On Thu, 27 Feb 2014 at 16:43:35 +0000, Gustavo Grieco wrote:
> a buffer overflow in mp3gain can be used to execute code using a malformed
> mp3 file. A POC is attached.
Hi,

Have you already reported this bug to mp3gain's upstream developer <http://mp3gain.sourceforge.net/> or requested a CVE ID for it?

How did you find this overflow? Did you use a fuzzer or similar to construct your PoC, or did you locate a specific buffer that was overflowed by inspecting the source code, or what? Do you have any advice on fixing or mitigating this class of vulnerability?

`gcc -fsanitize=address` appears to catch this overflow, so I've uploaded version 1.5.2-r2-4 built with that option in order to mitigate this bug. That produces what's probably a more useful backtrace:

    (gdb) break __asan_report_error
    ...
    (gdb) run
    ...
    (gdb) bt
    #0  0x00007ffff4e66b90 in __asan_report_error () from /usr/lib/x86_64-linux-gnu/libasan.so.0
    #1  0x00007ffff4e5d40b in ?? () from /usr/lib/x86_64-linux-gnu/libasan.so.0
    #2  0x00000000004230b3 in memcpy (__len=209, __src=<optimized out>, __dest=<optimized out>) at /usr/include/x86_64-linux-gnu/bits/string3.h:51
    #3  copy_mp (mp=mp@entry=0x7fffffff68d0, size=size@entry=49818, ptr=0x7fffffff6c29 "\036\307\354\266Dž") at mpglibDBL/interface.c:188
    #4  0x0000000000424fc7 in decodeMP3 (mp=mp@entry=0x7fffffff68d0, in=<optimized out>, isize=isize@entry=209, done=done@entry=0x7fffffff2010) at mpglibDBL/interface.c:686
    #5  0x0000000000404e25 in main (argc=2, argv=<optimized out>) at mp3gain.c:2289

From the details given when not breaking on __asan_report_error, it appears that (on x86-64) 209 bytes are written to a position 31895 bytes into the 31920 byte struct mpstr_tag mp, overflowing it. If my arithmetic is correct, that starting position is close to the end of the array 'synth_buffs'.

I don't know this codebase well - Fabrizio, you're the maintainer, any ideas?

Regards,
    S

-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
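As an added illustration (not code from the bug report or from mp3gain/mpglib), here is the remaining-space check that the arithmetic above implies: a copy of `len` bytes at `offset` into a `total`-byte region fits only if `len <= total - offset`, tested without forming `offset + len`, which can itself wrap. The struct size, offset and length are the numbers from the backtrace; `decoder_state`, `overflow_bytes` and `checked_copy` are hypothetical names chosen here, not mpglib's.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the decoder state block: a flat byte array
 * sized like the 31920-byte struct named in the backtrace. */
#define STATE_SIZE 31920u

struct decoder_state {
    unsigned char bytes[STATE_SIZE];
};

/* Number of bytes a copy of `len` bytes at `offset` would write past the
 * end of a `total`-byte region; 0 means the copy fits. The comparison is
 * done against the space remaining so that offset + len is never computed. */
size_t overflow_bytes(size_t total, size_t offset, size_t len)
{
    if (offset > total)            /* start is already outside the region */
        return len + (offset - total);
    if (len > total - offset)      /* more data than space left */
        return len - (total - offset);
    return 0;
}

/* Bounds-checked copy into the state block: 0 on success, -1 if the copy
 * would run past the end of the struct (the case ASan reported above). */
int checked_copy(struct decoder_state *st, size_t offset,
                 const unsigned char *src, size_t len)
{
    if (overflow_bytes(sizeof st->bytes, offset, len) != 0)
        return -1;
    memcpy(st->bytes + offset, src, len);
    return 0;
}

int main(void)
{
    static struct decoder_state st;
    unsigned char frame[209] = {0};   /* constructed input, same length as the reported memcpy */

    /* The report's numbers: 209 bytes at offset 31895 of a 31920-byte struct. */
    printf("overflow by %zu bytes\n", overflow_bytes(STATE_SIZE, 31895, 209)); /* 184 */
    printf("checked_copy -> %d\n", checked_copy(&st, 31895, frame, sizeof frame)); /* -1 */
    /* Same length at the last offset where it still fits. */
    printf("checked_copy -> %d\n", checked_copy(&st, 31711, frame, sizeof frame)); /* 0 */
    return 0;
}
```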