From: Christian Grothoff
Subject: Re: [bug-libextractor] libextract 'EXTRACTOR_wav_extract_method/wav_extractor.c' Divide-By-Zero Denial of Service Vulnerability
Date: Mon, 9 Oct 2017 15:30:48 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0
Thanks for reporting, fixed in f376d24..b577d54.
Happy hacking!
Christian
On 10/09/2017 04:42 AM, Leon Zhao wrote:
> *Tested Version:*
> v1.4
>
> *Details:*
> In the 'EXTRACTOR_wav_extract_method' function of wav_extractor.c, the
> program does not check the value of sample_rate; with a crafted file,
> sample_rate can be set to zero.
>
> *Vulnerability Code:*
> 114 snprintf (scratch,
> 115 sizeof (scratch),
> 116 "%u ms, %d Hz, %s",
> 117 (samples < sample_rate)
> 118 ? (samples * 1000 / sample_rate)
> 119 : (samples / sample_rate) * 1000,
> 120 sample_rate, (1 == channels) ? _("mono") : _("stereo"));
>
> *Crash Information:*
> The output of gdb:
> Reading symbols from /opt/asan/bin/extract...done.
> (gdb) set args -i extract-wav_extractor-119.dos
> (gdb) run
> Starting program: /opt/asan/bin/extract -i extract-wav_extractor-119.dos
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
> Keywords for file extract-wav_extractor-119.dos:
>
> Program received signal SIGFPE, Arithmetic exception.
> 0x00007ffff1c242fe in EXTRACTOR_wav_extract_method (ec=0x7fffffffa070)
> at wav_extractor.c:119
> 119 : (samples / sample_rate) * 1000,
> (gdb) p sample_rate
> $1 = 0
> (gdb) bt
> #0 0x00007ffff1c242fe in EXTRACTOR_wav_extract_method
> (ec=0x7fffffffa070) at wav_extractor.c:119
> #1 0x00007ffff6c09793 in do_extract (plugins=0x60800000b520, shm=0x0,
> ds=0x60300000ec20, proc=0x40255a <print_selected_keywords>,
> proc_cls=0x0) at extractor.c:577
> #2 0x00007ffff6c09b99 in EXTRACTOR_extract (plugins=0x60800000b520,
> filename=0x60800000be59 "extract-wav_extractor-119.dos", data=0x0, size=0,
> proc=0x40255a <print_selected_keywords>, proc_cls=0x0) at
> extractor.c:655
> #3 0x00000000004044ca in main (argc=3, argv=0x7fffffffe4d8) at
> extract.c:977
> (gdb) l
> 114 snprintf (scratch,
> 115 sizeof (scratch),
> 116 "%u ms, %d Hz, %s",
> 117 (samples < sample_rate)
> 118 ? (samples * 1000 / sample_rate)
> 119 : (samples / sample_rate) * 1000,
> 120 sample_rate, (1 == channels) ? _("mono") : _("stereo"));
> 121 if (0 != ec->proc (ec->cls,
> 122 "wav",
> 123 EXTRACTOR_METATYPE_RESOURCE_TYPE,
> (gdb)
>
> *CREDIT*
> Zhao Liang, Huawei Weiran Labs
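The guard the report asks for, written out as an added example that is not part of this thread or of libextractor's source: the duration line from the quoted snippet, with sample_rate validated before it is used as a divisor. wav_duration_string is a hypothetical name used only here, the gettext wrappers around "mono"/"stereo" are dropped, and the header values are constructed.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Added illustration, not libextractor's code: the duration line from
 * EXTRACTOR_wav_extract_method with a guard for the crafted-header case.
 * wav_duration_string is a hypothetical name used only here. */

/* Formats "<ms> ms, <rate> Hz, mono|stereo" into scratch, as the plugin
 * does, but refuses a zero sample rate instead of dividing by it.
 * Returns the snprintf length, or -1 when the header is unusable. */
static int
wav_duration_string (char *scratch, size_t len,
                     unsigned samples, unsigned sample_rate, unsigned channels)
{
  /* The reported crash: sample_rate == 0 reaches the division and x86
   * raises SIGFPE. Validate before any arithmetic that uses it. */
  if (0 == sample_rate)
    return -1;

  /* A 64-bit intermediate means samples * 1000 cannot wrap, so the
   * original's (samples < sample_rate) branch, which exists to avoid
   * that wrap and drops sub-second precision, is no longer needed. */
  uint64_t ms = (uint64_t) samples * 1000 / sample_rate;

  return snprintf (scratch, len, "%llu ms, %u Hz, %s",
                   (unsigned long long) ms, sample_rate,
                   (1 == channels) ? "mono" : "stereo");
}

int
main (void)
{
  char scratch[64];

  /* Constructed header values: one second of 44100 Hz stereo audio. */
  if (wav_duration_string (scratch, sizeof (scratch), 44100, 44100, 2) > 0)
    printf ("%s\n", scratch);            /* 1000 ms, 44100 Hz, stereo */

  /* Constructed crafted header with sample_rate == 0: rejected, no SIGFPE. */
  if (-1 == wav_duration_string (scratch, sizeof (scratch), 44100, 0, 2))
    printf ("rejected: zero sample rate\n");

  return 0;
}
```

The caller can treat -1 like any other malformed header and skip emitting the "wav" resource-type keyword for that file.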