Xiph.Org / Speex / Issues / #2038 (Closed)
Created Mar 19, 2018 by JayZhang (@JayZhang)

integer overflow leads to out-of-bounds read in print_comments(char *comments, int length)

Hi, recently I fuzzed speex-1.2.0 with afl, and found a crash:

    root@host-10-0-0-25:/home/ubuntu/speex/test/speex-1.2.0# src/speexdec fuzzout/crashes/id:000000,sig:06,src:000001,op:flip2,pos:168 dddd.wav 2>redirect_stderr

  1. The original normal speex file is: all_normal.spx
  2. The invalid speex file generated by afl is: id_000000_sig_06_src_000001_op_flip2_pos_168
  3. And the stderr is: redirect_stderr

Later I analyzed the crash, and found there is an integer overflow in function print_comments():

    Breakpoint 9, print_comments (comments=0xf6000200 "=r\230\023\361\063~\375\234Y\220}\r\035\221q5\027\241\026", <incomplete sequence \331>, length=0x3e) at speexdec.c:107
    107         c+=4;

    gdb-peda$ print len
    $105 = 0x1398723d

    gdb-peda$ print end
    $106 = 0xf600023e

Obviously, c = comments+4 and c+len < end, which bypasses the length check at line 108 in speexdec.c and then leads to an out-of-bounds read at line 113 in speexdec.c.

Edited Mar 19, 2018 by JayZhang
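The arithmetic behind the report, as an added example that is not Speex's code and not part of the original issue. It models a check of the shape "c + len > end" with 32-bit addresses (so the pointer addition wraps as it did on the reporter's 32-bit host; real pointer overflow is undefined behaviour, this is a model of what happened), plugs in the comments/length/len values from the gdb session, and contrasts it with a check that compares len against the bytes remaining. The byte-level parser at the end assumes a Vorbis-style comment layout with little-endian length fields; the function names, the sample blocks and that layout assumption are mine, not taken from the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values taken from the gdb session in the report (a 32-bit process). */
#define REPORT_COMMENTS 0xf6000200u   /* comments */
#define REPORT_LENGTH   0x3eu         /* length   */
#define REPORT_LEN      0x1398723d    /* len, read from the attacker-controlled 4-byte field */

/* Little-endian 32-bit read of a length field (assumed layout). */
static uint32_t read_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* A bounds check shaped like "c + len > end", evaluated with 32-bit
 * addresses so the pointer addition wraps as on a 32-bit host (this is a
 * model, not real pointer arithmetic). Returns 1 when the check would let
 * a read of len bytes proceed. */
int wrapping_check_passes(uint32_t comments, uint32_t length, int32_t len)
{
    uint32_t end = comments + length;
    uint32_t c = comments + 4;                 /* just past the 4-byte length field */
    if (len < 0 || length < 4)
        return 0;
    uint32_t c_plus_len = c + (uint32_t)len;   /* may wrap past 0xffffffff */
    return c_plus_len > end ? 0 : 1;
}

/* Hardened form: never compute c + len. Compare len against the bytes that
 * actually remain; end - c cannot overflow as long as c <= end. */
int bounded_check_passes(uint32_t comments, uint32_t length, int32_t len)
{
    uint32_t end = comments + length;
    uint32_t c = comments + 4;
    if (len < 0 || length < 4)
        return 0;
    return (uint32_t)len > end - c ? 0 : 1;
}

/* Byte-level parser for the leading vendor string of a comment block
 * ([u32 len][len bytes][u32 field count]...), using the hardened check.
 * Copies the string into out and returns its length, or -1 if malformed. */
int parse_vendor_string(const unsigned char *buf, size_t length,
                        char *out, size_t outsz)
{
    const unsigned char *c = buf;
    const unsigned char *end = buf + length;
    uint32_t len;

    if (length < 8)                       /* length field plus field count at minimum */
        return -1;
    len = read_le32(c);
    c += 4;
    if (len > (size_t)(end - c) || len >= outsz)
        return -1;                        /* len exceeds remaining bytes or output space */
    memcpy(out, c, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed inputs: a well-formed block, and one carrying the report's len. */
static const unsigned char good_block[] = {
    5, 0, 0, 0, 's', 'p', 'e', 'e', 'x',   /* len = 5, "speex" */
    0, 0, 0, 0                              /* zero user-comment fields */
};
static const unsigned char bad_block[] = {
    0x3d, 0x72, 0x98, 0x13,                 /* len = 0x1398723d, little-endian */
    'A', 'B', 'C', 'D'
};

int main(void)
{
    char vendor[32];
    printf("report values, c+len>end check lets read proceed: %d\n",
           wrapping_check_passes(REPORT_COMMENTS, REPORT_LENGTH, REPORT_LEN));
    printf("report values, bounded check lets read proceed:   %d\n",
           bounded_check_passes(REPORT_COMMENTS, REPORT_LENGTH, REPORT_LEN));
    printf("good block vendor length: %d\n",
           parse_vendor_string(good_block, sizeof good_block, vendor, sizeof vendor));
    printf("bad block vendor length:  %d\n",
           parse_vendor_string(bad_block, sizeof bad_block, vendor, sizeof vendor));
    return 0;
}
```

With the report's values, c = 0xf6000204 and c + 0x1398723d wraps to 0x09987441, which compares below end = 0xf600023e, so the pointer-based check accepts a length far larger than the 0x3a bytes that remain; the subtraction-based check rejects it. The same rewrite (compare the untrusted length to end - c, never form c + len) is the fix pattern for this class of bug.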