
[libextractor] Another security bug in libextractor


From: Luigi Auriemma
Subject: [libextractor] Another security bug in libextractor
Date: Mon, 15 May 2006 23:48:52 +0200

Hey,

I also want to report another heap overflow and a common bug.

The heap overflow happens in qtextractor.c exactly in this line
(STSD_ATOM handling):

        memcpy(trak->stsd + 12, &trak_atom[i + 0x0C + hack_adjust],
          BE_32(&trak_atom[i + 0x0C + hack_adjust]));

I think that here we can also see a normal bug since the instruction
copies not only the data but also the size of the data (IMHO the second
argument should be &trak_atom[i + 16 + hack_adjust] like in the
current Xine version) and naturally the heap overflow happens since
trak->stsd has been previously allocated with current_atom_size but
here we copy an amount of data specified in another "size" ever
provided by the input file.

I will write a complete proof-of-concept tomorrow but the alpha version
I wrote some minutes ago fully confirms the vulnerability.

The other normal bug instead is in src/plugins/riffextractor.c:

  if (c > 8) {
    word = malloc(c+1-8);
    memcpy(word,
           &buffer[8],
           c);
    word[c-8] = '\0';

If c is 10 we allocate 3 bytes for word but then we copy 10 bytes in it.


BYEZ


--- 
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org
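Added example (not part of Luigi's mail and not libextractor's own code): the riffextractor.c snippet above with the copy length derived from the allocation instead of from the raw chunk size, plus a bounded copy helper for the qtextractor.c STSD case where the destination was allocated with one size and the copy length comes from a second, file-controlled size. Function names, the buffer layout and the sample input are assumptions made for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Corrected form of the riffextractor.c snippet (example code, not libextractor's).
 * The original allocates c+1-8 bytes but copies c bytes; here the copy length is
 * the payload size that was actually allocated, and both the chunk size and the
 * 8-byte header are checked against the bytes available in the input buffer.
 * Returns a NUL-terminated copy of the payload, or NULL if it does not fit. */
char *riff_copy_word(const unsigned char *buffer, size_t buflen, uint32_t c)
{
    if (c <= 8 || c > buflen)          /* need a header plus at least one payload byte,
                                          and the whole chunk must lie inside the input */
        return NULL;
    size_t payload = c - 8;            /* bytes after the 8-byte chunk header */
    char *word = malloc(payload + 1);  /* same size as the original malloc(c+1-8) */
    if (word == NULL)
        return NULL;
    memcpy(word, &buffer[8], payload); /* copy exactly what was allocated, not c bytes */
    word[payload] = '\0';
    return word;
}

/* Bounded copy for the STSD case (example helper, assumed names): dst_size is the
 * size the destination was allocated with (current_atom_size in the report),
 * dst_off the offset written to (12 for trak->stsd + 12), src_avail the bytes
 * left in the source atom, and len the size read from the file. The copy only
 * happens when len fits in both the destination and the source; 0 on success,
 * -1 when the file-supplied length would overflow either side. */
int bounded_copy(unsigned char *dst, size_t dst_size, size_t dst_off,
                 const unsigned char *src, size_t src_avail, size_t len)
{
    if (dst_off > dst_size || len > dst_size - dst_off || len > src_avail)
        return -1;
    memcpy(dst + dst_off, src, len);
    return 0;
}
```

With the c = 10 case from the mail, riff_copy_word allocates 3 bytes and copies 2, where the original copied 10.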
