Issue 651482


Issue metadata

Status: WontFix
Owner: ----
Closed: Sep 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security


Security: Signed Integer Overflow in libvorbis

Reported by c...@ecraig.com, Sep 29 2016

Issue description

VULNERABILITY DETAILS
The libvorbis function _book_maptype1_quantvals() is prone to a signed integer overflow as reported by UBSAN.

VERSION
Chrome Version: N/A (testing libvorbis-1.3.5.tar.gz directly)
Operating System: Linux 4.2.0-18-generic (Ubuntu)

REPRODUCTION CASE
1) Download libvorbis-1.3.5.tar.gz from http://downloads.xiph.org/releases/vorbis/libvorbis-1.3.5.tar.gz
2) Extract and build the code using clang with UBSAN support (i.e. CFLAGS="-fsanitize=undefined -fno-omit-frame-pointer -g")
3) Make the examples (i.e. cd examples && make)
4) Run the attached AFL produced test case through the decoder sample (i.e. cat $FILE | decoder_example)

The output of this run should include UBSAN reports similar to the following:
bitwise.c:400:25: runtime error: left shift of 28 by 27 places cannot be represented in type 'int'
    #0 0x7fef958c2d99 in oggpack_read /home/spotless/fuzzing/media/vorbis/libogg-1.3.2/src/bitwise.c:400:16
    #1 0x7fef95f68562 in vorbis_staticbook_unpack /home/spotless/fuzzing/media/vorbis/libvorbis-1.3.5/lib/codebook.c:233:14
    #2 0x7fef95f0440a in _vorbis_unpack_books /home/spotless/fuzzing/media/vorbis/libvorbis-1.3.5/lib/info.c:270:23
    #3 0x7fef95f0440a in vorbis_synthesis_headerin /home/spotless/fuzzing/media/vorbis/libvorbis-1.3.5/lib/info.c:424
    #4 0x42e5b9 in main /home/spotless/fuzzing/media/vorbis/libvorbis-1.3.5/examples/decoder_example.c:166:20
    #5 0x7fef94c9ca3f in __libc_start_main /build/buildd/glibc-2.21/csu/libc-start.c:289
    #6 0x4169c8 in _start (/home/spotless/fuzzing/media/vorbis/libvorbis-1.3.5/examples/.libs/lt-decoder_example+0x4169c8)

sharedbook.c:174:11: runtime error: signed integer overflow: 4611686018427387904 * 2 cannot be represented in type 'long'
    #0 0x7fef95f72a3e in _book_maptype1_quantvals /home/spotless/fuzzing/media/vorbis/libvorbis-1.3.5/lib/sharedbook.c:174:7
    #1 0x7fef95f68a44 in vorbis_staticbook_unpack /home/spotless/fuzzing/media/vorbis/libvorbis-1.3.5/lib/codebook.c:243:32
    #2 0x7fef95f0440a in _vorbis_unpack_books /home/spotless/fuzzing/media/vorbis/libvorbis-1.3.5/lib/info.c:270:23
    #3 0x7fef95f0440a in vorbis_synthesis_headerin /home/spotless/fuzzing/media/vorbis/libvorbis-1.3.5/lib/info.c:424
    #4 0x42e5b9 in main /home/spotless/fuzzing/media/vorbis/libvorbis-1.3.5/examples/decoder_example.c:166:20
    #5 0x7fef94c9ca3f in __libc_start_main /build/buildd/glibc-2.21/csu/libc-start.c:289
    #6 0x4169c8 in _start (/home/spotless/fuzzing/media/vorbis/libvorbis-1.3.5/examples/.libs/lt-decoder_example+0x4169c8)

sharedbook.c:173:10: runtime error: signed integer overflow: 4611686018427387904 * 2 cannot be represented in type 'long'
    #0 0x7fef95f729c0 in _book_maptype1_quantvals /home/spotless/fuzzing/media/vorbis/libvorbis-1.3.5/lib/sharedbook.c:173:7
    #1 0x7fef95f68a44 in vorbis_staticbook_unpack /home/spotless/fuzzing/media/vorbis/libvorbis-1.3.5/lib/codebook.c:243:32
    #2 0x7fef95f0440a in _vorbis_unpack_books /home/spotless/fuzzing/media/vorbis/libvorbis-1.3.5/lib/info.c:270:23
    #3 0x7fef95f0440a in vorbis_synthesis_headerin /home/spotless/fuzzing/media/vorbis/libvorbis-1.3.5/lib/info.c:424
    #4 0x42e5b9 in main /home/spotless/fuzzing/media/vorbis/libvorbis-1.3.5/examples/decoder_example.c:166:20
    #5 0x7fef94c9ca3f in __libc_start_main /build/buildd/glibc-2.21/csu/libc-start.c:289
    #6 0x4169c8 in _start (/home/spotless/fuzzing/media/vorbis/libvorbis-1.3.5/examples/.libs/lt-decoder_example+0x4169c8)

NOTE: I am uncertain if this is exploitable, but as far as I can tell, it doesn't appear to be handled within the code.
 
Attachment: id:000176,orig:id:000449,src:000045,op:flip1,pos:1867 (4.5 KB)
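The two UBSAN reports above point at the running products `acc *= vals` and `acc1 *= vals+1` in _book_maptype1_quantvals(), which multiply dim times with no bound on the header-supplied dim. The following is an added illustration, not libvorbis code and not part of the report: a stand-in for that integer-root computation using saturating arithmetic, plus a check that tells whether a given (entries, dim) pair would drive the unchecked 1.3.5 loop into overflow. The `book_hdr` type and both function names are my own; the struct mirrors only the two static_codebook fields the real function reads.

```c
#include <limits.h>
#include <stdio.h>

/* Constructed stand-in for the two static_codebook fields that
   _book_maptype1_quantvals() reads (hypothetical type name). */
typedef struct { long entries; long dim; } book_hdr;

/* a*b saturating at LONG_MAX instead of overflowing; the unchecked
   acc *= vals at sharedbook.c:173-174 is exactly what UBSAN flagged. */
static long mul_sat(long a, long b) {
    long r;
    return __builtin_mul_overflow(a, b, &r) ? LONG_MAX : r;
}

/* base^dim for base >= 2, saturating and stopping once saturated, so a
   16-bit dim (up to 65535) costs at most ~63 multiplies. */
static long pow_sat(long base, long dim) {
    long acc = 1;
    for (long i = 0; i < dim && acc != LONG_MAX; i++)
        acc = mul_sat(acc, base);
    return acc;
}

/* Largest vals with vals^dim <= entries, i.e. the value the libvorbis
   function computes, found by binary search over [1, entries] with
   saturating powers: no header value can overflow the arithmetic. */
long safe_maptype1_quantvals(const book_hdr *b) {
    long lo = 1, hi = b->entries;
    if (b->entries < 1 || b->dim < 1) return 0;
    while (lo < hi) {
        long mid = lo + (hi - lo + 1) / 2;        /* upper midpoint */
        if (pow_sat(mid, b->dim) <= b->entries) lo = mid;
        else hi = mid - 1;
    }
    return lo;
}

/* Would the 1.3.5 loop overflow on this header? With entries < 2^dim the
   search reaches vals = 1, so acc1 = 2^dim is the first product to blow
   up, matching the "4611686018427387904 * 2" (2^62 * 2) in the report. */
int quantvals_loop_overflows(const book_hdr *b) {
    return b->entries >= 1 && b->dim >= 1 && pow_sat(2, b->dim) == LONG_MAX;
}

int main(void) {
    book_hdr fuzzed = { 2, 65535 };     /* constructed: largest 16-bit dim */
    printf("vals=%ld, 1.3.5 loop would overflow=%d\n",
           safe_maptype1_quantvals(&fuzzed), quantvals_loop_overflows(&fuzzed));
    return 0;
}
```

`__builtin_mul_overflow` is a GCC/Clang intrinsic; on other compilers replace mul_sat with a division-based check against LONG_MAX.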

Comment 1 by kenrb@chromium.org, Sep 29 2016

Cc: kenrb@chromium.org
Status: WontFix (was: Unconfirmed)
Is there any reason to think this affects Chromium?

Our Vorbis support is from ffmpeg. The code you are referencing does not appear to be included in the Chromium project.

I recommend you report this to the codec maintainers.

Comment 2 by c...@ecraig.com, Sep 29 2016

Well, since FFmpeg uses libvorbis and Chromium uses FFmpeg, I was under the impression that Chromium would also be using libvorbis.

From the configure script, it does appear that FFmpeg in the Chromium source at least has the option to use libvorbis: https://cs.chromium.org/chromium/src/third_party/ffmpeg/configure?type=cs&q=lvorbis&sq=package:chromium&l=5527

I am however not familiar enough with the Chromium build process to know how FFmpeg is configured for a Chromium build.

Apologies for the incorrect submission.

Comment 3 by sheriffbot@chromium.org, Jan 6 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot