"Today, the Music Player Daemon project received a bug report from
Anton Khirnov: MPD crashed when attempting to play a WAV file. "file"
RIFF (little-endian) data, WAVE audio, Microsoft ADPCM, stereo 44100
The MPD bug report: http://musicpd.org/mantis/view.php?id=1915
The test file: http://filebin.ca/meqmyu/max_theme.wav
Turns out that this is a bug in libaudiofile. When attempting to
decode the file, libaudiofile writes past the buffer in msadpcm.c:194
code = *encoded >> 4;
newSample = ms_adpcm_decode_sample(state, code,
*decoded++ = newSample;
A quick look at the code revealed that the allocated buffer size
depended on the following formula:
bufsize = outc->nframes * _af_format_frame_size(&outc->f, AF_TRUE);
outc->nframes basically comes from _AF_ATOMIC_NVFRAMES (1024), because
the msadpcm module does not implement the max_pull callback. This
results in a 4096 byte allocation in modules.c:2539 (frame size is 4).
In ms_adpcm_decode_block(), msadpcm->samplesPerBlock is set to 2036
(unverified value from the input file header). outputLength is 8144,
which obviously does not fit into the allocated 4096 byte buffer.
I could reproduce the same crash with "normalize-audio max_theme.wav".
The real crash happens after closing the file, probably due to heap
corruption. valgrind notices the problem before the crash actually
To me this sounds like an application crash with a possible security hole due to the heap overflow. But I'm no expert on this.
There's no fix yet, if I get the Debian bug report correctly. Can we provide/work with the Debian folks on one?
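The size arithmetic in the forwarded report (1024 frames x 4 bytes = 4096 allocated, 2036 frames x 2 channels x 2 bytes = 8144 written) with the bounds check it says is missing, as an added example in C. This is not libaudiofile's code: the decoder, the helper names and the constructed 18-byte sample block are my own, and only the block header layout and the adaptation/coefficient tables come from the MS ADPCM format description. The checked decoder refuses any block whose decoded size exceeds the caller's buffer and any samplesPerBlock that disagrees with the block length; for a 2048-byte stereo block the consistent value is exactly the 2036 quoted above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not libaudiofile code: a bounds-checked MS ADPCM block
 * decoder built around the sizes quoted in the report. Names are mine. */

#define AF_ATOMIC_NVFRAMES 1024        /* frames per pull, as in the report */
#define MS_ADPCM_HDR_PER_CH 7          /* predictor(1) delta(2) s1(2) s2(2) */

/* Adaptation and coefficient tables from the MS ADPCM format description. */
static const int16_t adapt_tab[16] = {
    230, 230, 230, 230, 307, 409, 512, 614,
    768, 614, 512, 409, 307, 230, 230, 230
};
static const int16_t coef_tab[7][2] = {
    {256, 0}, {512, -256}, {0, 0}, {192, 64}, {240, 0}, {460, -208}, {392, -232}
};

struct adpcm_state { int32_t c1, c2, delta, s1, s2; };

static int16_t clamp16(int32_t v)
{
    return (int16_t)(v > 32767 ? 32767 : (v < -32768 ? -32768 : v));
}

/* Decode one 4-bit code for one channel and advance the predictor state. */
static int16_t decode_sample(struct adpcm_state *st, int code)
{
    int32_t nibble = (code & 8) ? code - 16 : code;        /* sign-extend */
    int32_t pred = (st->s1 * st->c1 + st->s2 * st->c2) / 256 + nibble * st->delta;
    st->s2 = st->s1;
    st->s1 = clamp16(pred);
    st->delta = (adapt_tab[code] * st->delta) / 256;
    if (st->delta < 16) st->delta = 16;
    return (int16_t)st->s1;
}

/* Bytes one block decodes to: the report's outputLength (8144 for 2036 x 2). */
size_t ms_adpcm_output_bytes(int samples_per_block, int channels)
{
    return (size_t)samples_per_block * (size_t)channels * sizeof(int16_t);
}

/* The pull buffer from the report: _AF_ATOMIC_NVFRAMES frames x frame size. */
size_t pull_buffer_bytes(int channels)
{
    return (size_t)AF_ATOMIC_NVFRAMES * (size_t)channels * sizeof(int16_t);
}

/* samplesPerBlock implied by a block size: two header frames plus two codes
 * per byte for the rest, so a 2048-byte stereo block holds 2036 frames. */
int samples_per_block_for(size_t block_align, int channels)
{
    size_t hdr = (size_t)channels * MS_ADPCM_HDR_PER_CH;
    if (channels < 1 || block_align < hdr) return -1;
    return (int)((block_align - hdr) * 2 / (size_t)channels) + 2;
}

static int16_t rd16le(const uint8_t *p)
{
    return (int16_t)(uint16_t)(p[0] | (p[1] << 8));
}

/* Decode one block into out as interleaved frames. Returns frames written,
 * or -1 when the decoded block would not fit in out_frames (the check the
 * report says is missing) or the header disagrees with the block length. */
int ms_adpcm_decode_block_checked(const uint8_t *block, size_t block_len, int channels,
                                  int samples_per_block, int16_t *out, size_t out_frames)
{
    struct adpcm_state st[2];
    const uint8_t *codes;
    size_t n = 0;
    int ch, frame;

    if (channels < 1 || channels > 2 || samples_per_block < 2) return -1;
    if ((size_t)samples_per_block > out_frames) return -1;
    if (samples_per_block_for(block_len, channels) != samples_per_block) return -1;

    for (ch = 0; ch < channels; ch++) {
        int pred = block[ch];
        if (pred > 6) return -1;                  /* index into coef_tab */
        st[ch].c1 = coef_tab[pred][0];
        st[ch].c2 = coef_tab[pred][1];
        st[ch].delta = rd16le(block + channels + 2 * ch);
        st[ch].s1 = rd16le(block + 3 * channels + 2 * ch);
        st[ch].s2 = rd16le(block + 5 * channels + 2 * ch);
        out[ch] = (int16_t)st[ch].s2;             /* frame 0 */
        out[channels + ch] = (int16_t)st[ch].s1;  /* frame 1 */
    }
    codes = block + channels * MS_ADPCM_HDR_PER_CH;
    for (frame = 2; frame < samples_per_block; frame++) {
        for (ch = 0; ch < channels; ch++, n++) {  /* high nibble first */
            int code = (n & 1) ? (codes[n / 2] & 0x0f) : (codes[n / 2] >> 4);
            out[(size_t)frame * channels + ch] = decode_sample(&st[ch], code);
        }
    }
    return samples_per_block;
}

/* Constructed 18-byte stereo block (6 frames): predictors 0, delta 16,
 * s1 = 100/200, s2 = 50/150, then codes 0x17 0x8F 0x00 0x00. */
static const uint8_t sample_block[18] = {
    0x00, 0x00, 0x10, 0x00, 0x10, 0x00, 0x64, 0x00, 0xC8, 0x00,
    0x32, 0x00, 0x96, 0x00, 0x17, 0x8F, 0x00, 0x00
};

int decode_sample_block(int16_t *out, size_t out_frames)
{
    return ms_adpcm_decode_block_checked(sample_block, sizeof sample_block, 2, 6, out, out_frames);
}

/* The report's case: a 2048-byte stereo block (2036 frames) against a
 * 1024-frame pull buffer. Returns -1 instead of writing 8144 bytes into 4096. */
int decode_report_case(void)
{
    static uint8_t block[2048];
    int16_t out[AF_ATOMIC_NVFRAMES * 2];
    return ms_adpcm_decode_block_checked(block, sizeof block, 2, 2036, out, AF_ATOMIC_NVFRAMES);
}

int main(void)
{
    int16_t out[AF_ATOMIC_NVFRAMES * 2];
    int i, n = decode_sample_block(out, AF_ATOMIC_NVFRAMES);
    printf("sample block: %d frames:", n);
    for (i = 0; i < n * 2; i++) printf(" %d", out[i]);
    printf("\nreport case: %d (output %zu bytes, buffer %zu bytes)\n",
           decode_report_case(), ms_adpcm_output_bytes(2036, 2), pull_buffer_bytes(2));
    return 0;
}
```

The consistency check between samplesPerBlock and the block length matters as much as the buffer check: the header carries both values independently, and a decoder that trusts one to bound the other walks off either the input or the output buffer.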
Was assigned CVE-2008-5824
There's now a patch, but he says it needs more work.
NetBSD applies these patches:
... which still backtraces...
$ normalize max_theme.wav
max_theme.wav 100% done, ETA 00:00:00 (batch 100% done, ETA 00:00:00)
Applying adjustment of -3.26dB to max_theme.wav...
*** glibc detected *** normalize: corrupted double-linked list: 0x0000000000c5f310 ***
======= Backtrace: =========
Upstream bug (closed as fixed):
CVE says that it only affects audiofile-0.2.6. Long removed. Closing noglsa.