SoundTouch 1.9.2 Multiple Vulnerabilities

2017.07.29
Credit: qflb.wu
Risk: Medium
Local: Yes
Remote: No
CWE: N/A

SoundTouch multiple vulnerabilities ================ Author : qflb.wu =============== Introduction: ============= SoundTouch is an open-source audio processing library for changing the Tempo, Pitch and Playback Rates of audio streams or audio files. The library additionally supports estimating stable beats-per-minute rates for audio tracks. Affected version: ===== 1.9.2 Vulnerability Description: ========================== 1. the TDStretch::processSamples function in source/SoundTouch/TDStretch.cpp in SoundTouch 1.9.2 can cause a denial of service(infinite loop and CPU consumption) via a crafted wav file. ./soundstretch SoundTouch_1.9.2_infinite_loop.wav out POC: SoundTouch_1.9.2_infinite_loop.wav CVE: CVE-2017-9258 2. the TDStretch::acceptNewOverlapLength function in source/SoundTouch/TDStretch.cpp in SoundTouch 1.9.2 can cause a denial of service(memory allocation error and application crash) via a crafted wav file. ./soundstretch SoundTouch_1.9.2_memory_allocation_error.wav out ==87485==ERROR: AddressSanitizer failed to allocate 0x16103e000 (5922611200) bytes of LargeMmapAllocator: 12 ==87485==Process memory map follows: 0x000000400000-0x0000004c7000/home/a/Downloads/soundtouch/source/SoundStretch/.libs/soundstretch 0x0000006c7000-0x0000006c8000/home/a/Downloads/soundtouch/source/SoundStretch/.libs/soundstretch 0x0000006c8000-0x0000006ca000/home/a/Downloads/soundtouch/source/SoundStretch/.libs/soundstretch 0x0000006ca000-0x000001b0e000 0x00007fff7000-0x00008fff7000 0x00008fff7000-0x02008fff7000 0x02008fff7000-0x10007fff8000 0x600000000000-0x603000000000 0x603000000000-0x603000010000 0x603000010000-0x604000000000 0x604000000000-0x604000010000 0x604000010000-0x608000000000 0x608000000000-0x608000010000 0x608000010000-0x60b000000000 0x60b000000000-0x60b000010000 0x60b000010000-0x60e000000000 0x60e000000000-0x60e000010000 0x60e000010000-0x611000000000 0x611000000000-0x611000010000 0x611000010000-0x615000000000 0x615000000000-0x615000020000 0x615000020000-0x616000000000 0x616000000000-0x616000020000 0x616000020000-0x619000000000 0x619000000000-0x619000020000 0x619000020000-0x61e000000000 0x61e000000000-0x61e000020000 0x61e000020000-0x621000000000 0x621000000000-0x621000020000 0x621000020000-0x624000000000 0x624000000000-0x624000020000 0x624000020000-0x640000000000 0x640000000000-0x640000003000 0x7fdf6b253000-0x7fdf6d756000 0x7fdf6d756000-0x7fdf6d914000/lib/x86_64-linux-gnu/libc-2.19.so 0x7fdf6d914000-0x7fdf6db13000/lib/x86_64-linux-gnu/libc-2.19.so 0x7fdf6db13000-0x7fdf6db17000/lib/x86_64-linux-gnu/libc-2.19.so 0x7fdf6db17000-0x7fdf6db19000/lib/x86_64-linux-gnu/libc-2.19.so 0x7fdf6db19000-0x7fdf6db1e000 0x7fdf6db1e000-0x7fdf6db34000/lib/x86_64-linux-gnu/libgcc_s.so.1 0x7fdf6db34000-0x7fdf6dd33000/lib/x86_64-linux-gnu/libgcc_s.so.1 0x7fdf6dd33000-0x7fdf6dd34000/lib/x86_64-linux-gnu/libgcc_s.so.1 0x7fdf6dd34000-0x7fdf6de1a000/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.19 0x7fdf6de1a000-0x7fdf6e019000/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.19 0x7fdf6e019000-0x7fdf6e021000/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.19 0x7fdf6e021000-0x7fdf6e023000/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.19 0x7fdf6e023000-0x7fdf6e038000 0x7fdf6e038000-0x7fdf6e03b000/lib/x86_64-linux-gnu/libdl-2.19.so 0x7fdf6e03b000-0x7fdf6e23a000/lib/x86_64-linux-gnu/libdl-2.19.so 0x7fdf6e23a000-0x7fdf6e23b000/lib/x86_64-linux-gnu/libdl-2.19.so 0x7fdf6e23b000-0x7fdf6e23c000/lib/x86_64-linux-gnu/libdl-2.19.so 0x7fdf6e23c000-0x7fdf6e243000/lib/x86_64-linux-gnu/librt-2.19.so 0x7fdf6e243000-0x7fdf6e442000/lib/x86_64-linux-gnu/librt-2.19.so 0x7fdf6e442000-0x7fdf6e443000/lib/x86_64-linux-gnu/librt-2.19.so 0x7fdf6e443000-0x7fdf6e444000/lib/x86_64-linux-gnu/librt-2.19.so 0x7fdf6e444000-0x7fdf6e45d000/lib/x86_64-linux-gnu/libpthread-2.19.so 0x7fdf6e45d000-0x7fdf6e65c000/lib/x86_64-linux-gnu/libpthread-2.19.so 0x7fdf6e65c000-0x7fdf6e65d000/lib/x86_64-linux-gnu/libpthread-2.19.so 0x7fdf6e65d000-0x7fdf6e65e000/lib/x86_64-linux-gnu/libpthread-2.19.so 0x7fdf6e65e000-0x7fdf6e662000 0x7fdf6e662000-0x7fdf6e767000/lib/x86_64-linux-gnu/libm-2.19.so 0x7fdf6e767000-0x7fdf6e966000/lib/x86_64-linux-gnu/libm-2.19.so 0x7fdf6e966000-0x7fdf6e967000/lib/x86_64-linux-gnu/libm-2.19.so 0x7fdf6e967000-0x7fdf6e968000/lib/x86_64-linux-gnu/libm-2.19.so 0x7fdf6e968000-0x7fdf6e9bd000/usr/local/lib/libSoundTouch.so.1.0.0 0x7fdf6e9bd000-0x7fdf6ebbd000/usr/local/lib/libSoundTouch.so.1.0.0 0x7fdf6ebbd000-0x7fdf6ebbe000/usr/local/lib/libSoundTouch.so.1.0.0 0x7fdf6ebbe000-0x7fdf6ebc1000/usr/local/lib/libSoundTouch.so.1.0.0 0x7fdf6ebc1000-0x7fdf6ebe4000/lib/x86_64-linux-gnu/ld-2.19.so 0x7fdf6edb1000-0x7fdf6edc8000 0x7fdf6edca000-0x7fdf6edd7000 0x7fdf6edda000-0x7fdf6ede3000 0x7fdf6ede3000-0x7fdf6ede4000/lib/x86_64-linux-gnu/ld-2.19.so 0x7fdf6ede4000-0x7fdf6ede5000/lib/x86_64-linux-gnu/ld-2.19.so 0x7fdf6ede5000-0x7fdf6ede6000 0x7ffcb0503000-0x7ffcb0524000[stack] 0x7ffcb05a4000-0x7ffcb05a6000[vvar] 0x7ffcb05a6000-0x7ffcb05a8000[vdso] 0xffffffffff600000-0xffffffffff601000[vsyscall] ==87485==End of process memory map. ==87485==AddressSanitizer CHECK failed: /build/buildd/llvm-toolchain-3.4-3.4/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:68 "(("unable to mmap" && 0)) != (0)" (0x0, 0x0) #0 0x46da6f in __asan::AsanCheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/home/a/Downloads/soundtouch/source/SoundStretch/.libs/soundstretch+0x46da6f) #1 0x4732d1 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/home/a/Downloads/soundtouch/source/SoundStretch/.libs/soundstretch+0x4732d1) #2 0x477b9e in __sanitizer::MmapOrDie(unsigned long, char const*) (/home/a/Downloads/soundtouch/source/SoundStretch/.libs/soundstretch+0x477b9e) #3 0x433278 in __sanitizer::LargeMmapAllocator<__asan::AsanMapUnmapCallback>::Allocate(__sanitizer::AllocatorStats*, unsigned long, unsigned long) (/home/a/Downloads/soundtouch/source/SoundStretch/.libs/soundstretch+0x433278) #4 0x42f2bb in __asan::Allocate(unsigned long, unsigned long, __sanitizer::StackTrace*, __asan::AllocType, bool) (/home/a/Downloads/soundtouch/source/SoundStretch/.libs/soundstretch+0x42f2bb) #5 0x46824d in operator new[](unsigned long) (/home/a/Downloads/soundtouch/source/SoundStretch/.libs/soundstretch+0x46824d) #6 0x7fdf6e993d8e in soundtouch::TDStretch::acceptNewOverlapLength(int) /home/a/Downloads/soundtouch/source/SoundTouch/TDStretch.cpp:724 #7 0x7fdf6e993d8e in soundtouch::TDStretch::calculateOverlapLength(int) /home/a/Downloads/soundtouch/source/SoundTouch/TDStretch.cpp:1008 #8 0x7fdf6e9901f0 in soundtouch::TDStretch::setParameters(int, int, int, int) /home/a/Downloads/soundtouch/source/SoundTouch/TDStretch.cpp:158 #9 0x7fdf6e998910 in soundtouch::TDStretch::setChannels(int) /home/a/Downloads/soundtouch/source/SoundTouch/TDStretch.cpp:599 #10 0x47f825 in setup(soundtouch::SoundTouch*, WavInFile const*, RunParameters const*) /home/a/Downloads/soundtouch/source/SoundStretch/main.cpp:127 #11 0x47f825 in main /home/a/Downloads/soundtouch/source/SoundStretch/main.cpp:310 #12 0x7fdf6d777f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44) #13 0x47dbac in _start (/home/a/Downloads/soundtouch/source/SoundStretch/.libs/soundstretch+0x47dbac) POC: SoundTouch_1.9.2_infinite_loop.wav CVE: CVE-2017-9259 3. the TDStretchSSE::calcCrossCorr function in source/SoundTouch/sse_optimized.cpp in SoundTouch 1.9.2 can cause a denial of service(heap-buffer-overflow and application crash) via a crafted wav file. ./soundstretch SoundTouch_1.9.2_heap_buffer_overflow.wav out ==87598==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625000007110 at pc 0x7f5076e3c3dc bp 0x7ffda7a42e10 sp 0x7ffda7a42e08 READ of size 16 at 0x625000007110 thread T0 #0 0x7f5076e3c3db in soundtouch::TDStretchSSE::calcCrossCorr(float const*, float const*, double&) /home/a/Downloads/soundtouch/source/SoundTouch/sse_optimized.cpp:120:35 #1 0x7f5076e1f0f9 in soundtouch::TDStretch::seekBestOverlapPositionFull(float const*) /home/a/Downloads/soundtouch/source/SoundTouch/TDStretch.cpp:305 #2 0x7f5076e1ee2c in soundtouch::TDStretch::seekBestOverlapPosition(float const*) /home/a/Downloads/soundtouch/source/SoundTouch/TDStretch.cpp:258 #3 0x7f5076e21e88 in soundtouch::TDStretch::processSamples() /home/a/Downloads/soundtouch/source/SoundTouch/TDStretch.cpp:659 #4 0x7f5076e12893 in soundtouch::FIFOSamplePipe::moveSamples(soundtouch::FIFOSamplePipe&) /home/a/Downloads/soundtouch/source/SoundTouch/../../include/FIFOSamplePipe.h:88 #5 0x7f5076e12893 in soundtouch::SoundTouch::putSamples(float const*, unsigned int) /home/a/Downloads/soundtouch/source/SoundTouch/SoundTouch.cpp:334 #6 0x480f5e in process(soundtouch::SoundTouch*, WavInFile*, WavOutFile*) /home/a/Downloads/soundtouch/source/SoundStretch/main.cpp:200 #7 0x480f5e in main /home/a/Downloads/soundtouch/source/SoundStretch/main.cpp:314 #8 0x7f5075c00f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44) #9 0x47dbac in _start (/home/a/Downloads/soundtouch/source/SoundStretch/.libs/soundstretch+0x47dbac) 0x625000007110 is located 0 bytes to the right of 8208-byte region [0x625000005100,0x625000007110) allocated by thread T0 here: #0 0x468209 in operator new[](unsigned long) (/home/a/Downloads/soundtouch/source/SoundStretch/.libs/soundstretch+0x468209) #1 0x7f5076e055db in soundtouch::FIFOSampleBuffer::ensureCapacity(unsigned int) /home/a/Downloads/soundtouch/source/SoundTouch/FIFOSampleBuffer.cpp:174 SUMMARY: AddressSanitizer: heap-buffer-overflow /home/a/Downloads/soundtouch/source/SoundTouch/sse_optimized.cpp:120 soundtouch::TDStretchSSE::calcCrossCorr(float const*, float const*, double&) Shadow bytes around the buggy address: 0x0c4a7fff8dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a7fff8de0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a7fff8df0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a7fff8e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a7fff8e10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c4a7fff8e20: 00 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c4a7fff8e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c4a7fff8e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c4a7fff8e50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c4a7fff8e60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c4a7fff8e70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 ASan internal: fe ==87598==ABORTING POC: SoundTouch_1.9.2_heap_buffer_overflow.wav CVE: CVE-2017-9260


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top