Memory leak on wavpack #165

Closed
Frank-Z7 opened this issue Sep 18, 2023 · 2 comments

@Frank-Z7

Memory leak on wavpack


Description

We found a memory leak bug when we used wavpack to convert wav format files to wv files under the specific configuration option "-bn=22.1 -c -v [inputfile] -o".

It should be noted that wavpack (version 5.2.0-1) downloaded through apt-get may also trigger this vulnerability, which may endanger the system security of Debian users.

image-20230918174940462

Version

wavpack 5.6.6, the latest version.

root@38ad1e4b9d16:/afltest/wavpackgit# ./cli/wavpack --version
wavpack 5.6.6
libwavpack 5.6.6

image-20230918171447790

Reference

http://www.wavpack.com/

https://github.com/dbry/WavPack

Actual Behavior

Memory leak

PoC

wavpackpoc1: https://github.com/Frank-Z7/z-vulnerabilitys/blob/main/wavpackpoc1

Reproduction

git clone https://github.com/dbry/WavPack.git wavpackgit
cd wavpackgit
./autogen.sh
CFLAGS="-fsanitize=address -fno-omit-frame-pointer -g" CXXFLAGS=" -fsanitize=address -fno-omit-frame-pointer -g" ./configure
make

./cli/wavpack -bn=22.1 -c -v wavpackpoc1 -o ./test1.wv

ASAN Log

=================================================================
==437243==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 4106 byte(s) in 1 object(s) allocated from:
    #0 0x7ffff7699808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x5555555684e7 in main cli/wavpack.c:928
    #2 0x7ffff71dc082 in __libc_start_main ../csu/libc-start.c:308

Direct leak of 8 byte(s) in 1 object(s) allocated from:
    #0 0x7ffff7699c3e in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:163
    #1 0x555555568587 in main cli/wavpack.c:934
    #2 0x7ffff71dc082 in __libc_start_main ../csu/libc-start.c:308

Indirect leak of 21 byte(s) in 1 object(s) allocated from:
    #0 0x7ffff7699808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x5555555685e9 in main cli/wavpack.c:935
    #2 0x7ffff71dc082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: 4135 byte(s) leaked in 3 allocation(s).

image-20230918174114029

Location

image-20230919002354644

Environment

ubuntu:20.04
gcc version 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)
clang version 10.0.0-4ubuntu1

Credit

Zeng Yunxiang ([Huazhong University of Science and Technology](http://cse.hust.edu.cn/))

@dbry
Owner

dbry commented Sep 18, 2023

Thanks very much for reporting this, and for the detailed analysis!

It turns out that the problem has nothing to do with the test file. The problem is that there is a syntax error (several, actually) in the command line and the program is reporting those and terminating early. You can see the error messages above ("illegal option"). This was actually reported once before in issue #124 and I discuss it there in great detail.

In short, I do not consider this a possible security vulnerability, but if you can explain how this might be exploited I would be happy to listen.

@Frank-Z7
Author

Thanks a lot!
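
Added example, not part of the issue thread or of WavPack's code: a parser for the LeakSanitizer report quoted in the issue that lists each leak's allocation site (the first frame below the sanitizer interceptor). The function names and the `bounded-at-exit` label are assumptions of this example; the label is a triage heuristic for a single object allocated directly in `main`, not something the sanitizer reports.

```python
import re

# LeakSanitizer report as quoted in the issue above (blank lines dropped).
REPORT = """\
==437243==ERROR: LeakSanitizer: detected memory leaks
Direct leak of 4106 byte(s) in 1 object(s) allocated from:
    #0 0x7ffff7699808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x5555555684e7 in main cli/wavpack.c:928
    #2 0x7ffff71dc082 in __libc_start_main ../csu/libc-start.c:308
Direct leak of 8 byte(s) in 1 object(s) allocated from:
    #0 0x7ffff7699c3e in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:163
    #1 0x555555568587 in main cli/wavpack.c:934
    #2 0x7ffff71dc082 in __libc_start_main ../csu/libc-start.c:308
Indirect leak of 21 byte(s) in 1 object(s) allocated from:
    #0 0x7ffff7699808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
    #1 0x5555555685e9 in main cli/wavpack.c:935
    #2 0x7ffff71dc082 in __libc_start_main ../csu/libc-start.c:308
SUMMARY: AddressSanitizer: 4135 byte(s) leaked in 3 allocation(s).
"""

HEADER = re.compile(r"(Direct|Indirect) leak of (\d+) byte\(s\) in (\d+) object\(s\)")
FRAME = re.compile(r"\s*#\d+ 0x[0-9a-f]+ in (\S+) (\S+):(\d+)")

def parse_leaks(report):
    """Return one dict per leak record: kind, bytes, objects, stack frames."""
    leaks = []
    for line in report.splitlines():
        if m := HEADER.match(line):
            leaks.append({"kind": m[1], "bytes": int(m[2]), "objects": int(m[3]), "frames": []})
        elif leaks and (m := FRAME.match(line)):
            leaks[-1]["frames"].append((m[1], m[2], int(m[3])))
    return leaks

def alloc_site(leak):
    """First frame below the sanitizer's malloc/realloc interceptor, or None."""
    return next((f for f in leak["frames"] if not f[0].startswith("__interceptor_")), None)

def triage(report):
    """Label each leak; 'bounded-at-exit' is this example's heuristic (assumption)."""
    rows = []
    for leak in parse_leaks(report):
        site = alloc_site(leak)
        bounded = site is not None and site[0] == "main" and leak["objects"] == 1
        rows.append((leak["kind"], leak["bytes"], site, "bounded-at-exit" if bounded else "needs-review"))
    return rows

if __name__ == "__main__":
    for row in triage(REPORT):
        print(row)
```
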
