
<div dir="ltr">I'm not familiar with the code, but it seems that the new address is accessed for `nb_fields`:<div><br></div><div>


<span></span>


<p class="m_7291642029083108173gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,253,207)"><span class="m_7291642029083108173gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="m_7291642029083108173gmail-Apple-converted-space">   </span>end = c+length;</span></p>

<p class="m_7291642029083108173gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,253,207)"><span class="m_7291642029083108173gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="m_7291642029083108173gmail-Apple-converted-space">   </span>len=readint(c, </span><span class="m_7291642029083108173gmail-s2" style="font-variant-ligatures:no-common-ligatures;color:rgb(193,53,31)">0</span><span class="m_7291642029083108173gmail-s1" style="font-variant-ligatures:no-common-ligatures">);</span></p>

<p class="m_7291642029083108173gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,253,207)"><span class="m_7291642029083108173gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="m_7291642029083108173gmail-Apple-converted-space">   </span>c+=</span><span class="m_7291642029083108173gmail-s2" style="font-variant-ligatures:no-common-ligatures;color:rgb(193,53,31)">4</span><span class="m_7291642029083108173gmail-s1" style="font-variant-ligatures:no-common-ligatures">;</span></p>

<p class="m_7291642029083108173gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,253,207)"><span class="m_7291642029083108173gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="m_7291642029083108173gmail-Apple-converted-space">   </span></span><span class="m_7291642029083108173gmail-s3" style="font-variant-ligatures:no-common-ligatures;color:rgb(203,119,33)">if</span><span class="m_7291642029083108173gmail-s1" style="font-variant-ligatures:no-common-ligatures"> (len < </span><span class="m_7291642029083108173gmail-s2" style="font-variant-ligatures:no-common-ligatures;color:rgb(193,53,31)">0</span><span class="m_7291642029083108173gmail-s1" style="font-variant-ligatures:no-common-ligatures"> || c+len>end)</span></p>

<p class="m_7291642029083108173gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,253,207)"><span class="m_7291642029083108173gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="m_7291642029083108173gmail-Apple-converted-space">   </span>{ <span class="m_7291642029083108173gmail-Apple-converted-space"> </span></span></p>

<p class="m_7291642029083108173gmail-p2" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(193,53,31);background-color:rgb(255,253,207)"><span class="m_7291642029083108173gmail-s4" style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0)"><span class="m_7291642029083108173gmail-Apple-converted-space">      </span>fprintf (</span><span class="m_7291642029083108173gmail-s1" style="font-variant-ligatures:no-common-ligatures">stderr</span><span class="m_7291642029083108173gmail-s4" style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0)">, </span><span class="m_7291642029083108173gmail-s1" style="font-variant-ligatures:no-common-ligatures">"Invalid/corrupted comments</span><span class="m_7291642029083108173gmail-s5" style="font-variant-ligatures:no-common-ligatures;color:rgb(211,56,209)">\n</span><span class="m_7291642029083108173gmail-s1" style="font-variant-ligatures:no-common-ligatures">"</span><span class="m_7291642029083108173gmail-s4" style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0)">);</span></p>

<p class="m_7291642029083108173gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,253,207)"><span class="m_7291642029083108173gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="m_7291642029083108173gmail-Apple-converted-space">      </span></span><span class="m_7291642029083108173gmail-s3" style="font-variant-ligatures:no-common-ligatures;color:rgb(203,119,33)">return</span><span class="m_7291642029083108173gmail-s1" style="font-variant-ligatures:no-common-ligatures">;</span></p>

<p class="m_7291642029083108173gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,253,207)"><span class="m_7291642029083108173gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="m_7291642029083108173gmail-Apple-converted-space">   </span>}</span></p>

<p class="m_7291642029083108173gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,253,207)"><span class="m_7291642029083108173gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="m_7291642029083108173gmail-Apple-converted-space">   </span>fwrite(c, </span><span class="m_7291642029083108173gmail-s2" style="font-variant-ligatures:no-common-ligatures;color:rgb(193,53,31)">1</span><span class="m_7291642029083108173gmail-s1" style="font-variant-ligatures:no-common-ligatures">, len, </span><span class="m_7291642029083108173gmail-s2" style="font-variant-ligatures:no-common-ligatures;color:rgb(193,53,31)">stderr</span><span class="m_7291642029083108173gmail-s1" style="font-variant-ligatures:no-common-ligatures">);</span></p>

<p class="m_7291642029083108173gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,253,207)"><span class="m_7291642029083108173gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="m_7291642029083108173gmail-Apple-converted-space">   </span>c+=len;</span></p>

<p class="m_7291642029083108173gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,253,207)"><span class="m_7291642029083108173gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="m_7291642029083108173gmail-Apple-converted-space">   </span>fprintf (</span><span class="m_7291642029083108173gmail-s2" style="font-variant-ligatures:no-common-ligatures;color:rgb(193,53,31)">stderr</span><span class="m_7291642029083108173gmail-s1" style="font-variant-ligatures:no-common-ligatures">, </span><span class="m_7291642029083108173gmail-s2" style="font-variant-ligatures:no-common-ligatures;color:rgb(193,53,31)">"</span><span class="m_7291642029083108173gmail-s5" style="font-variant-ligatures:no-common-ligatures;color:rgb(211,56,209)">\n</span><span class="m_7291642029083108173gmail-s2" style="font-variant-ligatures:no-common-ligatures;color:rgb(193,53,31)">"</span><span class="m_7291642029083108173gmail-s1" style="font-variant-ligatures:no-common-ligatures">);</span></p>

<p class="m_7291642029083108173gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,253,207)"><span class="m_7291642029083108173gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="m_7291642029083108173gmail-Apple-converted-space">   </span></span><span class="m_7291642029083108173gmail-s3" style="font-variant-ligatures:no-common-ligatures;color:rgb(203,119,33)">if</span><span class="m_7291642029083108173gmail-s1" style="font-variant-ligatures:no-common-ligatures"> (c+</span><span class="m_7291642029083108173gmail-s2" style="font-variant-ligatures:no-common-ligatures;color:rgb(193,53,31)">4</span><span class="m_7291642029083108173gmail-s1" style="font-variant-ligatures:no-common-ligatures">>end)</span></p>

<p class="m_7291642029083108173gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,253,207)"><span class="m_7291642029083108173gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="m_7291642029083108173gmail-Apple-converted-space">   </span>{ <span class="m_7291642029083108173gmail-Apple-converted-space"> </span></span></p>

<p class="m_7291642029083108173gmail-p2" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(193,53,31);background-color:rgb(255,253,207)"><span class="m_7291642029083108173gmail-s4" style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0)"><span class="m_7291642029083108173gmail-Apple-converted-space">      </span>fprintf (</span><span class="m_7291642029083108173gmail-s1" style="font-variant-ligatures:no-common-ligatures">stderr</span><span class="m_7291642029083108173gmail-s4" style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0)">, </span><span class="m_7291642029083108173gmail-s1" style="font-variant-ligatures:no-common-ligatures">"Invalid/corrupted comments</span><span class="m_7291642029083108173gmail-s5" style="font-variant-ligatures:no-common-ligatures;color:rgb(211,56,209)">\n</span><span class="m_7291642029083108173gmail-s1" style="font-variant-ligatures:no-common-ligatures">"</span><span class="m_7291642029083108173gmail-s4" style="font-variant-ligatures:no-common-ligatures;color:rgb(0,0,0)">);</span></p>

<p class="m_7291642029083108173gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,253,207)"><span class="m_7291642029083108173gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="m_7291642029083108173gmail-Apple-converted-space">      </span></span><span class="m_7291642029083108173gmail-s3" style="font-variant-ligatures:no-common-ligatures;color:rgb(203,119,33)">return</span><span class="m_7291642029083108173gmail-s1" style="font-variant-ligatures:no-common-ligatures">;</span></p>

<p class="m_7291642029083108173gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,253,207)"><span class="m_7291642029083108173gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="m_7291642029083108173gmail-Apple-converted-space">   </span>}</span></p>

<p class="m_7291642029083108173gmail-p1" style="margin:0px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:11px;line-height:normal;font-family:Menlo;color:rgb(0,0,0);background-color:rgb(255,253,207)"><span class="m_7291642029083108173gmail-s1" style="font-variant-ligatures:no-common-ligatures"><span class="m_7291642029083108173gmail-Apple-converted-space">   </span>nb_fields=readint(c, </span><span class="m_7291642029083108173gmail-s2" style="font-variant-ligatures:no-common-ligatures;color:rgb(193,53,31)">0</span><span class="m_7291642029083108173gmail-s1" style="font-variant-ligatures:no-common-ligatures">);<span class="m_7291642029083108173gmail-Apple-converted-space"> </span></span></p>


<div><br></div>So if `c+len` overflows and becomes some really small value, say `NULL`, then `readint()` would result in segfault.<br><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Feb 9, 2018 at 11:56 PM, Jean-Marc Valin <span dir="ltr"><<a href="mailto:jmvalin@jmvalin.ca" target="_blank">jmvalin@jmvalin.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Pointers are unsigned so this shouldn't be an issue. I suspect you're<br>

being hit by something else. That or your compiler is really broken.<br>

<br>

Cheers,<br>

<br>

        Jean-Marc<br>

<span><br>

On 02/09/2018 04:42 AM, Ruikai Liu wrote:<br>

> Hi,<br>

><br>

> I came into a crash when using 32-bit `speexdec` and found that there's<br>

> an address overflow in function `print_comments()`:<br>

><br>

> staticvoidprint_comments(char*<wbr>comments, intlength)<br>

><br>

> {<br>

><br>

>    char*c=comments;<br>

><br>

>    intlen, i, nb_fields;<br>

><br>

>    char*end;<br>

><br>

><br>

</span>>    if(length<8)<br>

<span>><br>

>    {   <br>

><br>

>       fprintf (stderr, "Invalid/corrupted comments\n");<br>

><br>

>       return;<br>

><br>

>    }   <br>

><br>

>    end = c+length;<br>

><br>

>    len=readint(c, 0); <br>

><br>

>    c+=4;<br>

><br>

> // 'c+len' MAY OVERFLOW<br>

><br>

</span>>    if(len < 0|| c+len>end)<br>

<span>><br>

>    {   <br>

><br>

>       fprintf (stderr, "Invalid/corrupted comments\n");<br>

><br>

>       return;<br>

><br>

>    }<br>

><br>

><br>

> The pointer `c` happened to be greater than `0x80000000` and the sum<br>

> overflowed, even though `length` is positive.<br>

><br>

> Here's the patch code:<br>

><br>

</span>> *diff --git a/src/speexdec.c b/src/speexdec.c*<br>

><br>

> *index 4721dc1..18786f1 100644*<br>

><br>

> *--- a/src/speexdec.c*<br>

><br>

> *+++ b/src/speexdec.c*<br>

><br>

> @@ -105,7 +105,7 @@static void print_comments(char *comments, int length)<br>

<span>><br>

>     end = c+length;<br>

><br>

>     len=readint(c, 0);<br>

><br>

>     c+=4;<br>

><br>

> -   if (len < 0 || c+len>end)<br>

><br>

> +   if (len < 0 || c+len>end || c+len<c)<br>

><br>

>     {<br>

><br>

>        fprintf (stderr, "Invalid/corrupted comments\n");<br>

><br>

>        return;<br>

><br>

</span>> @@ -129,7 +129,7 @@static void print_comments(char *comments, int length)<br>

<span>><br>

>        }<br>

><br>

>        len=readint(c, 0);<br>

><br>

>        c+=4;<br>

><br>

> -      if (len < 0 || c+len>end)<br>

><br>

> +      if (len < 0 || c+len>end || c+len<c)<br>

><br>

>        {<br>

><br>

>           fprintf (stderr, "Invalid/corrupted comments\n");<br>

><br>

>           return;<br>

><br>

><br>

> Thanks!<br>

><br>

> --<br>

> Best regards,<br>

><br>

> Ruikai Liu<br>

><br>

><br>

</span>> ______________________________<wbr>_________________<br>

> Speex-dev mailing list<br>

> <a href="mailto:Speex-dev@xiph.org" target="_blank">Speex-dev@xiph.org</a><br>

> <a href="http://lists.xiph.org/mailman/listinfo/speex-dev" rel="noreferrer" target="_blank">http://lists.xiph.org/mailman/<wbr>listinfo/speex-dev</a><br>

><br>

</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="m_7291642029083108173gmail_signature" data-smartmail="gmail_signature">Best regards,<br><br>Ruikai Liu<br></div>

</div></div></div>