Closed
Open
Opened Feb 10, 2020 by Jinho Jung@jinhojun

[crash] Integer underflow

Affected component(s)

  • libxspf project (makeUriString function)

  • uriparser project (uriToStringCharsRequiredA function)

Attack vector(s)

An adversary sends a crafted movie playlist file and the victim opens it with a media player that uses the libxspf library (such as VLC player).

Suggested description of the vulnerability for use in the CVE

The makeUriString() function from the Xspf class trusts the return values (i.e., int* charsRequired) from the uriparser library and thus assumes a positive value.

However, the "uriparser" library's uriToStringCharsRequired() function returns a negative value on a crafted URI string such as "http://example.co@" (actually the function should return NULL).

Due to this integer underflow, the code crashes with a heap allocation failure.

  • libxspf
    XML_Char * makeUriString(UriUri const & uri) {
            XML_Char * uriString;
            int charsRequired;
            if (uriToStringCharsRequired(&uri, &charsRequired) != URI_SUCCESS) {
                    // uriparser should have returned NULL!
                    return NULL;
            }
            charsRequired++;
            // a negative value is stored in charsRequired (e.g., 0xffffffffff9e5331)
            // allocator error here!
            uriString = new XML_Char[charsRequired];
            if (uriToString(uriString, &uri, charsRequired, NULL) != URI_SUCCESS) {
                    delete [] uriString;
                    return NULL;
            }
            return uriString;
    }

Discoverer

Jinho Jung (jinho.jung@gatech.edu, Georgia Institute of Technology)

Reference

N/A

Additional Information

  1. PoC: https://ffs.gtisc.gatech.edu/download/ca3502e783138c47/#WQ_4uRrb_CSkyHvA5fpJMg

  2. How to reproduce

     We use the example application from libxspf:

       1. Find the read.cpp file and modify the file name to the PoC's.
       2. Compile and run the read program.

  3. We also report this problem to the uriparser project team.
Edited Feb 10, 2020 by Jinho Jung
Reference: xiph/libxspf#1212
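
A hardened variant of the pattern shown in the report, as an added example that is not libxspf's or uriparser's own code: the length reported by the library is range-checked before it is incremented or used as an allocation size. `FakeUri`, `fakeCharsRequired`, `fakeToString` and `MAX_URI_CHARS` are hypothetical stand-ins so the block builds without uriparser.

```cpp
#include <climits>
#include <cstddef>
#include <cstring>
#include <new>

// Constructed stand-in for a parsed URI plus the length a library reports for it.
struct FakeUri { const char *text; int reportedLen; };

// Hypothetical stand-ins for uriToStringCharsRequired()/uriToString(); 0 means success.
static int fakeCharsRequired(const FakeUri *u, int *out) {
    *out = u->reportedLen;   // may be negative, as in the report
    return 0;
}
static int fakeToString(char *dst, const FakeUri *u, int maxChars) {
    const std::size_t n = std::strlen(u->text);
    if (maxChars <= 0 || n >= static_cast<std::size_t>(maxChars)) return 1;
    std::memcpy(dst, u->text, n + 1);
    return 0;
}

// Assumed sanity bound on URI length; not a value from libxspf.
static const int MAX_URI_CHARS = 1 << 20;

char *makeUriStringChecked(const FakeUri &uri) {
    int charsRequired = 0;
    if (fakeCharsRequired(&uri, &charsRequired) != 0) return nullptr;
    // Validate before the increment and before the value becomes an array size.
    // The upper bound also rules out signed overflow in charsRequired + 1.
    if (charsRequired < 0 || charsRequired > MAX_URI_CHARS) return nullptr;
    const std::size_t bufLen = static_cast<std::size_t>(charsRequired) + 1;
    char *uriString = new (std::nothrow) char[bufLen];
    if (uriString == nullptr) return nullptr;
    if (fakeToString(uriString, &uri, static_cast<int>(bufLen)) != 0) {
        delete[] uriString;   // length was under-reported; do not return a partial string
        return nullptr;
    }
    return uriString;
}

int main() {
    const FakeUri bad = {"http://example.co@", -1000};   // constructed negative length
    const FakeUri good = {"http://example.com/", 19};
    char *s = makeUriStringChecked(good);
    const bool ok = s != nullptr && makeUriStringChecked(bad) == nullptr;
    delete[] s;
    return ok ? 0 : 1;
}
```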