From: Leon Zhao
Subject: [bug-libextractor] An infinite loop in nsfe_extractor.c caused by negative chunksize
Date: Fri, 13 Oct 2017 14:46:49 +0800

Tested Version:
v1.4

Details:
In the EXTRACTOR_nsfe_extract_method function, chunksize is read from the file, so a crafted file can set chunksize to -8. This makes the code fall into an infinite loop: with chunksize = -8, `off += 8 + chunksize` leaves off unchanged, so the same chunk header is sought and read again on every iteration.


Vulnerability Code:
365   while (0 == ret)
366     {
367       if (off != ec->seek (ec->cls,
368                            off,
369                            SEEK_SET))
370         break;
371       if (8 >
372           ec->read (ec->cls,
373                     &data,
374                     8))
375         break;
376       chunksize = nsfeuint (data);
377       off += 8 + chunksize;
378       if (0 == memcmp (data + 4, "INFO", 4))
379         ret = info_extract (ec, chunksize);
380       else if (0 == memcmp (data + 4, "auth", 4))
381         ret = auth_extract (ec, chunksize);
382       else if (0 == memcmp (data + 4, "tlbl", 4))
383         ret = tlbl_extract (ec, chunksize);
384       /* Ignored chunks: DATA, NEND, plst, time, fade, BANK */
385     }
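
For comparison, the following is an added example (not libextractor code) of the same chunk walk written so that a crafted size field terminates the loop instead of spinning. It assumes, as the gdb session below suggests, that chunksize is an unsigned 32-bit value whose 0xFFFFFFF8 (-8) wraps 8 + chunksize back to 0; the in-memory file layout (4-byte LE size, 4-byte tag, data) and the two sample buffers are constructed for this example.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* 4-byte little-endian chunk size (the role nsfeuint() plays in nsfe_extractor.c). */
static uint32_t le32 (const unsigned char *p)
{
  return (uint32_t) p[0] | ((uint32_t) p[1] << 8)
       | ((uint32_t) p[2] << 16) | ((uint32_t) p[3] << 24);
}

/* Walk the chunk list of an in-memory NSFE file starting at 'start'.
 * Returns the number of chunks visited, or -1 on a malformed header.
 * The sum is computed in 64 bits so 0xFFFFFFF8 cannot wrap to 0, and a
 * chunk that does not fit in the remaining bytes is rejected, not followed. */
static int walk_chunks (const unsigned char *buf, size_t len, size_t start)
{
  uint64_t off = start;
  int chunks = 0;
  while (off + 8 <= len)
    {
      uint32_t chunksize = le32 (buf + off);
      uint64_t next = off + 8 + (uint64_t) chunksize;
      if (next <= off || next > len)
        return -1;                 /* bogus size: stop, do not spin */
      chunks++;
      if (0 == memcmp (buf + off + 4, "NEND", 4))
        break;                     /* NEND terminates the chunk list */
      off = next;
    }
  return chunks;
}

/* Constructed sample: magic, a 4-byte INFO chunk, then an empty NEND chunk. */
static const unsigned char good_file[] = {
  'N','S','F','E',  4,0,0,0, 'I','N','F','O', 0x00,0x02,0x00,0x00,
  0,0,0,0, 'N','E','N','D' };
/* Constructed sample: one INFO chunk whose size field is -8 (0xFFFFFFF8). */
static const unsigned char crafted_file[] = {
  'N','S','F','E',  0xF8,0xFF,0xFF,0xFF, 'I','N','F','O' };

int walk_good (void)    { return walk_chunks (good_file, sizeof good_file, 4); }
int walk_crafted (void) { return walk_chunks (crafted_file, sizeof crafted_file, 4); }

int main (void)
{
  printf ("good: %d chunks, crafted: %d\n", walk_good (), walk_crafted ());
  return 0;
}
```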

Crash Information:
gdb and backtrace
(gdb) run -i extract-nsfe_extract_method-nsfe_extractor-376.loop 
Starting program: /opt/asan/bin/extract -i extract-nsfe_extract_method-nsfe_extractor-376.loop
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Keywords for file extract-nsfe_extract_method-nsfe_extractor-376.loop:
mimetype - audio/x-nsfe
broadcast television system - PAL
song count - 2
starting song - 0
^C
Program received signal SIGINT, Interrupt.
EXTRACTOR_nsfe_extract_method (ec=0x7fffffffa050) at nsfe_extractor.c:367
367           if (off != ec->seek (ec->cls,
(gdb) b nsfe_extractor.c:376
Breakpoint 1 at 0x7ffff181db5e: file nsfe_extractor.c, line 376.
(gdb) c
Continuing.
Breakpoint 1, EXTRACTOR_nsfe_extract_method (ec=0x7fffffffa050) at nsfe_extractor.c:376
376           chunksize = nsfeuint (data);
(gdb) x/d data
0x7fffffffa0d0: -8
(gdb) p (int)chunksize
$4 = -8
(gdb) p off
$5 = 22
(gdb) n
377           off += 8 + chunksize;
(gdb) p off
$6 = 22
(gdb) 

CREDIT
Zhao Liang, Huawei Weiran Labs

The attachment is the PoC file.

Attachment: extract-nsfe_extract_method-nsfe_extractor-376.loop
Description: Binary data

