Heap-based buffer overflow in SoundStretch/WavFile.cpp:WavInFile::readHeaderBlock()
The WavInFile::readHeaderBlock() function is vulnerable to a heap buffer overflow because it uses a signed int instead of an unsigned int when computing the size of a header structure. For instance, in the following block:
```cpp
// Decode blocks according to their label
if (strcmp(label, fmtStr) == 0)
{
    int nLen, nDump;
    // 'fmt ' block
    memcpy(header.format.fmt, fmtStr, 4);
    // read length of the format field
    if (fread(&nLen, sizeof(int), 1, fptr) != 1) return -1;
    // swap byte order if necessary
    _swap32(nLen); // int format_len;
    header.format.format_len = nLen;
    // calculate how much length differs from expected
    nDump = nLen - ((int)sizeof(header.format) - 8);
    // if format_len is larger than expected, read only as much data as we've space for
    if (nDump > 0)
    {
        nLen = sizeof(header.format) - 8;
    }
    // read data
    if (fread(&(header.format.fixed), nLen, 1, fptr) != 1) return -1;
```
It can happen that `nLen` is negative, in which case `nDump` is negative as well, so `nLen = sizeof(header.format) - 8;` is not executed. `fread()` is then called with the negative `nLen`, which is converted to `size_t` and becomes a very large unsigned integer. `fread()` then overwrites a large portion of heap memory with data that are fully under the attacker's control (when parsing an untrusted file).

The same happens in the `else if (strcmp(label, factStr) == 0)` branch. Declaring `nLen` and `nDump` as `unsigned int` should be sufficient to fix this issue.
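Added example (not SoundTouch's code): a minimal C++ model of the length check above, built on a constructed stand-in struct, showing how a negative chunk length slips past the signed `nDump > 0` test and reaches `fread()` as `SIZE_MAX`, next to the unsigned, clamped version. `MockFormat`, `parseChunkLen`, `vulnerableReadLen`, `fixedReadLen`, `exceedsBuffer` and the sample length bytes are assumptions made for this example.

```cpp
#include <cstddef>
#include <cstdint>

// Constructed stand-in for SoundTouch's WavFormat block; the real struct has more
// fields, but only its total size matters here: sizeof(format) - 8 is the room
// left after the 4-byte 'fmt ' tag and the 4-byte length field.
struct MockFormat {
    char fmt[4];
    int  format_len;
    char fixed[16];   // stands in for the fixed-size format fields
};

// Constructed sample: a 'fmt ' chunk length of 0xFFFFFFFF, i.e. -1 as int.
const unsigned char kHostileLen[4] = {0xff, 0xff, 0xff, 0xff};

// Little-endian decode of the 32-bit chunk length read from the file
// (what nLen holds after fread + _swap32 on a little-endian host).
int32_t parseChunkLen(const unsigned char *p)
{
    return (int32_t)((uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                     ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24));
}

// Mirrors the reported logic with signed arithmetic; returns the byte count
// that would reach fread() as size_t.
size_t vulnerableReadLen(int32_t nLen)
{
    int nDump = nLen - ((int)sizeof(MockFormat) - 8);
    if (nDump > 0) {                              // negative nLen is never clamped
        nLen = (int32_t)(sizeof(MockFormat) - 8);
    }
    return (size_t)nLen;                          // -1 becomes SIZE_MAX here
}

// Hardened version: unsigned length, clamped by direct comparison, so no value
// read from the file can exceed the destination buffer.
size_t fixedReadLen(uint32_t nLen)
{
    const uint32_t room = (uint32_t)sizeof(MockFormat) - 8;
    return nLen > room ? room : nLen;
}

// True when a read of n bytes would write past the fixed-size header fields.
bool exceedsBuffer(size_t n)
{
    return n > sizeof(MockFormat) - 8;
}
```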
There's also a reproducer publicly available (1-Poc):
https://github.com/TeamSeri0us/pocs/tree/master/soundtouch
I don't know if they have already reported this issue (along with others). I asked them via email, but I haven't got any reply so far. I also don't see any open issue related to this, so I'm opening a new one.