KissFFT Integer Overflow Leading to Heap Buffer Overflow Vulnerability
Vulnerability
A heap buffer overflow vulnerability has been identified in KissFFT versions prior to fix commit 1b083165. The issue is in the `kiss_fft_alloc()` function in `kiss_fft.c` on platforms where `size_t` is 32 bits wide. `kiss_fft_alloc()` derives the size of its state structure from the caller-supplied `nfft` (the number of FFT points) without validating it first. For a sufficiently large `nfft`, the multiplication that sizes the twiddle-factor table wraps around a 32-bit `size_t` to a small value, so `malloc()` returns an undersized buffer. The initialization loop that fills in the twiddle factors then writes one entry per FFT point into that buffer, running far past its end and corrupting the heap. All 32-bit architectures are affected, including ARM32, x86 (i386/i686), MIPS32 and other 32-bit platforms. 64-bit systems are not affected: the same calculation does not overflow a 64-bit `size_t`, so `malloc()` receives the correct buffer size.
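The arithmetic behind the bug, as an added worked example that is not code from KissFFT or from the original advisory. The state header is a stand-in assumed to match `struct kiss_fft_state` with `MAXFACTORS` of 32 and float scalars (272 bytes, with each `kiss_fft_cpx` 8 bytes); with a different header size or scalar type the exact threshold shifts. The size computation is evaluated once in 32-bit arithmetic, to reproduce the 32-bit platform wrap on a 64-bit host, and once exactly in 64 bits, and `min_wrapping_nfft_32()` finds the smallest `nfft` that wraps for this model (slightly below 2^29, because the header bytes push the sum past 2^32 before the multiplication alone does). `checked_memneeded()` is a hypothetical hardened version that refuses any `nfft` whose size would not fit the target's `size_t`; it illustrates the kind of guard a fix needs and is not the upstream patch.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-ins for KissFFT's types so the size arithmetic can be run without
 * the library. Assumed layout: float scalars (kiss_fft_cpx is 8 bytes) and
 * a header modelled on struct kiss_fft_state with MAXFACTORS == 32. */
typedef struct { float r, i; } kiss_fft_cpx;
struct kiss_fft_state_model {
    int nfft;
    int inverse;
    int factors[2 * 32];
    kiss_fft_cpx twiddles[1];   /* tail: the init loop writes nfft entries here */
};

#define HEADER_BYTES ((uint64_t)sizeof(struct kiss_fft_state_model))
#define CPX_BYTES    ((uint64_t)sizeof(kiss_fft_cpx))

/* Bytes the twiddle loop actually touches: the header plus nfft-1 entries
 * beyond the one already inside the header. 64-bit, so exact. */
uint64_t bytes_actually_written(int nfft) {
    return HEADER_BYTES + CPX_BYTES * (uint64_t)(nfft - 1);
}

/* The unchecked computation as the advisory describes it, evaluated with a
 * 32-bit size type to reproduce the 32-bit platform wrap on a 64-bit host. */
uint32_t unchecked_memneeded_32(int nfft) {
    uint32_t header = (uint32_t)HEADER_BYTES;
    uint32_t cpx = (uint32_t)CPX_BYTES;
    return header + cpx * (uint32_t)(nfft - 1);   /* wraps for large nfft */
}

/* 1 if the 32-bit computation under-allocates for this nfft, else 0. */
int wraps_on_32bit(int nfft) {
    return (uint64_t)unchecked_memneeded_32(nfft) != bytes_actually_written(nfft);
}

/* Smallest nfft whose 32-bit size computation wraps, for the modelled header:
 * header + cpx*(n-1) >= 2^32  <=>  n-1 >= ceil((2^32 - header) / cpx). */
int min_wrapping_nfft_32(void) {
    uint64_t limit = (uint64_t)1 << 32;
    uint64_t extra = (limit - HEADER_BYTES + CPX_BYTES - 1) / CPX_BYTES;
    return (int)(extra + 1);
}

/* Hypothetical hardened computation. size_max is the target platform's
 * SIZE_MAX (UINT32_MAX or UINT64_MAX). Returns 1 and sets *out when the size
 * fits; returns 0 for non-positive nfft or when the size would overflow, so
 * the caller refuses to allocate instead of handing malloc() a wrapped value. */
int checked_memneeded(int nfft, uint64_t size_max, uint64_t *out) {
    if (nfft <= 0) return 0;
    uint64_t n = (uint64_t)nfft - 1;
    if (n > (size_max - HEADER_BYTES) / CPX_BYTES) return 0;  /* would wrap */
    *out = HEADER_BYTES + CPX_BYTES * n;
    return 1;
}

int main(void) {
    /* Constructed sample sizes: a normal FFT, the first wrapping size for this
     * model, and the advisory's reproduction threshold plus one. */
    int samples[] = { 1024, min_wrapping_nfft_32(), 536870913 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int nfft = samples[i];
        uint64_t need = 0;
        int ok = checked_memneeded(nfft, UINT32_MAX, &need);
        printf("nfft=%d actual=%" PRIu64 " unchecked32=%" PRIu32
               " wraps=%d checked32=%s\n",
               nfft, bytes_actually_written(nfft), unchecked_memneeded_32(nfft),
               wraps_on_32bit(nfft), ok ? "accept" : "reject");
    }
    return 0;
}
```

Built with `cc -std=c11 -Wall`, the program shows `nfft=1024` needing and getting 8456 bytes, `nfft=536870879` needing 4294967296 bytes while the 32-bit computation yields 0, and `nfft=536870913` needing 4294967568 bytes while the 32-bit computation yields 272 (header only); the checked version rejects both large sizes against a 32-bit `SIZE_MAX` and accepts them against a 64-bit one, matching the advisory's statement that 64-bit builds are unaffected.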
Impact
The result is a heap buffer overflow: memory beyond the bounds of the allocated FFT state buffer is overwritten. Any application that passes an untrusted or attacker-influenced FFT size into `kiss_fft_alloc()` on a 32-bit target can therefore be crashed, and heap corruption of this kind can often be leveraged into arbitrary code execution, so the issue is rated critical.
Reproduction
The vulnerability can be reproduced on a 32-bit Linux system by compiling a program that calls `kiss_fft_alloc()` with an `nfft` value greater than 536,870,912 (2^29: with the default float scalar type each twiddle entry is 8 bytes, so the product no longer fits in 32 bits). A 32-bit environment can be simulated with Docker (for example an i386 image run with `--platform linux/386`), the program compiled with `gcc`, and run. The expected result is a segmentation fault when the out-of-bounds writes reach unmapped memory. Compiling the same program with `-fsanitize=address` gives a deterministic result instead: AddressSanitizer reports a heap-buffer-overflow error at the first out-of-bounds twiddle write, confirming the vulnerability.
Remediation
Update to a KissFFT build that includes fix commit 1b083165 or a later release. Where updating is not immediately possible, callers should bound or reject untrusted `nfft` values before passing them to `kiss_fft_alloc()`; 64-bit builds of the consuming application are not affected by this particular overflow.
