
[libextractor] Security bug in libextractor


From: Luigi Auriemma
Subject: [libextractor] Security bug in libextractor
Date: Sun, 14 May 2006 19:20:07 +0200

Hey,

I want to report a security bug I have found in libextractor, tested on
both 0.5.13 and the current SVN.

The bug is a heap overflow in src/plugins/asfextractor.c.

The demux_asf_t structure is allocated when the plugin is called, and
subsequently a call to asf_read_header is performed, which reads the whole
header of the input file, arriving at GUID_ASF_STREAM_PROPERTIES
and then at CODEC_TYPE_AUDIO.
Here we have the arbitrary reading of data from the ASF file into the
wavex buffer of 1024*2 bytes, using the 32-bit number called total_size,
provided by the same file, as the amount of data to read.
No checks are made on total_size, so it is possible to cause a heap overflow.

The following is the piece of code containing the bug:

          ...
          total_size = get_le32(this);        /* 32-bit length taken from the file */
          stream_data_size = get_le32(this);
          stream_id = get_le16(this); /* stream id */
          get_le32(this);

          if (type == CODEC_TYPE_AUDIO) {
            ext_uint8_t buffer[6];

            /* total_size is never compared against the size of wavex (1024*2 bytes) */
            readBuf (this, (ext_uint8_t *) this->wavex, total_size);
          ...

I have written a proof-of-concept which creates ASF files with the
possibility to specify the size of total_size too:

  http://aluigi.org/poc/libextbof.zip

(if the link doesn't work, copy it into the browser's address bar).

I await your reply.


BYEZ


--- 
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org
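The length check that is missing in the snippet above, shown as an added stand-alone model (this is not libextractor's code): a hypothetical reader with a fixed 1024*2-byte wavex buffer reads a file-supplied 32-bit total_size and refuses to copy when that length exceeds either the destination buffer or the bytes remaining in the input. The sample chunks are constructed, not real ASF files.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define WAVEX_SIZE (1024 * 2)   /* destination size named in the report */

/* Hypothetical reader state; models the plugin's "this" object. */
typedef struct {
    const uint8_t *data;         /* input file bytes */
    size_t len;                  /* total input length */
    size_t pos;                  /* current read offset */
    uint8_t wavex[WAVEX_SIZE];   /* fixed-size destination buffer */
} asf_reader_t;

/* Little-endian 32-bit read; a truncated input yields 0 and does not advance. */
static uint32_t get_le32(asf_reader_t *r) {
    if (r->pos + 4 > r->len) return 0;
    uint32_t v = (uint32_t)r->data[r->pos]
               | (uint32_t)r->data[r->pos + 1] << 8
               | (uint32_t)r->data[r->pos + 2] << 16
               | (uint32_t)r->data[r->pos + 3] << 24;
    r->pos += 4;
    return v;
}

/* Bounded replacement for an unchecked readBuf(this, wavex, total_size):
 * reject a length larger than wavex or larger than what is left to read.
 * Returns the number of bytes copied, or -1 when the chunk is rejected. */
static int read_stream_data(asf_reader_t *r, uint32_t total_size) {
    if (total_size > sizeof(r->wavex)) return -1;   /* would overflow wavex */
    if (total_size > r->len - r->pos)  return -1;   /* would read past input */
    memcpy(r->wavex, r->data + r->pos, total_size);
    r->pos += total_size;
    return (int)total_size;
}

/* Simplified audio stream-properties chunk: [total_size:le32][payload...]. */
int parse_audio_stream_properties(const uint8_t *file, size_t len) {
    asf_reader_t r = { file, len, 0, {0} };
    uint32_t total_size = get_le32(&r);
    return read_stream_data(&r, total_size);
}

/* Constructed sample inputs (not real ASF data). */
static const uint8_t benign_chunk[]    = { 0x04,0,0,0, 'a','b','c','d' };   /* total_size 4 */
static const uint8_t oversized_chunk[] = { 0,0,0x01,0, 'a','b','c','d' };   /* total_size 0x10000 */
static const uint8_t truncated_chunk[] = { 0x08,0,0,0, 'a','b' };           /* claims 8, has 2 */

int demo_benign(void)    { return parse_audio_stream_properties(benign_chunk, sizeof benign_chunk); }
int demo_oversized(void) { return parse_audio_stream_properties(oversized_chunk, sizeof oversized_chunk); }
int demo_truncated(void) { return parse_audio_stream_properties(truncated_chunk, sizeof truncated_chunk); }
```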
