Bug 1499600 - NULL Pointer Dereference vulnerability in libextract when getting flac meta from libFlac
Summary: NULL Pointer Dereference vulnerability in libextract when getting flac meta from...
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: libextractor
Version: 27
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Gwyn Ciesla
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
Reported: 2017-10-09 03:21 UTC by Leon
Modified: 2017-11-11 02:59 UTC (History)
Last Closed: 2017-10-30 16:18:18 UTC


Attachments
POC file that crashes libextract (63.76 KB, application/octet-stream)
2017-10-09 03:21 UTC, Leon

Description Leon 2017-10-09 03:21:06 UTC
Created attachment 1336094 [details]
POC file that crashes libextract

Description of problem:
libextract gets a null pointer from libFlac

Version-Release number of selected component (if applicable):
libextract v1.4
libFlac v1.3.2

How reproducible:
./extract -i $POC

Steps to Reproduce:
The output with AddressSanitizer enabled:
./extract -i extract-flac_metadata-344.crash 
Keywords for file extract-flac_metadata-344.crash:
resource type - 44100 Hz, 2 channels
ASAN:SIGSEGV
=================================================================
==30641==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fb791b19479 bp 0x7ffc62c98f50 sp 0x7ffc62c98df0 T0)
    #0 0x7fb791b19478 in flac_metadata /root/libextractor-1.4/src/plugins/flac_extractor.c:344
    #1 0x7fb7918d1f31 in read_metadata_ /root/flac-1.3.2/src/libFLAC/stream_decoder.c:1511
    #2 0x7fb7918d676f in FLAC__stream_decoder_process_until_end_of_metadata /root/flac-1.3.2/src/libFLAC/stream_decoder.c:1054
    #3 0x7fb791b198e5 in EXTRACTOR_flac_extract_method /root/libextractor-1.4/src/plugins/flac_extractor.c:475
    #4 0x7fb797e4c792 in do_extract /root/libextractor-1.4/src/main/extractor.c:577
    #5 0x7fb797e4cb98 in EXTRACTOR_extract /root/libextractor-1.4/src/main/extractor.c:655
    #6 0x4044c9 in main /root/libextractor-1.4/src/main/extract.c:977
    #7 0x7fb797a8782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #8 0x4017c8 in _start (/opt/asan/bin/extract+0x4017c8)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/libextractor-1.4/src/plugins/flac_extractor.c:344 flac_metadata
==30641==ABORTING

gdb output and backtrace:
Starting program: /opt/asan/bin/extract -i extract-flac_metadata-344.crash 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Keywords for file extract-flac_metadata-344.crash:
resource type - 44100 Hz, 2 channels
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff0919479 in flac_metadata (decoder=0x60200000cc90, metadata=0x7fffffff9db0, client_data=0x7fffffffa060) at flac_extractor.c:344
344                 while ( ('=' != *eq) && ('\0' != *eq) &&
(gdb) p eq
$1 = 0x0
(gdb) bt
#0  0x00007ffff0919479 in flac_metadata (decoder=0x60200000cc90, metadata=0x7fffffff9db0, client_data=0x7fffffffa060) at flac_extractor.c:344
#1  0x00007ffff06d1f32 in read_metadata_ (decoder=decoder@entry=0x60200000cc90) at stream_decoder.c:1511
#2  0x00007ffff06d6770 in FLAC__stream_decoder_process_until_end_of_metadata (decoder=0x60200000cc90) at stream_decoder.c:1054
#3  0x00007ffff09198e6 in EXTRACTOR_flac_extract_method (ec=0x7fffffffa060) at flac_extractor.c:475
#4  0x00007ffff6c09793 in do_extract (plugins=0x60800000b520, shm=0x0, ds=0x60300000ec20, proc=0x40255a <print_selected_keywords>, proc_cls=0x0) at extractor.c:577
#5  0x00007ffff6c09b99 in EXTRACTOR_extract (plugins=0x60800000b520, filename=0x60800000be59 "extract-flac_metadata-344.crash", data=0x0, size=0, 
    proc=0x40255a <print_selected_keywords>, proc_cls=0x0) at extractor.c:655
#6  0x00000000004044ca in main (argc=3, argv=0x7fffffffe4c8) at extract.c:977
(gdb) l
339               {
340                 entry = &vc->comments[count];
341                 eq = (const char*) entry->entry;
342                 len = entry->length;
343                 ilen = 0;
344                 while ( ('=' != *eq) && ('\0' != *eq) &&
345                         (ilen < len) )
346                   {
347                     eq++;
348                     ilen++;
(gdb)

Actual results:
crash

Expected results:
crash

Additional info:
This vulnerability was detected by Zhao Liang, Huawei Weiran Labs
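The gdb listing above shows the loop at flac_extractor.c:344 dereferencing `eq` before anything checks that `entry->entry` is non-NULL, and it also reads `*eq` before comparing `ilen` against `len`. The following is an added illustrative example, not libextractor's own code or its fix: a stand-in for libFLAC's Vorbis comment entry struct and a key-scanning helper that rejects a NULL entry and checks the length bound before every read.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in for libFLAC's FLAC__StreamMetadata_VorbisComment_Entry
 * (constructed here for the example; the real struct has a length and
 * an entry pointer). The entry pointer can be NULL, which is exactly
 * what the crash at flac_extractor.c:344 shows (gdb: p eq -> 0x0). */
typedef struct {
    unsigned int length;
    unsigned char *entry;
} vc_entry;

/* Length of the key part of a "KEY=value" Vorbis comment, bounded by
 * entry->length. Returns -1 for a NULL entry (the crashing condition)
 * and -2 when no '=' occurs within the first `length` bytes. */
static int vorbis_key_len(const vc_entry *entry)
{
    const unsigned char *eq;
    unsigned int ilen;

    if (NULL == entry || NULL == entry->entry)
        return -1;                   /* never dereference a NULL entry */
    eq = entry->entry;
    /* Test the bound first, then read: a non-NUL-terminated buffer is
     * never read past entry->length bytes. */
    for (ilen = 0; ilen < entry->length; ilen++, eq++) {
        if ('=' == *eq)
            return (int) ilen;
        if ('\0' == *eq)
            break;
    }
    return -2;
}

int main(void)
{
    /* Constructed sample entries: well-formed, NULL, and '=' past the bound. */
    vc_entry good = { 13, (unsigned char *) "ARTIST=Nobody" };
    vc_entry null_entry = { 5, NULL };
    vc_entry truncated = { 3, (unsigned char *) "ABC=DEF" };

    printf("good: %d\n", vorbis_key_len(&good));             /* 6 */
    printf("null: %d\n", vorbis_key_len(&null_entry));       /* -1 */
    printf("truncated: %d\n", vorbis_key_len(&truncated));   /* -2 */
    return 0;
}
```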

Comment 1 Fedora Update System 2017-10-20 13:00:37 UTC
libextractor-1.6-1.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-8cca61e2fa

Comment 2 Fedora Update System 2017-10-20 13:01:00 UTC
libextractor-1.6-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-4a42419c16

Comment 3 Fedora Update System 2017-10-20 13:01:15 UTC
libextractor-1.6-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-611d7cc98b

Comment 4 Fedora Update System 2017-10-21 19:29:34 UTC
libextractor-1.6-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-611d7cc98b

Comment 5 Fedora Update System 2017-10-22 02:25:39 UTC
libextractor-1.6-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-4a42419c16

Comment 6 Fedora Update System 2017-10-22 03:25:00 UTC
libextractor-1.6-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-8cca61e2fa

Comment 7 Fedora Update System 2017-10-30 16:18:18 UTC
libextractor-1.6-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2017-10-30 16:28:22 UTC
libextractor-1.6-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2017-11-11 02:59:49 UTC
libextractor-1.6-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.