vasyl Kaigorodov 2015-02-17 10:57:14 UTC 
Created flac tracking bugs for this issue:

Affects: fedora-all [bug 1193445]
Comment 3 Tomas Hoger 2015-02-26 15:45:06 UTC 
This is a buffer overflow in flac__encode_file() (in older versions, similar code is in flac__encode_wav() and flac__encode_aif()).  The buffer is static BSS based buffer.  Overflow is caught by FORTIFY_SOURCE which mitigates impact to program abort.  The flaw is in the flac command line tool rather than libFLAC library.

Fixed upstream in:
https://git.xiph.org/?p=flac.git;a=commitdiff;h=c06a44969c1145242a22f75fc8fb2e8b54c55303

Affects the currently latest upstream version 1.3.1.