Skip to content

Oob read fixes #66

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Konstanty merged 99 commits into from
Jan 28, 2022
Merged

Oob read fixes #66

Konstanty merged 99 commits into from
Jan 28, 2022

Conversation

@Konstanty
Copy link
Owner

@Konstanty Konstanty commented Jan 28, 2022
edited
Loading

Merge several OOB read fixes discovered from a long fuzzing operation (debrouxl).

Konstanty added 30 commits May 29, 2017 06:49
@Konstanty
ABC: transpose only needs to look at notes (<26)
f3c1b47
@Konstanty
Check memory position isn't over the memory length
d7890bd 
- prevents several OOB reads
@Konstanty
Initialize nPatterns to 0 earlier
04b7eaf 
- ensures good 'state' of variable
@Konstanty
ABC: Ensure for loop does not increment past end of loop
f0c1ff2
@Konstanty
ABC: Use blankline more often
d387dfd 
- use single % as it wont execute additional code
@Konstanty
ABC: abort early if macro would be blank
ca73f52
@Konstanty
ABC: avoid possibility of incrementing *p
22b2b3c
@Konstanty
ABC: clean up loop exiting code
b4867d7 
- this solution is much cleaner
@Konstanty
ABC: ensure array access is bounded correctly.
0b0d113
@Konstanty
ABC: initialize earlier
675ab5d 
(This is purely cosmetic)
@Konstanty
OKT: ensure file size is enough to contain data
eabcd64
@Konstanty
WAV: check that there is space for both headers
23ded13
@Konstanty
ABC: cleanup tracks correctly.
9f7821a 
- previously only events were freed.
@Konstanty
PSM: make sure reads occur of only valid ins
347eeb8
@Konstanty
ABC: 10 digit ints require null termination
1162fd5 
- adding 1 byte to array
@Konstanty
FAR: out by one on check
d0adf30
@Konstanty
OKT: add one more bound check
5163a38
@Konstanty
ABC: terminate early when things don't work in substitute
f82b63a
@Konstanty
ABC: ensure read pointer is valid before incrementing
cdc0842
@Konstanty
ABC: prevent possible increment of p past end
4d0bc15
@Konstanty
PSM: add missing line to commit
f6dd59a
@Konstanty
OKT: increase bound check at start to 12.
1db0c41 
- avoid need to check twice.
- there are many more required elements in an OKT file.
@Konstanty
MED: Ensure that there is room to read one double
083e662
@Konstanty
MDL: make sure there is enough space to read the UINT
5523dd6
@Konstanty
XM: OOB fixes- don't read items outside 'packsize'
5f4ef8b
@Konstanty
MT2: OOB read fixes
1fbf435 
- many checks vs mt2instrument
- check wDataLen - it might be large enough to be negative in signed equiv.
- len might be zero (or len-4)
@Konstanty
MDL: OOB read fixes
57a5cf1 
- check before memcpy
- check before reading ps[x] data
@Konstanty
ABC: where char is lower case, allow another octave.
2314d9e 
- Another octave of possible values, means no OOB read will occur.
@Konstanty
STM: make sure patterns are not loaded above the maximum size
43f0fc4
@Konstanty
ABC: bound divider to not be below 1.
1cde769 
- prevents strange negative numbers,
- prevents divide by zero
AliceLR and others added 22 commits June 19, 2021 04:06
@AliceLR
Fix another Extreme's AMS crash.
31910e1
@AliceLR
Fix AMS slow loads due to large garbage samples.
ecf8df0
@AliceLR
Fix AMS2 instrument bounding checks.
6948105
@AliceLR
Add more missing consts in AMS loaders.
4282f68
@AliceLR
Add missing AMSUnpack bounds checks.
5e1443f
@AliceLR
Fix AMS sample packed length bounding.
2ff82c3
@AliceLR
Revise MIDI debug message fix to still use sprintf instead of snprintf.
19a5370
@AliceLR
Add missing DMF sample bounds check.
89b591f
@AliceLR
Fix WAV fmt header bounds check, add consts to WAV loader.
d8ee117
@AliceLR
Shrink AMS samples if the packed size can't possibly fit them.
cd6baf2
@AliceLR
Fix hang in WAV loader caused by missing chunk length check.
38a7b2f
@AliceLR
Fix XM slow loads caused by bad instrument checks, fix other checks.
f2c6827
@AliceLR
Revise FAR max pattern length bounding to be more readable.
6dfcfed
@AliceLR
Fix off-by-one AMS pattern bounds checks.
70d73b9
@AliceLR
Add extra AMS2 pitchenv bounds check in case support is ever added fo…
f768b60 
…r it.
@AliceLR
Add missing DMF track bounds check, tweak for consistency.
4317cb7
@Konstanty
Merge branch 'master' into oob_read_fixes
5306ac8
@Konstanty
Merge branch 'master' into oob_read_fixes
1e38a97
@Konstanty
Merge branch 'oob_read_fixes' of github.com:Konstanty/libmodplug into…
6c5cb42 
… oob_read_fixes
@Konstanty
Merge branch 'fuzz-patch-1-original' of https://github.com/AliceLR/li…
1eec55f 
…bmodplug into AliceLR-fuzz-patch-1-original
@Konstanty
Merge branch 'AliceLR-fuzz-patch-1-original' into oob_read_fixes
7c1c3aa
@Konstanty
Increment version 0.8.9.1
d04fbc2
@Konstanty Konstanty merged commit bfe501c into master Jan 28, 2022
@AliceLR AliceLR mentioned this pull request Jan 28, 2022
Closed
@debrouxl
Copy link

debrouxl commented Jan 28, 2022
edited
Loading

Woo, fixes have been merged :)

When the dust has settled a bit, it's time for a new release.
While creating CVE IDs for every single fix made to the library as part of this PR is both undesirable (some issues only have practical impact with instrumented code, AFAICT) and really cumbersome, considering the sheer number of fixes, several CVE IDs for more severe or more visible vulnerabilities (e.g. OOB writes such as aea13cc , UAF, UMR, divide by zero which is pure DoS but doesn't require instrumentation, nullptr deref which is pure DoS under sane OS unless the offset is large) should be requested nevertheless, so as to prod downstreams into upgrading libmodplug.

@AliceLR AliceLR mentioned this pull request Jan 28, 2022
Open
@AliceLR
Copy link
Contributor

AliceLR commented Jan 28, 2022
edited
Loading

So far I've found a couple of minor redundant checks from combining this and my patch that can be revised. I also found more potential breakage in the Oktalyzer loader I somehow never noticed. Will follow up with a small patch after I test this a little more.

edit: yep, 0.1 seconds of fuzzing with UBSan confirmed this loader has major alignment problems.

This was referenced Jan 28, 2022
Merged
Merged
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@Konstanty @debrouxl @AliceLR