audition/cool_wv4.c: bounds-check cue/plst/ltxt special data sizes#238
Merged
Conversation
Owner
|
Created an appropriately corrupt WavPack file and verified that (1) it crashes the Cool Edit plugin without this fix, and (2) the fix causes the cue list to be silently ignored (which, BTW, is exactly what Cool Edit does when presented with the same corruption in a native WAV file). Thanks! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Reconstructing the RIFF chunks from a file's wrapper, a crafted "cue " chunk:
FilterGetNextSpecialData takes the record count straight out of the chunk payload, which comes from WavpackGetWrapperData and so is attacker controlled, then uses it as both the GlobalAlloc size and the loop bound with no check against dwSize. "plst" has the same shape. "ltxt" copies a fixed 12 bytes into a GlobalAlloc(dwSize - 4) buffer, so a dwSize below 20 overruns the destination (and below 4 underflows the size).
Found while reading the wrapper-replay path. The encode side derives the counts from dwSize, so it is safe; the decode side trusts the stored count, so it is not.
Validate each count and size against dwSize before allocating and copying.