Bug 2027690 (CVE-2021-4156) - CVE-2021-4156 libsndfile: heap out-of-bounds read in src/flac.c in flac_buffer_copy
Summary: CVE-2021-4156 libsndfile: heap out-of-bounds read in src/flac.c in flac_buffe...
Alias: CVE-2021-4156
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 2027692 2030507 2030508
Blocks: 2027694 2034822
TreeView+ depends on / blocked
Reported: 2021-11-30 13:05 UTC by Marian Rehak
Modified: 2023-01-06 04:39 UTC (History)
2 users (show)

Fixed In Version: libsndfile 1.1.0
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds read flaw was found in libsndfile's FLAC codec functionality. An attacker who is able to submit a specially crafted file (via tricking a user to open or otherwise) to an application linked with libsndfile and using the FLAC codec, could trigger an out-of-bounds read that would most likely cause a crash but could potentially leak memory information that could be used in further exploitation of other flaws.
Clone Of:
Last Closed: 2022-05-10 19:45:27 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:1968 0 None None None 2022-05-10 14:35:03 UTC

Description Marian Rehak 2021-11-30 13:05:20 UTC
The vulnerability can lead to heap-based buffer overflow via a crafted sound file, and potentially control heap data by forge buffer content to perform heap exploitation.

Upstream Reference:


Comment 1 Marian Rehak 2021-11-30 13:05:33 UTC
Created libsndfile tracking bugs for this issue:

Affects: fedora-all [bug 2027692]

Comment 2 Todd Cullum 2021-12-09 00:54:00 UTC
Flaw summary:

There's an out-of-bounds READ possible in libsndfile's flac_buffer_copy() routine in flac.c. This could be triggered by a specially crafted file that is processed by a program linked with libsndfile.

Technical detail:

In the following for loop:

                                for (i = 0 ; i < len && pflac->remain > 0 ; i++)
                                {       offset = pflac->pos + i * channels ;

                                        if (pflac->bufferpos >= frame->header.blocksize)
                                                break ;

                                        if (offset + channels > pflac->len)
                                                break ;

                                        for (j = 0 ; j < channels ; j++)
                                                retpcm [offset + j] = ((uint32_t) buffer [j][pflac->bufferpos]) << shift ;
                                        pflac->remain -= channels ;
                                        pflac->bufferpos++ ;
                                        } ;
                                } ;

We see that there's an if check to ensure the loop terminates if pflac->bufferpos >= frame->header.blocksize.

In this case, frame->header.blocksize can be set to a value greater than the size of `buffer`, and since `buffer` is indexed by `pflac->bufferpos`, the loop will not terminate before causing an out-of-bounds read when reading `buffer`.

The upstream patch[1] introduces a check to prevent the above, and errors out upon failure.

1. https://github.com/libsndfile/libsndfile/pull/732/commits/4c30646abf7834e406f7e2429c70bc254e18beab

Comment 4 errata-xmlrpc 2022-05-10 14:35:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1968 https://access.redhat.com/errata/RHSA-2022:1968

Comment 5 Product Security DevOps Team 2022-05-10 19:45:25 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Note You need to log in before you can comment on or make changes to this bug.