libmad memory corruption vulnerability
======================================

Author : qflb.wu
===============

Introduction:
=============
libmad is a high-quality MPEG audio decoder capable of 24-bit output.

Affected version:
=================
0.15.1b

Vulnerability Description:
==========================
The mad_decoder_run function in decoder.c in libmad 0.15.1b can cause a denial of service (memory corruption) via a crafted mp3 file.

I found this bug when I tested mpg321 0.3.2, which uses the libmad library.

./mpg321 libmad_0.15.1b_memory_corruption.mp3

----debug info:----
Program received signal SIGABRT, Aborted.
0x00007ffff6bf7cc9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007ffff6bf7cc9 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007ffff6bfb0d8 in __GI_abort () at abort.c:89
#2 0x00007ffff6c34394 in __libc_message (do_abort=do_abort@entry=1, fmt=fmt@entry=0x7ffff6d42b28 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3 0x00007ffff6c4066e in malloc_printerr (ptr=, str=0x7ffff6d42c58 "double free or corruption (out)", action=1) at malloc.c:4996
#4 _int_free (av=, p=, have_lock=0) at malloc.c:3840
#5 0x00007ffff749ab43 in mad_decoder_run (decoder=decoder@entry=0x7fffffffbd20, mode=mode@entry=MAD_DECODER_MODE_SYNC) at decoder.c:559
#6 0x0000000000403d5d in main (argc=, argv=) at mpg321.c:1092
(gdb)

POC:
====
libmad_0.15.1b_memory_corruption.mp3

CVE:
====
CVE-2017-11552

Proof of Concept:
=================
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42409.zip