From http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510205: "Today, the Music Player Daemon project received a bug report from Anton Khirnov: MPD crashed when attempting to play a WAV file. "file" says: RIFF (little-endian) data, WAVE audio, Microsoft ADPCM, stereo 44100 Hz The MPD bug report: http://musicpd.org/mantis/view.php?id=1915 The test file: http://filebin.ca/meqmyu/max_theme.wav Turns out that this is a bug in libaudiofile. When attempting to decode the file, libaudiofile writes past the buffer in msadpcm.c:194 code = *encoded >> 4; newSample = ms_adpcm_decode_sample(state[0], code, coefficient[0]); *decoded++ = newSample; [...] A quick look at the code revealed that the allocated buffer size depended on the following formula: bufsize = outc->nframes * _af_format_frame_size(&outc->f, AF_TRUE); outc->nframes basically comes from _AF_ATOMIC_NVFRAMES (1024), because the msadpcm module does not implement the max_pull callback. This results in a 4096 byte allocation in modules.c:2539 (frame size is 4). In ms_adpcm_decode_block(), msadpcm->samplesPerBlock is set to 2036 (unverified value from the input file header). outputLength is 8144, which obviously does not fit into the allocated 4096 byte buffer. I could reproduce the same crash with "normalize-audio max_theme.wav". The real crash happens after closing the file, probably due to heap corruption. valgrind notices the problem before the crash actually occurs." To me this sounds like an application crash with a possible security hole due to the heap overflow. But i'm no expert on this.
There's no fix yet, if i get the debian bug report correctly. Can we provide/work with the debian folks on one?
Was assigned CVE-2008-5824
There's now a patch, but he says it needs more work.
NetBSD applies these patches: http://cvsweb.netbsd.org/bsdweb.cgi/pkgsrc/audio/libaudiofile/patches/patch-ac?rev=1.1&content-type=text/x-cvsweb-markup http://cvsweb.netbsd.org/bsdweb.cgi/pkgsrc/audio/libaudiofile/patches/patch-ad?rev=1.1&content-type=text/x-cvsweb-markup
.. which still backtraces... $ normalize max_theme.wav Computing levels... max_theme.wav 100% done, ETA 00:00:00 (batch 100% done, ETA 00:00:00) Applying adjustment of -3.26dB to max_theme.wav... *** glibc detected *** normalize: corrupted double-linked list: 0x0000000000c5f310 *** ======= Backtrace: ========= /lib/libc.so.6[0x7fd9b18abd87] /lib/libc.so.6[0x7fd9b18ae17e] /lib/libc.so.6(cfree+0x76)[0x7fd9b18ae3c6] /lib/libc.so.6(fclose+0x156)[0x7fd9b189b8b6] /usr/lib/libaudiofile.so.0[0x7fd9b1e3519d] /usr/lib/libaudiofile.so.0(af_virtual_file_destroy+0x7)[0x7fd9b1e351f7] /usr/lib/libaudiofile.so.0(af_fclose+0x9)[0x7fd9b1e35209] /usr/lib/libaudiofile.so.0(afCloseFile+0x31)[0x7fd9b1e32131] normalize[0x405f3f] normalize[0x403c58] /lib/libc.so.6(__libc_start_main+0xe6)[0x7fd9b1850486] normalize[0x4024a9]
Upstream bug (closed as fixed): https://bugzilla.gnome.org/show_bug.cgi?id=603198
CVE says that it only affects audiofile-0.2.6. Long removed. Closing noglsa.
