oss-sec mailing list archives

Re: Re: CVE request: libsndfile 1.0.25 heap overflow


From: gauri () tut by
Date: Thu, 05 Nov 2015 17:30:14 +0100

Hello list.

03.11.2015, 21:02, "cve-assign () mitre org" <cve-assign () mitre org>:
>> Unrelated, but I recently reported an out of bounds triggered by the
>> test suite of libsndfile and got no reply:
>> http://permalink.gmane.org/gmane.comp.audio.libsndfile.devel/681
>>
>> Out of bounds reads in psf_strlcpy_crlf when running test suite
>>
>> AddressSanitizer: global-buffer-overflow ... READ of size 1
>
> Use CVE-2015-8075.

I have followed up on this to spot the root cause of what has been assigned CVE-2015-8075; as recommended by Hanno, I am sharing my results with the wider audience.

The `test_psf_strlcpy_crlf()` routine, as it is presented [1] in version 1.0.25, is incorrect in that it supplies an invalid argument value to the function `psf_strlcpy_crlf()` being tested: the last argument, `srcmax`, receives `sizeof(src)`, which is the size of the pointer `src` and not the length of the source string it points to, as the author might have anticipated. Since the reporter tested a 64-bit build, `srcmax` gets passed 8, but the string is 7 bytes long. This triggers an OOB access detected by AddressSanitizer, just like in the original report.

At this point, it seems CVE-2015-8075 has to be rejected as there is no vulnerability, only a poorly written test case which doesn't see any action except when running `make check`.

Note: Apparently, the vendor has attempted to fix the test [2], but it seems like `srcmax` is getting `sizeof(char)` instead of `sizeof(char *)` now. The test remains invalid, although due to a different reason.

Cheers,
Z.

References:
[1] https://github.com/erikd/libsndfile/blob/f66e21e0b1f1b52b544dabb5ba4fa89fa6f62a30/src/test_strncpy_crlf.c
[2] https://github.com/erikd/libsndfile/blob/495c2877e1c841fbb420383551547d2ca60533c6/src/test_strncpy_crlf.c
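As an added illustration (not code from this post, and not libsndfile's own code), the following C program uses a hypothetical simplified stand-in for `psf_strlcpy_crlf()` and compares the three ways of computing `srcmax` the post discusses: `sizeof(src)` on a pointer, `sizeof(char)`, and the actual string length. Only the role of the last argument as a source byte limit follows the post; the copier body and the helper names are assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical simplified stand-in for psf_strlcpy_crlf() (an assumption,
 * not libsndfile's code): copies exactly srcmax bytes of src, NUL or not,
 * into dest of capacity destmax, expanding a bare '\n' to "\r\n".
 * Returns the number of bytes written before the terminating NUL. */
static size_t copy_crlf(char *dest, const char *src, size_t destmax, size_t srcmax)
{
    char *d = dest, *dend = dest + destmax - 2;  /* keep room for one expansion + NUL */
    const char *s = src, *send = src + srcmax;
    while (d < dend && s < send) {
        if (*s == '\n')
            *d++ = '\r';
        *d++ = *s++;
    }
    *d = '\0';
    return (size_t)(d - dest);
}

/* The 1.0.25 test: sizeof on a pointer parameter is sizeof(char *), 8 on a
 * 64-bit build, and says nothing about the text src points at. */
static size_t srcmax_sizeof_ptr(const char *src) { return sizeof(src); }

/* The attempted fix: sizeof(*src) is sizeof(char), always 1. */
static size_t srcmax_sizeof_char(const char *src) { return sizeof(*src); }

/* Correct: the byte count of the text actually held in the buffer. */
static size_t srcmax_strlen(const char *src) { return strlen(src); }

/* 1 if srcmax lets the copier read past a source buffer of srcbuf_size bytes. */
static int srcmax_overruns(size_t srcbuf_size, size_t srcmax) { return srcmax > srcbuf_size; }

/* 1 if srcmax stops short of the test string, so the test exercises almost nothing. */
static int srcmax_truncates(const char *src, size_t srcmax) { return srcmax < strlen(src); }

int main(void)
{
    const char *src = "a\nb\nc\n";        /* constructed input: 6 bytes + NUL = 7-byte buffer */
    size_t srcbuf = strlen(src) + 1;
    char dest[32];
    size_t n = copy_crlf(dest, src, sizeof(dest), srcmax_strlen(src));   /* in-bounds call only */
    printf("strlen       srcmax=%zu wrote=%zu overrun=%d\n", srcmax_strlen(src), n,
           srcmax_overruns(srcbuf, srcmax_strlen(src)));
    printf("sizeof(ptr)  srcmax=%zu overrun=%d\n", srcmax_sizeof_ptr(src),
           srcmax_overruns(srcbuf, srcmax_sizeof_ptr(src)));
    printf("sizeof(char) srcmax=%zu truncates=%d\n", srcmax_sizeof_char(src),
           srcmax_truncates(src, srcmax_sizeof_char(src)));
    return 0;
}
```

The program never calls the copier with the oversized `srcmax`; it only reports which of the three values would overrun or truncate the 7-byte source buffer.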
