Heap-based Buffer Overflow in hoene/libmysofa
Valid
Reported on Oct 6th 2021
Description
System: Ubuntu 20.04
Build commands:
cd libmysofa
mkdir build
cd build
CC=clang CXX=clang++ CFLAGS="-fsanitize=address -g" CXXFLAGS="-fsanitize=address -g" cmake ../
make all
Run commands:
./mysofa2json -c ./heap_oob_read_memcpy
./mysofa2json -c ./heap_oob_read
Proof of Concept
PoC 1: https://drive.google.com/file/d/10jAPwk25mWYmL2pgp_9ZhOwzHBqOjIll/view?usp=sharing
PoC 2: https://drive.google.com/file/d/15Sia7jfpbwsCQnGX5mLuUNKgouNO2o-z/view?usp=sharing
ASAN report 1
==1280671==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001c91 at pc 0x00000049500a bp 0x7ffd8641ec00 sp 0x7ffd8641e3c8
READ of size 12 at 0x602000001c91 thread T0
#0 0x495009 in __asan_memcpy (/home/fuzz/libmysofa/mysofa2json+0x495009)
#1 0x509f75 in mysofa_lookup_init /home/fuzz/libmysofa/src/hrtf/lookup.c:46:5
#2 0x4fb022 in mysofa_open_default /home/fuzz/libmysofa/src/hrtf/easy.c:65:18
#3 0x4c5637 in main /home/fuzz/libmysofa/src/tests/sofa2json.c:104:13
#4 0x7fa1a26850b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#5 0x41d47d in _start (/home/fuzz/libmysofa/mysofa2json+0x41d47d)
0x602000001c91 is located 0 bytes to the right of 1-byte region [0x602000001c90,0x602000001c91)
allocated by thread T0 here:
#0 0x495ed9 in realloc (/home/fuzz/libmysofa/mysofa2json+0x495ed9)
#1 0x4cee3e in getArray /home/fuzz/libmysofa/src/hrtf/reader.c:115:19
#2 0x4cee3e in getHrtf /home/fuzz/libmysofa/src/hrtf/reader.c:256:14
#3 0x4cee3e in mysofa_load /home/fuzz/libmysofa/src/hrtf/reader.c:308:12
#4 0x4faa5e in mysofa_open_default /home/fuzz/libmysofa/src/hrtf/easy.c:37:16
ASAN report 2
==3156106==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001db0 at pc 0x000000531268 bp 0x7ffd237f47d0 sp 0x7ffd237f47c8
READ of size 4 at 0x602000001db0 thread T0
#0 0x531267 in mysofa_resampler_process_float /home/fuzz/libmysofa/src/resampler/speex_resampler.c:697:30
#1 0x519a09 in mysofa_resample /home/fuzz/libmysofa/src/hrtf/resample.c:57:5
#2 0x4fad17 in mysofa_open_default /home/fuzz/libmysofa/src/hrtf/easy.c:49:10
#3 0x4c5637 in main /home/fuzz/libmysofa/src/tests/sofa2json.c:104:13
#4 0x7f8673f9b0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#5 0x41d47d in _start (/home/fuzz/libmysofa/mysofa2json+0x41d47d)
0x602000001db1 is located 0 bytes to the right of 1-byte region [0x602000001db0,0x602000001db1)
allocated by thread T0 here:
#0 0x495ed9 in realloc (/home/fuzz/libmysofa/mysofa2json+0x495ed9)
#1 0x4d15af in getArray /home/fuzz/libmysofa/src/hrtf/reader.c:115:19
#2 0x4d15af in getHrtf /home/fuzz/libmysofa/src/hrtf/reader.c:264:14
#3 0x4d15af in mysofa_load /home/fuzz/libmysofa/src/hrtf/reader.c:308:12
#4 0x4faa5e in mysofa_open_default /home/fuzz/libmysofa/src/hrtf/easy.c:37:16
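Both traces have the same shape: getArray in the reader sizes a heap array from the input file (here a 1-byte realloc'd region), and a later consumer reads a fixed 12 or 4 bytes from it. The example below is added here and is not libmysofa's code; `parsed_array`, `checked_copy`, `make_array` and `load_position` are hypothetical names. It shows the length check a consumer should apply before a fixed-size copy, using the first trace's 12-byte read from a 1-byte region as the rejected case.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for an array the reader sized from the input file. */
struct parsed_array {
    unsigned char *data;   /* heap region from the parser (realloc in the trace) */
    size_t size;           /* number of bytes actually allocated */
};

/* Copies exactly `need` bytes out of `src` only if the array really holds
 * them. Returns 0 on success, -1 when the array is too short, which is the
 * situation in both reports (a 1-byte region read as 12 or 4 bytes). */
int checked_copy(void *dst, size_t need, const struct parsed_array *src)
{
    if (src == NULL || src->data == NULL || src->size < need)
        return -1;
    memcpy(dst, src->data, need);
    return 0;
}

/* Constructs an array of `size` bytes (constructed input). realloc(NULL, 0)
 * is implementation-defined, so at least one byte is always allocated while
 * `size` keeps the true byte count. Returns 0 on success, -1 on failure. */
int make_array(struct parsed_array *a, size_t size)
{
    a->data = realloc(NULL, size ? size : 1);
    if (a->data == NULL)
        return -1;
    memset(a->data, 0, size);
    a->size = size;
    return 0;
}

/* Models the lookup-init step from the first trace: it needs 3 floats
 * (12 bytes) of position data. Returns 1 if the copy was accepted, 0 if it
 * was rejected because the file-derived array is too small, -1 if the
 * allocation itself failed. */
int load_position(size_t array_bytes)
{
    float pos[3];
    struct parsed_array a;
    int rc;

    if (make_array(&a, array_bytes) != 0)
        return -1;
    rc = checked_copy(pos, sizeof pos, &a);
    free(a.data);
    return rc == 0 ? 1 : 0;
}
```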
We have contacted a member of the hoene/libmysofa team and are waiting to hear back.
a year ago: aletheaz modified the report