Segmentation fault in wav_open() function of oggenc
During fuzz testing, I found a program-crashing bug in the latest version of oggenc. When a malicious WAV file is provided as input, a segmentation fault occurs inside memcpy() called from wav_open().
I downloaded the file http://downloads.xiph.org/releases/vorbis/vorbis-tools-1.4.0.tar.gz and compiled it with clang 3.8.
I attach the PoC file and the GDB/ASAN logs.
[GDB log]
jason@debian-amd64-stretch:~/ground/vorbis-tools-1.4.0-clang$ gdb ./oggenc/oggenc -q
Reading symbols from ./oggenc/oggenc...done.
(gdb) run ~/poc_segv
Starting program: /home/jason/ground/vorbis-tools-1.4.0-clang/oggenc/oggenc ~/poc_segv
Warning: INVALID format chunk in wav header.
Trying to read anyway (may not work)...
WARNING: Unknown WAV surround channel mask: -1465341784
blindly mapping speakers using default SMPTE/ITU ordering.
Warning: WAV 'block alignment' value is incorrect, ignoring.
The software that created this file is incorrect.
Program received signal SIGSEGV, Segmentation fault.
__memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:363
363 ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S: No such file or directory.
(gdb) x/i $rip
=> 0x7ffff6f09f4c <__memmove_avx_unaligned_erms+364>: vmovdqu (%rsi),%ymm4
(gdb) info reg rsi
rsi 0x3d0730 3999536
(gdb) where
#0 __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:363
#1 0x00000000004055ff in wav_open (in=<optimized out>, opt=<optimized out>, oldbuf=<optimized out>, buflen=<optimized out>) at audio.c:576
#2 0x0000000000405f00 in open_audio_file (in=<optimized out>, opt=<optimized out>) at audio.c:86
#3 0x0000000000404355 in main (argc=<optimized out>, argv=<optimized out>) at oggenc.c:256
[ASAN log]
jason@debian-amd64-stretch:~/ground/vorbis-tools-1.4.0-ASAN$ export ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer
jason@debian-amd64-stretch:~/ground/vorbis-tools-1.4.0-ASAN$ export ASAN_OPTIONS=detect_leaks=0:allocator_may_return_null=1
jason@debian-amd64-stretch:~/ground/vorbis-tools-1.4.0-ASAN$ ./oggenc/oggenc ~/poc_segv
Warning: INVALID format chunk in wav header.
Trying to read anyway (may not work)...
WARNING: Unknown WAV surround channel mask: -1465341784
blindly mapping speakers using default SMPTE/ITU ordering.
Warning: WAV 'block alignment' value is incorrect, ignoring.
The software that created this file is incorrect.
==13504==WARNING: AddressSanitizer failed to allocate 0xffffffffffff84a0 bytes
=================================================================
==13504==ERROR: AddressSanitizer: memcpy-param-overlap: memory ranges [0x000000000000,0xffffffffffff84a0) and [0x0000004e2200, 0x0000004da6a0) overlap
#0 0x4a46c2 in __asan_memcpy (/home/jason/ground/vorbis-tools-1.4.0-ASAN/oggenc/oggenc+0x4a46c2)
#1 0x4f506b in wav_open /home/jason/ground/vorbis-tools-1.4.0-ASAN/oggenc/audio.c:576:13
#2 0x4f6c13 in open_audio_file /home/jason/ground/vorbis-tools-1.4.0-ASAN/oggenc/audio.c:86:16
#3 0x4f1495 in main /home/jason/ground/vorbis-tools-1.4.0-ASAN/oggenc/oggenc.c:256:22
#4 0x7ffff65c12e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
#5 0x41c689 in _start (/home/jason/ground/vorbis-tools-1.4.0-ASAN/oggenc/oggenc+0x41c689)
AddressSanitizer can not describe address in more detail (wild memory access suspected).
AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: memcpy-param-overlap (/home/jason/ground/vorbis-tools-1.4.0-ASAN/oggenc/oggenc+0x4a46c2) in __asan_memcpy
==13504==ABORTING
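The ASan record above shows a memcpy() whose length is 0xffffffffffff84a0 (a small negative value reinterpreted as size_t) and whose destination is address 0, the NULL that the allocator returned once the allocation of that same size failed under allocator_may_return_null=1. The common root of this bug class is a length taken from the WAV header and used as a malloc()/memcpy() size without first being compared against the bytes actually present in the file. The following is an added example written for this report, not code from vorbis-tools and not a reconstruction of wav_open(): a minimal RIFF chunk walker that bounds every header-derived length in size_t arithmetic before it touches memory, with constructed sample headers (a well-formed one, one whose 'fmt ' length field reads 0xFFFFFFF0, and one with an inconsistent block alignment). The cap FMT_CHUNK_MAX and the return codes are hypothetical choices for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FMT_CHUNK_MAX 256u   /* hypothetical upper bound on a sane 'fmt ' chunk */

typedef struct {
    uint16_t format_tag;
    uint16_t channels;
    uint32_t sample_rate;
    uint16_t block_align;
    uint16_t bits_per_sample;
} wav_fmt;

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Walk the RIFF chunks in buf[0..len) and decode the first 'fmt ' chunk.
 * Returns 0 on success; a negative code names the check that failed. */
int parse_wav_fmt(const uint8_t *buf, size_t len, wav_fmt *out)
{
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "WAVE", 4) != 0)
        return -1;                                   /* not a RIFF/WAVE container */

    size_t pos = 12;
    while (len - pos >= 8) {                         /* room for an 8-byte chunk header? */
        uint32_t clen = le32(buf + pos + 4);         /* untrusted: straight from the file */
        size_t body = pos + 8;

        /* Compare against the bytes actually present, in size_t arithmetic that
         * cannot go negative. A field such as 0xFFFFFFF0 is rejected here instead
         * of being reinterpreted as a negative int and fed to malloc()/memcpy(). */
        if (clen > len - body)
            return -2;

        if (memcmp(buf + pos, "fmt ", 4) == 0) {
            if (clen < 16 || clen > FMT_CHUNK_MAX)
                return -3;                           /* too short for the PCM fields, or absurdly long */
            uint8_t tmp[FMT_CHUNK_MAX];
            memcpy(tmp, buf + body, clen);           /* both operands bounded by the checks above */

            out->format_tag      = le16(tmp + 0);
            out->channels        = le16(tmp + 2);
            out->sample_rate     = le32(tmp + 4);
            out->block_align     = le16(tmp + 12);
            out->bits_per_sample = le16(tmp + 14);

            if (out->channels == 0 || out->bits_per_sample == 0)
                return -4;                           /* would divide by zero in later sample math */
            if (out->block_align != out->channels * ((out->bits_per_sample + 7) / 8))
                return -5;                           /* inconsistent block alignment: refuse rather than guess */
            return 0;
        }
        size_t skip = (size_t)clen + (clen & 1u);    /* RIFF pads chunk bodies to even length */
        if (skip > len - body)
            return -6;
        pos = body + skip;
    }
    return -6;                                       /* no 'fmt ' chunk found */
}

/* Constructed 44-byte PCM header (not the PoC from this report): 16-bit stereo, 44100 Hz. */
static const uint8_t GOOD_WAV[44] = {
    'R','I','F','F', 0x24,0x00,0x00,0x00, 'W','A','V','E',
    'f','m','t',' ', 0x10,0x00,0x00,0x00,            /* 'fmt ' chunk, 16 bytes */
    0x01,0x00, 0x02,0x00,                            /* PCM, 2 channels */
    0x44,0xAC,0x00,0x00, 0x10,0xB1,0x02,0x00,        /* 44100 Hz, 176400 bytes/s */
    0x04,0x00, 0x10,0x00,                            /* block align 4, 16 bits */
    'd','a','t','a', 0x00,0x00,0x00,0x00
};

/* Copy GOOD_WAV and patch the 'fmt ' length field (offset 16) and block align (offset 32). */
static void make_variant(uint8_t out[44], uint32_t fmt_len, uint16_t block_align)
{
    memcpy(out, GOOD_WAV, 44);
    for (int i = 0; i < 4; i++) out[16 + i] = (uint8_t)(fmt_len >> (8 * i));
    out[32] = (uint8_t)block_align;
    out[33] = (uint8_t)(block_align >> 8);
}

int check_good(void)      { wav_fmt f; return parse_wav_fmt(GOOD_WAV, sizeof GOOD_WAV, &f); }
int check_bad_len(void)   { uint8_t b[44]; wav_fmt f; make_variant(b, 0xFFFFFFF0u, 4); return parse_wav_fmt(b, 44, &f); }
int check_bad_align(void) { uint8_t b[44]; wav_fmt f; make_variant(b, 16, 3);           return parse_wav_fmt(b, 44, &f); }
unsigned good_sample_rate(void) { wav_fmt f; return parse_wav_fmt(GOOD_WAV, 44, &f) == 0 ? f.sample_rate : 0; }

int main(void)
{
    printf("well-formed header:  %d\n", check_good());       /* 0 */
    printf("length 0xFFFFFFF0:   %d\n", check_bad_len());    /* -2: rejected before any copy */
    printf("block align 3:       %d\n", check_bad_align());  /* -5 */
    return 0;
}
```

The point of the example is the order of operations: the declared length is validated against `len - body` (the bytes that really exist after the chunk header) before it becomes the size of any allocation or copy, and a block-alignment mismatch is an error rather than a warning to read past. A quick regression check for a parser of this kind is to run the ASan-instrumented binary over the three constructed headers and expect no report at all.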