[crash] Interger underflow

Affected component(s)

libxspf project(makeUriString function)
uriparser project (uriToStringCharsRequiredA function)

Attack vector(s)

Adversary sends crafted movie playlist file and victim opens it with media player which is using libxspf library (such as VLC player).

Suggested description of the vulnerability for use in the CVE

makeUriString() function from Xspf class trusts the return values (i.e., int* charsRequired) from uriparser library; thus assumes positive value.

However, "uriparser" library's uriToStringCharsRequired() functions returns negative value on crafted URI string such as "http://example.co@" (actually the function should return NULL).

Due to this integer underflow, the code meets crash with heap alloction failure.

libxspf

    XML_Char * makeUriString(UriUri const & uri) {
            XML_Char * uriString;
            int charsRequired;            
            if (uriToStringCharsRequired(&uri, &charsRequired) != URI_SUCCESS) {
                    // the uriparse should have return NULL!
                    return NULL;
            }
            charsRequired++;
            // negative value are inserted to charsRequired (e.g., 0xffffffffff9e5331)
            // allocator error here!
            uriString = new XML_Char[charsRequired];  
            if (uriToString(uriString, &uri, charsRequired, NULL) != URI_SUCCESS) {
                    delete [] uriString;
                    return NULL;
            }
            return uriString;
    }

Discoverer

Jinho Jung (jinho.jung@gatech.edu, Georgia Institute of Technology)

Reference

N/A

Additional Information

PoC: https://ffs.gtisc.gatech.edu/download/ca3502e783138c47/#WQ_4uRrb_CSkyHvA5fpJMg
How to reproduce

we use example application from libxspf

find read.cpp file and modify the file name to PoC's
compile and run the read program

We also report this problem to uriparser project team

Affected component(s)
======================
- libxspf project(makeUriString function)

- uriparser project (uriToStringCharsRequiredA function)

Attack vector(s)
================
Adversary sends crafted movie playlist file and victim opens it with media player which is using libxspf library (such as VLC player).

Suggested description of the vulnerability for use in the CVE
===============================================================

makeUriString() function from Xspf class trusts the return values (i.e., int* charsRequired) from uriparser library; thus assumes positive value.

However, "uriparser" library's uriToStringCharsRequired() functions returns negative value on crafted URI string such as "http://example.co@" (actually the function should return NULL).

Due to this integer underflow, the code meets crash with heap alloction failure.

* libxspf

```c
    XML_Char * makeUriString(UriUri const & uri) {
            XML_Char * uriString;
            int charsRequired;            
            if (uriToStringCharsRequired(&uri, &charsRequired) != URI_SUCCESS) {
                    // the uriparse should have return NULL!
                    return NULL;
            }
            charsRequired++;
            // negative value are inserted to charsRequired (e.g., 0xffffffffff9e5331)
            // allocator error here!
            uriString = new XML_Char[charsRequired];  
            if (uriToString(uriString, &uri, charsRequired, NULL) != URI_SUCCESS) {
                    delete [] uriString;
                    return NULL;
            }
            return uriString;
    }
```

Discoverer
===========
Jinho Jung (jinho.jung@gatech.edu, Georgia Institute of Technology)

Reference
=========
N/A

Additional Information
======================

1. PoC:
https://ffs.gtisc.gatech.edu/download/ca3502e783138c47/#WQ_4uRrb_CSkyHvA5fpJMg

2. How to reproduce

we use example application from libxspf 
1) find read.cpp file and modify the file name to PoC's
2) compile and run the read program

3. We also report this problem to uriparser project team

Edited Feb 10, 2020 by Jinho Jung