integer overflow leads to out-of-bounds read in print_comments(char *comments, int length)
Hi, recently I fuzzed speex-1.2.0 with afl,and found a crash: root@host-10-0-0-25:/home/ubuntu/speex/test/speex-1.2.0# src/speexdec fuzzout/crashes/id:000000,sig:06,src:000001,op:flip2,pos:168 dddd.wav 2>redirect_stderr
- The original normal speex file is:all_normal.spx
- The invalid speex file generated by afl is:id_000000_sig_06_src_000001_op_flip2_pos_168
- And the stderr is:redirect_stderr
later I analyzed the crash, and found there is a integer overflow in function print_comments():
Breakpoint 9, print_comments ( comments=0xf6000200 "=r\230\023\361\063~\375\234Y\220}\r\035\221q5\027\241\026", <incomplete sequence \331>, length=0x3e) at speexdec.c:107 107 c+=4;
gdb-peda$ print len $105 = 0x1398723d
gdb-peda$ print end $106 = 0xf600023e
Obviously,c=comments+4,c+len<end, and bypass the length check at line 108 in speexdec.c,then leads to out-of-bounds read at line 113 in speexdec.c.