CVE-2022-33065: UndefinedBehaviorSanitizer: multiple signed integer overflow · Issue #833 · libsndfile/libsndfile

Multiple signed integer overflows in the function au_read_header in src/au.c and in the functions mat4_open and mat4_read_header in src/mat4.c in libsndfile allow an attacker to cause a denial of service or other unspecified impacts.


**Describe the bug**

UndefinedBehaviorSanitizer: multiple signed integer overflows in the codebase. I attach different testcases that trigger different overflows.

**To Reproduce**

Built libsndfile using clang-10 according to the oss-fuzz script with `CXXFLAGS='-O1 -fsanitize=address -fsanitize=array-bounds,bool,builtin,enum,float-divide-by-zero,function,integer-divide-by-zero,null,object-size,return,returns-nonnull-attribute,shift,signed-integer-overflow,unreachable,vla-bound,vptr'`

commit: 4b01368

**Example UBSAN Output**

```text
$ ./sndfile_alt_fuzzer id:000006,sig:06,src:001126,time:22443,op:havoc,rep:4,trial:0
INFO: Seed: 3120870912
INFO: Loaded 1 modules   (33759 inline 8-bit counters): 33759 [0x8977c3, 0x89fba2),
INFO: Loaded 1 PC tables (33759 PCs): 33759 [0x6f6b48,0x77a938),
sndfile_alt_fuzzer: Running 1 inputs 1 time(s) each.
Running: id:000006,sig:06,src:001126,time:22443,op:havoc,rep:4,trial:0
src/au.c:324:54: runtime error: signed integer overflow: 1684960000 + 779316836 cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/au.c:324:54 in
src/au.c:326:29: runtime error: signed integer overflow: 1684960000 + 779316836 cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/au.c:326:29 in
src/au.c:327:40: runtime error: signed integer overflow: 1684960000 + 779316836 cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/au.c:327:40 in
Executed id:000006,sig:06,src:001126,time:22443,op:havoc,rep:4,trial:0 in 1 ms
***
*** NOTE: fuzzing was not performed, you have only
***       executed the target code on a fixed set of inputs.
***
```

or, for example:

```text
$ ./sndfile_alt_fuzzer id:000011,sig:06,src:001848,time:296603,op:havoc,rep:4,trial:4
INFO: Seed: 3162641945
INFO: Loaded 1 modules   (33759 inline 8-bit counters): 33759 [0x8977c3, 0x89fba2),
INFO: Loaded 1 PC tables (33759 PCs): 33759 [0x6f6b48,0x77a938),
sndfile_alt_fuzzer: Running 1 inputs 1 time(s) each.
Running: id:000011,sig:06,src:001848,time:296603,op:havoc,rep:4,trial:4
src/mat4.c:323:41: runtime error: signed integer overflow: -587202559 * 553648128 cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:323:41 in
src/mat4.c:323:48: runtime error: signed integer overflow: 553648128 * 8 cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:323:48 in
src/mat4.c:107:35: runtime error: signed integer overflow: 8 * -587202559 cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:107:35 in
Executed id:000011,sig:06,src:001848,time:296603,op:havoc,rep:4,trial:4 in 1 ms
```

Testcases: int overflow.zip
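As an added illustration of the mitigation (this is constructed example code, not libsndfile's own source and not part of the issue above): header arithmetic done with overflow-checked operations rejects the operand pairs the sanitizer printed instead of wrapping. The helper names `au_data_end` and `mat4_data_length`, their parameter names, and the "sane header" values are hypothetical; only the rejected operands come from the UBSAN output.

```c
#include <stdio.h>

/*
 * Hypothetical helpers, constructed for this page; they are not libsndfile's
 * own functions. Header fields arrive as int, so each sum or product is
 * checked with __builtin_add_overflow / __builtin_mul_overflow (GCC and
 * Clang builtins) before it is used, rather than letting it wrap.
 */

/* AU-style data-chunk end: dataoffset + datasize. Returns -1 on rejection. */
long au_data_end(int dataoffset, int datasize)
{
    int end;
    if (dataoffset < 0 || datasize < 0)
        return -1;                      /* negative header fields are invalid */
    if (__builtin_add_overflow(dataoffset, datasize, &end))
        return -1;                      /* sum would not fit in an int */
    return end;
}

/* MAT4-style data length: frames * channels * bytewidth. Returns -1 on rejection. */
long mat4_data_length(int frames, int channels, int bytewidth)
{
    int tmp, length;
    if (frames < 0 || channels <= 0 || bytewidth <= 0)
        return -1;
    if (__builtin_mul_overflow(frames, channels, &tmp))
        return -1;                      /* first product would wrap */
    if (__builtin_mul_overflow(tmp, bytewidth, &length))
        return -1;                      /* second product would wrap */
    return length;
}

int main(void)
{
    /* Operands taken from the sanitizer reports above: all must be rejected. */
    printf("au   1684960000 + 779316836     -> %ld\n", au_data_end(1684960000, 779316836));
    printf("mat4 553648128 * 8 * 1          -> %ld\n", mat4_data_length(553648128, 8, 1));
    printf("mat4 -587202559 * 553648128 * 8 -> %ld\n", mat4_data_length(-587202559, 553648128, 8));
    /* Constructed sane header values pass and yield the computed value. */
    printf("au   24 + 4096                  -> %ld\n", au_data_end(24, 4096));
    printf("mat4 1000 * 2 * 4               -> %ld\n", mat4_data_length(1000, 2, 4));
    return 0;
}
```

In the unchecked form, any bounds comparison made after the wrapped sum or product is already undefined behaviour, which is exactly what `-fsanitize=signed-integer-overflow` reports in the runs above.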
