GNU libextractor

commit e10de566fdef0dc80f819f8e88819d01b551d30d
parent 0c10afa404fc9f43aeecb7e62e484bd31e293301
Author: Christian Grothoff <christian@grothoff.org>
Date:   Mon, 15 May 2006 01:44:30 +0000

Luigi found a bug in the asf extractor.  Looks like xine fixed this
one about 2 years ago:

http://xine.cvs.sourceforge.net/xine/xine-lib/src/demuxers/demux_asf.c?view=log
http://xine.cvs.sourceforge.net/xine/xine-lib/src/demuxers/demux_asf.c?r1=1.155&r2=1.156

which is good since it means we don't have to tell them about it.

Here's what Luigi wrote:

From: Luigi Auriemma <aluigi@autistici.org>
To: libextractor@gnu.org
Date: Today 10:20:07 am
Hey,

I want to report a security bug I have found in libextractor, tested on
both 0.5.13 and the current SVN.

The bug is a heap overflow in src/plugins/asfextractor.c.

The demux_asf_t structure is allocated when the plugin is called, and
subsequently a call to asf_read_header is performed, which reads the whole
header of the input file, arriving at GUID_ASF_STREAM_PROPERTIES
and then at CODEC_TYPE_AUDIO.
Here we have an arbitrary read of data from the ASF file into the
wavex buffer of 1024*2 bytes, using the 32-bit number called total_size,
provided by the same file, as the amount of data to read.
No checks are made on total_size, so it is possible to cause a heap overflow.

The following is the piece of code containing the bug:

          ...
          total_size = get_le32(this);
          stream_data_size = get_le32(this);
          stream_id = get_le16(this); /* stream id */
          get_le32(this);

          if (type == CODEC_TYPE_AUDIO) {
            ext_uint8_t buffer[6];

            readBuf (this, (ext_uint8_t *) this->wavex, total_size);
          ...

I have written a proof-of-concept which creates ASF files, with the
possibility of specifying the size of total_size too:

  http://aluigi.org/poc/libextbof.zip

(if the link doesn't work, copy it into the browser's address bar).

I await your reply.
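As an added illustration (not code from libextractor or from Luigi's report), a self-contained C sketch of the read path with the bound that the commit adds, plus a second check against the remaining input so a truncated file cannot be over-read; asf_ctx, get_le32 and run_case are hypothetical stand-ins for the plugin's demux_asf_t state and helpers, and the header bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define WAVEX_SIZE (1024 * 2)  /* the 1024*2-byte wavex buffer the report describes */

/* Hypothetical stand-in for the plugin's demux_asf_t input state. */
typedef struct {
    const uint8_t *data;        /* whole input file (constructed in run_case) */
    size_t len;                 /* bytes available */
    size_t pos;                 /* read cursor */
    uint8_t wavex[WAVEX_SIZE];  /* fixed-size destination, as in the plugin */
} asf_ctx;

/* Little-endian 32-bit read; clears *ok instead of over-reading a short file. */
static uint32_t get_le32(asf_ctx *c, int *ok) {
    if (c->pos + 4 > c->len) { *ok = 0; return 0; }
    uint32_t v = (uint32_t)c->data[c->pos] | ((uint32_t)c->data[c->pos + 1] << 8)
               | ((uint32_t)c->data[c->pos + 2] << 16) | ((uint32_t)c->data[c->pos + 3] << 24);
    c->pos += 4;
    return v;
}

/* Reads total_size from the file and copies that many bytes into wavex.
 * Returns the number of bytes copied, or -1 when the header is rejected.
 * The first bound is the one the commit adds; the second additionally
 * refuses a total_size that exceeds what is left of the input. */
int read_stream_properties(asf_ctx *c) {
    int ok = 1;
    uint32_t total_size = get_le32(c, &ok);
    if (!ok)
        return -1;
    if (total_size > sizeof(c->wavex))   /* file-chosen length vs. fixed buffer */
        return -1;
    if (total_size > c->len - c->pos)    /* truncated file: nothing past the end */
        return -1;
    memcpy(c->wavex, c->data + c->pos, total_size);
    c->pos += total_size;
    return (int)total_size;
}

/* Constructs a header (4-byte LE total_size + payload_len bytes, payload_len <= WAVEX_SIZE) and parses it. */
int run_case(uint32_t total_size, size_t payload_len) {
    static uint8_t file[4 + WAVEX_SIZE];
    file[0] = (uint8_t)total_size;         file[1] = (uint8_t)(total_size >> 8);
    file[2] = (uint8_t)(total_size >> 16); file[3] = (uint8_t)(total_size >> 24);
    asf_ctx c = { file, 4 + payload_len, 0, { 0 } };
    return read_stream_properties(&c);
}
```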

Diffstat:
M src/plugins/asfextractor.c | 2 ++
1 file changed, 2 insertions(+), 0 deletions(-)

diff --git a/src/plugins/asfextractor.c b/src/plugins/asfextractor.c @@ -518,6 +518,8 @@ static int asf_read_header(demux_asf_t *this) { guid = get_guid(this); get_le64(this); total_size = get_le32(this); + if (total_size > sizeof(this->wavex)) + goto fail; stream_data_size = get_le32(this); stream_id = get_le16(this); /* stream id */ get_le32(this);
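Review bot: the new bound `if (total_size > sizeof(this->wavex)) goto fail;` is only meaningful while `wavex` is an inline array member of `demux_asf_t` (the report describes it as a 1024*2-byte buffer); if it ever becomes a heap-allocated pointer, `sizeof` silently yields the pointer size and the check rejects practically every file instead of guarding the copy. A named constant for the wavex size, used in both the declaration and this comparison, together with a one-line comment pointing at the report, would make the intent explicit. It is also worth confirming that `readBuf` itself copes with a `total_size` larger than the remaining input, since this check only bounds the destination, not the source.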