Stack-buffer-overflow in function impeghe_wav_header_decode() at libmpeghe/test/impeghe_testbench.c:244 #16

Open
zhuvensi opened this issue Jun 28, 2024 · 0 comments


zhuvensi commented Jun 28, 2024

Describe

A stack-buffer-overflow was discovered in libmpeghe v[2024-06-12]. The issue is triggered in function impeghe_wav_header_decode() at libmpeghe/test/impeghe_testbench.c:244. Attackers may exploit this vulnerability to execute and cause a DoS attack.

Reproduce:

Tested in Ubuntu 22.04
First, compile the program with AddressSanitizer:

mkdir cmake_build
cd cmake_build
AFL_USE_ASAN=1 CC=afl-clang-lto CXX=afl-clang-lto++ cmake ..
AFL_USE_ASAN=1  make -j8

Then the PoC is input:

./MPEGHEncoder -ifile:/home/crashes/libmpeghe/crashes.2024-06-28-03:53:38/id:000000,sig:06,src:000009+000601,time:1661846,execs:14312,op:splice,rep:16 -ofile:1.mp4

ASan Reports:

==2599528==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f17cd20006f at pc 0x5596e543c952 bp 0x7ffc9c0e0310 sp 0x7ffc9c0e0308
READ of size 1 at 0x7f17cd20006f thread T0
    #0 0x5596e543c951 in impeghe_wav_header_decode /home/libmpeghe/test/impeghe_testbench.c:244:28
    #1 0x5596e5440eee in impeghe_main_process /home/libmpeghe/test/impeghe_testbench.c:1688:9
    #2 0x5596e5455664 in main /home/libmpeghe/test/impeghe_testbench.c:2748:7
    #3 0x7f17ceffdd8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f) (BuildId: 962015aa9d133c6cbcfb31ec300596d7f44d3348)
    #4 0x7f17ceffde3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f) (BuildId: 962015aa9d133c6cbcfb31ec300596d7f44d3348)
    #5 0x5596e534eb74 in _start (/home/libmpeghe/build/bin/MPEGHEncoder+0x36eb74) (BuildId: ad74bd9c567612d9)

Address 0x7f17cd20006f is located in stack of thread T0 at offset 111 in frame
    #0 0x5596e5439c5f in impeghe_wav_header_decode /home/libmpeghe/test/impeghe_testbench.c:169

  This frame has 2 object(s):
    [32, 108) 'wav_hdr' (line 171) <== Memory access at offset 111 overflows this variable
    [144, 148) 'data_start' (line 172)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/libmpeghe/test/impeghe_testbench.c:244:28 in impeghe_wav_header_decode
Shadow bytes around the buggy address:
  0x7f17cd1ffd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f17cd1ffe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f17cd1ffe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f17cd1fff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f17cd1fff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x7f17cd200000: f1 f1 f1 f1 00 00 00 00 00 00 00 00 00[04]f2 f2
  0x7f17cd200080: f2 f2 04 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f17cd200100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f17cd200180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f17cd200200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f17cd200280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2599528==ABORTING

PoC

PoC file is here

Fuzzer:

Fuzzer is AFL.
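The frame layout in the ASan report ('wav_hdr' occupying [32, 108), a 76-byte object, with the faulting 1-byte read at frame offset 111, i.e. index 79, three bytes past its end) is consistent with a header walker that trusts a length read from the file. The report does not show what line 244 actually indexes, so the following is an added example and not libmpeghe's code: a hypothetical RIFF/WAVE chunk walk over a fixed 76-byte header buffer, the unchecked offset arithmetic beside a bounds-checked decoder, both run on a constructed 44-byte PCM header whose "fmt " chunk length is set to 59 instead of 16. All names (wav_info_t, build_sample_header, naive_next_chunk_offset, wav_header_decode_checked and the wrappers) are invented for the illustration.

```c
/* Added example, not libmpeghe code: unchecked vs. bounds-checked WAV header walk. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define WAV_HDR_LEN 76  /* size of the 'wav_hdr' object in the ASan frame: [32, 108) */

typedef struct {
    uint16_t channels;
    uint32_t sample_rate;
    uint16_t bits_per_sample;
    uint32_t data_start;  /* byte offset of the PCM payload in the file */
} wav_info_t;

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr_le32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void wr_le16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* Constructed input (hypothetical sample, not the PoC): a 44-byte PCM header,
 * 2 ch / 48 kHz / 16-bit, whose "fmt " chunk length the caller picks (16 is legitimate). */
void build_sample_header(uint8_t out[44], uint32_t fmt_len)
{
    memcpy(out, "RIFF", 4);      wr_le32(out + 4, 36);      memcpy(out + 8, "WAVE", 4);
    memcpy(out + 12, "fmt ", 4); wr_le32(out + 16, fmt_len);
    wr_le16(out + 20, 1);        wr_le16(out + 22, 2);      /* PCM tag, channels */
    wr_le32(out + 24, 48000);    wr_le32(out + 28, 192000); /* sample rate, byte rate */
    wr_le16(out + 32, 4);        wr_le16(out + 34, 16);     /* block align, bits per sample */
    memcpy(out + 36, "data", 4); wr_le32(out + 40, 0);
}

/* Unchecked walk in the shape of the bug class: the first chunk's declared size is added
 * to the cursor without comparing it against the buffer. Returns the index at which the
 * next chunk id WOULD be read; it deliberately does not dereference it. */
size_t naive_next_chunk_offset(const uint8_t *hdr)
{
    size_t off = 12;                       /* past "RIFF" <size> "WAVE" */
    uint32_t len = rd_le32(hdr + off + 4); /* file-controlled */
    return off + 8 + len;                  /* fmt_len 59 -> index 79 of a 76-byte object */
}

/* Bounds-checked decoder: only WAV_HDR_LEN bytes are copied into the fixed buffer
 * (mirroring a stack array) and every index is checked against hdr_len before use.
 * Returns 0 on success, -1 on a malformed or truncated header. */
int wav_header_decode_checked(const uint8_t *buf, size_t buf_len, wav_info_t *out)
{
    uint8_t hdr[WAV_HDR_LEN];
    size_t hdr_len = buf_len < WAV_HDR_LEN ? buf_len : WAV_HDR_LEN;
    size_t off = 12;
    int have_fmt = 0;

    memset(out, 0, sizeof *out);
    memcpy(hdr, buf, hdr_len);
    if (hdr_len < 12 || memcmp(hdr, "RIFF", 4) != 0 || memcmp(hdr + 8, "WAVE", 4) != 0)
        return -1;
    for (;;) {
        if (hdr_len - off < 8) return -1;              /* room for id + size? */
        const uint8_t *id = hdr + off;
        uint32_t len = rd_le32(hdr + off + 4);
        off += 8;
        if (memcmp(id, "data", 4) == 0) {
            if (!have_fmt) return -1;
            out->data_start = (uint32_t)off;           /* payload follows the size field */
            return 0;
        }
        uint64_t body = (uint64_t)len + (len & 1u);    /* RIFF pads odd chunks; 64-bit so it cannot wrap */
        if (body > hdr_len - off) return -1;           /* the check the unchecked walk lacks */
        if (memcmp(id, "fmt ", 4) == 0) {
            if (len < 16) return -1;
            out->channels        = rd_le16(hdr + off + 2);
            out->sample_rate     = rd_le32(hdr + off + 4);
            out->bits_per_sample = rd_le16(hdr + off + 14);
            have_fmt = 1;
        }
        off += (size_t)body;
    }
}

/* Wrappers over the constructed header, so both paths can be exercised by value. */
size_t naive_sample_offset(uint32_t fmt_len)
{
    uint8_t h[44];
    build_sample_header(h, fmt_len);
    return naive_next_chunk_offset(h);
}
int decode_sample(uint32_t fmt_len, size_t bytes_available, wav_info_t *out)
{
    uint8_t h[44];
    build_sample_header(h, fmt_len);
    return wav_header_decode_checked(h, bytes_available < 44 ? bytes_available : 44, out);
}

int main(void)
{
    wav_info_t info;
    printf("unchecked walk, fmt_len=59: would read index %zu of a %d-byte buffer\n",
           naive_sample_offset(59), WAV_HDR_LEN);
    printf("checked decode, fmt_len=59: %d\n", decode_sample(59, 44, &info));
    return 0;
}
```

Two points carry over to a fix in any header parser of this shape: compare a chunk length against the bytes remaining in the buffer before adding it to the cursor, and do that arithmetic in a width that cannot wrap when the length field is 0xFFFFFFFF. With both checks the constructed inputs (oversized chunk, maximal chunk, truncated file) are rejected instead of indexing beyond the 76-byte object.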
