one heap buffer overflow in FilePOSIX::read in File.cpp

[92wyunchao]

one heap buffer overflow in FilePOSIX::read in File.cpp in master branch.
poc.zip

$uname -a
Linux ubuntu 4.15.0-70-generic #79~16.04.1-Ubuntu SMP Tue Nov 12 14:01:10 UTC 2019 x86_64 GNU/Linux

$./sfconvert poc.wav output format wave
asan:

==90086==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61a00001f708 at pc 0x7f64fd42ee55 bp 0x7ffcd6e8e290 sp 0x7ffcd6e8da38
WRITE of size 2 at 0x61a00001f708 thread T0
#0 0x7f64fd42ee54 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x45e54)
#1 0x7f64fd14b8cb in FilePOSIX::read(void*, unsigned long) /home/s2e/asan/audiofile/libaudiofile/File.cpp:126
#2 0x7f64fd150ed9 in readValue /home/s2e/asan/audiofile/libaudiofile/FileHandle.cpp:353
#3 0x7f64fd14fc48 in readSwap /home/s2e/asan/audiofile/libaudiofile/FileHandle.cpp:375
#4 0x7f64fd14ee93 in _AFfilehandle::readS16(short*) /home/s2e/asan/audiofile/libaudiofile/FileHandle.cpp:397
#5 0x7f64fd16e393 in WAVEFile::parseFormat(Tag const&, unsigned int) /home/s2e/asan/audiofile/libaudiofile/WAVE.cpp:289
#6 0x7f64fd171751 in WAVEFile::readInit(_AFfilesetup*) /home/s2e/asan/audiofile/libaudiofile/WAVE.cpp:733
#7 0x7f64fd18067e in _afOpenFile /home/s2e/asan/audiofile/libaudiofile/openclose.cpp:356
#8 0x7f64fd17fab0 in afOpenFile /home/s2e/asan/audiofile/libaudiofile/openclose.cpp:217
#9 0x40251a in main /home/s2e/asan/audiofile/sfcommands/sfconvert.c:195
#10 0x7f64fcd7982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#11 0x401568 in _start (/home/s2e/asan/audiofile/tmp/bin/sfconvert+0x401568)

0x61a00001f708 is located 0 bytes to the right of 1160-byte region [0x61a00001f280,0x61a00001f708)
allocated by thread T0 here:
#0 0x7f64fd482532 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x99532)
#1 0x7f64fd14c4f1 in _AFfilehandle::create(int) /home/s2e/asan/audiofile/libaudiofile/FileHandle.cpp:80
#2 0x7f64fd18042e in _afOpenFile /home/s2e/asan/audiofile/libaudiofile/openclose.cpp:337
#3 0x7f64fd17fab0 in afOpenFile /home/s2e/asan/audiofile/libaudiofile/openclose.cpp:217
#4 0x40251a in main /home/s2e/asan/audiofile/sfcommands/sfconvert.c:195
#5 0x7f64fcd7982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
0x0c347fffbe90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c347fffbea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c347fffbeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c347fffbec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c347fffbed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c347fffbee0: 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c347fffbef0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c347fffbf00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c347fffbf10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c347fffbf20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c347fffbf30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==90086==ABORTING

[carnil]

This appears to have been assigned CVE-2020-18781.

[carnil]

It looks that the patch from #41 as proposed by antlarr@c48e4c6 fixes the issue.