Submission #761338: jarikomppa soloud master-branch Heap-based Buffer Overflow (Info)

Title: jarikomppa soloud master-branch Heap-based Buffer Overflow
Description:

### Description

The crash occurs within SoLoud::Wav::loadflac at src/audiosource/wav/soloud_wav.cpp:257, which is invoked when loading a crafted audio file (via loadMem). The AddressSanitizer (ASAN) report indicates a WRITE of size 4 occurring 1024 bytes past the end of a very large allocated region (approx. 16 GB).

### Environment

- OS: Linux x86_64
- Compiler: Clang
- Build Configuration: Release mode with ASan enabled.

### Vulnerability Details

- Type: Heap-buffer-overflow (Write)
- Location: src/audiosource/wav/soloud_wav.cpp:257:38
- Function: SoLoud::Wav::loadflac
- Context: The issue seems to trigger during the parsing of FLAC data embedded in a WAV container or loaded as a raw memory file.

### Reproduce

1. Build soloud and the harness with Release optimization and ASAN enabled.

<details>
<summary>harness.cpp</summary>

```cpp
#include "soloud.h"
#include "soloud_wav.h"
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

int main(int argc, char **argv)
{
    if (argc < 2) {
        return 1;
    }

    // Read the whole input file into a heap buffer.
    FILE *f = fopen(argv[1], "rb");
    if (!f) {
        return 1;
    }
    fseek(f, 0, SEEK_END);
    long len = ftell(f);
    fseek(f, 0, SEEK_SET);
    if (len < 0) {          // ftell failed
        fclose(f);
        return 1;
    }
    unsigned char *buf = (unsigned char *)malloc(len);
    if (!buf) {
        fclose(f);
        return 1;
    }
    if (fread(buf, 1, len, f) != (size_t)len) {
        free(buf);
        fclose(f);
        return 1;
    }
    fclose(f);

    // Null backend: no audio device is needed to reach the loader.
    SoLoud::Soloud soloud;
    soloud.init(SoLoud::Soloud::CLIP_ROUNDOFF | SoLoud::Soloud::ENABLE_VISUALIZATION,
                SoLoud::Soloud::NULLDRIVER);

    // loadMem(data, length, aCopy=false, aTakeOwnership=false); the crash is
    // reached inside this call (Wav::loadMem -> Wav::loadflac), before play().
    SoLoud::Wav wav;
    int res = wav.loadMem(buf, (unsigned int)len, false, false);
    if (res == 0) {
        SoLoud::handle h = soloud.play(wav);
        soloud.stop(h);
    }
    soloud.deinit();
    free(buf);
    return 0;
}
```

</details>

2. Run with the crashing [file](https://github.com/oneafter/0209/blob/main/so1/repro):

```
./harness repro
```

<details>
<summary>ASAN report</summary>

```
=================================================================
==63267==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fd35c8f6c00 at pc 0x5578999a38fe bp 0x7ffd856790d0 sp 0x7ffd856790c8
WRITE of size 4 at 0x7fd35c8f6c00 thread T0
    #0 0x5578999a38fd in SoLoud::Wav::loadflac(SoLoud::MemoryFile*) /src/soloud/src/audiosource/wav/soloud_wav.cpp:257:38
    #1 0x5578999a45d4 in SoLoud::Wav::loadMem(unsigned char const*, unsigned int, bool, bool) /src/soloud/src/audiosource/wav/soloud_wav.cpp:314:10
    #2 0x557899948124 in main /src/soloud/harness.cpp:39:19
    #3 0x7fd35ef461c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #4 0x7fd35ef4628a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #5 0x5578998645d4 in _start (/src/soloud/harness+0x395d4) (BuildId: 564525bdfb4ff8144e0982209d7e978677d8be1c)

0x7fd35c8f6c00 is located 1024 bytes after 17179860992-byte region [0x7fcf5c8f8800,0x7fd35c8f6800)
allocated by thread T0 here:
    #0 0x557899945ba1 in operator new[](unsigned long) (/src/soloud/harness+0x11aba1) (BuildId: 564525bdfb4ff8144e0982209d7e978677d8be1c)
    #1 0x5578999a30e0 in SoLoud::Wav::loadflac(SoLoud::MemoryFile*) /src/soloud/src/audiosource/wav/soloud_wav.cpp:241:11
    #2 0x5578999a45d4 in SoLoud::Wav::loadMem(unsigned char const*, unsigned int, bool, bool) /src/soloud/src/audiosource/wav/soloud_wav.cpp:314:10
    #3 0x557899948124 in main /src/soloud/harness.cpp:39:19
    #4 0x7fd35ef461c9 (/lib/x86_64-linux-gnu/libc.so.6+0x2a1c9) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #5 0x7fd35ef4628a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2a28a) (BuildId: 274eec488d230825a136fa9c4d85370fed7a0a5e)
    #6 0x5578998645d4 in _start (/src/soloud/harness+0x395d4) (BuildId: 564525bdfb4ff8144e0982209d7e978677d8be1c)

SUMMARY: AddressSanitizer: heap-buffer-overflow /src/soloud/src/audiosource/wav/soloud_wav.cpp:257:38 in SoLoud::Wav::loadflac(SoLoud::MemoryFile*)
Shadow bytes around the buggy address:
  0x7fd35c8f6980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7fd35c8f6a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7fd35c8f6a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7fd35c8f6b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7fd35c8f6b80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x7fd35c8f6c00:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7fd35c8f6c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7fd35c8f6d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7fd35c8f6d80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7fd35c8f6e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7fd35c8f6e80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==63267==ABORTING
```

</details>
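Two facts in the report above are what a fix has to address: the buffer was sized from the file's own header values (17179860992 bytes, which is exactly 0xFFFFF800 four-byte float samples, allocated with new[] at soloud_wav.cpp:241), and the store at line 257 lands 1024 bytes past its end. The C program below is an added example, not SoLoud's code and not a claim about what the repro file's header actually contains. It models the naive pattern of computing frames × channels in 32-bit arithmetic beside an overflow-checked, capped size computation, and a planar (channel-major) copy that validates every index against the real element count before storing. MAX_CHANNELS, MAX_PCM_BYTES, and the 0x9FFFFF00 × 8 input (chosen only because its 32-bit wrap reproduces the reported region size) are assumptions made for this example.

```c
/* Added illustrative example (not SoLoud's code): how a decoded-PCM buffer size
 * derived from untrusted FLAC/WAV header fields should be computed and bounded.
 * MAX_CHANNELS and MAX_PCM_BYTES are assumed policy values, not SoLoud constants. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_CHANNELS  8u                       /* assumed channel cap */
#define MAX_PCM_BYTES (256u * 1024u * 1024u)   /* assumed cap on decoded PCM: 256 MiB */

/* Naive pattern: truncate the 64-bit frame count to unsigned int and multiply
 * by the channel count in 32-bit arithmetic. Returns the element count that
 * new float[] / malloc would actually be handed, wrapped modulo 2^32. */
unsigned int naive_elem_count(uint64_t total_frames, unsigned int channels)
{
    unsigned int frames32 = (unsigned int)total_frames;   /* silent truncation */
    return frames32 * channels;                           /* may wrap */
}

/* Hardened version: validate the channel count, multiply with overflow
 * detection in size_t, and apply an absolute cap. Returns the byte size to
 * allocate, or 0 if the header values are rejected. */
size_t checked_pcm_bytes(uint64_t total_frames, unsigned int channels)
{
    size_t elems, bytes;
    if (channels == 0 || channels > MAX_CHANNELS) return 0;
    if (total_frames == 0 || total_frames > (uint64_t)SIZE_MAX) return 0;
    if (__builtin_mul_overflow((size_t)total_frames, (size_t)channels, &elems)) return 0;
    if (__builtin_mul_overflow(elems, sizeof(float), &bytes)) return 0;
    if (bytes > MAX_PCM_BYTES) return 0;
    return bytes;
}

/* Channel-major (planar) copy of interleaved samples, the layout a loader
 * typically produces. Every destination and source index is checked against
 * the real element count before the store, so a mismatch between the header
 * and the buffer fails closed instead of writing past the allocation. */
bool deinterleave_checked(const float *in, float *out, size_t total_elems,
                          uint64_t frames, unsigned int channels)
{
    for (uint64_t i = 0; i < frames; i++) {
        for (unsigned int k = 0; k < channels; k++) {
            uint64_t dst = (uint64_t)k * frames + i;
            uint64_t src = i * channels + k;
            if (dst >= total_elems || src >= total_elems) return false;
            out[dst] = in[src];
        }
    }
    return true;
}

/* Constructed input: 3 frames x 2 channels, interleaved L0 R0 L1 R1 L2 R2. */
bool demo_deinterleave(void)
{
    const float in[6] = {1, 10, 2, 20, 3, 30};
    float out[6] = {0};
    if (!deinterleave_checked(in, out, 6, 3, 2)) return false;
    return out[0] == 1 && out[1] == 2 && out[2] == 3 &&
           out[3] == 10 && out[4] == 20 && out[5] == 30;
}

/* Same data, but the buffer is claimed to hold only 4 elements: the copy must
 * stop before the first out-of-range store rather than overflow. */
bool demo_short_buffer_rejected(void)
{
    const float in[6] = {1, 10, 2, 20, 3, 30};
    float out[6] = {0};
    return !deinterleave_checked(in, out, 4, 3, 2);
}

int main(void)
{
    /* 0x9FFFFF00 frames x 8 channels is a constructed combination whose 32-bit
     * wrap gives 0xFFFFF800 elements = 17179860992 bytes, the region size in
     * the ASan report; it is not a claim about the repro file's header. */
    unsigned int n = naive_elem_count(0x9FFFFF00ull, 8u);
    printf("naive: %u elements -> %llu bytes\n", n,
           (unsigned long long)((uint64_t)n * sizeof(float)));
    printf("checked: %zu bytes (0 = rejected)\n", checked_pcm_bytes(0x9FFFFF00ull, 8u));
    printf("checked 48000 frames x 2 ch: %zu bytes\n", checked_pcm_bytes(48000ull, 2u));
    printf("deinterleave ok: %d, short buffer rejected: %d\n",
           demo_deinterleave(), demo_short_buffer_rejected());
    return 0;
}
```

Build with gcc or clang (the `__builtin_mul_overflow` intrinsics need one of those). The check a reviewer wants in any loader of this shape is the one `checked_pcm_bytes` performs: the element count must be computed in a type wide enough for the product, the product must be overflow-checked, and an absolute cap must apply before the allocation, because a header can legitimately encode a frame count that no sane file would ever carry.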
Source: https://github.com/jarikomppa/soloud/issues/401
User: Oneafter (UID 92781)
Submitted: 2026-02-18 03:04 PM (2 months ago)
Moderation: 2026-02-28 06:07 PM (10 days later)
Status: Accepted
VulDB Entry: 348279 [jarikomppa soloud up to 20200207 Audio File soloud_wav.cpp SoLoud::Wav::loadflac memory corruption]
Points: 20
