CVE-2018-10393: Stack buffer overflow(read) in function bark_noise_hybridmp() of libvorbis-1.3.6, which is caused by lacking of array length check. (#2334) · Issues · Xiph.Org / Vorbis

bark_noise_hybridmp in psy.c in Xiph.Org libvorbis 1.3.6 has a stack-based buffer over-read.


I found a stack buffer overflow vulnerability in function bark_noise_hybridmp() of libvorbis-1.3.6 by fuzzing libtheora; the crash sample behaves as follows:

(gdb) bt
#0  0x00007ffff6fdfb55 in raise () from /lib64/libc.so.6
#1  0x00007ffff6fe1131 in abort () from /lib64/libc.so.6
#2  0x0000000000520a0b in __sanitizer::Abort () at /home/jiangxin/hunter-tool/llvm5/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix_libcdep.cc:146
#3  0x000000000051eb3a in __sanitizer::Die () at /home/jiangxin/hunter-tool/llvm5/projects/compiler-rt/lib/sanitizer_common/sanitizer_termination.cc:59
#4  0x00000000005051a5 in ~ScopedInErrorReport (this=<optimized out>, __in_chrg=<optimized out>) at /home/jiangxin/hunter-tool/llvm5/projects/compiler-rt/lib/asan/asan_report.cc:225
#5  __asan::ReportGenericError (pc=<optimized out>, bp=bp@entry=140737488322736, sp=sp@entry=140737488322728, addr=<optimized out>, is_write=is_write@entry=false, access_size=access_size@entry=4, exp=<optimized out>, exp@entry=0, fatal=<optimized out>, fatal@entry=true) at /home/jiangxin/hunter-tool/llvm5/projects/compiler-rt/lib/asan/asan_report.cc:420
#6  0x0000000000505c03 in __asan::__asan_report_load4 (addr=<optimized out>) at /home/jiangxin/hunter-tool/llvm5/projects/compiler-rt/lib/asan/asan_rtl.cc:133
#7  0x000000000062cc6d in bark_noise_hybridmp (n=256, b=0x61d000000a80, f=0x61d000007c80, noise=0x619000005a80, offset=140, fixed=-1) at psy.c:608
#8  0x000000000062b3fb in _vp_noisemask (p=0x610000000040, logmdct=0x61d000007c80, logmask=0x619000005a80) at psy.c:705
#9  0x000000000069ff59 in mapping0_forward (vb=0x7fffffffd330) at mapping0.c:417
#10 0x00000000006244af in vorbis_analysis (vb=0x7fffffffd330, op=0x0) at analysis.c:46
#11 0x000000000052f14e in fetch_and_process_audio (audio=0x616000000380, audiopage=0x7fffffffd5e0, vo=0x7fffffffceb0, vd=0x7fffffffd260, vb=0x7fffffffd330, audioflag=0) at encoder_example.c:996
#12 0x0000000000536546 in main (argc=5, argv=0x7fffffffdfe8) at encoder_example.c:1754

This vulnerability is due to a missing array length check, and I recommend a patch as follows (psy.c):

     602   for (i = 0, x = 0.f;; i++, x += 1.f) {
     603 
     604     lo = b[i] >> 16;
     605     if( lo>=0 ) break;
     606     hi = b[i] & 0xffff;
     607     if(hi>=n || -lo>=n)break; // recommended patch for this vulnerability
     608     tN = N[hi] + N[-lo];
     609     tX = X[hi] - X[-lo];
     610     tXX = XX[hi] + XX[-lo];
     611     tY = Y[hi] + Y[-lo];
     612     tXY = XY[hi] - XY[-lo];

Note: I needed to compile libtheora and libvorbis with clang ASan and use libtheora's encoder_example to reproduce this vulnerability.

The command line to reproduce this vulnerability is: ./encoder_example crash_sample xxx.y4m -o out.ogv

The binary encoder_example belongs to libtheora.
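The loop in the report, as an added example that is neither libvorbis code nor the reporter's: a reduced C model of the lo < 0 ("reflected window") loop that the backtrace places at psy.c:608. One function walks a window table exactly as the original loop does but, instead of reading N[hi] and N[-lo], reports the first index the original would have used past arrays of length n; the other carries the recommended `hi>=n || -lo>=n` guard and performs the same weighted regression on prefix sums. The packing helper, the two window tables (one well formed, one shaped like the crash, with hi growing past n while lo is still -1), the flat input f[] and the names pack_window, first_overread_index, reflected_window_noise and build_table are all constructed for this demonstration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Added example, not libvorbis or the reporter's code.  Each table entry packs
 * two values the way psy.c unpacks them: the low-side offset in the upper 16
 * bits (negative while the window reaches below bin 0) and the high-side bin
 * index in the low 16 bits. */
enum { DEMO_N = 8 };                 /* bins per block in the constructed tables */

static long pack_window(int lo, int hi)
{
    return (long)lo * 65536L + (long)hi;   /* multiply: no left shift of a negative lo */
}
/* same unpacking as psy.c; >> on a negative long is arithmetic on gcc/clang */
static int unpack_lo(long e) { return (int)(e >> 16); }
static int unpack_hi(long e) { return (int)(e & 0xffff); }

/* Unchecked form: follows the original loop but returns, instead of reading,
 * the first index that lies past arrays of length n; -1 if the original would
 * have stayed in bounds.  The i < n bound only protects the table itself. */
static int first_overread_index(int n, const long *b)
{
    for (int i = 0; i < n; i++) {
        int lo = unpack_lo(b[i]);
        if (lo >= 0) return -1;          /* the original loop's only exit */
        int hi = unpack_hi(b[i]);
        if (hi >= n)  return hi;         /* N[hi] would be read past the end */
        if (-lo >= n) return -lo;        /* N[-lo] likewise */
    }
    return -1;
}

/* Hardened form: the original's regression over prefix sums of f[] + offset,
 * with the recommended guard.  Returns the number of noise[] entries filled
 * before the loop stopped, or -1 on allocation failure. */
static int reflected_window_noise(int n, const long *b, const float *f,
                                  float offset, float *noise)
{
    float *N = calloc(5 * (size_t)n, sizeof *N);   /* alloca in the original */
    if (!N) return -1;
    float *X = N + n, *XX = N + 2 * n, *Y = N + 3 * n, *XY = N + 4 * n;
    float tN = 0.f, tX = 0.f, tXX = 0.f, tY = 0.f, tXY = 0.f, x = 0.f;
    int i;
    for (i = 0; i < n; i++, x += 1.f) {            /* running sums */
        float y = f[i] + offset;
        if (y < 1.f) y = 1.f;
        float w = y * y;
        if (i == 0) w *= .5f;                      /* the original halves bin 0 */
        tN += w; tX += w * x; tXX += w * x * x; tY += w * y; tXY += w * x * y;
        N[i] = tN; X[i] = tX; XX[i] = tXX; Y[i] = tY; XY[i] = tXY;
    }
    for (i = 0, x = 0.f; i < n; i++, x += 1.f) {
        int lo = unpack_lo(b[i]);
        if (lo >= 0) break;
        int hi = unpack_hi(b[i]);
        if (hi >= n || -lo >= n) break;            /* the recommended guard */
        tN  = N[hi]  + N[-lo];
        tX  = X[hi]  - X[-lo];
        tXX = XX[hi] + XX[-lo];
        tY  = Y[hi]  + Y[-lo];
        tXY = XY[hi] - XY[-lo];
        float A = tY * tXX - tX * tXY;
        float B = tN * tXY - tX * tY;
        float D = tN * tXX - tX * tX;
        float R = (A + x * B) / D;
        noise[i] = (R < 0.f ? 0.f : R) - offset;
    }
    free(N);
    return i;
}

/* Constructed tables (sample input, not from a real stream).  `malformed`
 * models the crash: hi keeps growing while lo is still -1, so hi reaches n
 * before the loop's only exit condition is ever met. */
static void build_table(long *b, int n, int malformed)
{
    for (int i = 0; i < n; i++) {
        if (malformed)   b[i] = pack_window(-1, i + 6);     /* hi >= n at i == 2 */
        else if (i < 4)  b[i] = pack_window(-1, i + 3);     /* reflected part */
        else             b[i] = pack_window(i - 3, i + 3);  /* lo >= 0: loop exits */
    }
}

static float demo_noise_buf[DEMO_N];

static int demo_overread(int malformed)
{
    long b[DEMO_N];
    build_table(b, DEMO_N, malformed);
    return first_overread_index(DEMO_N, b);
}

/* Flat input (all bins 0, no offset) through the hardened loop; results land in
 * demo_noise_buf.  Returns the number of entries processed. */
static int demo_noise(int malformed)
{
    long b[DEMO_N];
    float f[DEMO_N] = {0};
    build_table(b, DEMO_N, malformed);
    return reflected_window_noise(DEMO_N, b, f, 0.f, demo_noise_buf);
}

int main(void)
{
    int good = demo_noise(0);
    printf("well-formed: overread index %d, processed %d, noise[0] = %g\n",
           demo_overread(0), good, demo_noise_buf[0]);
    printf("malformed:   original would read index %d of %d; guarded loop stops after %d\n",
           demo_overread(1), DEMO_N, demo_noise(1));
    return 0;
}
```

On the well-formed table the unchecked walk reports no out-of-range index and the guarded loop fills four entries (a flat input gives a floor of exactly 1 at every bin in this model); on the malformed table the unchecked walk reports index 8 against arrays of length 8, which is the read the sanitizer flagged at psy.c:608, while the guarded loop stops after two entries instead of reading it.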
