-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Advisory: libsndfile/Winamp VOC Processing Heap Buffer
Overflow
Advisory ID: TKADV2009-006
Revision: 1.0
Release Date: 2009/05/16
Last Modified: 2009/05/16
Date Reported: 2009/04/19
Author: Tobias Klein (tk at trapkit.de)
Affected Software: libsndfile <= version 1.0.19
Winamp <= v5.552
Remotely Exploitable: Yes
Locally Exploitable: No
Vendor URL: http://www.mega-nerd.com/libsndfile/
Vendor Status: Vendor has released an updated version
Patch development time: 26 days

======================
Vulnerability Details:

libsndfile contains a heap buffer overflow vulnerability while parsing
malformed VOC (Creative Voice) media files. The vulnerability may be
exploited by a (remote) attacker to execute arbitrary code in the
context
of an application using the libsndfile library.

As libsndfile is used by Winamp (see [REF2]) this popular media player
is
also affected by this vulnerability.

See [REF3] for a list of software projects that are using the
libsndfile
library.

==================
Technical Details:

Source code file: libsndfile-1.0.19/src/voc.c

[…]
156 static int
157 voc_read_header (SF_PRIVATE *psf)
158 { VOC_DATA *pvoc ;
…
201 while (1)
202 { int size ;
203 short count ;
204
205 block_type = 0 ;
206 offset += psf_binheader_readf (psf, "1", &block_type) ;
207
208 switch (block_type)
209 { case VOC_ASCII :
210 [1] offset += psf_binheader_readf (psf, "e3", &size) ;
211
212 psf_log_printf (psf, " ASCII : %d\n", size) ;
213
214 [2] offset += psf_binheader_readf (psf, "b", psf->header,
size) ;
215 psf->header [size] = 0 ;
216 psf_log_printf (psf, " text : %s\n", psf->header) ;
217 continue ;
[…]

[1] The int variable "size" is filled with user supplied data from the
media file.
[2] The user controlled value of "size" is used as an argument for the
"psf_binheader_readf()" function.

Source code file: libsndfile-1.0.19/src/common.c

[…]
906 int
907 psf_binheader_readf (SF_PRIVATE *psf, char const format, …)
908 { va_list argptr ;
…
1035 case 'b' :
1036 charptr = va_arg (argptr, char) ;
1037 [3] count = va_arg (argptr, int) ;
1038 if (count > 0)
1039 [4] byte_count += header_read (psf, charptr, count) ;
1040 break ;
[…]

[3] The user controlled value gets stored in "count".
[4] "count" is used as an argument for the "header_read()" function.

Source code file: libsndfile-1.0.19/src/common.c

[…]
793 static int
794 header_read (SF_PRIVATE *psf, void *ptr, int bytes)
795 { int count = 0 ;
…
805 if (psf->headindex + bytes > SIGNED_SIZEOF (psf->header))
806 { int most ;
807
808 most = SIGNED_SIZEOF (psf->header) - psf->headindex ;
809 psf_fread (psf->header + psf->headend, 1, most, psf) ;
810 [5] memset ((char *) ptr + most, 0, bytes - most) ;
811
812 psf_fseek (psf, bytes - most, SEEK_CUR) ;
813 return bytes ;
814 } ;
[…]

[5] The third argument of memset() is calculated using the user
controlled
value of "bytes". This leads to a heap buffer overflow.

=========
Solution:

Upgrade to libsndfile >= version 1.0.20 (see [REF4]).

====================
Disclosure Timeline:

2009/04/19 - Initial vendor notification
2009/04/19 - Initial response from the libsndfile maintainers
2009/04/19 - Vulnerability details sent to libsndfile maintainers
2009/05/14 - Public disclosure of vulnerability details by
libsndfile
maintainers
2009/05/16 - Release date of this security advisory

========
Credits:

Vulnerability found and advisory written by Tobias Klein.

===========
References:

[REF1] www.mega-nerd.com/libsndfile/
[REF2] www.winamp.com/
[REF3]
www.mega-nerd.com/erikd/Blog/CodeHacking/libsndfile/ten_years.html
[REF4]
www.mega-nerd.com/erikd/Blog/CodeHacking/libsndfile/rel_20.html
[REF5] www.trapkit.de/advisories/TKADV2009-006.txt

========
Changes:

Revision 0.1 - Initial draft release to the vendor
Revision 1.0 - Public release

===========
Disclaimer:

The information within this advisory may change without notice. Use
of this information constitutes acceptance for use in an AS IS
condition. There are no warranties, implied or express, with regard
to this information. In no event shall the author be liable for any
direct or indirect damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this
information is at the user's own risk.

==================
PGP Signature Key:

http://www.trapkit.de/advisories/tk-advisories-signature-key.asc

Copyright 2009 Tobias Klein. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG

iD8DBQFKDnUykXxgcAIbhEERAjh2AKDHaFAm87Tfkfbhc3cZtPCF/MW6sACdFV/5
DHg3SlP9tOgZP3YLjkpt6WE=
=aDXB
-----END PGP SIGNATURE-----