| Title | jarikomppa soloud master-branch Heap-based Buffer Overflow |
|---|---|
| Description | ### Description
The crash occurs in SoLoud::Wav::loadflac at src/audiosource/wav/soloud_wav.cpp:257, reached through loadMem when a crafted audio file is loaded. The AddressSanitizer (ASan) report shows a 4-byte WRITE landing 1024 bytes past the end of a 17179860992-byte (approx. 16 GB) heap region that was allocated at soloud_wav.cpp:241.
### Environment
- OS: Linux x86_64
- Compiler: Clang
- Build Configuration: Release mode with ASan enabled.
### Vulnerability Details
- Type: Heap-buffer-overflow (Write)
- Location: src/audiosource/wav/soloud_wav.cpp:257:38
- Function: SoLoud::Wav::loadflac
- Context: The issue seems to trigger during the parsing of FLAC data embedded in a WAV container or loaded as a raw memory file.
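As an added illustration (not code from the issue or from the SoLoud project) of the pre-allocation guard a defender would want in front of a decoder like this: the 17179860992-byte region from the report is refused outright by a decoded-size cap, and the planar store helper shows the bounds check every sample write must pass. The channel-major layout, the 1 GiB cap and all function names are assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical guard (not SoLoud code): derive the byte size of a decoded
// float PCM buffer from decoder-reported frame and channel counts, and refuse
// overflowing or oversized requests before anything is allocated.
struct DecodedSize {
    bool ok;           // false => reject the file
    std::size_t bytes; // meaningful only when ok
};

constexpr std::size_t kMaxDecodedBytes = std::size_t(1) << 30; // 1 GiB cap (assumed policy)
constexpr unsigned kMaxChannels = 8;                            // assumed channel limit

DecodedSize checkedDecodedSize(std::uint64_t totalFrames, unsigned channels) {
    if (channels == 0 || channels > kMaxChannels) return {false, 0};
    // A 32-bit sample counter cannot hold a larger frame count; reject instead
    // of letting a narrowing conversion silently truncate it.
    if (totalFrames > UINT32_MAX) return {false, 0};
    std::uint64_t samples = 0, bytes = 0;
    if (__builtin_mul_overflow(totalFrames, std::uint64_t(channels), &samples)) return {false, 0};
    if (__builtin_mul_overflow(samples, std::uint64_t(sizeof(float)), &bytes)) return {false, 0};
    if (bytes > kMaxDecodedBytes) return {false, 0};
    return {true, static_cast<std::size_t>(bytes)};
}

// Bounds-checked store into an assumed channel-major (planar) buffer:
// index = channel * frames + frame. Returns false instead of writing out of range.
bool storeSample(std::vector<float>& data, std::uint32_t frames, unsigned channels,
                 unsigned ch, std::uint32_t frame, float value) {
    if (ch >= channels || frame >= frames) return false;
    std::size_t idx = std::size_t(ch) * frames + frame;
    if (idx >= data.size()) return false;
    data[idx] = value;
    return true;
}
```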
### Reproduce
1. Build soloud and harness with Release optimization and ASAN enabled.
<details>
<summary>harness.cpp</summary>
```cpp
#include "soloud.h"
#include "soloud_wav.h"
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

int main(int argc, char **argv) {
    if (argc < 2) {
        return 1;
    }
    // Read the whole input file into a heap buffer.
    FILE *f = fopen(argv[1], "rb");
    if (!f) {
        return 1;
    }
    fseek(f, 0, SEEK_END);
    long len = ftell(f);
    fseek(f, 0, SEEK_SET);
    unsigned char *buf = (unsigned char *)malloc(len);
    if (!buf) {
        fclose(f);
        return 1;
    }
    if (fread(buf, 1, len, f) != (size_t)len) {
        free(buf);
        fclose(f);
        return 1;
    }
    fclose(f);

    // Null audio backend: no device needed, decoding still runs.
    SoLoud::Soloud soloud;
    soloud.init(SoLoud::Soloud::CLIP_ROUNDOFF | SoLoud::Soloud::ENABLE_VISUALIZATION,
                SoLoud::Soloud::NULLDRIVER);
    SoLoud::Wav wav;
    // loadMem parses the buffer (WAV/FLAC/...) and is where the crash occurs.
    int res = wav.loadMem(buf, len, false, false);
    if (res == 0) {
        SoLoud::handle h = soloud.play(wav);
        soloud.stop(h);
    }
    soloud.deinit();
    free(buf);
    return 0;
}
```
</details>
2. Run with the crashing [file](https://github.com/oneafter/0209/blob/main/so1/repro):
```
./harness repro
```
<details>
<summary>ASAN report</summary>
```
=================================================================
==63267==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fd35c8f6c00 at pc 0x5578999a38fe bp 0x7ffd856790d0 sp 0x7ffd856790c8
WRITE of size 4 at 0x7fd35c8f6c00 thread T0
#0 0x5578999a38fd in SoLoud::Wav::loadflac(SoLoud::MemoryFile*) /src/soloud/src/audiosource/wav/soloud_wav.cpp:257:38
#1 0x5578999a45d4 in SoLoud::Wav::loadMem(unsigned char const*, unsigned int, bool, bool) /src/soloud/src/audiosource/wav/soloud_wav.cpp:314:10
#2 0x557899948124 in main /src/soloud/harness.cpp:39:19
#3 0x7fd35ef461c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#4 0x7fd35ef4628a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#5 0x5578998645d4 in _start (/src/soloud/harness+0x395d4) (BuildId: 564525bdfb4ff8144e0982209d7e978677d8be1c)
0x7fd35c8f6c00 is located 1024 bytes after 17179860992-byte region [0x7fcf5c8f8800,0x7fd35c8f6800)
allocated by thread T0 here:
#0 0x557899945ba1 in operator new[](unsigned long) (/src/soloud/harness+0x11aba1) (BuildId: 564525bdfb4ff8144e0982209d7e978677d8be1c)
#1 0x5578999a30e0 in SoLoud::Wav::loadflac(SoLoud::MemoryFile*) /src/soloud/src/audiosource/wav/soloud_wav.cpp:241:11
#2 0x5578999a45d4 in SoLoud::Wav::loadMem(unsigned char const*, unsigned int, bool, bool) /src/soloud/src/audiosource/wav/soloud_wav.cpp:314:10
#3 0x557899948124 in main /src/soloud/harness.cpp:39:19
#4 0x7fd35ef461c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#5 0x7fd35ef4628a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
#6 0x5578998645d4 in _start (/src/soloud/harness+0x395d4) (BuildId: 564525bdfb4ff8144e0982209d7e978677d8be1c)
SUMMARY: AddressSanitizer: heap-buffer-overflow /src/soloud/src/audiosource/wav/soloud_wav.cpp:257:38 in SoLoud::Wav::loadflac(SoLoud::MemoryFile*)
Shadow bytes around the buggy address:
0x7fd35c8f6980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7fd35c8f6a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7fd35c8f6a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7fd35c8f6b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7fd35c8f6b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x7fd35c8f6c00:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7fd35c8f6c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7fd35c8f6d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7fd35c8f6d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7fd35c8f6e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7fd35c8f6e80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==63267==ABORTING
```
</details> |
| Source | ⚠️ https://github.com/jarikomppa/soloud/issues/401 |
| User | Oneafter (UID 92781) |
| Submission | 18.02.2026 15:04 (2 months ago) |
| Moderation | 28.02.2026 18:07 (10 days later) |
| Status | Accepted |
| VulDB Entry | 348279 [jarikomppa soloud up to 20200207 Audio File soloud_wav.cpp SoLoud::Wav::loadflac buffer overflow] |
| Points | 20 |