Multiple bugs

1.
the _WM_SetupMidiEvent function in internal_midi.c:2318 in WildMIDI 0.4.2 can cause a denial of service(invalid memory read and application crash) via a crafted mid file.

./wildmidi wildmidi_0.4.2_invalid_memory_read_1.mid -o out.wav 
or ./wildmidi wildmidi_0.4.2_invalid_memory_read_1.mid

debug info:
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7bc1cee in _WM_SetupMidiEvent (mdi=0x7ffff7f87010, 
    event_data=0x6091bc "\202\035)", running_event=144 '\220')
    at /home/a/Downloads/wildmidi-master/src/internal_midi.c:2318
2318	                if (sysex_store[sysex_store_len - 1] == 0xF7) {
(gdb) bt
#0  0x00007ffff7bc1cee in _WM_SetupMidiEvent (mdi=0x7ffff7f87010, 
    event_data=0x6091bc "\202\035)", running_event=144 '\220')
    at /home/a/Downloads/wildmidi-master/src/internal_midi.c:2318
#1  0x00007ffff7bc5738 in _WM_ParseNewMidi (midi_data=0x609423 "", midi_size=0)
    at /home/a/Downloads/wildmidi-master/src/f_midi.c:246
#2  0x00007ffff7bb685b in WildMidi_Open (
    midifile=0x7fffffffe325 "/home/a/Documents/file")
    at /home/a/Downloads/wildmidi-master/src/wildmidi_lib.c:1667
#3  0x000000000040373c in main (argc=4, argv=0x7fffffffdf88)
    at /home/a/Downloads/wildmidi-master/src/wildmidi.c:1804
(gdb) disassemble 0x00007ffff7bc1cee,0x00007ffff7bc1cef
Dump of assembler code from 0x7ffff7bc1cee to 0x7ffff7bc1cef:
=> 0x00007ffff7bc1cee <_WM_SetupMidiEvent+3490>:	movzbl (%rax),%eax
End of assembler dump.
(gdb) disassemble 0x00007ffff7bc1cee,0x00007ffff7bc1cff
Dump of assembler code from 0x7ffff7bc1cee to 0x7ffff7bc1cff:
=> 0x00007ffff7bc1cee <_WM_SetupMidiEvent+3490>:	movzbl (%rax),%eax
   0x00007ffff7bc1cf1 <_WM_SetupMidiEvent+3493>:	cmp    $0xf7,%al
   0x00007ffff7bc1cf3 <_WM_SetupMidiEvent+3495>:	jne    0x7ffff7bc1ed7 <_WM_SetupMidiEvent+3979>
   0x00007ffff7bc1cf9 <_WM_SetupMidiEvent+3501>:	movb   $0x41,-0x40(%rbp)
   0x00007ffff7bc1cfd <_WM_SetupMidiEvent+3505>:	movb   $0x10,-0x3f(%rbp)
End of assembler dump.
(gdb) i r
rax            0x1006096af	4301297327
rbx            0x0	0
rcx            0x0	0
rdx            0xffffffff	4294967295
rsi            0x6091bc	6328764
rdi            0x6096b0	6330032
rbp            0x7fffffffdbd0	0x7fffffffdbd0
rsp            0x7fffffffdb40	0x7fffffffdb40
r8             0x0	0
r9             0x7ffff78b97b8	140737346508728
r10            0x7ffff78b8760	140737346504544
r11            0xffffff01	4294967041
r12            0x401ea0	4202144
r13            0x7fffffffdf80	140737488347008
r14            0x0	0
r15            0x0	0
rip            0x7ffff7bc1cee	0x7ffff7bc1cee <_WM_SetupMidiEvent+3490>
eflags         0x10206	[ PF IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
---Type <return> to continue, or q <return> to quit---
gs             0x0	0
(gdb) x/20x 0x1006096af
0x1006096af:	Cannot access memory at address 0x1006096af
(gdb) 

------------------line:2318
//sysex_len , sysex_store_len = 0,sysex_store_len - 1 = 0xFFFFFFFF 0x6096b0 + 0xFFFFFFFF = 0x1006096af

sysex_store = realloc(sysex_store,sizeof(uint8_t) * (sysex_store_len + sysex_len));
memcpy(&sysex_store[sysex_store_len], event_data, sysex_len);
sysex_store_len += sysex_len;

if (sysex_store[sysex_store_len - 1] == 0xF7) {
    uint8_t rolandsysexid[] = { 0x41, 0x10, 0x42, 0x12 };

This vulnerability has been assigned as CVE-2017-11661

2.
the _WM_ParseNewMidi function in f_midi.c in WildMIDI 0.4.2 can cause a denial of service(invalid memory read and application crash) via a crafted mid file.

./wildmidi wildmidi_0.4.2_invalid_memory_read_2.mid -o out.wav 
or ./wildmidi wildmidi_0.4.2_invalid_memory_read_2.mid

debug info:
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7bc59d9 in _WM_ParseNewMidi (midi_data=0x609423 "", midi_size=0)
    at /home/a/Downloads/wildmidi-master/src/f_midi.c:274
274	                    if (*tracks[i] > 0x7f) {
(gdb) bt
#0  0x00007ffff7bc59d9 in _WM_ParseNewMidi (midi_data=0x609423 "", midi_size=0)
    at /home/a/Downloads/wildmidi-master/src/f_midi.c:274
#1  0x00007ffff7bb685b in WildMidi_Open (
    midifile=0x7fffffffe325 "/home/a/Documents/file")
    at /home/a/Downloads/wildmidi-master/src/wildmidi_lib.c:1667
#2  0x000000000040373c in main (argc=4, argv=0x7fffffffdf88)
    at /home/a/Downloads/wildmidi-master/src/wildmidi.c:1804
(gdb) disassemble 0x00007ffff7bc59d9,0x00007ffff7bc59ff
Dump of assembler code from 0x7ffff7bc59d9 to 0x7ffff7bc59ff:
=> 0x00007ffff7bc59d9 <_WM_ParseNewMidi+2974>:	movzbl (%rax),%eax
   0x00007ffff7bc59dc <_WM_ParseNewMidi+2977>:	test   %al,%al
   0x00007ffff7bc59de <_WM_ParseNewMidi+2979>:	jns    0x7ffff7bc5a6d <_WM_ParseNewMidi+3122>
   0x00007ffff7bc59e4 <_WM_ParseNewMidi+2985>:	mov    -0x68(%rbp),%eax
   0x00007ffff7bc59e7 <_WM_ParseNewMidi+2988>:	lea    0x0(,%rax,4),%rdx
   0x00007ffff7bc59ef <_WM_ParseNewMidi+2996>:	mov    -0x18(%rbp),%rax
   0x00007ffff7bc59f3 <_WM_ParseNewMidi+3000>:	add    %rax,%rdx
   0x00007ffff7bc59f6 <_WM_ParseNewMidi+3003>:	mov    -0x68(%rbp),%eax
   0x00007ffff7bc59f9 <_WM_ParseNewMidi+3006>:	lea    0x0(,%rax,4),%rcx
End of assembler dump.
(gdb) i r
rax            0x7093a2	7377826
rbx            0x0	0
rcx            0x60909d	6328477
rdx            0x8	8
rsi            0x60909d	6328477
rdi            0x7ffff7f87010	140737353642000
rbp            0x7fffffffdc60	0x7fffffffdc60
rsp            0x7fffffffdbe0	0x7fffffffdbe0
r8             0x0	0
r9             0x7ffff78b97b8	140737346508728
r10            0x7fffffffd900	140737488345344
r11            0x7ffff7592fd0	140737343205328
r12            0x401ea0	4202144
r13            0x7fffffffdf80	140737488347008
r14            0x0	0
r15            0x0	0
rip            0x7ffff7bc59d9	0x7ffff7bc59d9 <_WM_ParseNewMidi+2974>
eflags         0x10206	[ PF IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
---Type <return> to continue, or q <return> to quit---
gs             0x0	0
(gdb) x/20x 0x7093a2
0x7093a2:	Cannot access memory at address 0x7093a2
(gdb)

This vulnerability has been assigned as CVE-2017-11662

3.
the _WM_SetupMidiEvent function in internal_midi.c:2315 in WildMIDI 0.4.2 can cause a denial of service(invalid memory read and application crash) via a crafted mid file.

./wildmidi wildmidi_0.4.2_invalid_memory_read_3.mid -o out.wav 
or ./wildmidi wildmidi_0.4.2_invalid_memory_read_3.mid

debug info:
Breakpoint 2, 0x00007ffff7bc1cd4 in _WM_SetupMidiEvent (mdi=0x7ffff7f87010, 
event_data=0x62bbd7 "", running_event=145 '\221')
at /home/a/Downloads/wildmidi-master/src/internal_midi.c:2315
2315	                memcpy(&sysex_store[sysex_store_len], event_data, sysex_len);
(gdb) bt
#0  __memcpy_sse2_unaligned ()
    at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:36
#1  0x00007ffff7bc1cd9 in _WM_SetupMidiEvent (mdi=0x7ffff7f87010, 
    event_data=0x62bbd7 "", running_event=145 '\221')
    at /home/a/Downloads/wildmidi-master/src/internal_midi.c:2315
#2  0x00007ffff7bc5738 in _WM_ParseNewMidi (midi_data=0x62bca3 "", midi_size=0)
    at /home/a/Downloads/wildmidi-master/src/f_midi.c:246
#3  0x00007ffff7bb685b in WildMidi_Open (
    midifile=0x7fffffffe349 "/home/a/Documents/file")
    at /home/a/Downloads/wildmidi-master/src/wildmidi_lib.c:1667
#4  0x000000000040373c in main (argc=2, argv=0x7fffffffdfb8)
    at /home/a/Downloads/wildmidi-master/src/wildmidi.c:1804
(gdb) disassemble 0x00007ffff7bc1cb9,0x00007ffff7bc1cd9
Dump of assembler code from 0x7ffff7bc1cb9 to 0x7ffff7bc1cd9:
   0x00007ffff7bc1cb9 <_WM_SetupMidiEvent+3437>:	mov    %rax,-0x48(%rbp)
   0x00007ffff7bc1cbd <_WM_SetupMidiEvent+3441>:	mov    -0x5c(%rbp),%edx
   0x00007ffff7bc1cc0 <_WM_SetupMidiEvent+3444>:	mov    -0x54(%rbp),%ecx
   0x00007ffff7bc1cc3 <_WM_SetupMidiEvent+3447>:	mov    -0x48(%rbp),%rax
   0x00007ffff7bc1cc7 <_WM_SetupMidiEvent+3451>:	add    %rax,%rcx
   0x00007ffff7bc1cca <_WM_SetupMidiEvent+3454>:	mov    -0x80(%rbp),%rax
   0x00007ffff7bc1cce <_WM_SetupMidiEvent+3458>:	mov    %rax,%rsi
   0x00007ffff7bc1cd1 <_WM_SetupMidiEvent+3461>:	mov    %rcx,%rdi
   0x00007ffff7bc1cd4 <_WM_SetupMidiEvent+3464>:	callq  0x7ffff7bb1600 <memcpy@plt>
End of assembler dump.
(gdb) i r
rax            0x62bbd7	6470615
rbx            0x0	0
rcx            0x7fffe41b6010	140737020387344
rdx            0x3e494d4	65311956
rsi            0x62bbd7	6470615
rdi            0x7fffe41b6010	140737020387344
rbp            0x7fffffffdc00	0x7fffffffdc00
rsp            0x7fffffffdb70	0x7fffffffdb70
r8             0xffffffff	4294967295
r9             0x0	0
r10            0x22	34
r11            0xf78b9701	4153120513
r12            0x401ea0	4202144
r13            0x7fffffffdfb0	140737488347056
r14            0x0	0
r15            0x0	0
rip            0x7ffff7bc1cd4	0x7ffff7bc1cd4 <_WM_SetupMidiEvent+3464>
eflags         0x202	[ IF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
---Type <return> to continue, or q <return> to quit---
gs             0x0	0
(gdb) x/20x 0x44750AB
0x44750ab:	Cannot access memory at address 0x44750ab
(gdb) ni

Program received signal SIGSEGV, Segmentation fault.
__memcpy_sse2_unaligned ()
    at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:36
36	../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S: No such file or directory.
(gdb)
------------------ line:2315
//point:sysex_len is larger than the length of event_data
sysex_store = realloc(sysex_store,sizeof(uint8_t) * (sysex_store_len + sysex_len));
memcpy(&sysex_store[sysex_store_len], event_data, sysex_len);
sysex_store_len += sysex_len;

This vulnerability has been assigned as CVE-2017-11663

4.
the _WM_SetupMidiEvent function in internal_midi.c:2122 in WildMIDI 0.4.2 can cause a denial of service(invalid memory read and application crash) via a crafted mid file.

./wildmidi wildmidi_0.4.2_invalid_memory_read_4.mid -o out.wav 
or ./wildmidi wildmidi_0.4.2_invalid_memory_read_4.mid

debug info:
Program received signal SIGSEGV, Segmentation fault.
__memcpy_sse2_unaligned ()
    at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:36
36	../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S: No such file or directory.
	(gdb) bt
#0  __memcpy_sse2_unaligned ()
    at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:36
#1  0x00007ffff7bc15d0 in _WM_SetupMidiEvent (mdi=0x7ffff7f87010, 
    event_data=0x62b927 "", running_event=0 '\000')
    at /home/a/Downloads/wildmidi-master/src/internal_midi.c:2122
#2  0x00007ffff7bc5738 in _WM_ParseNewMidi (midi_data=0x62bca3 "", midi_size=0)
    at /home/a/Downloads/wildmidi-master/src/f_midi.c:246
#3  0x00007ffff7bb685b in WildMidi_Open (
    midifile=0x7fffffffe349 "/home/a/Documents/file")
    at /home/a/Downloads/wildmidi-master/src/wildmidi_lib.c:1667
#4  0x000000000040373c in main (argc=2, argv=0x7fffffffdfb8)
    at /home/a/Downloads/wildmidi-master/src/wildmidi.c:1804
(gdb) disassemble 0x00007ffff7bc15b6,0x00007ffff7bc15d0
Dump of assembler code from 0x7ffff7bc15b6 to 0x7ffff7bc15d0:
   0x00007ffff7bc15b6 <_WM_SetupMidiEvent+1642>:	mov    %rax,-0x50(%rbp)
   0x00007ffff7bc15ba <_WM_SetupMidiEvent+1646>:	mov    -0x60(%rbp),%edx
   0x00007ffff7bc15bd <_WM_SetupMidiEvent+1649>:	mov    -0x80(%rbp),%rcx
   0x00007ffff7bc15c1 <_WM_SetupMidiEvent+1653>:	mov    -0x50(%rbp),%rax
   0x00007ffff7bc15c5 <_WM_SetupMidiEvent+1657>:	mov    %rcx,%rsi
   0x00007ffff7bc15c8 <_WM_SetupMidiEvent+1660>:	mov    %rax,%rdi
   0x00007ffff7bc15cb <_WM_SetupMidiEvent+1663>:	callq  0x7ffff7bb1600 <memcpy@plt>
End of assembler dump.
(gdb) i r
rax            0xffff8000086e68a4	-140737346901852
rbx            0x0	0
rcx            0x840e6	540902
rdx            0x42073	270451
rsi            0x62b927	6469927
rdi            0x7ffff7f03010	140737353101328
rbp            0x7fffffffdc00	0x7fffffffdc00
rsp            0x7fffffffdb68	0x7fffffffdb68
r8             0xffffffff	4294967295
r9             0x0	0
r10            0x22	34
r11            0xf7592f01	4149817089
r12            0x401ea0	4202144
r13            0x7fffffffdfb0	140737488347056
r14            0x0	0
r15            0x0	0
rip            0x7ffff7592ffe	0x7ffff7592ffe <__memcpy_sse2_unaligned+46>
eflags         0x10206	[ PF IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
---Type <return> to continue, or q <return> to quit---
gs             0x0	0
(gdb) x/20x 0x66D99A
0x66d99a:	Cannot access memory at address 0x66d99a
(gdb) 

----------------line:2122--------------
//the tmp_length is larger than the length of event_data
text = malloc(tmp_length + 1);
memcpy(text, event_data, tmp_length);
text[tmp_length] = '\0';
midi_setup_trackname(mdi, text);

This vulnerability has been assigned as CVE-2017-11664


[poc.zip](https://github.com/Mindwerks/wildmidi/files/1186857/poc.zip)


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Multiple bugs #175

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Multiple bugs #175

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions