huntr | Aaardu | 7CA8D9EA-E2A6-4294-AF28-70260BB53BC1
Sep 27, 2021 - 1:04 p.m.

Heap-based Buffer Overflow in hoene/libmysofa

2021-09-27 13:04:04
aaardu
www.huntr.dev
18
heap-based buffer overflow
libmysofa
mysofa2json
ubuntu 20.04.3 lts
clang 12.0.1
addresssanitizer
proof of concept

EPSS

0.003

Percentile

71.5%

Description

There are several heap-buffer-overflows in mysofa2json of libmysofa. They occur in the functions loudness, mysofa_check and readOHDRHeaderMessageDataLayout.

System info

Ubuntu 20.04.3 LTS

clang 12.0.1

libmysofa (github master branch commit 0cb89cb)

Command to Reproduce

Build libmysofa with AddressSanitizer:

cd libmysofa
mkdir build
cd build
CC=clang CXX=clang++ CFLAGS="-fsanitize=address -g" CXXFLAGS="-fsanitize=address -g" cmake ../
make all

Execute mysofa2json with the PoC file:

./src/mysofa2json -c poc

Proof of Concept

POC
POC2
POC3

ASAN output

POC

==32642==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001f30 at pc 0x000000504266 bp 0x7ffd90b79510 sp 0x7ffd90b79508
READ of size 4 at 0x602000001f30 thread T0
    #0 0x504265 in loudness /VulMin/libmysofa/libmysofa/src/hrtf/tools.c:183:12
    #1 0x522e98 in mysofa_loudness /VulMin/libmysofa/libmysofa/src/hrtf/loudness.c:49:12
    #2 0x504d22 in mysofa_open_default /VulMin/libmysofa/libmysofa/src/hrtf/easy.c:56:5
    #3 0x4ca783 in main /VulMin/libmysofa/libmysofa/src/tests/sofa2json.c:104:13
    #4 0x7fcc7c4220b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #5 0x41e4dd in _start (/VulMin/libmysofa/build/src/mysofa2json+0x41e4dd)

POC2

==12027==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000024100 at pc 0x00000051255c bp 0x7fff68b0a490 sp 0x7fff68b0a488
READ of size 4 at 0x621000024100 thread T0
    #0 0x51255b in mysofa_check /VulMin/libmysofa/libmysofa/src/hrtf/check.c:153:14
    #1 0x504463 in mysofa_open_default /VulMin/libmysofa/libmysofa/src/hrtf/easy.c:43:10
    #2 0x4ca783 in main /VulMin/libmysofa/libmysofa/src/tests/sofa2json.c:104:13
    #3 0x7f5185b890b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #4 0x41e4dd in _start (/VulMin/libmysofa/build/src/mysofa2json+0x41e4dd)

POC3

==12079==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62a000005060 at pc 0x000000435cde bp 0x7ffd91bcd2d0 sp 0x7ffd91bcca98
WRITE of size 28771 at 0x62a000005060 thread T0
    #0 0x435cdd in fread (/VulMin/libmysofa/build/src/mysofa2json+0x435cdd)
    #1 0x4e14bc in readOHDRHeaderMessageDataLayout /VulMin/libmysofa/libmysofa/src/hdf/dataobject.c:511:13
    #2 0x4e14bc in readOHDRmessages /VulMin/libmysofa/libmysofa/src/hdf/dataobject.c:1123:20
    #3 0x4dcee6 in dataobjectRead /VulMin/libmysofa/libmysofa/src/hdf/dataobject.c:1226:9
    #4 0x4f7023 in directblockRead /VulMin/libmysofa/libmysofa/src/hdf/fractalhead.c:239:15
    #5 0x4f39ba in fractalheapRead /VulMin/libmysofa/libmysofa/src/hdf/fractalhead.c:638:13
    #6 0x4dd43a in dataobjectRead /VulMin/libmysofa/libmysofa/src/hdf/dataobject.c:1251:11
    #7 0x4da3dd in superblockRead /VulMin/libmysofa/libmysofa/src/hdf/superblock.c:201:12
    #8 0x4d0483 in mysofa_load /VulMin/libmysofa/libmysofa/src/hrtf/reader.c:305:10
    #9 0x4ca71b in main VulMin/libmysofa/libmysofa/src/tests/sofa2json.c:90:10
    #10 0x7f6b102d00b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #11 0x41e4dd in _start (/VulMin/libmysofa/build/src/mysofa2json+0x41e4dd)
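
Triage of the three reports above, as an added example that is not part of the original report: a Python parser that extracts the access type and size from each ASAN report and picks the first frame carrying file:line information, which is why POC3 is attributed to readOHDRHeaderMessageDataLayout rather than the fread interceptor at frame #0. The names parse_reports and bucket are illustrative.

```python
import re

# Excerpt of the three ASAN reports above (header, access line, first two frames).
SAMPLE = """\
==32642==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001f30 at pc 0x000000504266 bp 0x7ffd90b79510 sp 0x7ffd90b79508
READ of size 4 at 0x602000001f30 thread T0
    #0 0x504265 in loudness /VulMin/libmysofa/libmysofa/src/hrtf/tools.c:183:12
    #1 0x522e98 in mysofa_loudness /VulMin/libmysofa/libmysofa/src/hrtf/loudness.c:49:12
==12027==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000024100 at pc 0x00000051255c bp 0x7fff68b0a490 sp 0x7fff68b0a488
READ of size 4 at 0x621000024100 thread T0
    #0 0x51255b in mysofa_check /VulMin/libmysofa/libmysofa/src/hrtf/check.c:153:14
    #1 0x504463 in mysofa_open_default /VulMin/libmysofa/libmysofa/src/hrtf/easy.c:43:10
==12079==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62a000005060 at pc 0x000000435cde bp 0x7ffd91bcd2d0 sp 0x7ffd91bcca98
WRITE of size 28771 at 0x62a000005060 thread T0
    #0 0x435cdd in fread (/VulMin/libmysofa/build/src/mysofa2json+0x435cdd)
    #1 0x4e14bc in readOHDRHeaderMessageDataLayout /VulMin/libmysofa/libmysofa/src/hdf/dataobject.c:511:13
"""

HEADER = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: (\S+)")
ACCESS = re.compile(r"^(READ|WRITE) of size (\d+)")
FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+)$")
# A symbolized frame ends in file:line[:col]; an interceptor or libc frame is "(module+0xoff)".
SOURCE = re.compile(r"^([^(].*?):(\d+)(?::\d+)?$")

def parse_reports(text):
    """Return one dict per ASAN report: pid, bug class, access, size, first source-level frame."""
    reports, cur = [], None
    for line in text.splitlines():
        if m := HEADER.match(line):
            cur = {"pid": int(m[1]), "bug": m[2], "access": None, "size": None, "frame": None}
            reports.append(cur)
        elif cur is None:
            continue  # text before the first report header
        elif m := ACCESS.match(line):
            cur["access"], cur["size"] = m[1], int(m[2])
        elif cur["frame"] is None and (m := FRAME.match(line)):
            src = SOURCE.match(m[2])
            if src:  # skip frames without file:line, e.g. the fread interceptor
                cur["frame"] = (m[1], src[1].rsplit("/", 1)[-1], int(src[2]))
    return reports

def bucket(report):
    """Crash-bucket key: bug class, access type and faulting function (None if unsymbolized)."""
    frame = report["frame"]
    return (report["bug"], report["access"], frame[0] if frame else None)

if __name__ == "__main__":
    for r in parse_reports(SAMPLE):
        print(r["pid"], r["access"], r["size"], "%s %s:%d" % r["frame"])
```

Bucketing on the first source-level frame keeps the two 4-byte reads and the 28771-byte write as three distinct findings, matching the three functions named in the description.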
