[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[libextractor] Security bug in libextractor
From: |
Luigi Auriemma |
Subject: |
[libextractor] Security bug in libextractor |
Date: |
Sun, 14 May 2006 19:20:07 +0200 |
Hey,
I want to report a security bug I have found in libextractor, tested
both 0.5.13 and current SVN.
The bug is a heap overflow in src/plugins/asfextractor.c.
The demux_asf_t structure is allocated when the plugin is called and
subsequently is performed a call to asf_read_header which reads all the
header of the input file arriving to GUID_ASF_STREAM_PROPERTIES
and then to CODEC_TYPE_AUDIO.
Here we have the arbitrary reading of the data from the ASF file to the
wavex buffer of 1024*2 bytes using the 32 bit number called total_size
provided by the same file as amount of data to read.
No checks are made on total_size so is possible to cause a heap overflow.
The following is the piece of code containing the bug:
...
total_size = get_le32(this);
stream_data_size = get_le32(this);
stream_id = get_le16(this); /* stream id */
get_le32(this);
if (type == CODEC_TYPE_AUDIO) {
ext_uint8_t buffer[6];
readBuf (this, (ext_uint8_t *) this->wavex, total_size);
...
I have written a proof-of-concept which creates ASF files with the
possibility to specify the size of total_size too:
http://aluigi.org/poc/libextbof.zip
(if the link doesn't work copy it in the browser's bar).
I wait your reply.
BYEZ
---
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org
- [libextractor] Security bug in libextractor,
Luigi Auriemma <=