libextractor

Re: [libextractor] Security bug in libextractor


From: Christian Grothoff
Subject: Re: [libextractor] Security bug in libextractor
Date: Sun, 14 May 2006 19:30:36 -0700
User-agent: KMail/1.9.1

Thanks for letting us know!  Seems like the xine guys fixed this particular 
problem a while back already (that's where the asf code comes from), so no 
need to inform them.  I've fixed the problem in SVN 2827.

Christian

On Sunday 14 May 2006 10:20, Luigi Auriemma wrote:
> Hey,
>
> I want to report a security bug I have found in libextractor, tested
> both 0.5.13 and current SVN.
>
> The bug is a heap overflow in src/plugins/asfextractor.c.
>
> The demux_asf_t structure is allocated when the plugin is called, and
> subsequently a call to asf_read_header is performed, which reads the whole
> header of the input file, arriving at GUID_ASF_STREAM_PROPERTIES
> and then at CODEC_TYPE_AUDIO.
> Here the data from the ASF file is read into the wavex buffer of
> 1024*2 bytes using the 32-bit number called total_size, provided by the
> same file, as the amount of data to read.
> No checks are made on total_size, so it is possible to cause a heap overflow.
>
> The following is the piece of code containing the bug:
>
>           ...
>           total_size = get_le32(this);
>           stream_data_size = get_le32(this);
>           stream_id = get_le16(this); /* stream id */
>           get_le32(this);
>
>           if (type == CODEC_TYPE_AUDIO) {
>             ext_uint8_t buffer[6];
>
>             readBuf (this, (ext_uint8_t *) this->wavex, total_size);
>           ...
>
> I have written a proof-of-concept which creates ASF files with the
> possibility to specify the size of total_size too:
>
>   http://aluigi.org/poc/libextbof.zip
>
> (if the link doesn't work, copy it into the browser's address bar).
>
> I await your reply.
>
>
> BYEZ
>
>
> ---
> Luigi Auriemma
> http://aluigi.org
> http://mirror.aluigi.org




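A hardened form of the read quoted in the report, added here as an example written for this page (it is not code from libextractor or from the xine demuxer the ASF code came from). The in-memory demux_t, get_le32, read_stream_props, parse_constructed and the sample payload are assumed stand-ins; the point is that the file-supplied total_size is bounded by the destination size and by the bytes actually present before anything is copied.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define WAVEX_SIZE (1024 * 2)  /* size of the wavex buffer named in the report */

/* Minimal in-memory stand-in for the plugin's demux state (constructed here). */
typedef struct {
  const uint8_t *data;  /* whole input file */
  size_t len;           /* input length */
  size_t pos;           /* read cursor */
  uint8_t wavex[WAVEX_SIZE];
} demux_t;

/* Little-endian 32-bit read; returns 0 and exhausts the input on a short read. */
static uint32_t get_le32(demux_t *d) {
  if (d->len - d->pos < 4) { d->pos = d->len; return 0; }
  const uint8_t *p = d->data + d->pos;
  d->pos += 4;
  return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hardened equivalent of the unchecked readBuf(): total_size is checked
 * against sizeof wavex and against the remaining input before the copy.
 * Returns the number of bytes copied, or -1 if the header is rejected. */
static int read_stream_props(demux_t *d) {
  uint32_t total_size = get_le32(d);
  if (total_size > sizeof d->wavex) return -1;   /* would overflow wavex */
  if (total_size > d->len - d->pos) return -1;   /* would read past end of file */
  memcpy(d->wavex, d->data + d->pos, total_size);
  d->pos += total_size;
  return (int)total_size;
}

/* Constructed sample payload used by the checks below. */
static const uint8_t sample_payload[8] = {1, 2, 3, 4, 5, 6, 7, 8};

/* Builds a constructed header (LE32 total_size followed by payload) and parses it. */
static int parse_constructed(uint32_t total_size, const uint8_t *payload, size_t payload_len) {
  static uint8_t file[4 + WAVEX_SIZE];
  if (payload_len > WAVEX_SIZE) return -1;
  file[0] = (uint8_t)total_size;         file[1] = (uint8_t)(total_size >> 8);
  file[2] = (uint8_t)(total_size >> 16); file[3] = (uint8_t)(total_size >> 24);
  memcpy(file + 4, payload, payload_len);
  demux_t d = { file, 4 + payload_len, 0, {0} };
  return read_stream_props(&d);
}
```

A total_size of 8 with 8 payload bytes is accepted; 0xFFFFFFFF, WAVEX_SIZE + 1, or a total_size larger than the remaining input is rejected instead of overrunning wavex.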