Heap-based Buffer Overflow in hoene/libmysofa
Reported on
Sep 27th 2021
Description
There are heap-buffer-overflows in mysofa2json of libmysofa, in the functions loudness, mysofa_check and readOHDRHeaderMessageDataLayout. As the AddressSanitizer output below shows, the first two are 4-byte out-of-bounds reads of heap memory, while the third is an out-of-bounds heap write of 28771 bytes performed by fread inside readOHDRHeaderMessageDataLayout, which makes it the most serious of the three.
System info
Ubuntu 20.04.3 LTS
clang 12.0.1
libmysofa (github master branch commit 0cb89cb)
Command to Reproduce
build libmysofa with AddressSanitizer
cd libmysofa
mkdir build
cd build
CC=clang CXX=clang++ CFLAGS="-fsanitize=address -g" CXXFLAGS="-fsanitize=address -g" cmake ../
make all
run mysofa2json on each PoC file
./src/mysofa2json -c poc
Proof of Concept
ASAN output
POC
==32642==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001f30 at pc 0x000000504266 bp 0x7ffd90b79510 sp 0x7ffd90b79508
READ of size 4 at 0x602000001f30 thread T0
#0 0x504265 in loudness /VulMin/libmysofa/libmysofa/src/hrtf/tools.c:183:12
#1 0x522e98 in mysofa_loudness /VulMin/libmysofa/libmysofa/src/hrtf/loudness.c:49:12
#2 0x504d22 in mysofa_open_default /VulMin/libmysofa/libmysofa/src/hrtf/easy.c:56:5
#3 0x4ca783 in main /VulMin/libmysofa/libmysofa/src/tests/sofa2json.c:104:13
#4 0x7fcc7c4220b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#5 0x41e4dd in _start (/VulMin/libmysofa/build/src/mysofa2json+0x41e4dd)
POC2
==12027==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000024100 at pc 0x00000051255c bp 0x7fff68b0a490 sp 0x7fff68b0a488
READ of size 4 at 0x621000024100 thread T0
#0 0x51255b in mysofa_check /VulMin/libmysofa/libmysofa/src/hrtf/check.c:153:14
#1 0x504463 in mysofa_open_default /VulMin/libmysofa/libmysofa/src/hrtf/easy.c:43:10
#2 0x4ca783 in main /VulMin/libmysofa/libmysofa/src/tests/sofa2json.c:104:13
#3 0x7f5185b890b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#4 0x41e4dd in _start (/VulMin/libmysofa/build/src/mysofa2json+0x41e4dd)
POC3
==12079==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62a000005060 at pc 0x000000435cde bp 0x7ffd91bcd2d0 sp 0x7ffd91bcca98
WRITE of size 28771 at 0x62a000005060 thread T0
#0 0x435cdd in fread (/VulMin/libmysofa/build/src/mysofa2json+0x435cdd)
#1 0x4e14bc in readOHDRHeaderMessageDataLayout /VulMin/libmysofa/libmysofa/src/hdf/dataobject.c:511:13
#2 0x4e14bc in readOHDRmessages /VulMin/libmysofa/libmysofa/src/hdf/dataobject.c:1123:20
#3 0x4dcee6 in dataobjectRead /VulMin/libmysofa/libmysofa/src/hdf/dataobject.c:1226:9
#4 0x4f7023 in directblockRead /VulMin/libmysofa/libmysofa/src/hdf/fractalhead.c:239:15
#5 0x4f39ba in fractalheapRead /VulMin/libmysofa/libmysofa/src/hdf/fractalhead.c:638:13
#6 0x4dd43a in dataobjectRead /VulMin/libmysofa/libmysofa/src/hdf/dataobject.c:1251:11
#7 0x4da3dd in superblockRead /VulMin/libmysofa/libmysofa/src/hdf/superblock.c:201:12
#8 0x4d0483 in mysofa_load /VulMin/libmysofa/libmysofa/src/hrtf/reader.c:305:10
#9 0x4ca71b in main /VulMin/libmysofa/libmysofa/src/tests/sofa2json.c:90:10
#10 0x7f6b102d00b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
#11 0x41e4dd in _start (/VulMin/libmysofa/build/src/mysofa2json+0x41e4dd)
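The POC3 trace reports a heap-buffer-overflow WRITE of 28771 bytes inside fread, called from readOHDRHeaderMessageDataLayout. The following added example is not libmysofa's code and does not reproduce its HDF5 parsing; the record format, field names and functions are constructed for illustration. It shows the general shape of the bug class such a trace usually indicates, a length read from the file handed to fread while the destination buffer was sized from a different field, beside a reader that validates the length against the allocation before touching the heap. A tmpfile stands in for the SOFA file so the example runs offline.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy "data layout" record, little-endian (NOT the HDF5/libmysofa format):
 *   u16 dim_count    -> the reader allocates dim_count * sizeof(uint32_t) bytes
 *   u32 payload_len  -> number of payload bytes that follow the header
 *   payload_len bytes of payload
 */
#define HDR_LEN 6
enum { LAYOUT_OK = 0, LAYOUT_ERR_IO = -1, LAYOUT_ERR_LEN = -2 };

static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: the allocation is sized from dim_count but fread() is told to
 * write payload_len bytes, and the two are never compared. A record with
 * payload_len > dim_count*4 makes fread() write past the heap block, which
 * AddressSanitizer reports as "WRITE of size <payload_len>" in fread. */
static int read_layout_vuln(FILE *f, uint32_t **out, size_t *out_dims) {
    unsigned char hdr[HDR_LEN];
    if (fread(hdr, 1, HDR_LEN, f) != HDR_LEN) return LAYOUT_ERR_IO;
    uint16_t dim_count = rd16(hdr);
    uint32_t payload_len = rd32(hdr + 2);
    uint32_t *buf = malloc((size_t)dim_count * sizeof(uint32_t));
    if (!buf) return LAYOUT_ERR_IO;
    if (fread(buf, 1, payload_len, f) != payload_len) { free(buf); return LAYOUT_ERR_IO; } /* overflow */
    *out = buf;
    *out_dims = dim_count;
    return LAYOUT_OK;
}

/* Hardened reader: check the file-supplied length against the allocation before
 * allocating or reading anything. */
static int read_layout_safe(FILE *f, uint32_t **out, size_t *out_dims) {
    unsigned char hdr[HDR_LEN];
    if (fread(hdr, 1, HDR_LEN, f) != HDR_LEN) return LAYOUT_ERR_IO;
    uint16_t dim_count = rd16(hdr);
    uint32_t payload_len = rd32(hdr + 2);
    size_t alloc = (size_t)dim_count * sizeof(uint32_t);
    if (dim_count == 0 || payload_len > alloc) return LAYOUT_ERR_LEN; /* reject before touching the heap */
    uint32_t *buf = calloc(dim_count, sizeof(uint32_t));            /* zero any unfilled tail */
    if (!buf) return LAYOUT_ERR_IO;
    if (fread(buf, 1, payload_len, f) != payload_len) { free(buf); return LAYOUT_ERR_IO; }
    *out = buf;
    *out_dims = dim_count;
    return LAYOUT_OK;
}

/* Build a constructed record: header plus a payload of 'A' bytes. Returns total length, 0 if it does not fit. */
size_t build_record(unsigned char *dst, size_t cap, uint16_t dim_count, uint32_t payload_len) {
    size_t total = HDR_LEN + (size_t)payload_len;
    if (total > cap) return 0;
    dst[0] = dim_count & 0xff;           dst[1] = dim_count >> 8;
    dst[2] = payload_len & 0xff;         dst[3] = (payload_len >> 8) & 0xff;
    dst[4] = (payload_len >> 16) & 0xff; dst[5] = payload_len >> 24;
    memset(dst + HDR_LEN, 'A', payload_len);
    return total;
}

/* Parse an in-memory record through one of the two readers; a tmpfile stands in for the SOFA file. */
int parse_record(const unsigned char *rec, size_t rec_len, int hardened, size_t *dims_out) {
    FILE *f = tmpfile();
    if (!f || fwrite(rec, 1, rec_len, f) != rec_len) { if (f) fclose(f); return LAYOUT_ERR_IO; }
    rewind(f);
    uint32_t *dims = NULL;
    size_t n = 0;
    int rc = hardened ? read_layout_safe(f, &dims, &n) : read_layout_vuln(f, &dims, &n);
    fclose(f);
    free(dims);
    if (dims_out) *dims_out = (rc == LAYOUT_OK) ? n : 0;
    return rc;
}

/* A well-formed record (3 dims, 12 payload bytes) must parse identically under both readers. */
int check_benign_record(void) {
    unsigned char rec[64];
    size_t n_safe = 0, n_vuln = 0;
    size_t len = build_record(rec, sizeof rec, 3, 12);
    return len == 18
        && parse_record(rec, len, 1, &n_safe) == LAYOUT_OK && n_safe == 3
        && parse_record(rec, len, 0, &n_vuln) == LAYOUT_OK && n_vuln == 3;
}

/* A record claiming 1 dim (4-byte allocation) but a 2048-byte payload must be rejected by the hardened reader. */
int check_oversized_record_rejected(void) {
    unsigned char rec[4096];
    size_t n = 7;
    size_t len = build_record(rec, sizeof rec, 1, 2048);
    return len == 2054 && parse_record(rec, len, 1, &n) == LAYOUT_ERR_LEN && n == 0;
}

int main(int argc, char **argv) {
    printf("benign record parses under both readers: %s\n", check_benign_record() ? "yes" : "no");
    printf("hardened reader rejects oversized payload: %s\n", check_oversized_record_rejected() ? "yes" : "no");
    if (argc > 1 && strcmp(argv[1], "--vuln") == 0) {
        /* Only on request: feed the oversized record to the vulnerable reader. Built with
         * -fsanitize=address this aborts with a heap-buffer-overflow WRITE of size 2048 in fread. */
        unsigned char rec[4096];
        size_t len = build_record(rec, sizeof rec, 1, 2048);
        parse_record(rec, len, 0, NULL);
    }
    return 0;
}
```

Build it the same way as the reproduction above (clang -fsanitize=address -g) and run it once without arguments to see both checks pass, then with --vuln to see the sanitizer report the fread write; the point of the hardened variant is that the length check happens before any allocation, so an oversized record is rejected without the heap ever being touched.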
Hi, could you assign a CVE number to this vulnerability?
thank you for finding the bug.
Sorry, I do not have time to take care of CVE numbers.
Sure!
@maintainer - can you please confirm that you are happy for a CVE to be published for this, and we will handle it for you ♥️