
Comments (2)

carnil commented on June 3, 2024

It appears that a CVE has been assigned to this issue: CVE-2022-24599

from audiofile.

bastien-roucaries commented on June 3, 2024

Fixed by:

commit 4d3238843385b9929d7a1ab9034a6fc13949c7b4
Author: Bastien Roucariès <[email protected]>
Date:   Sat Nov 11 15:58:50 2023 +0000

    Fix CVE-2022-24599
    
    Memory-leak bug in printfileinfo, due to memcpy on a non-allocated memory buffer
    with a user-declared string.
    
    Fix it by calloc(declaredsize+1,1), which zeros the buffer and terminates it with '\0'
    for printf.
    
    Also avoid a buffer overflow by refusing to allocate more than INT_MAX-1.
    
    Before under valgrind:
    libtool --mode=execute valgrind --track-origins=yes  ./sfinfo heapleak_poc.aiff
    
    Duration       -inf seconds
    ==896222== Invalid read of size 1
    ==896222==    at 0x4846794: strlen (vg_replace_strmem.c:494)
    ==896222==    by 0x49246C8: __printf_buffer (vfprintf-process-arg.c:435)
    ==896222==    by 0x4924D90: __vfprintf_internal (vfprintf-internal.c:1459)
    ==896222==    by 0x49DE986: __printf_chk (printf_chk.c:33)
    ==896222==    by 0x10985C: printf (stdio2.h:86)
    ==896222==    by 0x10985C: printfileinfo (printinfo.c:134)
    ==896222==    by 0x10930A: main (sfinfo.c:113)
    ==896222==  Address 0x4e89bd1 is 0 bytes after a block of size 1 alloc'd
    ==896222==    at 0x48407B4: malloc (vg_replace_malloc.c:381)
    ==896222==    by 0x109825: copyrightstring (printinfo.c:163)
    ==896222==    by 0x109825: printfileinfo (printinfo.c:131)
    ==896222==    by 0x10930A: main (sfinfo.c:113)
    ==896222==
    Copyright      C
    
    After:
    Duration       -inf seconds
    Copyright      C

diff --git a/sfcommands/printinfo.c b/sfcommands/printinfo.c
index 60e6947..f5cf925 100644
--- a/sfcommands/printinfo.c
+++ b/sfcommands/printinfo.c
@@ -37,6 +37,7 @@
 #include <stdint.h>
 #include <stdio.h>
 #include <stdlib.h>
+#include <limits.h>
 
 static char *copyrightstring (AFfilehandle file);
 
@@ -147,7 +148,11 @@ static char *copyrightstring (AFfilehandle file)
 	int		i, misccount;
 
 	misccount = afGetMiscIDs(file, NULL);
-	miscids = (int *) malloc(sizeof (int) * misccount);
+	if(!misccount)
+		return NULL;
+	miscids = (int *) calloc(misccount, sizeof(int));
+	if(!miscids)
+		return NULL;
 	afGetMiscIDs(file, miscids);
 
 	for (i=0; i<misccount; i++)
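Review bot: the new guard `if(!misccount)` only handles the zero case; `misccount` is an `int`, so a negative error return from afGetMiscIDs passes straight into `calloc(misccount, sizeof(int))` as a huge `size_t`, and only the `if(!miscids)` fallback catches it. Use `if (misccount <= 0) return NULL;` so the empty and error cases are both rejected explicitly rather than relying on calloc failing.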
@@ -159,13 +164,16 @@ static char *copyrightstring (AFfilehandle file)
 			If this code executes, the miscellaneous chunk is a
 			copyright chunk.
 		*/
-		int datasize = afGetMiscSize(file, miscids[i]);
-		char *data = (char *) malloc(datasize);
+		size_t datasize = afGetMiscSize(file, miscids[i]);
+		if(datasize >= INT_MAX -1 ) {
+			goto error;
+		}
+		char *data = (char *) calloc(datasize + 1, 1);
 		afReadMisc(file, miscids[i], data, datasize);
 		copyright = data;
 		break;
 	}
-
+error:
 	free(miscids);
 
 	return copyright;
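Review bot: the allocation at `char *data = (char *) calloc(datasize + 1, 1);` is not checked before `afReadMisc(file, miscids[i], data, datasize);`, so an allocation failure turns into a write through NULL instead of a clean error; add `if (!data) goto error;` since the `error:` label is already in place. Two smaller points: storing afGetMiscSize's result in a `size_t` means a negative error value wraps to a large number and is rejected by the `INT_MAX -1` guard, which works but deserves a comment saying so, and the spacing in `INT_MAX -1 )` should be `INT_MAX - 1)`.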

from audiofile.
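As an added C example (not audiofile's code) of the bug class the commit message describes and the fix it applies: a chunk payload copied into a buffer of exactly its declared size has no NUL terminator, so a later printf("%s") makes strlen walk past the allocation, which is the "Invalid read of size 1" in the valgrind trace above; allocating with calloc(datasize + 1, 1) behind an upper bound on datasize fixes it. The misc_chunk structure, the read_misc reader and the sample payload are constructed assumptions standing in for afGetMiscSize/afReadMisc.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for an AIFF/WAVE miscellaneous chunk (assumption, not
 * audiofile's structures): the size the file declares and the raw payload.
 * Chunk payloads carry no trailing NUL, which is the root of the bug. */
struct misc_chunk {
    size_t declared_size;
    const char *payload;   /* exactly declared_size bytes, not a C string */
};

/* Hypothetical reader with the same contract as afReadMisc (assumption):
 * copy up to len payload bytes into buf and add no terminator. */
static size_t read_misc(const struct misc_chunk *c, char *buf, size_t len)
{
    size_t n = c->declared_size < len ? c->declared_size : len;
    memcpy(buf, c->payload, n);
    return n;
}

/* The pattern the commit removes: malloc(datasize), fill it, return it.
 * No byte is reserved for the terminator, so a later printf("%s") makes
 * strlen() read past the allocation. This function deliberately keeps that
 * defect and never calls strlen on the result. */
static char *copyright_unterminated(const struct misc_chunk *c)
{
    size_t datasize = c->declared_size;
    char *data = malloc(datasize);
    if (data == NULL)
        return NULL;
    read_misc(c, data, datasize);
    return data;
}

/* The fixed pattern: reject absurd declared sizes, then calloc(datasize + 1, 1)
 * so the buffer is zeroed and data[datasize] is a guaranteed NUL. */
static char *copyright_terminated(const struct misc_chunk *c)
{
    size_t datasize = c->declared_size;
    if (datasize >= INT_MAX - 1)
        return NULL;
    char *data = calloc(datasize + 1, 1);
    if (data == NULL)
        return NULL;
    read_misc(c, data, datasize);
    return data;
}

/* Bounded check: is there a NUL within the bytes_owned bytes we allocated?
 * memchr stops at the bound, so it is safe on both buffers above. */
static int has_terminator(const char *buf, size_t bytes_owned)
{
    return memchr(buf, '\0', bytes_owned) != NULL;
}

/* Constructed sample chunk: a char[14] initialised from a 14-character literal
 * keeps the text and drops the NUL, exactly like a chunk read from a file. */
static const char sample_payload[14] = "Copyright 2023";
static const struct misc_chunk sample_chunk = { sizeof sample_payload, sample_payload };

int main(void)
{
    char *u = copyright_unterminated(&sample_chunk);
    char *t = copyright_terminated(&sample_chunk);
    if (u == NULL || t == NULL)
        return 1;
    /* The unterminated buffer is never handed to %s; only the bounded
     * inspection result is printed. */
    printf("malloc(datasize) buffer terminated: %s\n",
           has_terminator(u, sample_chunk.declared_size) ? "yes" : "no");
    printf("calloc(datasize+1,1) buffer terminated: %s -> \"%s\"\n",
           has_terminator(t, sample_chunk.declared_size + 1) ? "yes" : "no", t);
    free(u);
    free(t);
    return 0;
}
```

The has_terminator check is the kind of bounded inspection a caller can run before passing a chunk-derived buffer to any %s-style consumer; the INT_MAX - 1 bound mirrors the commit's guard, so a declared size that wrapped through a signed conversion is rejected before any allocation happens.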
