[libextractor] Another security bug in libextractor
From: Luigi Auriemma
Subject: [libextractor] Another security bug in libextractor
Date: Mon, 15 May 2006 23:48:52 +0200
Hey,
I also want to report another heap overflow and a common bug.
The heap overflow happens in qtextractor.c, exactly in this line
(STSD_ATOM handling):
    memcpy(trak->stsd + 12, &trak_atom[i + 0x0C + hack_adjust],
           BE_32(&trak_atom[i + 0x0C + hack_adjust]));
I think that here we can also see a normal bug, since the instruction
copies not only the data but also the size of the data (IMHO the second
argument should be &trak_atom[i + 16 + hack_adjust], like in the
current Xine version), and naturally the heap overflow happens since
trak->stsd has been previously allocated with current_atom_size, but
here we copy an amount of data specified in another "size" that is also
provided by the input file.
I will write a complete proof-of-concept tomorrow, but the alpha version
I wrote some minutes ago fully confirms the vulnerability.
The other normal bug, instead, is in src/plugins/riffextractor.c:
    if (c > 8) {
      word = malloc(c+1-8);
      memcpy(word,
             &buffer[8],
             c);
      word[c-8] = '\0';
If c is 10, we allocate 3 bytes for word but then copy 10 bytes into it.
BYEZ
---
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org
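The riffextractor.c defect above (allocating c+1-8 bytes but copying c) alongside a bounds-checked version, as an added example that is not part of the report or of libextractor's code. It assumes the chunk layout the snippet implies (a 4-byte FourCC plus a 4-byte little-endian length c that counts the 8-byte header) and uses a constructed sample buffer; riff_chunk_word and riff_chunk_word_is are hypothetical names.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not libextractor code. Models the chunk layout the
   report's snippet implies: 4-byte FourCC, 4-byte little-endian length c
   (counting the 8-byte header), then c - 8 payload bytes. The original
   allocated c+1-8 bytes but copied c bytes: an 8-byte heap overrun. */

static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hardened version: copy of the chunk payload at buffer[off] as a
   NUL-terminated string (caller frees), or NULL if the file-controlled
   length does not fit in the bytes actually read. */
char *riff_chunk_word(const unsigned char *buffer, size_t buflen, size_t off)
{
    if (off > buflen || buflen - off < 8)      /* not even a full header */
        return NULL;
    uint32_t c = le32(buffer + off + 4);
    if (c <= 8 || c > buflen - off)           /* bogus or oversized length */
        return NULL;
    size_t payload = (size_t)c - 8;
    char *word = malloc(payload + 1);
    if (word == NULL)
        return NULL;
    memcpy(word, buffer + off + 8, payload);  /* payload bytes only, not c */
    word[payload] = '\0';
    return word;
}

/* Returns 1 if the chunk at off yields exactly `expect` (NULL = rejected). */
int riff_chunk_word_is(const unsigned char *buffer, size_t buflen,
                       size_t off, const char *expect)
{
    char *w = riff_chunk_word(buffer, buflen, off);
    int ok = (w == NULL) ? (expect == NULL)
                         : (expect != NULL && strcmp(w, expect) == 0);
    free(w);
    return ok;
}

/* Constructed sample: a valid INAM chunk (c = 13, "Hello") followed by an
   ICMT chunk whose length field claims far more than the buffer holds. */
static const unsigned char sample[] = {
    'I','N','A','M', 13,0,0,0, 'H','e','l','l','o',
    'I','C','M','T', 0xF0,0xFF,0xFF,0xFF, 'x','y' };
```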