Heap-based Buffer Overflow in hoene/libmysofa

Valid

Reported on

Oct 18th 2021


Description

System: Ubuntu 20.04

Build commands (AddressSanitizer instrumentation enabled via CFLAGS/CXXFLAGS):

cd libmysofa
mkdir build
cd build
CC=clang CXX=clang++ CFLAGS="-fsanitize=address -g" CXXFLAGS="-fsanitize=address -g" cmake ../
make all

Proof of Concept

https://drive.google.com/file/d/1JbQAECc_j5-SDRZVUsRWiaBgJQZ0nMiK/view?usp=sharing

Reproduction (./libmysofa_loudness is the PoC file from the link above):

./mysofa2json -c ./libmysofa_loudness

ASan report

==1987809==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fd5e74bc000 at pc 0x0000004f1efa bp 0x7fffe97e30b0 sp 0x7fffe97e30a8
READ of size 4 at 0x7fd5e74bc000 thread T0
    #0 0x4f1ef9 in mysofa_loudness /home/fuzz/libmysofa/src/hrtf/loudness.c:32:12
    #1 0x4e17af in mysofa_open_default /home/fuzz/libmysofa/src/hrtf/easy.c:62:5
    #2 0x4c7395 in main /home/fuzz/libmysofa/src/tests/sofa2json.c:104:13
    #3 0x7fd5ea2530b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #4 0x41d48d in _start (/home/fuzz/libmysofa/mysofa2json+0x41d48d)
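A fuzzing harness produces reports like the one above in bulk, and the first triage step is to reduce each one to its error kind, access type and size, crash site and call chain, plus a stable key for deduplicating crashes that share a stack. The Python script below is an added example, not part of this report and not libmysofa code; the report text embedded in it is a copy of the ASan output pasted above, and the field and function names are this example's own.

```python
"""Parse an AddressSanitizer (ASan) report into a triage summary.

Added example: the ASAN_REPORT text is a copy of the report in this page;
the parsing and dedup logic is illustrative and not libmysofa's own code.
"""
import os
import re
from dataclasses import dataclass, field
from typing import List, Optional

ASAN_REPORT = """\
==1987809==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fd5e74bc000 at pc 0x0000004f1efa bp 0x7fffe97e30b0 sp 0x7fffe97e30a8
READ of size 4 at 0x7fd5e74bc000 thread T0
    #0 0x4f1ef9 in mysofa_loudness /home/fuzz/libmysofa/src/hrtf/loudness.c:32:12
    #1 0x4e17af in mysofa_open_default /home/fuzz/libmysofa/src/hrtf/easy.c:62:5
    #2 0x4c7395 in main /home/fuzz/libmysofa/src/tests/sofa2json.c:104:13
    #3 0x7fd5ea2530b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #4 0x41d48d in _start (/home/fuzz/libmysofa/mysofa2json+0x41d48d)
"""


@dataclass
class Frame:
    index: int
    pc: str
    function: str
    location: str  # "file:line:col" with debug info, or "(module+offset)" without


@dataclass
class AsanReport:
    pid: int
    error_kind: str            # e.g. "heap-buffer-overflow"
    address: str
    access: Optional[str] = None  # "READ" or "WRITE"
    size: Optional[int] = None    # access width in bytes
    frames: List[Frame] = field(default_factory=list)


HEADER_RE = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-fA-F]+)")
FRAME_RE = re.compile(r"^\s*#(\d+) (0x[0-9a-fA-F]+) in (\S+) (.+)$")
SRC_RE = re.compile(r"^(.*?):(\d+)(?::\d+)?$")


def parse_asan_report(text: str) -> AsanReport:
    """Extract the header, the faulting access and the first (crashing) stack."""
    report: Optional[AsanReport] = None
    in_stack = False
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m and report is None:
            report = AsanReport(pid=int(m.group(1)), error_kind=m.group(2), address=m.group(3))
            continue
        if report is None:
            continue  # ignore program output that precedes the ERROR header
        m = ACCESS_RE.match(line)
        if m:
            report.access, report.size = m.group(1), int(m.group(2))
            continue
        m = FRAME_RE.match(line)
        if m:
            in_stack = True
            report.frames.append(Frame(int(m.group(1)), m.group(2), m.group(3), m.group(4).strip()))
        elif in_stack:
            break  # first stack is complete; skip allocation/free stacks and shadow bytes
    if report is None:
        raise ValueError("no AddressSanitizer ERROR header found")
    return report


def source_ref(frame: Frame) -> str:
    """Return 'file:line' without the directory, or the module+offset if no debug info."""
    m = SRC_RE.match(frame.location)
    if m:
        return f"{os.path.basename(m.group(1))}:{m.group(2)}"
    return frame.location.strip("()")


def call_chain(report: AsanReport) -> List[str]:
    return [f.function for f in report.frames]


def crash_site(report: AsanReport) -> str:
    top = report.frames[0]
    return f"{top.function} at {source_ref(top)}"


def dedup_key(report: AsanReport, depth: int = 3) -> str:
    """Stable bucket key: error kind, access type and the top `depth` frames."""
    parts = [report.error_kind, report.access or "?"]
    parts += [f"{f.function}@{source_ref(f)}" for f in report.frames[:depth]]
    return "|".join(parts)


def triage_line(report: AsanReport) -> str:
    return (f"{report.error_kind} {report.access} of size {report.size} "
            f"in {crash_site(report)} (pid {report.pid})")


if __name__ == "__main__":
    r = parse_asan_report(ASAN_REPORT)
    print(triage_line(r))
    print(" -> ".join(call_chain(r)))
    print(dedup_key(r))
```

Run on the report above it yields "heap-buffer-overflow READ of size 4 in mysofa_loudness at loudness.c:32 (pid 1987809)"; the dedup key intentionally drops addresses and PIDs, which change from run to run, and keys only on error kind, access type and the top frames, so a fuzzing campaign can group repeat hits of this same site.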

Timeline

We have contacted a member of the hoene/libmysofa team and are waiting to hear back (2 months ago)
Christian Hoene validated this vulnerability (2 months ago)
aletheaz has been awarded the disclosure bounty
The fix bounty is now up for grabs
Christian Hoene confirmed that a fix has been merged on e846c8 (2 months ago)
Christian Hoene has been awarded the fix bounty