
stack-buffer-overflow in function calculate_gain(libfaad/sbr_hfadj.c:1346) #18

Closed
fantasy7082 opened this issue Dec 17, 2018 · 2 comments

@fantasy7082

Hi, I found a stack-buffer-overflow bug in Freeware Advanced Audio Decoder 2 (FAAD2) 2.8.8; the details are below (ASAN):

./faad faad_res/001_stack-buffer-overflow_sbr_hfadj -o out.wav
 *********** Ahead Software MPEG-4 AAC Decoder V2.8.8 ******************

 Build: Dec 13 2018
 Copyright 2002-2004: Ahead Software AG
 http://www.audiocoding.com
 bug tracking: https://sourceforge.net/p/faac/bugs/
 Floating point version

 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License.

 **************************************************************************

faad_res/001_stack-buffer-overflow_sbr_hfadj file info:
ADTS, 12.416 sec, 37 kbps, 48000 Hz

  ---------------------
 | Config:  2 Ch       |
  ---------------------
 | Ch |    Position    |
  ---------------------
 | 00 | Left front     |
 | 01 | Right front    |
  ---------------------

=================================================================
==7021==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffed218532c at pc 0x7f406de6e68c bp 0x7ffed2184390 sp 0x7ffed2184380
WRITE of size 4 at 0x7ffed218532c thread T0
    #0 0x7f406de6e68b in calculate_gain /root/faad2_asan/libfaad/sbr_hfadj.c:1346
    #1 0x7f406de6b392 in hf_adjustment /root/faad2_asan/libfaad/sbr_hfadj.c:83
    #2 0x7f406de89725 in sbr_process_channel /root/faad2_asan/libfaad/sbr_dec.c:363
    #3 0x7f406de8b7fa in sbrDecodeSingleFramePS /root/faad2_asan/libfaad/sbr_dec.c:637
    #4 0x7f406de33b54 in reconstruct_single_channel /root/faad2_asan/libfaad/specrec.c:1071
    #5 0x7f406de3be28 in single_lfe_channel_element /root/faad2_asan/libfaad/syntax.c:631
    #6 0x7f406de3a354 in decode_sce_lfe /root/faad2_asan/libfaad/syntax.c:351
    #7 0x7f406de3b2da in raw_data_block /root/faad2_asan/libfaad/syntax.c:441
    #8 0x7f406ddf59c3 in aac_frame_decode /root/faad2_asan/libfaad/decoder.c:990
    #9 0x7f406ddf5566 in NeAACDecDecode /root/faad2_asan/libfaad/decoder.c:821
    #10 0x40f8ae in decodeAACfile /root/faad2_asan/frontend/main.c:679
    #11 0x411dd4 in faad_main /root/faad2_asan/frontend/main.c:1323
    #12 0x411fe5 in main /root/faad2_asan/frontend/main.c:1366
    #13 0x7f406da2d82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #14 0x401aa8 in _start (/usr/local/faad-asan/bin/faad+0x401aa8)

Address 0x7ffed218532c is located in stack of thread T0 at offset 2972 in frame
    #0 0x7f406de6ad8e in hf_adjustment /root/faad2_asan/libfaad/sbr_hfadj.c:60

  This frame has 1 object(s):
    [32, 2972) 'adj' <== Memory access at offset 2972 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /root/faad2_asan/libfaad/sbr_hfadj.c:1346 calculate_gain
Shadow bytes around the buggy address:
  0x10005a428a10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005a428a20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005a428a30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005a428a40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005a428a50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10005a428a60: 00 00 00 00 00[04]f3 f3 f3 f3 f3 f3 f3 f3 00 00
  0x10005a428a70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005a428a80: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00
  0x10005a428a90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005a428aa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10005a428ab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==7021==ABORTING

POC FILE: https://github.com/fantasy7082/image_test/blob/master/001_stack-buffer-overflow_sbr_hfadj

@hlef
Contributor

hlef commented May 5, 2019

Very similar to #21, if not duplicate.

@fabiangreffrath : In any case, fixed by 6b4a7cd.

@fabiangreffrath
Collaborator

Closing, thanks!
