SIGFPE crash with crafted PAF file

Bug #1036831 reported by William Ella on 2012-08-14
Affects: libsndfile (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

When opening a crafted PAF file with channels=0 in the header, I receive a floating point exception error from libsndfile. I have verified this is different from any of the reported SIGFPEs in CVE-2009-4835, as they don't work on v21 or v25. This has been tested on two systems with four versions of libsndfile:

Ubuntu 10.04.4:
  * libsndfile-1.0.20 from CVE-2009-4835 reports
  * libsndfile-1.0.21-2 from /usr/lib via the 10.04 repository
  * libsndfile-1.0.25 compiled on the machine from the author's source page

Ubuntu 12.04:
  * libsndfile-1.0.25-4 from /usr/lib/x86_64-linux-gnu via the 12.04 repository
  * libsndfile-1.0.25 compiled on the machine from the author's source page

On 10.04.4 I used the test programs "lt-sndfile-info", "lt-sndfile-to-text", and "Audacity 1.3.12-beta". On 12.04 I just used "lt-sndfile-to-text". An example:

------------
$ ./lt-sndfile-info a.paf

Version : libsndfile-1.0.25

Floating point exception
------------

I have attached a tar file with the crafted audio file, a.paf. It also includes another, b.paf, where the only change is channels=1 to demonstrate different behavior.

Though this isn't a serious problem (libsndfile isn't a service), I've tagged it as a security vulnerability since I presume it's going to be a CWE-369 (I haven't looked at the source myself).

William Ella (billy-ella) wrote :

description: updated

William Ella (billy-ella) wrote :

This also affects libsndfile on Windows, as it's bundled with programs like the Windows version of Audacity. I didn't feel that was appropriate for the main text in an Ubuntu bug report though.

Jamie Strandboge (jdstrand) wrote :

Thank you for using Ubuntu and reporting a bug. Since SIGFPE is not exploitable, Ubuntu is not going to treat this as a security vulnerability. As such, I will mark this bug as public. I encourage you to contact upstream directly at http://www.mega-nerd.com/libsndfile/. After which Ubuntu will get the fix through our normal development process. Thanks again.

Changed in libsndfile (Ubuntu):
status: New → Confirmed
security vulnerability: yes → no
visibility: private → public
William Ella (billy-ella) wrote :

Thanks for the advice! I've just sent the author a quick message about it.

Erik de Castro Lopo (erikd) wrote :

Fixed in the following git commit:

https://github.com/erikd/libsndfile/commit/8680d870447f470a56ece1204d0a5d3d46ff12c3

Thanks for the bug report.
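As an added illustration of the defect class in this report (CWE-369, a header field used as a divisor without validation), here is a small C parser for a PAF-style header that rejects channels=0 before any frame arithmetic happens. This is example code written for this page; it is not the reporter's test file, not libsndfile's own paf.c, and not the content of the commit linked above. The header layout (a 4-byte magic followed by five little-endian 32-bit fields: version, endianness, format, channels, source), the 256-channel sanity bound, and every function and constant name are assumptions made for the example, not taken from the page or the PAF specification.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout for the example (not the real PAF spec): a 4-byte magic
 * followed by five little-endian 32-bit fields. */
#define PAF_MAGIC        "fap "
#define PAF_HEADER_BYTES 24
#define PAF_MAX_CHANNELS 256   /* sanity bound; an assumption for this example */

enum paf_err {
    PAF_OK           =  0,
    PAF_ERR_SHORT    = -1,   /* buffer shorter than a full header */
    PAF_ERR_MAGIC    = -2,   /* signature mismatch */
    PAF_ERR_FORMAT   = -3,   /* unknown sample format */
    PAF_ERR_CHANNELS = -4    /* channels == 0 or above the sanity bound */
};

typedef struct {
    uint32_t version, endianness, format, channels, source;
} paf_header;

static uint32_t rd32le(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32le(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)v;         p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16); p[3] = (unsigned char)(v >> 24);
}

/* Parse the fixed header and reject any value that later arithmetic cannot
 * use safely. The reported crash is a division by the channel count, so a
 * zero channel count is refused here, before any division happens. */
int paf_parse_header(const unsigned char *buf, size_t len, paf_header *h)
{
    if (len < PAF_HEADER_BYTES)         return PAF_ERR_SHORT;
    if (memcmp(buf, PAF_MAGIC, 4) != 0) return PAF_ERR_MAGIC;
    h->version    = rd32le(buf + 4);
    h->endianness = rd32le(buf + 8);
    h->format     = rd32le(buf + 12);   /* 0 = 16-bit, 1 = 24-bit (assumed) */
    h->channels   = rd32le(buf + 16);
    h->source     = rd32le(buf + 20);
    if (h->format > 1)                                      return PAF_ERR_FORMAT;
    if (h->channels == 0 || h->channels > PAF_MAX_CHANNELS) return PAF_ERR_CHANNELS;
    return PAF_OK;
}

/* frames = data bytes / (channels * bytes per sample). An unvalidated
 * channels == 0 makes the divisor zero; integer division by zero raises
 * SIGFPE on x86, which is the "Floating point exception" in the report. */
int paf_frame_count(const paf_header *h, uint64_t data_bytes, uint64_t *frames)
{
    uint64_t block = (uint64_t)h->channels * (h->format == 0 ? 2u : 3u);
    if (block == 0) return PAF_ERR_CHANNELS;   /* defence in depth */
    *frames = data_bytes / block;
    return PAF_OK;
}

/* Parse a whole in-memory file and compute its frame count. */
int paf_check_buffer(const unsigned char *buf, size_t len, uint64_t *frames)
{
    paf_header h;
    int rc = paf_parse_header(buf, len, &h);
    if (rc != PAF_OK) return rc;
    return paf_frame_count(&h, len - PAF_HEADER_BYTES, frames);
}

/* Constructed stand-in for the reporter's a.paf / b.paf: a header with the
 * given channel count followed by 12 zero data bytes. */
#define DEMO_FILE_BYTES (PAF_HEADER_BYTES + 12)
static void make_demo_file(unsigned char *out, uint32_t channels)
{
    memset(out, 0, DEMO_FILE_BYTES);
    memcpy(out, PAF_MAGIC, 4);
    wr32le(out + 4, 1);          /* version */
    wr32le(out + 8, 0);          /* endianness: little */
    wr32le(out + 12, 0);         /* format: 16-bit, so 2 bytes per sample */
    wr32le(out + 16, channels);
    wr32le(out + 20, 0);         /* source */
}

/* Status code for a constructed file with the given channel count. */
int demo_status(uint32_t channels)
{
    unsigned char f[DEMO_FILE_BYTES];
    uint64_t frames = 0;
    make_demo_file(f, channels);
    return paf_check_buffer(f, sizeof f, &frames);
}

/* Frame count for a constructed file (0 when the header is rejected). */
uint64_t demo_frames(uint32_t channels)
{
    unsigned char f[DEMO_FILE_BYTES];
    uint64_t frames = 0;
    make_demo_file(f, channels);
    paf_check_buffer(f, sizeof f, &frames);
    return frames;
}

int main(void)
{
    uint32_t cases[] = { 0, 1, 2, 100000 };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("channels=%u -> rc=%d frames=%llu\n", cases[i],
               demo_status(cases[i]), (unsigned long long)demo_frames(cases[i]));
    return 0;
}
```

With channels=0 the parser returns PAF_ERR_CHANNELS and the division in paf_frame_count is never reached; channels=1 on the 12 data bytes yields 6 frames and channels=2 yields 3. The upper bound matters as much as the zero check: a huge channel count would not crash, but it would drive later buffer-size arithmetic, so the header is the right place to reject both.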
