Closed
Issue created Feb 10, 2020 by Jinho Jung@jinhojun

[crash] Integer underflow

Affected component(s)

  • libxspf project (makeUriString function)

  • uriparser project (uriToStringCharsRequiredA function)

Attack vector(s)

An adversary sends a crafted movie playlist file and the victim opens it with a media player that uses the libxspf library (such as VLC player).

Suggested description of the vulnerability for use in the CVE

The makeUriString() function from the Xspf class trusts the return values (i.e., int* charsRequired) from the uriparser library and thus assumes a positive value.

However, the "uriparser" library's uriToStringCharsRequired() function returns a negative value on a crafted URI string such as "http://example.co@" (actually, the function should return NULL).

Due to this integer underflow, the code crashes with a heap allocation failure.

  • libxspf
    XML_Char * makeUriString(UriUri const & uri) {
            XML_Char * uriString;
            int charsRequired;
            if (uriToStringCharsRequired(&uri, &charsRequired) != URI_SUCCESS) {
                    // uriparser should have returned NULL!
                    return NULL;
            }
            charsRequired++;
            // a negative value is stored in charsRequired (e.g., 0xffffffffff9e5331)
            // allocator error here!
            uriString = new XML_Char[charsRequired];
            if (uriToString(uriString, &uri, charsRequired, NULL) != URI_SUCCESS) {
                    delete [] uriString;
                    return NULL;
            }
            return uriString;
    }

Discoverer

Jinho Jung (jinho.jung@gatech.edu, Georgia Institute of Technology)

Reference

N/A

Additional Information

  1. PoC: https://ffs.gtisc.gatech.edu/download/ca3502e783138c47/#WQ_4uRrb_CSkyHvA5fpJMg

  2. How to reproduce

We use the example application from libxspf:

  1. Find the read.cpp file and change the file name to the PoC's.
  2. Compile and run the read program.

  3. We also reported this problem to the uriparser project team.
Edited Feb 10, 2020 by Jinho Jung
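
One way to guard the allocation described in the report, as an added example that is not libxspf's or uriparser's code. The length and write callbacks are hypothetical stand-ins for the library calls, the negative length is a constructed value, and MAX_URI_CHARS is an assumed policy cap.

```cpp
#include <cstddef>
#include <cstring>
#include <new>

// Hypothetical stand-ins for the library's "how many chars?" and "write it"
// calls (NOT uriparser's API). Both return 0 on success.
typedef int (*LengthFn)(const char *input, int *charsRequired);
typedef int (*WriteFn)(char *dest, const char *input, int maxChars);

static int honestLength(const char *in, int *out) { *out = (int)strlen(in); return 0; }
// Reports success but hands back a negative length (constructed value).
static int buggyLength(const char *, int *out) { *out = -1000; return 0; }
static int copyOut(char *dest, const char *in, int maxChars) {
    size_t const len = strlen(in);
    if (maxChars <= 0 || len >= (size_t)maxChars) return 1;
    memcpy(dest, in, len + 1);
    return 0;
}

static const int MAX_URI_CHARS = 1 << 20; // assumed policy cap, not from the page

// Same shape as makeUriString(), but the reported length is validated before
// it is incremented or used as an allocation size.
char *makeStringChecked(const char *input, LengthFn lengthFn, WriteFn writeFn) {
    int charsRequired = 0;
    if (lengthFn(input, &charsRequired) != 0) return NULL;
    // A "successful" call can still report nonsense: reject negative values
    // and anything large enough to be implausible for a URI.
    if (charsRequired < 0 || charsRequired >= MAX_URI_CHARS) return NULL;
    size_t const bufferLen = (size_t)charsRequired + 1; // room for the NUL
    char *out = new (std::nothrow) char[bufferLen];     // NULL instead of throw
    if (out == NULL) return NULL;
    if (writeFn(out, input, (int)bufferLen) != 0) {
        delete[] out;
        return NULL;
    }
    return out;
}

int main() {
    char *ok = makeStringChecked("http://example.com/", honestLength, copyOut);
    char *bad = makeStringChecked("http://example.co@", buggyLength, copyOut);
    int const rc = (ok != NULL && bad == NULL) ? 0 : 1;
    delete[] ok;
    return rc;
}
```

The range check runs before the increment, so a negative or oversized value never reaches `new[]`.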