Describe
A stack-buffer-overflow was discovered in libmpeghe v[2024-06-12]. The issue is triggered in function impeghe_wav_header_decode() at libmpeghe/test/impeghe_testbench.c:244. Attackers may exploit this vulnerability to crash the encoder, causing a denial of service (DoS).
Reproduce:
Tested on Ubuntu 22.04.
First, compile the program with AddressSanitizer:
```shell
mkdir cmake_build
cd cmake_build
AFL_USE_ASAN=1 CC=afl-clang-lto CXX=afl-clang-lto++ cmake ..
AFL_USE_ASAN=1 make -j8
```
Then feed the PoC file to the encoder:
```shell
./MPEGHEncoder -ifile:/home/crashes/libmpeghe/crashes.2024-06-28-03:53:38/id:000000,sig:06,src:000009+000601,time:1661846,execs:14312,op:splice,rep:16 -ofile:1.mp4
```
ASan report:
```text
==2599528==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f17cd20006f at pc 0x5596e543c952 bp 0x7ffc9c0e0310 sp 0x7ffc9c0e0308
READ of size 1 at 0x7f17cd20006f thread T0
    #0 0x5596e543c951 in impeghe_wav_header_decode /home/libmpeghe/test/impeghe_testbench.c:244:28
    #1 0x5596e5440eee in impeghe_main_process /home/libmpeghe/test/impeghe_testbench.c:1688:9
    #2 0x5596e5455664 in main /home/libmpeghe/test/impeghe_testbench.c:2748:7
    #3 0x7f17ceffdd8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 962015aa9d133c6cbcfb31ec300596d7f44d3348)
    #4 0x7f17ceffde3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 962015aa9d133c6cbcfb31ec300596d7f44d3348)
    #5 0x5596e534eb74 in _start (/home/libmpeghe/build/bin/MPEGHEncoder+0x36eb74) (BuildId: ad74bd9c567612d9)

Address 0x7f17cd20006f is located in stack of thread T0 at offset 111 in frame
    #0 0x5596e5439c5f in impeghe_wav_header_decode /home/libmpeghe/test/impeghe_testbench.c:169

  This frame has 2 object(s):
    [32, 108) 'wav_hdr' (line 171) <== Memory access at offset 111 overflows this variable
    [144, 148) 'data_start' (line 172)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/libmpeghe/test/impeghe_testbench.c:244:28 in impeghe_wav_header_decode
```
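The frame information above says the faulting read lands at offset 111, three bytes past the end of the 76-byte `wav_hdr` stack object, which is the signature of a header walker that trusts a chunk length taken from the file. As an added example (not code from libmpeghe), here is a bounds-checked RIFF/WAVE header parser in C that carries the buffer length and rejects any field read that would cross it; the function names, the 76-byte capacity and the sample header are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Constructed example: every read is checked against the buffer length, so a
 * file that declares an oversized 'fmt ' chunk is rejected instead of pushing
 * the parser past the end of a fixed-size stack buffer. */
#define HDR_CAP 76u /* same capacity as the reported wav_hdr object (assumed) */
typedef struct { uint32_t sample_rate; uint16_t channels, bits; size_t data_start; } wav_info;
static uint32_t rd32(const uint8_t *p)
{ return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (uint16_t)p[1] << 8); }
/* Returns 0 and fills *out on success, -1 if any read would leave hdr[0..len). */
int wav_header_parse(const uint8_t *hdr, size_t len, wav_info *out)
{
    if (len > HDR_CAP || len < 12) return -1;
    if (memcmp(hdr, "RIFF", 4) || memcmp(hdr + 8, "WAVE", 4)) return -1;
    size_t pos = 12; int have_fmt = 0;
    while (pos + 8 <= len) {                       /* chunk id + size must fit */
        uint32_t csz = rd32(hdr + pos + 4);
        if (!memcmp(hdr + pos, "data", 4)) {       /* audio payload follows the header */
            if (!have_fmt) return -1;
            out->data_start = pos + 8;
            return 0;
        }
        if (csz > len - (pos + 8)) return -1;      /* declared size overruns the buffer */
        if (!memcmp(hdr + pos, "fmt ", 4)) {
            if (csz < 16) return -1;               /* PCM fmt body is 16 bytes */
            out->channels = rd16(hdr + pos + 10);
            out->sample_rate = rd32(hdr + pos + 12);
            out->bits = rd16(hdr + pos + 22);
            have_fmt = 1;
        }
        pos += 8 + csz + (csz & 1);                /* chunks are word aligned */
    }
    return -1;                                     /* no data chunk inside the header */
}
/* Constructed 44-byte canonical PCM header (stereo, 48 kHz, 16-bit); fmt_size lets
 * a caller misdeclare the fmt chunk length the way a fuzzer-mutated file would. */
size_t build_header(uint8_t *buf, uint32_t fmt_size)
{
    static const uint8_t fmt[16] = {1,0, 2,0, 0x80,0xBB,0,0, 0,0xEE,2,0, 4,0, 16,0};
    memcpy(buf, "RIFF\x24\0\0\0WAVEfmt ", 16);
    for (int i = 0; i < 4; i++) buf[16 + i] = (uint8_t)(fmt_size >> (8 * i));
    memcpy(buf + 20, fmt, 16);
    memcpy(buf + 36, "data\0\0\0\0", 8);
    return 44;
}
```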
PoC:
PoC file is here.
Fuzzer:
Fuzzer is AFL.