Created attachment 1336093 [details]
POC file that crashes extract

Description of problem:
In 'EXTRACTOR_wav_extract_method' function of wav_extractor.c, the program does not check the value of sample_rate; with a crafted file, the sample_rate can be set to zero.

Version-Release number of selected component (if applicable):
v1.4

How reproducible:
./extract -i $poc

Steps to Reproduce:
the output of gdb

Reading symbols from /opt/asan/bin/extract...done.
(gdb) set args -i extract-wav_extractor-119.dos
(gdb) run
Starting program: /opt/asan/bin/extract -i extract-wav_extractor-119.dos
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Keywords for file extract-wav_extractor-119.dos:

Program received signal SIGFPE, Arithmetic exception.
0x00007ffff1c242fe in EXTRACTOR_wav_extract_method (ec=0x7fffffffa070) at wav_extractor.c:119
119                 : (samples / sample_rate) * 1000,
(gdb) p sample_rate
$1 = 0
(gdb) bt
#0  0x00007ffff1c242fe in EXTRACTOR_wav_extract_method (ec=0x7fffffffa070) at wav_extractor.c:119
#1  0x00007ffff6c09793 in do_extract (plugins=0x60800000b520, shm=0x0, ds=0x60300000ec20, proc=0x40255a <print_selected_keywords>, proc_cls=0x0) at extractor.c:577
#2  0x00007ffff6c09b99 in EXTRACTOR_extract (plugins=0x60800000b520, filename=0x60800000be59 "extract-wav_extractor-119.dos", data=0x0, size=0, proc=0x40255a <print_selected_keywords>, proc_cls=0x0) at extractor.c:655
#3  0x00000000004044ca in main (argc=3, argv=0x7fffffffe4d8) at extract.c:977
(gdb) l
114       snprintf (scratch,
115                 sizeof (scratch),
116                 "%u ms, %d Hz, %s",
117                 (samples < sample_rate)
118                 ? (samples * 1000 / sample_rate)
119                 : (samples / sample_rate) * 1000,
120                 sample_rate, (1 == channels) ? _("mono") : _("stereo"));
121       if (0 != ec->proc (ec->cls,
122                          "wav",
123                          EXTRACTOR_METATYPE_RESOURCE_TYPE,
(gdb)

Actual results:
crash(Floating point exception)

Expected results:
crash(Floating point exception)

Additional info:
This vulnerability was detected by Zhao Liang, Huawei Weiran Labs
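The report shows the crash but not the check that prevents it. The following is an added example, not libextractor's code: a canonical 44-byte WAV header parser that validates every file-supplied divisor (sample_rate, channels, bits per sample) before reproducing the same two-branch duration arithmetic, plus a helper that builds constructed headers so the zero-sample_rate case can be exercised in memory. The header layout and the samples = data_size / frame_bytes step are assumptions, not the plugin's exact code.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Added example, not libextractor's code: parse a canonical 44-byte WAV header
 * and validate sample_rate (and the other file-supplied divisors) before
 * dividing, the check the report says wav_extractor.c:119 lacks. The
 * "samples = data_size / frame_bytes" step is an assumption, not the plugin's code. */
static uint32_t le32(const unsigned char *p)
{
  return (uint32_t) p[0] | ((uint32_t) p[1] << 8) | ((uint32_t) p[2] << 16) | ((uint32_t) p[3] << 24);
}
static uint16_t le16(const unsigned char *p) { return (uint16_t) (p[0] | (p[1] << 8)); }
static void put32(unsigned char *p, uint32_t v)
{ p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff; }
static void put16(unsigned char *p, uint16_t v) { p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; }
/* Duration in ms, or -1 if the header is malformed or would divide by zero. */
long wav_duration_ms(const unsigned char *buf, size_t len)
{
  if (len < 44 || 0 != memcmp(buf, "RIFF", 4) || 0 != memcmp(buf + 8, "WAVE", 4)
      || 0 != memcmp(buf + 12, "fmt ", 4) || 0 != memcmp(buf + 36, "data", 4))
    return -1;
  uint16_t channels = le16(buf + 22);
  uint32_t sample_rate = le32(buf + 24);
  uint16_t bits = le16(buf + 34);
  uint32_t data_size = le32(buf + 40);
  /* The missing validation: a crafted file can set any of these to zero. */
  if (0 == sample_rate || 0 == channels || bits < 8)
    return -1;
  uint64_t samples = data_size / ((uint32_t) channels * (bits / 8));
  /* Same two-branch arithmetic as wav_extractor.c:117-119, widened to 64 bits. */
  return (samples < sample_rate) ? (long) (samples * 1000 / sample_rate)
                                 : (long) ((samples / sample_rate) * 1000);
}
/* Constructed test input: build a canonical PCM header in memory, then parse it. */
long duration_of(uint16_t channels, uint32_t sample_rate, uint16_t bits, uint32_t data_size)
{
  unsigned char h[44];
  uint16_t frame = (uint16_t) (channels * (bits / 8));
  memset(h, 0, sizeof h);
  memcpy(h, "RIFF", 4);      put32(h + 4, 36 + data_size);
  memcpy(h + 8, "WAVE", 4);
  memcpy(h + 12, "fmt ", 4); put32(h + 16, 16);      put16(h + 20, 1);
  put16(h + 22, channels);   put32(h + 24, sample_rate);
  put32(h + 28, sample_rate * frame);                put16(h + 32, frame);
  put16(h + 34, bits);
  memcpy(h + 36, "data", 4); put32(h + 40, data_size);
  return wav_duration_ms(h, sizeof h);
}
```

A header with sample_rate set to zero, the condition shown in the gdb session above, is rejected with -1 instead of reaching the division.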
libextractor-1.6-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-8cca61e2fa
libextractor-1.6-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-4a42419c16
libextractor-1.6-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-611d7cc98b
libextractor-1.6-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-611d7cc98b
libextractor-1.6-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-4a42419c16
libextractor-1.6-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-8cca61e2fa
libextractor-1.6-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
libextractor-1.6-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
libextractor-1.6-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.