CVE-2017-7605: libaacplus: signed integer overflow, left shift and assertion failure
aacplusenc.c in HE-AAC+ Codec (aka libaacplus) 2.0.2 has an assertion failure, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted audio file.
Description:
libaacplus is a HE-AAC+ v2 library, based on the reference implementation.
While fuzzing it I found some crashes. Upstream was poked on 2017-03-12, but no response from him.
# aacplusenc $FILE out.aac 24000 s
au_channel.h:31:91: runtime error: signed integer overflow: 2147483647 + 8 cannot be represented in type 'int'
Affected version:
2.0.2
Fixed version:
N/A
Commit fix:
N/A
Reproducer:
https://github.com/asarubbo/poc/blob/master/00254-libaacplus-signedintoverflow
CVE:
CVE-2017-7603
##############################################
# aacplusenc $FILE out.aac 24000 s
au_channel.h:31:83: runtime error: left shift of 241 by 24 places cannot be represented in type 'int'
Affected version:
2.0.2
Fixed version:
N/A
Commit fix:
N/A
Reproducer:
https://github.com/asarubbo/poc/blob/master/00255-libaacplus-leftshift
CVE:
CVE-2017-7604
##############################################
# aacplusenc $FILE out.aac 24000 s
aacplusenc: aacplusenc.c:67: aacplusEncHandle aacplusEncOpen(unsigned long, unsigned int, unsigned long *, unsigned long *): Assertion `numChannels <= MAX_CHANNELS' failed.
Affected version:
2.0.2
Fixed version:
N/A
Commit fix:
N/A
Reproducer:
https://github.com/asarubbo/poc/blob/master/00256-libaacplus-assertion-failure
CVE:
CVE-2017-7605
##############################################
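The three reports above share one root: header fields of the input file are reconstructed with signed int arithmetic (byte 241 shifted left by 24, a sum that reaches INT_MAX + 8) and the resulting channel count reaches aacplusEncOpen() unchecked, where only an assert() stands between it and MAX_CHANNELS. The following is an added example written for this page, not code from libaacplus or from the reporter. It assumes the input is a Sun .au style header of six big-endian 32-bit fields (magic, data offset, data size, encoding, sample rate, channels); the field layout, the MAX_CHANNELS value of 2 and the function names are assumptions. It reads each field with unsigned shifts, which are defined for every byte value, bounds-checks the data region without the addition that can overflow, and rejects an out-of-range channel count as a parse error rather than leaving it to an assertion.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not libaacplus code. Models a defensive reader for
 * a Sun .au style header of the kind au_channel.h parses. Field layout and
 * MAX_CHANNELS are assumptions made for this illustration. */

#define AU_HEADER_BYTES 24u
#define AU_MAGIC        0x2e736e64u   /* ".snd" */
#define AU_SIZE_UNKNOWN 0xffffffffu   /* ~0 means "data size not known" */
#define MAX_CHANNELS    2u            /* stand-in for the library's limit */

typedef struct {
    uint32_t data_offset;
    uint32_t data_size;
    uint32_t encoding;
    uint32_t sample_rate;
    uint32_t channels;
} au_header;

/* Assemble a big-endian 32-bit value from four bytes.
 * Shifting a uint32_t is defined for every byte value. The same expression
 * on the promoted int operands, e.g. (p[0] << 24) + ..., is the pattern
 * UBSan flagged above ("left shift of 241 by 24 places", "2147483647 + 8"). */
uint32_t read_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parse and validate a header held in buf[0..len).
 * Returns 0 on success, a negative code for malformed input. The channel
 * count is rejected here, so a later assert() on it can never fire. */
int parse_au_header(const unsigned char *buf, size_t len, au_header *h)
{
    if (len < AU_HEADER_BYTES)      return -1;   /* truncated header */
    if (read_be32(buf) != AU_MAGIC) return -2;   /* wrong magic */
    h->data_offset = read_be32(buf + 4);
    h->data_size   = read_be32(buf + 8);
    h->encoding    = read_be32(buf + 12);
    h->sample_rate = read_be32(buf + 16);
    h->channels    = read_be32(buf + 20);

    if (h->data_offset < AU_HEADER_BYTES || h->data_offset > len)
        return -3;                               /* offset outside the file */
    /* Overflow-safe form of "data_offset + data_size <= len". */
    if (h->data_size != AU_SIZE_UNKNOWN && h->data_size > len - h->data_offset)
        return -4;                               /* data runs past end of file */
    if (h->sample_rate == 0)        return -5;
    if (h->channels == 0 || h->channels > MAX_CHANNELS)
        return -6;                               /* would have tripped the assert */
    return 0;
}

/* Constructed sample inputs (24-byte header followed by 4 data bytes). */
/* Valid: ".snd", offset 24, 4 data bytes, 16-bit PCM, 24000 Hz, 2 channels. */
static const unsigned char GOOD[] = {
    '.','s','n','d', 0,0,0,24, 0,0,0,4, 0,0,0,3, 0,0,0x5d,0xc0, 0,0,0,2,
    0x00,0x01,0x00,0x02 };
/* Channel field whose first byte is 241 (0xF1): 4043309056 channels. */
static const unsigned char BAD_CHANNELS[] = {
    '.','s','n','d', 0,0,0,24, 0,0,0,4, 0,0,0,3, 0,0,0x5d,0xc0, 0xf1,0,0,0,
    0x00,0x01,0x00,0x02 };
/* Data size claims 0x7fffffff bytes while only 4 follow the header. */
static const unsigned char BAD_SIZE[] = {
    '.','s','n','d', 0,0,0,24, 0x7f,0xff,0xff,0xff, 0,0,0,3, 0,0,0x5d,0xc0, 0,0,0,2,
    0x00,0x01,0x00,0x02 };

int check_good(void)         { au_header h; return parse_au_header(GOOD, sizeof GOOD, &h); }
int check_bad_channels(void) { au_header h; return parse_au_header(BAD_CHANNELS, sizeof BAD_CHANNELS, &h); }
int check_bad_size(void)     { au_header h; return parse_au_header(BAD_SIZE, sizeof BAD_SIZE, &h); }

int main(void)
{
    printf("good=%d bad_channels=%d bad_size=%d\n",
           check_good(), check_bad_channels(), check_bad_size());
    return 0;
}
```

Compiling this with -fsanitize=undefined and feeding it the constructed inputs produces no sanitizer report, because every shift operates on an unsigned operand and the only addition that could overflow has been rewritten as a subtraction against the known file length; the malformed inputs are reported by return code instead of by an abort.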
Credit:
These bugs were discovered by Agostino Sarubbo of Gentoo.
Timeline:
2017-03-12: bug discovered and poked upstream about
2017-04-01: blog post about the issue
2017-04-09: CVE assigned
Note:
This bug was found with American Fuzzy Lop.
Related news
Gentoo Linux Security Advisory 202209-13 - Multiple vulnerabilities have been discovered in libaacplus, the worst of which could result in denial of service. Versions less than or equal to 2.0.2-r3 are affected.