Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20150214133032.1f5dbbf8@pc>
Date: Sat, 14 Feb 2015 13:30:32 +0100
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request : Several Bugs Found on Libflac
 1.3.1 and Libtta++-2.2

Hi,

On Fri, 13 Feb 2015 21:44:10 +0800
Zhenghao Hu <zhenghaohuu@...il.com> wrote:

> Several bugs found in the latest libflac and libtta codec fuzzing
> with AFL ( http://lcamtuf.coredump.cx/afl/), working together with
> Nie Sen, from K33nTeam.

I think I haven't posted this here yet: Also recently fuzzed flac
with afl and found something:

https://git.xiph.org/?p=flac.git;a=commit;h=43ba7ad05f1656e885ce2f34a9a72494f45705ae
https://sourceforge.net/p/flac/bugs/421/

Crashing sample is attached to the bug report.

What happens is that flac does an malloc for the number of comments. If
that fails due to an insane number of comments it'll fail, but it will
still try to access the non-allocated memory.

I think the upstream fix is not optimal - it limits the amount of
allowed comments. That probably fixes this in most situations, but it
still leaves problems, because it doesn't check for malloc
failures.

cu,
-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.