The one place for your designs
To enable design management, you'll need to meet the requirements. If you need help, reach out to our support team for assistance.
integer overflow leads to out-of-bounds read in print_comments(char *comments, int length)
Hi, recently I fuzzed speex-1.2.0 with afl,and found a crash: root@host-10-0-0-25:/home/ubuntu/speex/test/speex-1.2.0# src/speexdec fuzzout/crashes/id:000000,sig:06,src:000001,op:flip2,pos:168 dddd.wav 2>redirect_stderr
- The original normal speex file is:all_normal.spx
- The invalid speex file generated by afl is:id_000000_sig_06_src_000001_op_flip2_pos_168
- And the stderr is:redirect_stderr
later I analyzed the crash, and found there is a integer overflow in function print_comments():
Breakpoint 9, print_comments ( comments=0xf6000200 "=r\230\023\361\063~\375\234Y\220}\r\035\221q5\027\241\026", <incomplete sequence \331>, length=0x3e) at speexdec.c:107 107 c+=4;
gdb-peda$ print len $105 = 0x1398723d
gdb-peda$ print end $106 = 0xf600023e
Obviously,c=comments+4,c+len<end, and bypass the length check at line 108 in speexdec.c,then leads to out-of-bounds read at line 113 in speexdec.c.