Bug 1500554 - It is a heap-buffer-overflow in ImaExpandS (in ima_rw.c:126)
Summary: It is a heap-buffer-overflow in ImaExpandS (in ima_rw.c:126)
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: sox
Version: 26
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Jiri Kucera
QA Contact: Fedora Extras Quality Assurance
 
Reported: 2017-10-11 02:15 UTC by Liu Zhu
Modified: 2018-01-23 21:44 UTC (History)

Fixed In Version: sox-14.4.2.0-14.fc26 sox-14.4.2.0-14.fc27
Last Closed: 2018-01-23 21:17:51 UTC


Attachments
poc_file (3.46 KB, audio/x-wav)
2017-10-11 02:15 UTC, Liu Zhu

Description Liu Zhu 2017-10-11 02:15:44 UTC
Created attachment 1336958 [details]
poc_file

Version-Release number of selected component (if applicable):
SoX v14.4.2

How reproducible:
./sox crash_sample/02-heap-buffer-over tt.snd
=================================================================
==20977==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000006852 at pc 0x00000052caf3 bp 0x7ffd183bb2d0 sp 0x7ffd183bb2c0
WRITE of size 2 at 0x619000006852 thread T0
    #0 0x52caf2 in ImaExpandS /root/sox_ASAN/src/ima_rw.c:126
    #1 0x52cb62 in lsx_ima_block_expand_i /root/sox_ASAN/src/ima_rw.c:142
    #2 0x50c7b3 in ImaAdpcmReadBlock /root/sox_ASAN/src/wav.c:141
    #3 0x5134eb in read_samples /root/sox_ASAN/src/wav.c:1131
    #4 0x4df41a in sox_read /root/sox_ASAN/src/formats.c:978
    #5 0x40d473 in sox_read_wide /root/sox_ASAN/src/sox.c:490
    #6 0x40de4a in combiner_drain /root/sox_ASAN/src/sox.c:552
    #7 0x424af0 in drain_effect /root/sox_ASAN/src/effects.c:352
    #8 0x425cdd in sox_flow_effects /root/sox_ASAN/src/effects.c:445
    #9 0x4189fb in process /root/sox_ASAN/src/sox.c:1802
    #10 0x420be9 in main /root/sox_ASAN/src/sox.c:3008
    #11 0x7f4870b2a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #12 0x40a658 in _start (/root/sox_ASAN/src/sox+0x40a658)

0x619000006852 is located 0 bytes to the right of 978-byte region [0x619000006480,0x619000006852)
allocated by thread T0 here:
    #0 0x7f4871e39961 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98961)
    #1 0x4e1b37 in lsx_realloc /root/sox_ASAN/src/xmalloc.c:37
    #2 0x51132e in startread /root/sox_ASAN/src/wav.c:829
    #3 0x4db176 in open_read /root/sox_ASAN/src/formats.c:545
    #4 0x4db9ad in sox_open_read /root/sox_ASAN/src/formats.c:585
    #5 0x4200fc in main /root/sox_ASAN/src/sox.c:2945
    #6 0x7f4870b2a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/sox_ASAN/src/ima_rw.c:126 ImaExpandS
Shadow bytes around the buggy address:
  0x0c327fff8cb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8cc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8cd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8ce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff8d00: 00 00 00 00 00 00 00 00 00 00[02]fa fa fa fa fa
  0x0c327fff8d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8d20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8d40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8d50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==20977==ABORTING

Additional info:

Comment 2 Jiri Kucera 2018-01-11 00:40:50 UTC
Link to commit (rawhide, f27, f26):

https://src.fedoraproject.org/rpms/sox/c/7e448dcd69d072ba5bc1a3a6d84bc381199cd21b?branch=master

Comment 3 Jiri Kucera 2018-01-11 00:43:16 UTC
Also resolves [ https://bugzilla.redhat.com/show_bug.cgi?id=1510917 ]

Comment 4 Fedora Update System 2018-01-11 01:00:15 UTC
sox-14.4.2.0-14.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-b528f28c59

Comment 5 Fedora Update System 2018-01-11 01:07:36 UTC
sox-14.4.2.0-14.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2018-b26768593c

Comment 6 Fedora Update System 2018-01-11 23:08:44 UTC
sox-14.4.2.0-14.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-b528f28c59

Comment 7 Fedora Update System 2018-01-11 23:42:37 UTC
sox-14.4.2.0-14.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-b26768593c

Comment 8 Fedora Update System 2018-01-23 21:17:51 UTC
sox-14.4.2.0-14.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2018-01-23 21:44:53 UTC
sox-14.4.2.0-14.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

