
[TKADV2009-006] libsndfile/Winamp VOC Processing Heap Buffer Overflow



Please find attached a detailed advisory of the vulnerability.

Alternatively, the advisory can also be found at:
http://www.trapkit.de/advisories/TKADV2009-006.txt

Related blog entry:
http://tk-blog.blogspot.com/2009/05/exploitable-vs-tkadv2009-006-vs-static.html

Advisory:               libsndfile/Winamp VOC Processing Heap Buffer 
                        Overflow
Advisory ID:            TKADV2009-006
Revision:               1.0              
Release Date:           2009/05/16
Last Modified:          2009/05/16
Date Reported:          2009/04/19
Author:                 Tobias Klein (tk at trapkit.de)
Affected Software:      libsndfile <= version 1.0.19
                        Winamp <= v5.552
Remotely Exploitable:   Yes
Locally Exploitable:    No 
Vendor URL:             http://www.mega-nerd.com/libsndfile/ 
Vendor Status:          Vendor has released an updated version
Patch development time: 26 days


======================
Vulnerability Details: 
======================

libsndfile contains a heap buffer overflow vulnerability while parsing 
malformed VOC (Creative Voice) media files. The vulnerability may be 
exploited by a (remote) attacker to execute arbitrary code in the context 
of an application using the libsndfile library.

As libsndfile is used by Winamp (see [REF2]) this popular media player is 
also affected by this vulnerability.

See [REF3] for a list of software projects that are using the libsndfile 
library.


==================
Technical Details:
==================

Source code file: libsndfile-1.0.19/src/voc.c

[..]
156 static int
157 voc_read_header     (SF_PRIVATE *psf)
158 {   VOC_DATA        *pvoc ;
...
201     while (1)
202     {   int size ;
203         short count ;
204
205         block_type = 0 ;
206         offset += psf_binheader_readf (psf, "1", &block_type) ;
207
208         switch (block_type)
209         {   case VOC_ASCII :
210 [1]             offset += psf_binheader_readf (psf, "e3", &size) ;
211
212                 psf_log_printf (psf, " ASCII : %d\n", size) ;
213
214 [2]             offset += psf_binheader_readf (psf, "b", psf->header, size) ;
215                 psf->header [size] = 0 ;
216                 psf_log_printf (psf, "  text : %s\n", psf->header) ;
217                 continue ;
[..]

[1] The int variable "size" is filled with user supplied data from the 
    media file.
[2] The user controlled value of "size" is used as an argument for the 
    "psf_binheader_readf()" function.


Source code file: libsndfile-1.0.19/src/common.c

[..]
 906 int
 907 psf_binheader_readf (SF_PRIVATE *psf, char const *format, ...)
 908 { va_list                  argptr ;
 ...
1035   case 'b' :
1036           charptr = va_arg (argptr, char*) ;
1037 [3]       count = va_arg (argptr, int) ;
1038           if (count > 0)
1039 [4]           byte_count += header_read (psf, charptr, count) ;
1040           break ;
[..]

[3] The user controlled value gets stored in "count".
[4] "count" is used as an argument for the "header_read()" function.


Source code file: libsndfile-1.0.19/src/common.c

[..]
793 static int
794 header_read (SF_PRIVATE *psf, void *ptr, int bytes)
795 {   int count = 0 ;
...
805     if (psf->headindex + bytes > SIGNED_SIZEOF (psf->header))
806     {   int most ;
807
808         most = SIGNED_SIZEOF (psf->header) - psf->headindex ;
809         psf_fread (psf->header + psf->headend, 1, most, psf) ;
810 [5]     memset ((char *) ptr + most, 0, bytes - most) ;
811
812         psf_fseek (psf, bytes - most, SEEK_CUR) ;
813         return bytes ;
814     } ;
[..]

[5] The third argument of memset() is calculated using the user controlled 
    value of "bytes". This leads to a heap buffer overflow. 
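As an added illustration (not libsndfile code and not the fix the maintainers shipped), the following C shows a bounds-checked stand-in for the header_read() pattern quoted above, together with the size check a VOC_ASCII block needs before the trailing NUL is written. The struct hdr_t, the in-memory memfile_t reader and the 64-byte buffer size are assumptions for the example.

```c
/* Added example: bounds-checked variant of the header_read() pattern.
 * hdr_t, memfile_t and HEADER_SIZE are constructed for this example. */
#include <stddef.h>
#include <string.h>

#define HEADER_SIZE 64  /* constructed; the real psf->header is larger */

typedef struct {
    unsigned char header[HEADER_SIZE]; /* fixed-size header buffer */
    int headindex;                     /* bytes already used in header[] */
} hdr_t;

/* Constructed stand-in for psf_fread(): reads from an in-memory "file". */
typedef struct { const unsigned char *data; size_t len, pos; } memfile_t;

static size_t mem_read(memfile_t *f, void *dst, size_t n)
{
    size_t avail = f->len - f->pos;
    if (n > avail) n = avail;
    memcpy(dst, f->data + f->pos, n);
    f->pos += n;
    return n;
}

/* Hardened read: refuses any request that does not fit in header[]
 * instead of zero-filling past its end as the [5] memset() does.
 * Returns bytes read, or -1 when 'bytes' is negative or too large. */
int hdr_read_checked(hdr_t *psf, memfile_t *file, int bytes)
{
    if (bytes < 0 || psf->headindex < 0 || psf->headindex > HEADER_SIZE)
        return -1;
    /* Subtract rather than add so a huge 'bytes' cannot wrap around. */
    if (bytes > HEADER_SIZE - psf->headindex)
        return -1;
    size_t got = mem_read(file, psf->header + psf->headindex, (size_t) bytes);
    psf->headindex += (int) got;
    return (int) got;
}

/* VOC_ASCII block: the 24-bit 'size' taken from the file must also leave
 * room for the terminating NUL (psf->header [size] = 0 in voc.c). */
int voc_ascii_size_ok(const hdr_t *psf, int size)
{
    return size >= 0 && size < HEADER_SIZE - psf->headindex;
}
```

The two checks are deliberately distinct: a size equal to the remaining space passes hdr_read_checked() but fails voc_ascii_size_ok(), because the NUL written after the read needs one more byte.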


========= 
Solution: 
=========

  Upgrade to libsndfile >= version 1.0.20 (see [REF4]).
 

====================
Disclosure Timeline: 
====================

  2009/04/19 - Initial vendor notification
  2009/04/19 - Initial response from the libsndfile maintainers 
  2009/04/19 - Vulnerability details sent to libsndfile maintainers
  2009/05/14 - Public disclosure of vulnerability details by libsndfile 
               maintainers
  2009/05/16 - Release date of this security advisory


======== 
Credits: 
========

  Vulnerability found and advisory written by Tobias Klein.


=========== 
References: 
===========

  [REF1] www.mega-nerd.com/libsndfile/
  [REF2] www.winamp.com/
  [REF3] www.mega-nerd.com/erikd/Blog/CodeHacking/libsndfile/ten_years.html
  [REF4] www.mega-nerd.com/erikd/Blog/CodeHacking/libsndfile/rel_20.html
  [REF5] www.trapkit.de/advisories/TKADV2009-006.txt


======== 
Changes: 
========

  Revision 0.1 - Initial draft release to the vendor
  Revision 1.0 - Public release


===========
Disclaimer:
===========

The information within this advisory may change without notice. Use
of this information constitutes acceptance for use in an AS IS
condition. There are no warranties, implied or express, with regard
to this information. In no event shall the author be liable for any
direct or indirect damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this
information is at the user's own risk.


================== 
PGP Signature Key: 
==================

  http://www.trapkit.de/advisories/tk-advisories-signature-key.asc

  
Copyright 2009 Tobias Klein. All rights reserved.

