NetBSD-Bugs archive


bin/57973: Read buffer overflow in audioplay(1)



>Number:         57973
>Category:       bin
>Synopsis:       Read buffer overflow in audioplay(1)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Feb 29 17:05:00 +0000 2024
>Originator:     Andreas Gustafsson
>Release:        NetBSD-current as of yesterday
>Organization:
>Environment:
System: NetBSD
Architecture: x86_64
Machine: amd64
>Description:

I am in need of some BSD-licensed code for reading .wav files and
figured I could reuse that in NetBSD's src/usr.bin/audio/common/wav.c,
used by audioplay(1), but after reading some of it, I don't think I
want to run it on untrusted input.

In audio_wav_parse_hdr(), there's this loop:

	do {
		memcpy(&part, where, sizeof part);
		owhere = where;
		where += getle32(part.len) + 8;
	} while (where < end && strncmp(part.name, strfmt, sizeof strfmt));

where the memcpy reads from "where" without checking there is enough
data first; that's a read buffer overflow.

This is followed by

	/* too short ? */
	if (where + sizeof fmt > end)
		return (AUDIO_ESHORTHDR);

Here, the pointer addition has undefined behavior when the "if"
condition would otherwise be true (assuming the array "where" points
into actually ends at "end").

>How-To-Repeat:

Code inspection.

>Fix:



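Editor's note (added example, not part of the bug report and not code from NetBSD's wav.c): the two defects above have a single remedy, which is to track the number of bytes remaining in the buffer and compare every chunk length against that count before reading or advancing. The parser below walks RIFF chunks that way: the chunk header is only read once 8 bytes are known to remain, a chunk length larger than what remains is rejected instead of being added to the pointer, and no expression of the form `where + n > end` is ever formed. The error names (WAV_E*), the struct, and the sample byte strings are hypothetical and constructed here for the example; only the 16-byte PCM "fmt " body is decoded.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Return codes: hypothetical names chosen for this example. */
enum { WAV_OK = 0, WAV_ESHORTHDR = -1, WAV_ENOTWAV = -2, WAV_ENOFMT = -3, WAV_ENODATA = -4 };

struct wav_info {
    uint16_t format_tag;
    uint16_t channels;
    uint32_t sample_rate;
    uint16_t bits_per_sample;
    size_t   data_off;   /* offset of the PCM payload within the buffer */
    uint32_t data_len;   /* "data" chunk length, clamped to what the buffer holds */
};

static uint16_t getle16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t getle32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * Parse a RIFF/WAVE header from an untrusted buffer of len bytes.
 * Every read is preceded by a check on `remaining` (bytes left after p),
 * so p never moves past the end and no out-of-bounds pointer is computed.
 */
int wav_parse_hdr(const unsigned char *buf, size_t len, struct wav_info *out)
{
    const unsigned char *p = buf;
    size_t remaining = len;
    int have_fmt = 0;

    /* RIFF header: "RIFF" <u32 size> "WAVE" = 12 bytes. */
    if (remaining < 12)
        return WAV_ESHORTHDR;
    if (memcmp(p, "RIFF", 4) != 0 || memcmp(p + 8, "WAVE", 4) != 0)
        return WAV_ENOTWAV;
    p += 12;
    remaining -= 12;

    /* Chunk loop: <4-byte id> <u32 little-endian length> <body>. */
    while (remaining >= 8) {
        const unsigned char *id = p;
        uint32_t clen = getle32(p + 4);
        p += 8;
        remaining -= 8;

        if (memcmp(id, "fmt ", 4) == 0) {
            /* A PCM fmt body is 16 bytes; clen may legitimately be larger. */
            if (clen < 16 || remaining < 16)
                return WAV_ESHORTHDR;
            out->format_tag      = getle16(p);
            out->channels        = getle16(p + 2);
            out->sample_rate     = getle32(p + 4);
            out->bits_per_sample = getle16(p + 14);
            have_fmt = 1;
        } else if (memcmp(id, "data", 4) == 0) {
            if (!have_fmt)
                return WAV_ENOFMT;      /* fmt must precede data */
            out->data_off = (size_t)(p - buf);
            /* A length larger than the buffer is clamped, not trusted. */
            out->data_len = clen > remaining ? (uint32_t)remaining : clen;
            return WAV_OK;
        }

        /* Skip the body only if the buffer actually contains it. */
        if (clen > remaining)
            return WAV_ESHORTHDR;       /* chunk claims more than we have */
        p += clen;
        remaining -= clen;
        /* RIFF pads odd-length chunks to an even size; skip the pad if present. */
        if ((clen & 1) && remaining > 0) {
            p++;
            remaining--;
        }
    }
    return have_fmt ? WAV_ENODATA : WAV_ENOFMT;
}

/* Constructed sample: RIFF header, a 3-byte "JUNK" chunk (padded), PCM fmt, 4 data bytes. */
static const unsigned char good_wav[] = {
    'R','I','F','F', 0x34,0,0,0, 'W','A','V','E',
    'J','U','N','K', 3,0,0,0, 0xAA,0xBB,0xCC, 0x00,
    'f','m','t',' ', 16,0,0,0,
    1,0, 2,0, 0x44,0xAC,0,0, 0x10,0xB1,0x02,0, 4,0, 16,0,
    'd','a','t','a', 4,0,0,0, 0,0,0,0
};

/* Constructed sample: a chunk whose length field (0xFFFFFFFF) lies about the data present. */
static const unsigned char huge_chunk_wav[] = {
    'R','I','F','F', 0xFF,0xFF,0xFF,0x7F, 'W','A','V','E',
    'L','I','S','T', 0xFF,0xFF,0xFF,0xFF, 1,2,3,4
};
```

Feeding `huge_chunk_wav` to the original loop would add roughly 4 GiB to `where` in one step; here the same input is rejected with WAV_ESHORTHDR before any pointer moves. Passing a prefix of `good_wav` exercises the truncation paths (header cut off inside the fmt body, fmt present but no data chunk, data chunk shorter than it claims).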