CVE-2021-4156: heap out-of-bounds read in src/flac.c in flac_buffer_copy

An out-of-bounds read flaw was found in libsndfile’s FLAC codec functionality. An attacker who is able to get a specially crafted file (for example by tricking a user into opening it) processed by an application that is linked with libsndfile and uses the FLAC codec could trigger an out-of-bounds read. This would most likely cause a crash, but could potentially leak memory contents that could be used in further exploitation of other flaws.

Comment 1 Marian Rehak 2021-11-30 13:05:33 UTC

Created libsndfile tracking bugs for this issue:

Affects: fedora-all [bug 2027692]

Comment 2 Todd Cullum 2021-12-09 00:54:00 UTC

Flaw summary:

There’s an out-of-bounds READ possible in libsndfile’s flac_buffer_copy() routine in flac.c. This could be triggered by a specially crafted file that is processed by a program linked with libsndfile.

Technical detail:

In the following for loop:

    for (i = 0 ; i < len && pflac->remain > 0 ; i++)
    {   offset = pflac->pos + i * channels ;

        if (pflac->bufferpos >= frame->header.blocksize)
            break ;

        if (offset + channels > pflac->len)
            break ;

        for (j = 0 ; j < channels ; j++)
            retpcm [offset + j] = ((uint32_t) buffer [j][pflac->bufferpos]) << shift ;
        pflac->remain -= channels ;
        pflac->bufferpos++ ;
        } ;
    } ;

We see that there’s an if check to ensure the loop terminates if pflac->bufferpos >= frame->header.blocksize.

In this case, frame->header.blocksize can be set to a value greater than the size of `buffer`, and since `buffer` is indexed by `pflac->bufferpos`, the loop will not terminate before causing an out-of-bounds read when reading `buffer`.

The upstream patch[1] introduces a check to prevent the above, and errors out upon failure.

  1. https://github.com/libsndfile/libsndfile/pull/732/commits/4c30646abf7834e406f7e2429c70bc254e18beab
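The following is an added, self-contained model of the copy loop quoted in Comment 2; it is not libsndfile code and not the upstream patch. It keeps the loop's structure (bufferpos bounded only by the header's blocksize) but replaces the raw `buffer[j][pflac->bufferpos]` read with an instrumented accessor that counts, instead of performing, any read past the buffer's real length, so the crafted-header case can be run without undefined behaviour. The `check` path shows the shape of mitigation the report describes (validate the header's blocksize against what was actually decoded and error out); the exact check libsndfile adopted is in the linked commit. All struct names, the constructed sample data and the `run_copy` driver are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

#define CHANNELS        2
#define DECODED_SAMPLES 4   /* samples per channel the decoder actually produced */
#define OUT_LEN         64  /* capacity of the caller's output buffer, in samples */

/* Decoded PCM as the decoder hands it over: one int32_t array per channel.
 * 'capacity' is the real length of each array, the thing a crafted header lies about. */
typedef struct {
    const int32_t *samples[CHANNELS];
    unsigned capacity;
} decoded_t;

/* Frame header fields as parsed from the (possibly crafted) file. */
typedef struct {
    unsigned blocksize;       /* attacker-controlled in a crafted file */
    unsigned channels;
    unsigned bits_per_sample;
} frame_header_t;

/* Copy state, named after the pflac fields the quoted loop uses. */
typedef struct {
    int32_t *ptr;             /* caller's output buffer (retpcm) */
    unsigned len;             /* capacity of ptr, in samples */
    unsigned pos;             /* write position in ptr */
    unsigned remain;          /* samples the caller still wants */
    unsigned bufferpos;       /* read position within the decoded frame */
} copy_state_t;

/* Instrumented read: a read past the real buffer is counted and returns 0
 * instead of being performed, so the vulnerable path runs without UB. */
static unsigned g_oob_reads;

static int32_t read_sample(const decoded_t *d, unsigned ch, unsigned idx)
{
    if (idx >= d->capacity) {
        g_oob_reads++;
        return 0;
    }
    return d->samples[ch][idx];
}

/* Same loop structure as the PCM_32 case in the report: bufferpos is bounded
 * only by hdr->blocksize. With 'check' set, the header is validated against the
 * decoded buffer's real length first and the copy errors out on mismatch
 * (hypothetical form of the fix, not the upstream diff). */
static unsigned copy_frame(copy_state_t *st, const frame_header_t *hdr,
                           const decoded_t *d, unsigned len, int check)
{
    unsigned channels = hdr->channels, i, j, offset;
    int shift = 32 - (int) hdr->bits_per_sample;
    int32_t *retpcm = st->ptr;

    if (check && hdr->blocksize > d->capacity)
        return 0;   /* refuse the frame: header claims more samples than exist */

    for (i = 0; i < len && st->remain > 0; i++) {
        offset = st->pos + i * channels;
        if (st->bufferpos >= hdr->blocksize)
            break;
        if (offset + channels > st->len)
            break;
        for (j = 0; j < channels; j++)
            retpcm[offset + j] =
                (int32_t) (((uint32_t) read_sample(d, j, st->bufferpos)) << shift);
        st->remain -= channels;
        st->bufferpos++;
    }
    return i;   /* sample frames copied */
}

/* Runs one copy of a frame whose header claims 'claimed_blocksize' samples
 * against a buffer that really holds DECODED_SAMPLES. Returns the number of
 * reads that would have gone past the buffer; stores frames copied in *copied. */
unsigned run_copy(unsigned claimed_blocksize, int hardened, unsigned *copied)
{
    static const int32_t ch0[DECODED_SAMPLES] = { 1, 2, 3, 4 };   /* constructed data */
    static const int32_t ch1[DECODED_SAMPLES] = { 5, 6, 7, 8 };
    decoded_t d = { { ch0, ch1 }, DECODED_SAMPLES };
    frame_header_t hdr = { claimed_blocksize, CHANNELS, 16 };
    int32_t out[OUT_LEN] = { 0 };
    copy_state_t st = { out, OUT_LEN, 0, OUT_LEN, 0 };
    unsigned n;

    g_oob_reads = 0;
    n = copy_frame(&st, &hdr, &d, OUT_LEN / CHANNELS, hardened);
    if (copied)
        *copied = n;
    return g_oob_reads;
}

int main(void)
{
    unsigned copied, oob;

    oob = run_copy(DECODED_SAMPLES, 0, &copied);
    printf("honest header, no check:  copied=%u oob_reads=%u\n", copied, oob);
    oob = run_copy(16, 0, &copied);
    printf("crafted header, no check: copied=%u oob_reads=%u\n", copied, oob);
    oob = run_copy(16, 1, &copied);
    printf("crafted header, checked:  copied=%u oob_reads=%u\n", copied, oob);
    return 0;
}
```

With an honest header (blocksize 4) the loop stops after 4 frames and never leaves the buffer. With a header claiming 16 samples, the unchecked loop keeps incrementing bufferpos until it reaches 16, making 12 extra iterations times 2 channels, i.e. 24 reads past the end of each channel's data; the remain and len checks do not help because they bound the output, not the input. The checked variant rejects the frame before the loop runs.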
