<<< Date Index >>>     <<< Thread Index >>>

Two heap overflow in libextractor 0.5.13 (rev 2832)



#######################################################################

                             Luigi Auriemma

Application:  libextractor
              http://gnunet.org/libextractor/
Versions:     <= 0.5.13 (rev 2832)
Platforms:    *nix, *BSD, Windows and more
Bugs:         A] heap overflow in asfextractor
              B] heap overflow in qtextractor
Exploitation: local
Date:         17 May 2006
Author:       Luigi Auriemma
              e-mail: aluigi@xxxxxxxxxxxxx
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


libextractor is a library which allows to search meta-data in different
file formats.
It's used in some programs and it's required for GnuNET
(http://gnunet.org).


#######################################################################

=======
2) Bugs
=======

--------------------------------
A] heap overflow in asfextractor
--------------------------------

The demux_asf_t structure is allocated when the plugin is launched,
subsequently is performed a call to asf_read_header which reads all the
header of the input file arriving to the handling (depending by the
file) of GUID_ASF_STREAM_PROPERTIES and then CODEC_TYPE_AUDIO.
Here we have the arbitrary copying of an amount of data, specified by
the 32 bit numer called total_size, from the ASF file to the wavex
buffer of 1024*2 bytes.
The total_size value is read from the same file and no checks are
performed on its size so is possible to cause a heap overflow.

>From src/plugins/asfextractor.c:

static int asf_read_header(demux_asf_t *this) {
          ...
          total_size = get_le32(this);
          stream_data_size = get_le32(this);
          stream_id = get_le16(this); /* stream id */
          get_le32(this);

          if (type == CODEC_TYPE_AUDIO) {
            ext_uint8_t buffer[6];

            readBuf (this, (ext_uint8_t *) this->wavex, total_size);
          ...


-------------------------------
B] heap overflow in qtextractor
-------------------------------

An heap overflow exists also in the plugin which handles the QT/MOV
files.
The problem is located in the parse_trak_atom function and is caused by
the allocation of a buffer using a specific amount of bytes chosen by
the attacker on which is then called memcpy using another amount of
data provided ever by the same input file.

>From src/plugins/qtextractor.c:

static qt_error parse_trak_atom (qt_trak *trak,
                                 unsigned char *trak_atom) {
      ...
      trak->stsd_size = current_atom_size;
      trak->stsd = realloc (trak->stsd, current_atom_size);
      memset (trak->stsd, 0, trak->stsd_size);

      /* awful, awful hack to support a certain type of stsd atom that
       * contains more than 1 video description atom */
      if (BE_32(&trak_atom[i + 8]) == 1) {
        /* normal case */
        memcpy (trak->stsd, &trak_atom[i], current_atom_size);
        hack_adjust = 0;
      } else {
        /* pathological case; take this route until a more definite
         * solution is found: jump over the first atom video
         * description atom */

        /* copy the first 12 bytes since those remain the same */
        memcpy (trak->stsd, &trak_atom[i], 12);

        /* skip to the second atom and copy it */
        hack_adjust = BE_32(&trak_atom[i + 0x0C]);
        memcpy(trak->stsd + 12, &trak_atom[i + 0x0C + hack_adjust],
          BE_32(&trak_atom[i + 0x0C + hack_adjust]));
      ...


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/libextho.zip


#######################################################################

======
4) Fix
======


The bug in the ASF plugin has been fixed in revision 2827 while that in
QT in 2833.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org