Bugzilla – Bug 1196487
VUL-1: CVE-2022-24599: audiofile: memory leak in printinfo.c
Last modified: 2022-08-01 13:59:57 UTC
In audiofile Audio File Library 0.3.6, there exists one memory leak vulnerability in printfileinfo, in printinfo.c, which allows an attacker to leak sensitive information via a crafted file. The printfileinfo function calls the copyrightstring function to get data; however, it doesn't use zero bytes to truncate the data.
The "crafted" file is not that complicated. It is just a mangled AIFF file with a chunk that declares a shorter length than it actually has. As a result, printf() gets an unterminated string and it could swallow part of the heap following the string. And the AIFF parser will try to read random garbage somewhere later.
So I will start with the proposed zeroing of the memory and look at what is happening there. The goal is simple:
- printf() should always get a NUL terminated string, even if the provided string is not terminated.
- If the AIFF parser gets random garbage, nothing bad can happen.
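The two goals above, as an added illustration that is not audiofile's code and not part of this bug report: a chunk-header reader that refuses a declared size larger than the bytes actually present, and a string copy that clamps to the available data, stops at the first zero byte and always appends a terminating NUL before the result reaches printf(). The struct and function names (`struct chunk`, `parse_chunk_header`, `copy_chunk_string`) are this example's own, and the sample file image is constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical minimal chunk view (this example's own, not audiofile's):
 * the length field as declared in the file, and how many bytes really
 * follow the header in the buffer we hold. */
struct chunk {
    const unsigned char *data;   /* chunk payload as read from the file */
    size_t declared_len;         /* size field taken from the chunk header */
    size_t available;            /* bytes actually present after the header */
};

/* Parse an AIFF-style chunk header (4-byte ID, 4-byte big-endian size) at
 * `offset` of a `buflen`-byte file image. A header that does not fit, or a
 * declared size that runs past the end of the data, is reported as malformed
 * so a garbage size field can never drive a read outside the buffer.
 * Returns 0 on success, -1 on a malformed chunk. */
int parse_chunk_header(const unsigned char *buf, size_t buflen, size_t offset,
                       char id[5], struct chunk *out)
{
    if (offset > buflen || buflen - offset < 8)
        return -1;                               /* no room for a header */
    const unsigned char *p = buf + offset;
    memcpy(id, p, 4);
    id[4] = '\0';
    uint32_t size = ((uint32_t)p[4] << 24) | ((uint32_t)p[5] << 16) |
                    ((uint32_t)p[6] << 8)  |  (uint32_t)p[7];
    out->data = p + 8;
    out->declared_len = size;
    out->available = buflen - offset - 8;
    return size <= out->available ? 0 : -1;      /* size must fit what is left */
}

/* Copy the chunk payload as a C string. The pattern described in the bug is
 * malloc(declared_len) + memcpy with no terminator; here the copy is clamped
 * to the bytes really present, cut at the first zero byte, and always
 * NUL-terminated. Returns a heap string the caller frees, or NULL if
 * allocation fails. */
char *copy_chunk_string(const struct chunk *c)
{
    size_t n = c->declared_len;
    if (n > c->available)            /* defense in depth: never trust the header */
        n = c->available;
    size_t len = 0;                  /* bounded scan for an embedded NUL */
    while (len < n && c->data[len] != '\0')
        len++;
    char *s = malloc(len + 1);
    if (s == NULL)
        return NULL;
    memcpy(s, c->data, len);
    s[len] = '\0';                   /* printf("%s") now always finds a terminator */
    return s;
}

/* Constructed sample: a copyright chunk ("(c) " is the AIFF copyright chunk
 * ID) whose header claims 4 bytes while 11 non-NUL bytes follow, mirroring the
 * mangled file described in the report. */
static const unsigned char SAMPLE_FILE[] = {
    '(', 'c', ')', ' ',
    0, 0, 0, 4,
    'C', 'o', 'p', 'y', 'r', 'i', 'g', 'h', 't', ' ', 'X'
};

/* Constructed sample: a header whose size field is garbage (0x7fffffff). */
static const unsigned char GARBAGE_FILE[] = {
    '(', 'c', ')', ' ', 0x7f, 0xff, 0xff, 0xff, 'a', 'b'
};

int main(void)
{
    char id[5];
    struct chunk c;
    if (parse_chunk_header(SAMPLE_FILE, sizeof SAMPLE_FILE, 0, id, &c) == 0) {
        char *s = copy_chunk_string(&c);
        if (s != NULL) {
            printf("%s chunk: \"%s\"\n", id, s);   /* prints: (c)  chunk: "Copy" */
            free(s);
        }
    }
    if (parse_chunk_header(GARBAGE_FILE, sizeof GARBAGE_FILE, 0, id, &c) != 0)
        printf("rejected chunk with bogus size\n");
    return 0;
}
```

The header check covers the "random garbage" half of the goal (an oversized chunk is rejected before anything is read), and the copy routine covers the printf() half; the clamp inside `copy_chunk_string` is deliberately redundant with the header check so that a caller which builds a `struct chunk` by hand still cannot over-read.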