A Endless-Loop detected in ok_wav.c:ok_wav_decode_caf_file

Question

A Endless-Loop detected in ok_wav.c:ok_wav_decode_caf_file

p0l42 opened this issue a year ago · 1 comments

Hello,
A endless-loop detected in ok_wav_decode_caf_file by fuzzing.
In detail, my testcase's chunk_length is 0x64, and after casting input_user_data to FILE*, it access a wrong memory,
and the memory here has data fit fseek(input_user_data, 0x64, SEEK_CUR), so the function ok_seek always return true
In the loop in ok_wav_decode_caf_file, while(true), the chunk_header check always goto else branch, so a endless loop triggered in this case.
The gdb info is as follows:
p chunk_length
$13 = 0x64
p decoder->input_user_data
$19 = (void*) 0x55555555c2a0
x/32gx 0x55555555c2a0+0x64
0x55555555c304 0xf7e1a6a000000000 0x0000000300007fff ....
The testcase I'll upload soon.

Answer 1 · 2023-12-02T13:48:32.000Z

The testcase and gdb debug info is here.
endless-loop.zip