Bug 1499600

Summary: NULL pointer dereference vulnerability in libextractor when getting FLAC metadata from libFLAC
Product: Fedora
Reporter: Leon <leon.zhao.7>
Component: libextractor
Assignee: Gwyn Ciesla <gwync>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 27
CC: gwync, sheltren
Hardware: Unspecified
OS: Linux
Fixed In Version: libextractor-1.6-1.fc26 libextractor-1.6-1.fc25 libextractor-1.6-1.fc27
Last Closed: 2017-10-30 16:18:18 UTC
Type: Bug
Attachments:
POC file that crashes libextractor

Description Leon 2017-10-09 03:21:06 UTC
Created attachment 1336094
POC file that crashes libextractor

Description of problem:
libextractor gets a null pointer from libFLAC

Version-Release number of selected component (if applicable):
libextractor v1.4
libFLAC v1.3.2

How reproducible:
./extract -i $POC

Steps to Reproduce:
The output with AddressSanitizer enabled:
./extract -i extract-flac_metadata-344.crash
Keywords for file extract-flac_metadata-344.crash:
resource type - 44100 Hz, 2 channels
ASAN:SIGSEGV
=================================================================
==30641==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fb791b19479 bp 0x7ffc62c98f50 sp 0x7ffc62c98df0 T0)
    #0 0x7fb791b19478 in flac_metadata /root/libextractor-1.4/src/plugins/flac_extractor.c:344
    #1 0x7fb7918d1f31 in read_metadata_ /root/flac-1.3.2/src/libFLAC/stream_decoder.c:1511
    #2 0x7fb7918d676f in FLAC__stream_decoder_process_until_end_of_metadata /root/flac-1.3.2/src/libFLAC/stream_decoder.c:1054
    #3 0x7fb791b198e5 in EXTRACTOR_flac_extract_method /root/libextractor-1.4/src/plugins/flac_extractor.c:475
    #4 0x7fb797e4c792 in do_extract /root/libextractor-1.4/src/main/extractor.c:577
    #5 0x7fb797e4cb98 in EXTRACTOR_extract /root/libextractor-1.4/src/main/extractor.c:655
    #6 0x4044c9 in main /root/libextractor-1.4/src/main/extract.c:977
    #7 0x7fb797a8782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #8 0x4017c8 in _start (/opt/asan/bin/extract+0x4017c8)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/libextractor-1.4/src/plugins/flac_extractor.c:344 flac_metadata
==30641==ABORTING

gdb output and backtrace:
Starting program: /opt/asan/bin/extract -i extract-flac_metadata-344.crash
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Keywords for file extract-flac_metadata-344.crash:
resource type - 44100 Hz, 2 channels
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff0919479 in flac_metadata (decoder=0x60200000cc90, metadata=0x7fffffff9db0, client_data=0x7fffffffa060) at flac_extractor.c:344
344                 while ( ('=' != *eq) && ('\0' != *eq) &&
(gdb) p eq
$1 = 0x0
(gdb) bt
#0  0x00007ffff0919479 in flac_metadata (decoder=0x60200000cc90, metadata=0x7fffffff9db0, client_data=0x7fffffffa060) at flac_extractor.c:344
#1  0x00007ffff06d1f32 in read_metadata_ (decoder=decoder@entry=0x60200000cc90) at stream_decoder.c:1511
#2  0x00007ffff06d6770 in FLAC__stream_decoder_process_until_end_of_metadata (decoder=0x60200000cc90) at stream_decoder.c:1054
#3  0x00007ffff09198e6 in EXTRACTOR_flac_extract_method (ec=0x7fffffffa060) at flac_extractor.c:475
#4  0x00007ffff6c09793 in do_extract (plugins=0x60800000b520, shm=0x0, ds=0x60300000ec20, proc=0x40255a <print_selected_keywords>, proc_cls=0x0) at extractor.c:577
#5  0x00007ffff6c09b99 in EXTRACTOR_extract (plugins=0x60800000b520, filename=0x60800000be59 "extract-flac_metadata-344.crash", data=0x0, size=0, 
    proc=0x40255a <print_selected_keywords>, proc_cls=0x0) at extractor.c:655
#6  0x00000000004044ca in main (argc=3, argv=0x7fffffffe4c8) at extract.c:977
(gdb) l
339               {
340                 entry = &vc->comments[count];
341                 eq = (const char*) entry->entry;
342                 len = entry->length;
343                 ilen = 0;
344                 while ( ('=' != *eq) && ('\0' != *eq) &&
345                         (ilen < len) )
346                   {
347                     eq++;
348                     ilen++;
(gdb)

Actual results:
crash

Expected results:
crash

Additional info:
This vulnerability was detected by Zhao Liang, Huawei Weiran Labs
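A checked version of the comment-splitting loop shown in the gdb listing, added here as an example and not libextractor's or libFLAC's code; the `vc_entry` struct, `vc_split` and `demo` are constructed stand-ins. It returns an error for a NULL entry pointer instead of dereferencing it, and tests the length bound before reading each byte (the listed loop reads `*eq` before comparing `ilen < len`, so a comment with no '=' inside its declared length can also read past the entry).

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a Vorbis-comment entry as a FLAC decoder hands it
 * to a metadata callback: a length plus a byte pointer that is not
 * guaranteed to be NUL-terminated and, as this report shows, may be NULL. */
struct vc_entry {
    uint32_t length;
    const unsigned char *entry;
};

enum vc_status { VC_OK = 0, VC_NULL_ENTRY = -1, VC_NO_SEPARATOR = -2 };

/* Split "KEY=value" into key/value lengths without dereferencing a NULL
 * pointer and without reading past `length`: the bound is tested before
 * the byte is read, the reverse of the order in the crashing loop. */
static enum vc_status vc_split(const struct vc_entry *e,
                               size_t *key_len, size_t *val_len)
{
    if (e == NULL || e->entry == NULL)
        return VC_NULL_ENTRY;        /* the condition that crashed flac_metadata */
    size_t i = 0;
    while (i < e->length && e->entry[i] != '=')
        i++;
    if (i == e->length)
        return VC_NO_SEPARATOR;      /* no '=' inside the declared length */
    *key_len = i;
    *val_len = e->length - i - 1;    /* bytes after the '=' */
    return VC_OK;
}
/* Constructed samples: a valid tag, a NULL entry (the POC condition), a tag
 * whose declared length stops before its '=', and a tag that is not
 * NUL-terminated. Returns how many entries had a NULL pointer. */
static int demo(void)
{
    static const unsigned char good[] = "ARTIST=Example";
    static const unsigned char raw[] = { 'T','I','T','L','E','=','x','J','U','N','K' };
    const struct vc_entry cases[] = {
        { (uint32_t)(sizeof good - 1), good }, { 9, NULL }, { 5, good }, { 7, raw } };
    int null_entries = 0;
    for (size_t n = 0; n < sizeof cases / sizeof cases[0]; n++) {
        size_t k = 0, v = 0;
        enum vc_status s = vc_split(&cases[n], &k, &v);
        if (s == VC_NULL_ENTRY) null_entries++;
        printf("case %zu: status %d key_len %zu val_len %zu\n", n, (int)s, k, v);
    }
    return null_entries;
}
int main(void) { return demo() == 1 ? 0 : 1; }
```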

Comment 1 Fedora Update System 2017-10-20 13:00:37 UTC
libextractor-1.6-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-8cca61e2fa

Comment 2 Fedora Update System 2017-10-20 13:01:00 UTC
libextractor-1.6-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-4a42419c16

Comment 3 Fedora Update System 2017-10-20 13:01:15 UTC
libextractor-1.6-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-611d7cc98b

Comment 4 Fedora Update System 2017-10-21 19:29:34 UTC
libextractor-1.6-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-611d7cc98b

Comment 5 Fedora Update System 2017-10-22 02:25:39 UTC
libextractor-1.6-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-4a42419c16

Comment 6 Fedora Update System 2017-10-22 03:25:00 UTC
libextractor-1.6-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-8cca61e2fa

Comment 7 Fedora Update System 2017-10-30 16:18:18 UTC
libextractor-1.6-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2017-10-30 16:28:22 UTC
libextractor-1.6-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2017-11-11 02:59:49 UTC
libextractor-1.6-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.