
Re: [bug-libextractor] libextract 'EXTRACTOR_wav_extract_method/wav_extr


From: Christian Grothoff
Subject: Re: [bug-libextractor] libextract 'EXTRACTOR_wav_extract_method/wav_extractor.c' Divide-By-Zero Denial of Service Vulnerability
Date: Mon, 9 Oct 2017 15:30:48 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0

Thanks for reporting, fixed in f376d24..b577d54.

Happy hacking!

Christian

On 10/09/2017 04:42 AM, Leon Zhao wrote:
> *Tested Version:*
> v1.4
> 
> *Details:*
> In the 'EXTRACTOR_wav_extract_method' function of wav_extractor.c, the
> program does not check the value of sample_rate; with a crafted file,
> the sample_rate can be set to zero.
> 
> *Vulnerability Code:*
> 114       snprintf (scratch,
> 115                 sizeof (scratch),
> 116                 "%u ms, %d Hz, %s",
> 117                 (samples < sample_rate)
> 118                 ? (samples * 1000 / sample_rate)
> 119                 : (samples / sample_rate) * 1000,
> 120                 sample_rate, (1 == channels) ? _("mono") : _("stereo"));
> 
> *Crash Information:*
> The output of gdb:
> Reading symbols from /opt/asan/bin/extract...done.
> (gdb) set args -i extract-wav_extractor-119.dos 
> (gdb) run
> Starting program: /opt/asan/bin/extract -i extract-wav_extractor-119.dos 
> [Thread debugging using libthread_db enabled]
> Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
> Keywords for file extract-wav_extractor-119.dos:
> 
> Program received signal SIGFPE, Arithmetic exception.
> 0x00007ffff1c242fe in EXTRACTOR_wav_extract_method (ec=0x7fffffffa070)
> at wav_extractor.c:119
> 119                 : (samples / sample_rate) * 1000,
> (gdb) p sample_rate
> $1 = 0
> (gdb) bt
> #0  0x00007ffff1c242fe in EXTRACTOR_wav_extract_method
> (ec=0x7fffffffa070) at wav_extractor.c:119
> #1  0x00007ffff6c09793 in do_extract (plugins=0x60800000b520, shm=0x0,
> ds=0x60300000ec20, proc=0x40255a <print_selected_keywords>,
> proc_cls=0x0) at extractor.c:577
> #2  0x00007ffff6c09b99 in EXTRACTOR_extract (plugins=0x60800000b520,
> filename=0x60800000be59 "extract-wav_extractor-119.dos", data=0x0, size=0, 
>     proc=0x40255a <print_selected_keywords>, proc_cls=0x0) at
> extractor.c:655
> #3  0x00000000004044ca in main (argc=3, argv=0x7fffffffe4d8) at
> extract.c:977
> (gdb) l
> 114       snprintf (scratch,
> 115                 sizeof (scratch),
> 116                 "%u ms, %d Hz, %s",
> 117                 (samples < sample_rate)
> 118                 ? (samples * 1000 / sample_rate)
> 119                 : (samples / sample_rate) * 1000,
> 120                 sample_rate, (1 == channels) ? _("mono") : _("stereo"));
> 121       if (0 != ec->proc (ec->cls, 
> 122                          "wav",
> 123                          EXTRACTOR_METATYPE_RESOURCE_TYPE,
> (gdb) 
> 
> *CREDIT*
> Zhao Liang, Huawei Weiran Labs
> 
> 

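As an added example (not libextractor's code, and not part of the thread), the guarded form of the duration computation the report describes, with a constructed canonical 44-byte PCM WAV header so the zero-rate case can be exercised offline. Field offsets follow the standard RIFF/WAVE layout; `wav_duration_ms` and `duration_of` are names chosen here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Little-endian field readers/writers for the canonical 44-byte PCM header. */
static uint32_t rd32(const unsigned char *p)
{ return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24); }
static uint16_t rd16(const unsigned char *p) { return p[0] | (p[1] << 8); }
static void wr32(unsigned char *p, uint32_t v)
{ p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }
static void wr16(unsigned char *p, uint16_t v) { p[0] = v; p[1] = v >> 8; }

/* Duration in milliseconds, or -1 when the header is truncated, is not
   RIFF/WAVE, or carries a zero sample_rate / block_align: both are
   attacker-controlled fields that become divisors. */
long wav_duration_ms(const unsigned char *buf, size_t len)
{
    if (len < 44 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "WAVE", 4) != 0)
        return -1;
    uint32_t sample_rate = rd32(buf + 24);
    uint16_t block_align = rd16(buf + 32);   /* bytes per frame */
    uint32_t data_size   = rd32(buf + 40);
    if (sample_rate == 0 || block_align == 0)
        return -1;   /* without this check a crafted file raises SIGFPE below */
    uint64_t samples = data_size / block_align;   /* frames (samples per channel) */
    /* 64-bit arithmetic cannot overflow here, so the two-branch form
       quoted in the report is not needed. */
    return (long)(samples * 1000 / sample_rate);
}

/* Build a constructed header from the given fields and measure it. */
long duration_of(uint32_t rate, uint16_t channels, uint16_t bits, uint32_t data_size)
{
    unsigned char h[44];
    memset(h, 0, sizeof h);
    memcpy(h, "RIFF", 4);      wr32(h + 4, 36 + data_size);
    memcpy(h + 8, "WAVE", 4);  memcpy(h + 12, "fmt ", 4);
    wr32(h + 16, 16);          wr16(h + 20, 1);            /* PCM format tag */
    wr16(h + 22, channels);    wr32(h + 24, rate);
    uint16_t block_align = (uint16_t)(channels * bits / 8);
    wr32(h + 28, rate * block_align);                      /* byte rate */
    wr16(h + 32, block_align); wr16(h + 34, bits);
    memcpy(h + 36, "data", 4); wr32(h + 40, data_size);
    return wav_duration_ms(h, sizeof h);
}
```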