Skip to content

Multiple bugs #175

@qflb

Description

@qflb

the _WM_SetupMidiEvent function in internal_midi.c:2318 in WildMIDI 0.4.2 can cause a denial of service(invalid memory read and application crash) via a crafted mid file.

./wildmidi wildmidi_0.4.2_invalid_memory_read_1.mid -o out.wav
or ./wildmidi wildmidi_0.4.2_invalid_memory_read_1.mid

debug info:
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7bc1cee in _WM_SetupMidiEvent (mdi=0x7ffff7f87010,
event_data=0x6091bc "\202\035)", running_event=144 '\220')
at /home/a/Downloads/wildmidi-master/src/internal_midi.c:2318
2318 if (sysex_store[sysex_store_len - 1] == 0xF7) {
(gdb) bt
#0 0x00007ffff7bc1cee in _WM_SetupMidiEvent (mdi=0x7ffff7f87010,
event_data=0x6091bc "\202\035)", running_event=144 '\220')
at /home/a/Downloads/wildmidi-master/src/internal_midi.c:2318
#1 0x00007ffff7bc5738 in _WM_ParseNewMidi (midi_data=0x609423 "", midi_size=0)
at /home/a/Downloads/wildmidi-master/src/f_midi.c:246
#2 0x00007ffff7bb685b in WildMidi_Open (
midifile=0x7fffffffe325 "/home/a/Documents/file")
at /home/a/Downloads/wildmidi-master/src/wildmidi_lib.c:1667
#3 0x000000000040373c in main (argc=4, argv=0x7fffffffdf88)
at /home/a/Downloads/wildmidi-master/src/wildmidi.c:1804
(gdb) disassemble 0x00007ffff7bc1cee,0x00007ffff7bc1cef
Dump of assembler code from 0x7ffff7bc1cee to 0x7ffff7bc1cef:
=> 0x00007ffff7bc1cee <_WM_SetupMidiEvent+3490>: movzbl (%rax),%eax
End of assembler dump.
(gdb) disassemble 0x00007ffff7bc1cee,0x00007ffff7bc1cff
Dump of assembler code from 0x7ffff7bc1cee to 0x7ffff7bc1cff:
=> 0x00007ffff7bc1cee <_WM_SetupMidiEvent+3490>: movzbl (%rax),%eax
0x00007ffff7bc1cf1 <_WM_SetupMidiEvent+3493>: cmp $0xf7,%al
0x00007ffff7bc1cf3 <_WM_SetupMidiEvent+3495>: jne 0x7ffff7bc1ed7 <_WM_SetupMidiEvent+3979>
0x00007ffff7bc1cf9 <_WM_SetupMidiEvent+3501>: movb $0x41,-0x40(%rbp)
0x00007ffff7bc1cfd <_WM_SetupMidiEvent+3505>: movb $0x10,-0x3f(%rbp)
End of assembler dump.
(gdb) i r
rax 0x1006096af 4301297327
rbx 0x0 0
rcx 0x0 0
rdx 0xffffffff 4294967295
rsi 0x6091bc 6328764
rdi 0x6096b0 6330032
rbp 0x7fffffffdbd0 0x7fffffffdbd0
rsp 0x7fffffffdb40 0x7fffffffdb40
r8 0x0 0
r9 0x7ffff78b97b8 140737346508728
r10 0x7ffff78b8760 140737346504544
r11 0xffffff01 4294967041
r12 0x401ea0 4202144
r13 0x7fffffffdf80 140737488347008
r14 0x0 0
r15 0x0 0
rip 0x7ffff7bc1cee 0x7ffff7bc1cee <_WM_SetupMidiEvent+3490>
eflags 0x10206 [ PF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
---Type to continue, or q to quit---
gs 0x0 0
(gdb) x/20x 0x1006096af
0x1006096af: Cannot access memory at address 0x1006096af
(gdb)

------------------line:2318
//sysex_len , sysex_store_len = 0,sysex_store_len - 1 = 0xFFFFFFFF 0x6096b0 + 0xFFFFFFFF = 0x1006096af

sysex_store = realloc(sysex_store,sizeof(uint8_t) * (sysex_store_len + sysex_len));
memcpy(&sysex_store[sysex_store_len], event_data, sysex_len);
sysex_store_len += sysex_len;

if (sysex_store[sysex_store_len - 1] == 0xF7) {
uint8_t rolandsysexid[] = { 0x41, 0x10, 0x42, 0x12 };

This vulnerability has been assigned as CVE-2017-11661

the _WM_ParseNewMidi function in f_midi.c in WildMIDI 0.4.2 can cause a denial of service(invalid memory read and application crash) via a crafted mid file.

./wildmidi wildmidi_0.4.2_invalid_memory_read_2.mid -o out.wav
or ./wildmidi wildmidi_0.4.2_invalid_memory_read_2.mid

debug info:
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7bc59d9 in _WM_ParseNewMidi (midi_data=0x609423 "", midi_size=0)
at /home/a/Downloads/wildmidi-master/src/f_midi.c:274
274 if (*tracks[i] > 0x7f) {
(gdb) bt
#0 0x00007ffff7bc59d9 in _WM_ParseNewMidi (midi_data=0x609423 "", midi_size=0)
at /home/a/Downloads/wildmidi-master/src/f_midi.c:274
#1 0x00007ffff7bb685b in WildMidi_Open (
midifile=0x7fffffffe325 "/home/a/Documents/file")
at /home/a/Downloads/wildmidi-master/src/wildmidi_lib.c:1667
#2 0x000000000040373c in main (argc=4, argv=0x7fffffffdf88)
at /home/a/Downloads/wildmidi-master/src/wildmidi.c:1804
(gdb) disassemble 0x00007ffff7bc59d9,0x00007ffff7bc59ff
Dump of assembler code from 0x7ffff7bc59d9 to 0x7ffff7bc59ff:
=> 0x00007ffff7bc59d9 <_WM_ParseNewMidi+2974>: movzbl (%rax),%eax
0x00007ffff7bc59dc <_WM_ParseNewMidi+2977>: test %al,%al
0x00007ffff7bc59de <_WM_ParseNewMidi+2979>: jns 0x7ffff7bc5a6d <_WM_ParseNewMidi+3122>
0x00007ffff7bc59e4 <_WM_ParseNewMidi+2985>: mov -0x68(%rbp),%eax
0x00007ffff7bc59e7 <_WM_ParseNewMidi+2988>: lea 0x0(,%rax,4),%rdx
0x00007ffff7bc59ef <_WM_ParseNewMidi+2996>: mov -0x18(%rbp),%rax
0x00007ffff7bc59f3 <_WM_ParseNewMidi+3000>: add %rax,%rdx
0x00007ffff7bc59f6 <_WM_ParseNewMidi+3003>: mov -0x68(%rbp),%eax
0x00007ffff7bc59f9 <_WM_ParseNewMidi+3006>: lea 0x0(,%rax,4),%rcx
End of assembler dump.
(gdb) i r
rax 0x7093a2 7377826
rbx 0x0 0
rcx 0x60909d 6328477
rdx 0x8 8
rsi 0x60909d 6328477
rdi 0x7ffff7f87010 140737353642000
rbp 0x7fffffffdc60 0x7fffffffdc60
rsp 0x7fffffffdbe0 0x7fffffffdbe0
r8 0x0 0
r9 0x7ffff78b97b8 140737346508728
r10 0x7fffffffd900 140737488345344
r11 0x7ffff7592fd0 140737343205328
r12 0x401ea0 4202144
r13 0x7fffffffdf80 140737488347008
r14 0x0 0
r15 0x0 0
rip 0x7ffff7bc59d9 0x7ffff7bc59d9 <_WM_ParseNewMidi+2974>
eflags 0x10206 [ PF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
---Type to continue, or q to quit---
gs 0x0 0
(gdb) x/20x 0x7093a2
0x7093a2: Cannot access memory at address 0x7093a2
(gdb)

This vulnerability has been assigned as CVE-2017-11662

the _WM_SetupMidiEvent function in internal_midi.c:2315 in WildMIDI 0.4.2 can cause a denial of service(invalid memory read and application crash) via a crafted mid file.

./wildmidi wildmidi_0.4.2_invalid_memory_read_3.mid -o out.wav
or ./wildmidi wildmidi_0.4.2_invalid_memory_read_3.mid

debug info:
Breakpoint 2, 0x00007ffff7bc1cd4 in _WM_SetupMidiEvent (mdi=0x7ffff7f87010,
event_data=0x62bbd7 "", running_event=145 '\221')
at /home/a/Downloads/wildmidi-master/src/internal_midi.c:2315
2315 memcpy(&sysex_store[sysex_store_len], event_data, sysex_len);
(gdb) bt
#0 __memcpy_sse2_unaligned ()
at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:36
#1 0x00007ffff7bc1cd9 in _WM_SetupMidiEvent (mdi=0x7ffff7f87010,
event_data=0x62bbd7 "", running_event=145 '\221')
at /home/a/Downloads/wildmidi-master/src/internal_midi.c:2315
#2 0x00007ffff7bc5738 in _WM_ParseNewMidi (midi_data=0x62bca3 "", midi_size=0)
at /home/a/Downloads/wildmidi-master/src/f_midi.c:246
#3 0x00007ffff7bb685b in WildMidi_Open (
midifile=0x7fffffffe349 "/home/a/Documents/file")
at /home/a/Downloads/wildmidi-master/src/wildmidi_lib.c:1667
#4 0x000000000040373c in main (argc=2, argv=0x7fffffffdfb8)
at /home/a/Downloads/wildmidi-master/src/wildmidi.c:1804
(gdb) disassemble 0x00007ffff7bc1cb9,0x00007ffff7bc1cd9
Dump of assembler code from 0x7ffff7bc1cb9 to 0x7ffff7bc1cd9:
0x00007ffff7bc1cb9 <_WM_SetupMidiEvent+3437>: mov %rax,-0x48(%rbp)
0x00007ffff7bc1cbd <_WM_SetupMidiEvent+3441>: mov -0x5c(%rbp),%edx
0x00007ffff7bc1cc0 <_WM_SetupMidiEvent+3444>: mov -0x54(%rbp),%ecx
0x00007ffff7bc1cc3 <_WM_SetupMidiEvent+3447>: mov -0x48(%rbp),%rax
0x00007ffff7bc1cc7 <_WM_SetupMidiEvent+3451>: add %rax,%rcx
0x00007ffff7bc1cca <_WM_SetupMidiEvent+3454>: mov -0x80(%rbp),%rax
0x00007ffff7bc1cce <_WM_SetupMidiEvent+3458>: mov %rax,%rsi
0x00007ffff7bc1cd1 <_WM_SetupMidiEvent+3461>: mov %rcx,%rdi
0x00007ffff7bc1cd4 <_WM_SetupMidiEvent+3464>: callq 0x7ffff7bb1600 memcpy@plt
End of assembler dump.
(gdb) i r
rax 0x62bbd7 6470615
rbx 0x0 0
rcx 0x7fffe41b6010 140737020387344
rdx 0x3e494d4 65311956
rsi 0x62bbd7 6470615
rdi 0x7fffe41b6010 140737020387344
rbp 0x7fffffffdc00 0x7fffffffdc00
rsp 0x7fffffffdb70 0x7fffffffdb70
r8 0xffffffff 4294967295
r9 0x0 0
r10 0x22 34
r11 0xf78b9701 4153120513
r12 0x401ea0 4202144
r13 0x7fffffffdfb0 140737488347056
r14 0x0 0
r15 0x0 0
rip 0x7ffff7bc1cd4 0x7ffff7bc1cd4 <_WM_SetupMidiEvent+3464>
eflags 0x202 [ IF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
---Type to continue, or q to quit---
gs 0x0 0
(gdb) x/20x 0x44750AB
0x44750ab: Cannot access memory at address 0x44750ab
(gdb) ni

Program received signal SIGSEGV, Segmentation fault.
__memcpy_sse2_unaligned ()
at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:36
36 ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S: No such file or directory.
(gdb)
------------------ line:2315
//point:sysex_len is larger than the length of event_data
sysex_store = realloc(sysex_store,sizeof(uint8_t) * (sysex_store_len + sysex_len));
memcpy(&sysex_store[sysex_store_len], event_data, sysex_len);
sysex_store_len += sysex_len;

This vulnerability has been assigned as CVE-2017-11663

the _WM_SetupMidiEvent function in internal_midi.c:2122 in WildMIDI 0.4.2 can cause a denial of service(invalid memory read and application crash) via a crafted mid file.

./wildmidi wildmidi_0.4.2_invalid_memory_read_4.mid -o out.wav
or ./wildmidi wildmidi_0.4.2_invalid_memory_read_4.mid

debug info:
Program received signal SIGSEGV, Segmentation fault.
__memcpy_sse2_unaligned ()
at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:36
36 ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S: No such file or directory.
(gdb) bt
#0 __memcpy_sse2_unaligned ()
at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:36
#1 0x00007ffff7bc15d0 in _WM_SetupMidiEvent (mdi=0x7ffff7f87010,
event_data=0x62b927 "", running_event=0 '\000')
at /home/a/Downloads/wildmidi-master/src/internal_midi.c:2122
#2 0x00007ffff7bc5738 in _WM_ParseNewMidi (midi_data=0x62bca3 "", midi_size=0)
at /home/a/Downloads/wildmidi-master/src/f_midi.c:246
#3 0x00007ffff7bb685b in WildMidi_Open (
midifile=0x7fffffffe349 "/home/a/Documents/file")
at /home/a/Downloads/wildmidi-master/src/wildmidi_lib.c:1667
#4 0x000000000040373c in main (argc=2, argv=0x7fffffffdfb8)
at /home/a/Downloads/wildmidi-master/src/wildmidi.c:1804
(gdb) disassemble 0x00007ffff7bc15b6,0x00007ffff7bc15d0
Dump of assembler code from 0x7ffff7bc15b6 to 0x7ffff7bc15d0:
0x00007ffff7bc15b6 <_WM_SetupMidiEvent+1642>: mov %rax,-0x50(%rbp)
0x00007ffff7bc15ba <_WM_SetupMidiEvent+1646>: mov -0x60(%rbp),%edx
0x00007ffff7bc15bd <_WM_SetupMidiEvent+1649>: mov -0x80(%rbp),%rcx
0x00007ffff7bc15c1 <_WM_SetupMidiEvent+1653>: mov -0x50(%rbp),%rax
0x00007ffff7bc15c5 <_WM_SetupMidiEvent+1657>: mov %rcx,%rsi
0x00007ffff7bc15c8 <_WM_SetupMidiEvent+1660>: mov %rax,%rdi
0x00007ffff7bc15cb <_WM_SetupMidiEvent+1663>: callq 0x7ffff7bb1600 memcpy@plt
End of assembler dump.
(gdb) i r
rax 0xffff8000086e68a4 -140737346901852
rbx 0x0 0
rcx 0x840e6 540902
rdx 0x42073 270451
rsi 0x62b927 6469927
rdi 0x7ffff7f03010 140737353101328
rbp 0x7fffffffdc00 0x7fffffffdc00
rsp 0x7fffffffdb68 0x7fffffffdb68
r8 0xffffffff 4294967295
r9 0x0 0
r10 0x22 34
r11 0xf7592f01 4149817089
r12 0x401ea0 4202144
r13 0x7fffffffdfb0 140737488347056
r14 0x0 0
r15 0x0 0
rip 0x7ffff7592ffe 0x7ffff7592ffe <__memcpy_sse2_unaligned+46>
eflags 0x10206 [ PF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
---Type to continue, or q to quit---
gs 0x0 0
(gdb) x/20x 0x66D99A
0x66d99a: Cannot access memory at address 0x66d99a
(gdb)

----------------line:2122--------------
//the tmp_length is larger than the length of event_data
text = malloc(tmp_length + 1);
memcpy(text, event_data, tmp_length);
text[tmp_length] = '\0';
midi_setup_trackname(mdi, text);

This vulnerability has been assigned as CVE-2017-11664

poc.zip

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions