Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NULL pointer dereference in ModuleState::setup, in ModuleState.cpp #49

Open
92wyunchao opened this issue Jul 6, 2018 · 1 comment
Open

NULL pointer dereference in ModuleState::setup, in ModuleState.cpp #49

92wyunchao opened this issue Jul 6, 2018 · 1 comment

Comments

@92wyunchao
Copy link

There exists one NULL pointer dereference bug in ModuleState::setup, in ModuleState.cpp, which allows an attacker to cause a denial of service via a crafted caf file.
poc.zip

To reproduce with the attached poc file:
./sfconvert $poc output format aiff

ASan:
==98672==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ff14364b98f bp 0x7ffd2fd4dd80 sp 0x7ffd2fd4d9c0 T0)
#0 0x7ff14364b98e in ModuleState::setup(_AFfilehandle*, Track*) /home/s2e/asan/audiofile-0.3.6/libaudiofile/modules/ModuleState.cpp:143
#1 0x7ff143634abd in afGetFrameCount /home/s2e/asan/audiofile-0.3.6/libaudiofile/format.cpp:205
#2 0x4ec033 in copyaudiodata /home/s2e/asan/audiofile-0.3.6/sfcommands/sfconvert.c:329
#3 0x4ebbe4 in main /home/s2e/asan/audiofile-0.3.6/sfcommands/sfconvert.c:248
#4 0x7ff1426c382f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#5 0x419068 in _start (/home/s2e/asan/audiofile-0.3.6/sfcommands/.libs/lt-sfconvert+0x419068)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/s2e/asan/audiofile-0.3.6/libaudiofile/modules/ModuleState.cpp:143 in ModuleState::setup(_AFfilehandle*, Track*)
==98672==ABORTING
@kirotawa
Copy link

CVE-2018-13440 was assigned to this issue: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-13440

wtay added a commit to wtay/audiofile that referenced this issue Sep 27, 2018
@wtay
ModuleState: handle compress/decompress init failure
fde6d79 
When the unit initcompress or initdecompress function fails,
m_fileModule is NULL. Return AF_FAIL in that case instead of
causing NULL pointer dereferences later.

Fixes mpruett#49
@wtay wtay mentioned this issue Sep 27, 2018
Open
sbaldovi pushed a commit to sbaldovi/audiofile that referenced this issue May 30, 2023
@wtay @sbaldovi
ModuleState: handle compress/decompress init failure
aeeb0cf 
When the unit initcompress or initdecompress function fails,
m_fileModule is NULL. Return AF_FAIL in that case instead of
causing NULL pointer dereferences later.

Fixes mpruett#49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@kirotawa @92wyunchao