When changing both sample format and number of channels, data gets corrupted; if new sample format smaller than old, possible buffer overflow

Bug #1502721 reported by Fabrizio Gennari on 2015-10-04
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
audiofile (Ubuntu)
Undecided
Unassigned

Bug Description

When libaudiofile is used to change both the number of channels of an audio file (e.g. from stereo to mono) and the sample format (e.g. from 16-bit samples to 8-bit samples), the output file will contain corrupted data.

If the new sample format is smaller than the old one, there is a risk of buffer overflow: e.g. when the input file has 16-bit samples and the output file has 8-bit samples, afReadFrames will treat the buffer to read the samples (argument void *data) as a pointer to int16_t instead of int8_t, therefore it will write past its end.

The attached program (which is a rework of a file already present in the upstream's test suite, reworked by me) shows the problem. The 2 variables byte and abyte are int8_t. afReadFrames is told to read 1 8-bit sample into byte, but ends up treating &byte as a pointer to an int16_t, thus overwriting abyte (when abyte is stored right after byte in memory, which is what happens when I compile with gcc).

I proposed a fix (before realising about the buffer overflow, only about the data corruption) at https://github.com/mpruett/audiofile/pull/25

ProblemType: Bug
DistroRelease: Ubuntu 15.04
Package: libaudiofile1 0.3.6-2
ProcVersionSignature: Ubuntu 3.19.0-15.15-generic 3.19.3
Uname: Linux 3.19.0-15-generic x86_64
ApportVersion: 2.17.2-0ubuntu1.5
Architecture: amd64
CurrentDesktop: Unity
Date: Sun Oct 4 23:55:03 2015
InstallationDate: Installed on 2010-11-07 (1792 days ago)
InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Release amd64 (20101007)
SourcePackage: audiofile
UpgradeStatus: No upgrade log present (probably fresh install)

CVE References

Fabrizio Gennari (fabrizio-ge) wrote :
information type: Private Security → Public Security
Seth Arnold (seth-arnold) wrote :

This has been assigned CVE-2015-7747 by MITRE: http://www.openwall.com/lists/oss-security/2015/10/08/1

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package audiofile - 0.3.3-2ubuntu0.1

---------------
audiofile (0.3.3-2ubuntu0.1) precise-security; urgency=medium

  * SECURITY UPDATE: buffer overflow when changing both sample format and
    number of channels (LP: #1502721)
    - debian/patches/CVE-2015-7747.patch: don't corrupt files in
      libaudiofile/modules/ModuleState.cpp, added test to test/Makefile.am,
      test/sixteen-stereo-to-eight-mono.c.
    - CVE-2015-7747

 -- Marc Deslauriers <email address hidden> Tue, 20 Oct 2015 08:57:52 -0400

Changed in audiofile (Ubuntu):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package audiofile - 0.3.6-2ubuntu0.14.04.1

---------------
audiofile (0.3.6-2ubuntu0.14.04.1) trusty-security; urgency=medium

  * SECURITY UPDATE: buffer overflow when changing both sample format and
    number of channels (LP: #1502721)
    - debian/patches/CVE-2015-7747.patch: don't corrupt files in
      libaudiofile/modules/ModuleState.cpp, added test to test/Makefile.am,
      test/sixteen-stereo-to-eight-mono.c.
    - CVE-2015-7747

 -- Marc Deslauriers <email address hidden> Tue, 20 Oct 2015 07:57:26 -0400

Changed in audiofile (Ubuntu):
status: New → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers