Bug 306 - Segmentation fault in gig::File::LoadGroups() with crafted input file
Summary: Segmentation fault in gig::File::LoadGroups() with crafted input file
Alias: None
Product: libgig
Classification: Unclassified
Component: libgig (show other bugs)
Version: SVN Trunk
Hardware: PC All
: P5 major
Assignee: Christian Schoenebeck
Depends on:
Reported: 2017-11-09 10:13 CET by Henri Salo
Modified: 2021-05-11 13:56 CEST (History)
0 users

See Also:

reproducer (325.85 KB, application/octet-stream)
2017-11-09 10:13 CET, Henri Salo

Note You need to log in before you can comment on or make changes to this bug.
Description Henri Salo 2017-11-09 10:13:33 CET
Created attachment 89 [details]

./bin/gigextract libgig-segv-loadgroups-001.gig temp
Extracting samples from "libgig-segv-loadgroups-001.gig" to directory "temp/".
Seeking for available samples...ASAN:SIGSEGV
==14977==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f02a6bc56c0 sp 0x7ffd8215eb80 bp 0x7ffd8215ebd0 T0)
    #0 0x7f02a6bc56bf in gig::File::LoadGroups() /home/hsalo/src/libgig/src/gig.cpp:6196
    #1 0x7f02a6bd92ab in gig::File::LoadSamples(RIFF::progress_t*) /home/hsalo/src/libgig/src/gig.cpp:5658
    #2 0x7f02a6bc68cc in gig::File::GetFirstSample(RIFF::progress_t*) /home/hsalo/src/libgig/src/gig.cpp:5564
    #3 0x409c38 in ExtractSamples(gig::File*, char*, std::map<unsigned int, bool, std::less<unsigned int>, std::allocator<std::pair<unsigned int const, bool> > >*) /home/hsalo/src/libgig/src/tools/gigextract.cpp:212
    #4 0x403579 in main /home/hsalo/src/libgig/src/tools/gigextract.cpp:162
    #5 0x7f02a5a8fb44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #6 0x404029 (/home/hsalo/builds/libgig/2017-10-16/bin/gigextract+0x404029)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/hsalo/src/libgig/src/gig.cpp:6196 gig::File::LoadGroups()
Comment 1 Christian Schoenebeck 2019-03-10 18:00:10 CET
If I understand it correctly, you were using fuzzy input data to cause this crash.

Please note that even though we would like to make libgig as secure as possible against any potential attacks, we must also be realistic and see that we currently cannot offer such a high security standard for libgig in contrast to other core system libraries that you may be used to. There is simply a completely different use case and development priority for libgig if being compared to libjpeg et al.

So yes, you might also find and open additional security reports that may cause libgig to crash with specially crafted input data. But unless you don't provide appropriate patches, it will not be likely that all invidiual fuzzy crash report will be addressed from our side at this point.