[security-report]Lame multi memory error bug && CVE Request


ChenQin


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

hi,

reproduce:
lame 2
lame 3

Case1:
LAME 3.99.5 64bits (http://lame.sf.net)
Resampling:  input -2.14698e+06 kHz  output 8 kHz
Using polyphase lowpass filter, transition band:  3903 Hz -  4000 Hz
Encoding 2 to 2.mp3
Encoding as 8 kHz j-stereo MPEG-2.5 Layer III (10.7x)  24 kbps qval=3
    Frame          |  CPU time/estim | REAL time/estim | play/CPU |    ETA
     0/       ( 0%)|    0:00/     :  |    0:00/     :  |         x|     :
00:03----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
   kbps      %     %
    0.0           ASAN:SIGSEGV
=================================================================
==523==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000053e651 sp 0x7ffda3f33c20 bp 0x000000000000 T0)
    #0 0x53e650 in fill_buffer_resample /home/k/a/lame-3.99.5/libmp3lame/util.c:608
    #1 0x53e650 in fill_buffer /home/k/a/lame-3.99.5/libmp3lame/util.c:676
    #2 0x495550 in lame_encode_buffer_sample_t /home/k/a/lame-3.99.5/libmp3lame/lame.c:1736
    #3 0x407127 in lame_encoder_loop /home/k/a/lame-3.99.5/frontend/lame_main.c:462
    #4 0x4094b6 in lame_encoder /home/k/a/lame-3.99.5/frontend/lame_main.c:531
    #5 0x4094b6 in lame_main /home/k/a/lame-3.99.5/frontend/lame_main.c:707
    #6 0x4042c3 in c_main /home/k/a/lame-3.99.5/frontend/main.c:470
    #7 0x4042c3 in main /home/k/a/lame-3.99.5/frontend/main.c:438
    #8 0x7f7e77bfea3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #9 0x405a98 in _start (/usr/local/bin/lame+0x405a98)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/k/a/lame-3.99.5/libmp3lame/util.c:608 fill_buffer_resample
==523==ABORTING


Case2:
==1484==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c00000bf78 at pc 0x5408cc bp 0x7ffff7f747d0 sp 0x7ffff7f747c0
READ of size 4 at 0x60c00000bf78 thread T0
    #0 0x5408cb in fill_buffer_resample /home/k/a/lame-3.99.5/libmp3lame/util.c:606
    #1 0x5408cb in fill_buffer /home/k/a/lame-3.99.5/libmp3lame/util.c:676
    #2 0x495550 in lame_encode_buffer_sample_t /home/k/a/lame-3.99.5/libmp3lame/lame.c:1736
    #3 0x407127 in lame_encoder_loop /home/k/a/lame-3.99.5/frontend/lame_main.c:462
    #4 0x4094b6 in lame_encoder /home/k/a/lame-3.99.5/frontend/lame_main.c:531
    #5 0x4094b6 in lame_main /home/k/a/lame-3.99.5/frontend/lame_main.c:707
    #6 0x4042c3 in c_main /home/k/a/lame-3.99.5/frontend/main.c:470
    #7 0x4042c3 in main /home/k/a/lame-3.99.5/frontend/main.c:438
    #8 0x7f37b4618a3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #9 0x405a98 in _start (/usr/local/bin/lame+0x405a98)

0x60c00000bf78 is located 8 bytes to the left of 128-byte region [0x60c00000bf80,0x60c00000c000)
allocated by thread T0 here:
    #0 0x7f37b516e985 in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x57985)
    #1 0x53fa9c in fill_buffer_resample /home/k/a/lame-3.99.5/libmp3lame/util.c:558
    #2 0x53fa9c in fill_buffer /home/k/a/lame-3.99.5/libmp3lame/util.c:676

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/k/a/lame-3.99.5/libmp3lame/util.c:606 fill_buffer_resample
Shadow bytes around the buggy address:
  0x0c187fff9790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c187fff97a0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c187fff97b0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x0c187fff97c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c187fff97d0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c187fff97e0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa[fa]
  0x0c187fff97f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c187fff9800: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c187fff9810: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x0c187fff9820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c187fff9830: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==1484==ABORTING




Chen Qin / Topsec Product Security Team

Lame-dev mailing list
https://lists.sourceforge.net/lists/listinfo/lame-dev
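The two traces above share a shape worth spelling out: the Case 1 banner shows an input rate of -2.14698e+06 kHz being accepted for resampling, and Case 2 is a 4-byte read 8 bytes before the start of a region calloc'd inside fill_buffer_resample itself, i.e. a negative index into a buffer the function just allocated. The block below is an added illustration of that failure class and is not LAME's code; it models a resampler index computation from an input/output rate ratio, shows how a negative input rate drives the source index negative, and places the rate validation and bounds check beside it. The function names, the 128-float buffer and the 192 kHz sanity ceiling are assumptions for the example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Added example, not LAME's code: a toy resampler index computation
 * in the spirit of fill_buffer_resample, to show how an unvalidated
 * input sample rate becomes an out-of-bounds read. Names and the
 * MAX_RATE_HZ ceiling are assumptions. */

#define MAX_RATE_HZ 192000.0   /* assumed sanity ceiling, not a LAME constant */

/* Unchecked variant: the caller's in_rate goes straight into the ratio.
 * A negative in_rate yields a negative ratio and so a negative source
 * index (the cast truncates toward zero; the sign survives). */
long src_index_unchecked(double in_rate, double out_rate, long out_n)
{
    double ratio = in_rate / out_rate;
    return (long)(out_n * ratio);
}

/* Validation that belongs at the library boundary, before any
 * resampling buffer is sized or indexed from these values. */
int sample_rate_ok(double in_rate, double out_rate)
{
    if (!(in_rate > 0.0) || !(out_rate > 0.0))   /* also rejects NaN */
        return 0;
    if (in_rate > MAX_RATE_HZ || out_rate > MAX_RATE_HZ)
        return 0;
    return 1;
}

/* Checked fetch: 0 on success with *out set, -1 when the rates are
 * rejected, -2 when the computed index falls outside [0, len). */
int fetch_src_sample(const float *buf, long len,
                     double in_rate, double out_rate, long out_n, float *out)
{
    if (!sample_rate_ok(in_rate, out_rate))
        return -1;
    long idx = src_index_unchecked(in_rate, out_rate, out_n);
    if (idx < 0 || idx >= len)
        return -2;
    *out = buf[idx];
    return 0;
}

int demo(void)
{
    /* Constructed input: 128 floats in a calloc'd region, mirroring the
     * allocation pattern in the Case 2 trace (element size there is unknown). */
    long len = 128;
    float *buf = calloc((size_t)len, sizeof *buf);
    if (!buf)
        return 1;
    for (long i = 0; i < len; i++)
        buf[i] = (float)i;

    float s;
    /* The negative rate printed in the Case 1 banner, converted to Hz. */
    double bad_rate = -2.14698e+06 * 1000.0;
    long idx = src_index_unchecked(bad_rate, 8000.0, 1);
    printf("unchecked index for output sample 1: %ld (before the buffer)\n", idx);
    printf("checked fetch with bad rate: rc=%d\n",
           fetch_src_sample(buf, len, bad_rate, 8000.0, 1, &s));
    int rc = fetch_src_sample(buf, len, 44100.0, 8000.0, 10, &s);
    printf("44.1 kHz -> 8 kHz, output sample 10: rc=%d src sample=%.0f\n", rc, s);
    free(buf);
    return 0;
}

int main(void)
{
    return demo();
}
```

Building this with -fsanitize=address -g and replacing the bounds check with a raw buf[idx] read reproduces the same "heap-buffer-overflow ... bytes to the left of N-byte region" report shape as Case 2, which is the quickest way to confirm that an ASan left-redzone hit on a freshly allocated buffer is a negative index rather than an undersized allocation.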