Signed integer overflow in src/mat4.c:323 #789

shao-hua-li · 2021-11-14T23:13:04Z

Hi there,

I found an undefined behavior in src/mat4.c:323, which is a signed integer overflow.

libsndfile version: commit c7b69d7
Compile args: CFLAGS='-fsanitize=undefined' ./configure --disable-shared && make
Compiler: clang13
Platform: Ubuntu 20.04.2 LTS, x86_64
Reproduce: ./programs/sndfile-metadata-get mat4.c_int_overflow
POC: mat4.c_int_overflow.tar.gz

Undefined Behavior Sanitizer report:

src/mat4.c:323:41: runtime error: signed integer overflow: 205 * -100663296 cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:323:41 in
src/mat4.c:323:48: runtime error: signed integer overflow: 838860800 * 4 cannot be represented in type 'int'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:323:48 in

A possible quick fix is to add explicit type casting in mat4.c:323, like psf->dataend = psf->dataoffset + (long)rows * cols * psf->bytewidth ;

Another consequence of this bug is for clang -O1 and clang -O2, the frame filed in outputs would be different.

The text was updated successfully, but these errors were encountered:

arthurt · 2022-01-28T17:19:44Z

mat4.c

	int		rows, cols, imag ;
...
		psf->dataend = psf->dataoffset + rows * cols * psf->bytewidth ;

So clang is complaining that the result of rows * cols overflows a 32-bit int. (Rows and cols are read from the file, and are stored as 32-bit there.)

psf->dataend is a sf_count_t, so 64-bits. A change of bracketing, or casting rows and cols each to (sf_count_t) before the multiplication would fix this.

rfrohl · 2023-07-19T08:41:00Z

FTR: someone assigned a CVE to this bug report: CVE-2022-33065

stiepan · 2023-08-09T11:47:23Z

Hi,
Are there any plans/timeline to address this issue and the CVE-2022-33065 vulnerability?

The clang sanitizer warns of a possible signed integer overflow when calculating the `dataend` value in `mat4_read_header()`. ``` src/mat4.c:323:41: runtime error: signed integer overflow: 205 * -100663296 cannot be represented in type 'int' SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:323:41 in src/mat4.c:323:48: runtime error: signed integer overflow: 838860800 * 4 cannot be represented in type 'int' SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:323:48 in ``` Cast the offending `rows` and `cols` ints to `st_count_t` (the type of `dataend` before performing the calculation, to avoid the issue. CVE: CVE-2022-33065 Fixes: libsndfile#789 Fixes: libsndfile#833 Signed-off-by: Alex Stewart <alex.stewart@ni.com>

The clang sanitizer warns of a possible signed integer overflow when calculating the `dataend` value in `mat4_read_header()`. ``` src/mat4.c:323:41: runtime error: signed integer overflow: 205 * -100663296 cannot be represented in type 'int' SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:323:41 in src/mat4.c:323:48: runtime error: signed integer overflow: 838860800 * 4 cannot be represented in type 'int' SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:323:48 in ``` Cast the offending `rows` and `cols` ints to `sf_count_t` (the type of `dataend` before performing the calculation, to avoid the issue. CVE: CVE-2022-33065 Fixes: libsndfile#789 Fixes: libsndfile#833 Signed-off-by: Alex Stewart <alex.stewart@ni.com>

The clang sanitizer warns of a possible signed integer overflow when calculating the `dataend` value in `mat4_read_header()`. ``` src/mat4.c:323:41: runtime error: signed integer overflow: 205 * -100663296 cannot be represented in type 'int' SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:323:41 in src/mat4.c:323:48: runtime error: signed integer overflow: 838860800 * 4 cannot be represented in type 'int' SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior src/mat4.c:323:48 in ``` Cast the offending `rows` and `cols` ints to `sf_count_t` (the type of `dataend` before performing the calculation, to avoid the issue. CVE: CVE-2022-33065 Fixes: libsndfile#789 Fixes: libsndfile#833 Upstream-Status: Backport [9a82911] Signed-off-by: Alex Stewart <alex.stewart@ni.com>

evpobr added the Bug Something isn't working label Nov 16, 2021

evpobr mentioned this issue May 2, 2022

UndefinedBehaviorSanitizer: multiple signed integer overflow #833

Closed

amstewart mentioned this issue Oct 17, 2023

Fix various numeric overflow vulns throughout code (CVE-2022-33065) #979

Merged

3 tasks

evpobr closed this as completed in 0754562 Oct 20, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Signed integer overflow in src/mat4.c:323 #789

Signed integer overflow in src/mat4.c:323 #789

shao-hua-li commented Nov 14, 2021 •

edited

Loading

arthurt commented Jan 28, 2022 •

edited

Loading

rfrohl commented Jul 19, 2023

stiepan commented Aug 9, 2023

Signed integer overflow in src/mat4.c:323 #789

Signed integer overflow in src/mat4.c:323 #789

Comments

shao-hua-li commented Nov 14, 2021 • edited Loading

arthurt commented Jan 28, 2022 • edited Loading

rfrohl commented Jul 19, 2023

stiepan commented Aug 9, 2023

shao-hua-li commented Nov 14, 2021 •

edited

Loading

arthurt commented Jan 28, 2022 •

edited

Loading