Heap-based Buffer Overflow in hoene/libmysofa

Valid

Reported on

Oct 13th 2021


Description

system : ubuntu 20.04

build command

cd libmysofa
mkdir build
cd build
CC=clang CXX=clang++ CFLAGS="-fsanitize=address -g" CXXFLAGS="-fsanitize=address -g" cmake ../
make all

repro

./mysofa2json -c ./libmyfofa_mysofa_check

Proof of Concept

https://drive.google.com/file/d/1MO3g--nRZkPMZIvwEpT6N_JkeHx6AV8B/view?usp=sharing

ASAN report

==2771211==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001eb8 at pc 0x0000004e3b49 bp 0x7ffc0f2db170 sp 0x7ffc0f2db168
READ of size 4 at 0x602000001eb8 thread T0
    #0 0x4e3b48 in mysofa_check /home/fuzz/libmysofa/src/hrtf/check.c:153:14
    #1 0x4df78d in mysofa_open_default /home/fuzz/libmysofa/src/hrtf/easy.c:46:10
    #2 0x4df413 in mysofa_open /home/fuzz/libmysofa/src/hrtf/easy.c:101:10
    #3 0x4c57de in main /home/fuzz/libmysofa/src/tests/sofa2json.c:104:13
    #4 0x7fa0526060b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #5 0x41d44d in _start (/home/fuzz/libmysofa/mysofa2json+0x41d44d)

analyse

    149      for (int i = 0; i < 6; i++) {
    150        int offset = i * hrtf->M;
    151        double receiverPosition = hrtf->ReceiverPosition.values[offset];
    152        for (int j = 1; j < hrtf->M; j++)
 →  153          if (!fequals(receiverPosition,
    154                       hrtf->ReceiverPosition.values[offset + j]))
    155            return MYSOFA_RECEIVERS_WITH_RCI_SUPPORTED; // LCOV_EXCL_LINE
    156      }
    157    } else {

gef➤  p hrtf->M
$1 = 0x4e2
gef➤  p sizeof(hrtf->ReceiverPosition.values)
$2 = 0x8

We have contacted a member of the hoene/libmysofa team and are waiting to hear back a month ago
aletheaz modified their report
a month ago
Christian Hoene validated this vulnerability a month ago
aletheaz has been awarded the disclosure bounty
The fix bounty is now up for grabs
Christian Hoene confirmed that a fix has been merged on ba82b1 a month ago
Christian Hoene has been awarded the fix bounty