[GNUnet-SVN] r2827 - Extractor/src/plugins
From: grothoff
Subject: [GNUnet-SVN] r2827 - Extractor/src/plugins
Date: Sun, 14 May 2006 18:44:32 -0700 (PDT)
Author: grothoff
Date: 2006-05-14 18:44:30 -0700 (Sun, 14 May 2006)
New Revision: 2827
Modified:
Extractor/src/plugins/asfextractor.c
Log:
Luigi found a bug in the asf extractor. Looks like xine fixed this
one about 2 years ago:
http://xine.cvs.sourceforge.net/xine/xine-lib/src/demuxers/demux_asf.c?view=log
http://xine.cvs.sourceforge.net/xine/xine-lib/src/demuxers/demux_asf.c?r1=1.155&r2=1.156
which is good since it means we don't have to tell them about it.
Here's what Luigi wrote:
From: Luigi Auriemma <address@hidden>
To: address@hidden
Date: Today 10:20:07 am
Hey,
I want to report a security bug I have found in libextractor, tested
both 0.5.13 and current SVN.
The bug is a heap overflow in src/plugins/asfextractor.c.
The demux_asf_t structure is allocated when the plugin is called, and
subsequently a call to asf_read_header is performed, which reads the whole
header of the input file, arriving at GUID_ASF_STREAM_PROPERTIES
and then at CODEC_TYPE_AUDIO.
Here we have the arbitrary reading of data from the ASF file into the
wavex buffer of 1024*2 bytes, using the 32-bit number called total_size,
provided by the same file, as the amount of data to read.
No checks are made on total_size, so it is possible to cause a heap
overflow.
The following is the piece of code containing the bug:
...
total_size = get_le32(this);
stream_data_size = get_le32(this);
stream_id = get_le16(this); /* stream id */
get_le32(this);
if (type == CODEC_TYPE_AUDIO) {
  ext_uint8_t buffer[6];
  /* total_size comes straight from the file and is never compared to sizeof(this->wavex) */
  readBuf (this, (ext_uint8_t *) this->wavex, total_size);
...
I have written a proof-of-concept which creates ASF files, with the
possibility of specifying the size of total_size too:
http://aluigi.org/poc/libextbof.zip
(if the link doesn't work, copy it into the browser's address bar).
I await your reply.
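The pattern Luigi describes, as an added example that is neither libextractor's code nor his proof-of-concept: a minimal C reader for the stream-properties fields quoted above, with the bound check the fix introduces and a second check that the input actually contains the bytes it claims. The asf_reader_t structure, the helpers asf_read_bytes, build_stream_props and run_case, and the constructed input records are assumptions of this example; the 1024*2 wavex size is the one the report gives.

```c
#include <assert.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Buffer size as stated in the report (1024*2 bytes); assumed here. */
#define WAVEX_SIZE (1024 * 2)

/* Stand-in reader state; not libextractor's real demux_asf_t. */
typedef struct {
    const uint8_t *data;        /* the whole input "file" */
    size_t len;
    size_t pos;
    uint8_t wavex[WAVEX_SIZE];  /* fixed-size destination, like this->wavex */
} asf_reader_t;

/* Bounded read: refuses to read past the end of the input. */
static int asf_read_bytes(asf_reader_t *r, void *dst, size_t n)
{
    if (n > r->len - r->pos)
        return -1;
    memcpy(dst, r->data + r->pos, n);
    r->pos += n;
    return 0;
}

static uint32_t get_le32(asf_reader_t *r)
{
    uint8_t b[4] = {0, 0, 0, 0};
    asf_read_bytes(r, b, sizeof b);   /* yields 0 on truncated input */
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

static uint16_t get_le16(asf_reader_t *r)
{
    uint8_t b[2] = {0, 0};
    asf_read_bytes(r, b, sizeof b);
    return (uint16_t)(b[0] | (b[1] << 8));
}

/* Parses the fields quoted in the report (total_size, stream_data_size,
 * stream_id, a reserved u32) and then copies total_size bytes of codec
 * data into wavex.  Returns the byte count stored in wavex, or -1 when
 * the object is rejected (the role of `goto fail` in the patch). */
static long asf_read_audio_stream_props(asf_reader_t *r)
{
    uint32_t total_size = get_le32(r);
    uint32_t stream_data_size = get_le32(r);
    uint16_t stream_id = get_le16(r);
    get_le32(r);                       /* reserved, value unused */
    (void)stream_data_size;
    (void)stream_id;

    /* The check the fix adds: a file-controlled length must never exceed
     * the fixed destination.  Without it, the copy below writes
     * total_size bytes into a 2048-byte member of a heap object. */
    if (total_size > sizeof(r->wavex))
        return -1;
    /* Separate bound: the file must also contain that many bytes. */
    if (asf_read_bytes(r, r->wavex, total_size) != 0)
        return -1;
    return (long)total_size;
}

/* Constructs a stream-properties tail claiming `total_size` bytes of
 * codec data while actually appending `payload` bytes; a claim larger
 * than the payload models a truncated or hostile file.  Returns the
 * number of bytes written, 0 if `cap` is too small. */
static size_t build_stream_props(uint8_t *out, size_t cap,
                                 uint32_t total_size, size_t payload)
{
    size_t need = 4 + 4 + 2 + 4 + payload;
    uint8_t *p = out;
    uint32_t fields[2];
    int i, s;
    if (need > cap)
        return 0;
    fields[0] = total_size;
    fields[1] = (uint32_t)payload;     /* stream_data_size */
    for (i = 0; i < 2; i++)
        for (s = 0; s < 32; s += 8)
            *p++ = (uint8_t)(fields[i] >> s);
    *p++ = 1; *p++ = 0;                /* stream_id = 1 */
    for (i = 0; i < 4; i++) *p++ = 0;  /* reserved u32 */
    memset(p, 0xAB, payload);          /* constructed codec data */
    return need;
}

/* Runs one constructed case through the parser; -2 means the harness
 * could not build the input (not a parser result). */
long run_case(uint32_t claimed_total_size, size_t payload)
{
    static uint8_t file[WAVEX_SIZE + 64];
    asf_reader_t r;
    size_t n = build_stream_props(file, sizeof file, claimed_total_size, payload);
    if (n == 0)
        return -2;
    memset(&r, 0, sizeof r);
    r.data = file;
    r.len = n;
    return asf_read_audio_stream_props(&r);
}

int main(void)
{
    printf("18-byte codec header:  %ld\n", run_case(18, 18));
    printf("claims 65536 bytes:    %ld\n", run_case(65536, 0));
    printf("claims 100, has 10:    %ld\n", run_case(100, 10));
    return 0;
}
```

The comparison against sizeof(r->wavex) only works because wavex is an inline array; had it been a pointer, sizeof would return the pointer size and the check would be meaningless, so the declaration and the check must be kept together. The second check matters too: a length that fits the buffer can still exceed what remains of the file, and a reader that does not bound that read will return stale or out-of-bounds data.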
Modified: Extractor/src/plugins/asfextractor.c
===================================================================
--- Extractor/src/plugins/asfextractor.c 2006-05-14 23:24:41 UTC (rev
2826)
+++ Extractor/src/plugins/asfextractor.c 2006-05-15 01:44:30 UTC (rev
2827)
@@ -518,6 +518,8 @@
guid = get_guid(this);
get_le64(this);
total_size = get_le32(this);
+ if (total_size > sizeof(this->wavex))
+ goto fail;
stream_data_size = get_le32(this);
stream_id = get_le16(this); /* stream id */
get_le32(this);
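Review bot: the bound `if (total_size > sizeof(this->wavex)) goto fail;` is only correct if wavex is declared as an inline array in demux_asf_t (the report describes it as a 1024*2 byte buffer); if it were a pointer member, sizeof would yield the pointer size and the check would pass almost any length. A short comment tying the check to that declaration, or a shared constant for the buffer size used in both places, would keep a later refactor from silently breaking it. The check also bounds total_size only against the buffer, not against the remaining input; whether readBuf itself refuses to read past the end of the file is not visible in this hunk and is worth confirming.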