dbry / WavPack

WavPack encode/decode library, command-line programs, and several plugins

Uninitialized Read in WavpackSetConfiguration64()

rohanpadhye opened this issue

uninit-config.wav.zip - contains fuzzed input

The parsing of the attached file uninit-config.wav leads to a read of an uninitialized location in memory. The uninitialized read can be uncovered using a tool such as Valgrind or MemorySanitizer. For example:

$ valgrind ./cli/wavpack uninit-config.wav
==21125== Memcheck, a memory error detector
==21125== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==21125== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==21125== Command: ./cli/wavpack uninit-config.wav
==21125== 

 WAVPACK  Hybrid Lossless Audio Compressor  Linux Version 5.1.0
 Copyright (c) 1998 - 2019 David Bryant.  All Rights Reserved.

creating uninit-config.wv,==21125== Conditional jump or move depends on uninitialised value(s)
==21125==    at 0x425EEE: WavpackSetConfiguration64 (pack_utils.c:198)
==21125==    by 0x4137E8: ParseDsdiffHeaderConfig (dsdiff.c:318)
==21125==    by 0x408A94: pack_file (wavpack.c:1777)
==21125==    by 0x404AE2: main (wavpack.c:1273)

It appears that this is an uninitialized read of the field config->sample_rate on this line.

This is fixed now, thanks!
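The failure class in the report, as an added example that is not WavPack's code or its fix: a header parser fills a config struct only from the chunks it finds, so a file that omits one leaves that field holding whatever the caller's memory contained. It assumes the field was unset because the chunk carrying it was absent (the report does not state the cause); the chunk layout, the `RATE`/`CHNL` tags, `demo_config` and all function names are hypothetical, and the sample headers are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical config; only the field name sample_rate comes from the report. */
typedef struct { uint32_t sample_rate; uint16_t num_channels; } demo_config;
enum { HAVE_RATE = 1, HAVE_CHANS = 2 };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Walks constructed chunks: 4-byte tag, 4-byte big-endian length, payload.
   Writes only fields whose chunk is present; returns a bitmask, or -1 if malformed. */
static int parse_chunks(const uint8_t *buf, size_t len, demo_config *cfg) {
    int seen = 0;
    size_t off = 0;
    while (len - off >= 8) {
        uint32_t clen = be32(buf + off + 4);
        const uint8_t *body = buf + off + 8;
        if (clen > len - off - 8) return -1;          /* chunk runs past the buffer */
        if (!memcmp(buf + off, "RATE", 4) && clen == 4) {
            cfg->sample_rate = be32(body); seen |= HAVE_RATE;
        } else if (!memcmp(buf + off, "CHNL", 4) && clen == 2) {
            cfg->num_channels = (uint16_t)((body[0] << 8) | body[1]); seen |= HAVE_CHANS;
        }
        off += 8 + (size_t)clen;
    }
    return seen;
}

/* Unchecked form: success even if RATE never appeared, so sample_rate is left untouched. */
int parse_unchecked(const uint8_t *buf, size_t len, demo_config *cfg) {
    return parse_chunks(buf, len, cfg) < 0 ? -1 : 0;
}

/* Hardened form: zero the struct first, then reject headers missing a required field. */
int parse_checked(const uint8_t *buf, size_t len, demo_config *cfg) {
    memset(cfg, 0, sizeof *cfg);
    int seen = parse_chunks(buf, len, cfg);
    int need = HAVE_RATE | HAVE_CHANS;
    return (seen < 0 || (seen & need) != need) ? -1 : 0;
}

/* Constructed inputs: one header without RATE, one complete (rate 2822400, 2 channels). */
const uint8_t HDR_NO_RATE[] = { 'C','H','N','L', 0,0,0,2, 0,2 };
const uint8_t HDR_FULL[] = { 'R','A','T','E', 0,0,0,4, 0x00,0x2B,0x11,0x00,
                             'C','H','N','L', 0,0,0,2, 0,2 };
```

Pre-filling the struct with a known byte pattern before calling `parse_unchecked` makes the untouched field visible without relying on Valgrind or MemorySanitizer.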