Author: grothoff Date: 2006-05-14 18:44:30 -0700 (Sun, 14 May 2006) New Revision: 2827
Modified:
   Extractor/src/plugins/asfextractor.c
Log:
Luigi found a bug in the asf extractor. Looks like xine fixed this one about 2 years ago:
http://xine.cvs.sourceforge.net/xine/xine-lib/src/demuxers/demux_asf.c?view=log
http://xine.cvs.sourceforge.net/xine/xine-lib/src/demuxers/demux_asf.c?r1=1.155&r2=1.156
which is good since it means we don't have to tell them about it. Here's what Luigi wrote:
From: Luigi Auriemma <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Date: Today 10:20:07 am
Spam Status: Spamassassin 0% probability of being spam.
Full report: No, score=-2.0 required=5.0 tests=BAYES_00, MSGID_FROM_MTA_HEADER,UNPARSEABLE_RELAY autolearn=ham version=3.1.1
Bogofilter 0% probability of being spam.
Full report: Ham, tests=bogofilter, spamicity=0.000000, version=1.0.2

Hey,
I want to report a security bug I have found in libextractor, tested on both 0.5.13 and the current SVN.

The bug is a heap overflow in src/plugins/asfextractor.c.
The demux_asf_t structure is allocated when the plugin is called, and subsequently a call to asf_read_header is performed, which reads the whole header of the input file, arriving at GUID_ASF_STREAM_PROPERTIES and then at CODEC_TYPE_AUDIO.
Here we have an arbitrary read of data from the ASF file into the wavex buffer of 1024*2 bytes, using the 32-bit number called total_size, provided by the same file, as the amount of data to read.
No checks are made on total_size, so it is possible to cause a heap overflow.

The following is the piece of code containing the bug:

    ...
    total_size = get_le32(this);
    stream_data_size = get_le32(this);
    stream_id = get_le16(this); /* stream id */
    get_le32(this);

    if (type == CODEC_TYPE_AUDIO) {
      ext_uint8_t buffer[6];

      readBuf (this, (ext_uint8_t *) this->wavex, total_size);
    ...

I have written a proof-of-concept which creates ASF files, with the possibility of specifying the size of total_size too:
http://aluigi.org/poc/libextbof.zip
(if the link doesn't work, copy it into the browser's address bar).

I await your reply.

Modified: Extractor/src/plugins/asfextractor.c
===================================================================
--- Extractor/src/plugins/asfextractor.c 2006-05-14 23:24:41 UTC (rev 2826)
+++ Extractor/src/plugins/asfextractor.c 2006-05-15 01:44:30 UTC (rev 2827)
@@ -518,6 +518,8 @@ guid = get_guid(this); get_le64(this); total_size = get_le32(this); + if (total_size > sizeof(this->wavex)) + goto fail; stream_data_size = get_le32(this); stream_id = get_le16(this); /* stream id */ get_le32(this); _______________________________________________ GNUnet-SVN mailing list [email protected] http://lists.gnu.org/mailman/listinfo/gnunet-svn
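Review bot: the new bound `if (total_size > sizeof(this->wavex)) goto fail;` is only right if `wavex` is declared as an array member of `demux_asf_t`; the report describes it as "the wavex buffer of 1024*2 bytes" and the later call casts it with `(ext_uint8_t *) this->wavex`, so if it is in fact a pointer, `sizeof` yields the pointer size and the check rejects almost everything while still not bounding the copy. Please confirm the declaration, or compare against the buffer's declared element count explicitly. A one-line comment saying that this bounds the `readBuf` into `wavex` further down in the CODEC_TYPE_AUDIO branch would also help the next reader, since the check sits several statements away from the copy it protects; and whether `readBuf` itself stops at end of input is not visible in this hunk, so a `total_size` larger than the remaining file should be confirmed to fail cleanly as well.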
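The stream-properties parse that the report describes, as an added example (this is not libextractor's or xine's code): a reduced model with the report's unchecked copy beside the bound from this revision, plus a check that the copy does not run past the end of the input. Field order and the 2048-byte wavex follow the report; the 16-byte GUID, the "audio" marker in its first byte, the in-memory reader, the constructed input and every helper name are assumptions made for illustration.

```c
/* Added example, not libextractor's code: a reduced model of the
 * stream-properties parse from Luigi's report. Field order and the
 * 2048-byte wavex follow the report; the 16-byte GUID, its "audio"
 * marker (first byte == 1), the in-memory reader and all helper
 * names are assumptions made for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define WAVEX_SIZE (1024 * 2)
#define GUID_SIZE 16

enum asf_status { ASF_OK = 0, ASF_TRUNCATED, ASF_TOO_LARGE, ASF_NOT_AUDIO };

typedef struct {
    const uint8_t *data;        /* whole input file */
    size_t len, pos;            /* length and read cursor */
    uint8_t wavex[WAVEX_SIZE];  /* fixed-size destination, as in the report */
} demux_asf_t;

/* Reader bounded by the *input* only: it stops at end of file but knows
 * nothing about the size of dst, so it cannot protect wavex by itself. */
static int read_buf(demux_asf_t *t, void *dst, size_t n)
{
    if (n > t->len - t->pos)
        return -1;
    memcpy(dst, t->data + t->pos, n);
    t->pos += n;
    return 0;
}

static int get_le32(demux_asf_t *t, uint32_t *v)
{
    uint8_t b[4];
    if (read_buf(t, b, 4))
        return -1;
    *v = (uint32_t)b[0] | ((uint32_t)b[1] << 8) | ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
    return 0;
}

/* Reads one stream-properties object in the order the quoted code does:
 * GUID, 8 skipped bytes, total_size, stream_data_size, stream_id,
 * 4 skipped bytes, then total_size bytes into wavex.
 * hardened == 0 keeps the report's unchecked copy: a total_size above
 * WAVEX_SIZE writes past wavex (a heap overflow when the struct is
 * malloc'd), so never run that path on untrusted input.
 * hardened != 0 applies the r2827 bound right after total_size is read. */
static enum asf_status parse_stream_properties(demux_asf_t *t, int hardened)
{
    uint8_t guid[GUID_SIZE], skip[8], sid_and_reserved[6];
    uint32_t total_size, stream_data_size;

    if (read_buf(t, guid, GUID_SIZE) || read_buf(t, skip, 8) || get_le32(t, &total_size))
        return ASF_TRUNCATED;
    if (hardened && total_size > sizeof(t->wavex))   /* the r2827 check */
        return ASF_TOO_LARGE;
    if (get_le32(t, &stream_data_size) || read_buf(t, sid_and_reserved, 6))
        return ASF_TRUNCATED;
    if (guid[0] != 1)                                /* assumption: audio marker */
        return ASF_NOT_AUDIO;
    if (read_buf(t, t->wavex, total_size))           /* unchecked vs. wavex if !hardened */
        return ASF_TRUNCATED;
    return ASF_OK;
}

/* Constructed input: one "audio" stream-properties object claiming
 * total_size, followed by payload bytes. Returns bytes written, 0 if cap is too small. */
static size_t build_object(uint8_t *out, size_t cap, uint32_t total_size, size_t payload)
{
    size_t p = GUID_SIZE + 8, need = p + 4 + 4 + 6 + payload;
    if (need > cap)
        return 0;
    memset(out, 0, need);
    out[0] = 1;                                               /* audio marker (assumption) */
    out[p] = (uint8_t)total_size;             out[p + 1] = (uint8_t)(total_size >> 8);
    out[p + 2] = (uint8_t)(total_size >> 16); out[p + 3] = (uint8_t)(total_size >> 24);
    out[p + 4] = 0x10;                                        /* stream_data_size = 16 */
    out[p + 8] = 1;                                           /* stream_id = 1 */
    memset(out + p + 14, 0xAB, payload);
    return need;
}

/* One case: parse an object claiming total_size with payload bytes behind it. */
static enum asf_status run_case(int hardened, uint32_t total_size, size_t payload)
{
    static uint8_t file[WAVEX_SIZE + 64];
    demux_asf_t t;
    memset(&t, 0, sizeof t);
    t.len = build_object(file, sizeof file, total_size, payload);
    t.data = file;
    return parse_stream_properties(&t, hardened);
}

int main(void)
{
    printf("fits exactly, hardened:   %d\n", run_case(1, WAVEX_SIZE, WAVEX_SIZE));
    printf("one byte over, hardened:  %d\n", run_case(1, WAVEX_SIZE + 1, 0));
    printf("PoC-style 0x7fffffff:     %d\n", run_case(1, 0x7fffffffu, 0));
    printf("short payload, unchecked: %d\n", run_case(0, 100, 50));
    return 0;
}
```

The unchecked path is deliberately never exercised with a total_size above WAVEX_SIZE, because that is exactly the write past the end of wavex the report describes; the hardened path rejects such a size before any copy, and both paths fail cleanly when the file is shorter than total_size claims, which the revision's bound alone does not cover.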
