(CVE-2017-14633) An out-of-bounds array read vulnerability in function mapping0_forward() in libvorbis 1.3.5
╭─root@linux-jiangxin in /home/jiangxin/experiment/fuzz/AFL/target/libtheora-1.1.1/examples
╰$ gdb encoder_example
GNU gdb (GDB) 7.9
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-unknown-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from encoder_example...done.
(gdb) run ../fuzz/crash-oob-read xxx.y4m
Program received signal SIGSEGV, Segmentation fault.
0x00000000005754f9 in mapping0_forward (vb=<optimized out>) at mapping0.c:501
500 if(ci->floor_type[info->floorsubmap[submap]]!=1)return(-1);
(gdb) bt
#0 0x00000000005754f9 in mapping0_forward (vb=<optimized out>) at mapping0.c:500
#1 0x00000000004d3512 in vorbis_analysis (vb=vb@entry=0x7fffffffdbe0, op=op@entry=0x0) at analysis.c:47
#2 0x0000000000410926 in fetch_and_process_audio (audio=0x83b010, audiopage=audiopage@entry=0x7fffffffda40, vo=vo@entry=0x7fffffffde40, vd=vd@entry=0x7fffffffdb50, vb=vb@entry=0x7fffffffdbe0, audioflag=audioflag@entry=0) at encoder_example.c:996
#3 0x0000000000405a9b in main (argc=<optimized out>, argv=<optimized out>) at encoder_example.c:1754
(gdb) i r
rax 0x84b420 8696864
rbx 0x1d3c1a0 30654880
rcx 0x100 256
rdx 0x1e332a0 31666848
rsi 0x1e32e70 31665776
rdi 0x85f000 8777728
rbp 0x7fffffffc850 0x7fffffffc850
rsp 0x7fffffff9ee0 0x7fffffff9ee0
r8 0x1a9b500 27899136
r9 0x8494f0 8688880
r10 0x3e9b02c6 1050346182
r11 0xfe 254
r12 0x1a9b900 27900160
r13 0x84e0e4 8708324
r14 0x84cc00 8702976
r15 0x1b93728 28915496
rip 0x5754f9 0x5754f9 <mapping0_forward+5737>
eflags 0x10246 [ PF ZF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb) x/i $pc
=> 0x5754f9 <mapping0_forward+5737>: cmpl $0x1,0x528(%r9,%r10,4)
(gdb) x/128xb $r9+$r10*4+0x528
0xfaf0a530: Cannot access memory at address 0xfaf0a530
Edited by Jiangxin
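Added example, not code from the report above or from libvorbis: a reduced C model of the access on mapping0.c:500 with the index validation that stops this read, plus a recomputation of the operand of `cmpl $0x1,0x528(%r9,%r10,4)` from the register snapshot. The struct names, array sizes and fixture values are constructed, and reading 0x528 as the offset of floor_type inside the codec setup struct (with %r10 holding the floorsubmap entry) is an assumption drawn from the disassembly.

```c
#include <stdint.h>

/* Reduced model of the two libvorbis structures the faulting line touches.
   Constructed for illustration: field names follow mapping0.c:500 above,
   the array sizes are arbitrary and not libvorbis's real layout. */
#define MAX_SUBMAPS 16
#define MAX_FLOORS  64

typedef struct { int floors; int floor_type[MAX_FLOORS]; } codec_setup_model;
typedef struct { int submaps; int floorsubmap[MAX_SUBMAPS]; } mapping_model;

/* floorsubmap[] values originate in the setup header, i.e. untrusted input,
   so each one must be checked against the number of floors actually
   configured before it is used as an index. Returns 1 if all are in range. */
int floorsubmap_in_range(const mapping_model *info, const codec_setup_model *ci)
{
    for (int submap = 0; submap < info->submaps; submap++) {
        int idx = info->floorsubmap[submap];
        if (idx < 0 || idx >= ci->floors) return 0;
    }
    return 1;
}

/* Bounds-checked form of `if(ci->floor_type[info->floorsubmap[submap]]!=1)return(-1);`
   Returns -1 on an out-of-range index or a floor that is not type 1, else 0. */
int check_floor_type(const mapping_model *info, const codec_setup_model *ci, int submap)
{
    if (submap < 0 || submap >= info->submaps) return -1;
    if (!floorsubmap_in_range(info, ci)) return -1;
    return ci->floor_type[info->floorsubmap[submap]] != 1 ? -1 : 0;
}

/* Operand of `cmpl $0x1,0x528(%r9,%r10,4)`: base + index*scale + displacement.
   Fed the %r9/%r10 values from `i r`, it reproduces the unmapped address that
   `x/128xb` failed on, confirming %r10 is the oversized floorsubmap entry. */
uint64_t effective_address(uint64_t base, uint64_t index, uint64_t scale, uint64_t disp)
{
    return base + index * scale + disp;
}

/* Constructed fixture: two floors (type 1, then type 0) and one submap whose
   floorsubmap entry is the caller's value, e.g. the 0x3e9b02c6 seen in %r10. */
int checked_lookup(int floorsubmap_entry)
{
    codec_setup_model ci = { .floors = 2, .floor_type = { 1, 0 } };
    mapping_model info = { .submaps = 1, .floorsubmap = { floorsubmap_entry } };
    return check_floor_type(&info, &ci, 0);
}
```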