Uninitialized Read (and Divide by Zero) in ParseWave64HeaderConfig()

Question

Uninitialized Read (and Divide by Zero) in ParseWave64HeaderConfig()

rohanpadhye opened this issue 5 years ago · comments

uninit-divzero-waveheader.wav.zip - contains fuzzed input

The parsing of the attached file uninit-divzero-waveheader.wav leads to a read of an uninitialized location in memory. The uninitialized read sometimes further leads to a divide-by-zero error. The uninitialized read can be uncovered using a tool such as Valgrind or MemorySanitizer. For example:

$ valgrind ./cli/wavpack uninit-divzero-waveheader.wav
==3921== Memcheck, a memory error detector
==3921== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==3921== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==3921== Command: ./cli/wavpack uninit-divzero-waveheader.wav
==3921== 

 WAVPACK  Hybrid Lossless Audio Compressor  Linux Version 5.1.0
 Copyright (c) 1998 - 2019 David Bryant.  All Rights Reserved.

creating uninit-divzero-waveheader.wv,==3921== Conditional jump or move depends on uninitialised value(s)
==3921==    at 0x41016B: ParseWave64HeaderConfig (wave64.c:211)
==3921==    by 0x408A94: pack_file (wavpack.c:1777)
==3921==    by 0x404AE2: main (wavpack.c:1273)
==3921== 
==3921== 
==3921== Process terminating with default action of signal 8 (SIGFPE)
==3921==  Integer divide by zero at address 0x1002D83DC5
==3921==    at 0x410214: ParseWave64HeaderConfig (wave64.c:220)
==3921==    by 0x408A94: pack_file (wavpack.c:1777)
==3921==    by 0x404AE2: main (wavpack.c:1273)
==3921==

It appears that this is an uninitialized read of the field WaveHeader.NumChannels on this line. This sometimes leads to a subsequent divide by zero on this line -- I guess the division instruction may or may not be executed based on what value is read for WaveHeader.NumChannels.

Rohan Padhye · Answer 1 · Thu Mar 07 2019 04:05:51 GMT+0800 (China Standard Time)

This is fixed now, thanks!

David Bryant · Answer 2 · Thu Mar 07 2019 04:56:59 GMT+0800 (China Standard Time)

Thanks for the reports and retest!

Utkarsh Gupta · Answer 3 · Thu Jan 14 2021 16:26:08 GMT+0800 (China Standard Time)

uninit-divzero-waveheader.wav.zip - contains fuzzed input

Aw, it's interesting and weird that when I wget the zip and unzip it and run valgrind wavpack uninit-divzero-waveheader.wav, all I get is:

root@15b10a339dee:/home/elts/wavpack# valgrind wavpack uninit-divzero-waveheader.wav
==838== Memcheck, a memory error detector
==838== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==838== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info
==838== Command: wavpack uninit-divzero-waveheader.wav
==838== 

 WAVPACK  Hybrid Lossless Audio Compressor  Linux Version 4.70.0
 Copyright (c) 1998 - 2013 Conifer Software.  All Rights Reserved.

uninit-divzero-waveheader.wav is not a valid .WAV file!        
==838== 
==838== HEAP SUMMARY:
==838==     in use at exit: 0 bytes in 0 blocks
==838==   total heap usage: 7 allocs, 7 frees, 2,334 bytes allocated
==838== 
==838== All heap blocks were freed -- no leaks are possible
==838== 
==838== For counts of detected and suppressed errors, rerun with: -v
==838== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

I am not sure why it gives me uninit-divzero-waveheader.wav is not a valid .WAV file!, any clue?

On the contrary:

root@15b10a339dee:/home/elts/wavpack# file uninit-divzero-waveheader.wav
uninit-divzero-waveheader.wav: Sony Wave64 RIFF data, WAVE 64 audio