The _WM_SetupMidiEvent function in internal_midi.c:2318 in WildMIDI 0.4.2 can cause a denial of service (invalid memory read and application crash) via a crafted MIDI file. The faulting read is `sysex_store[sysex_store_len - 1]`: when the SysEx data appended by the preceding memcpy is empty (sysex_len == 0), sysex_store_len is still 0, the index wraps to 0xFFFFFFFF and the read lands far outside the heap buffer (per the register dump below, 0x6096b0 + 0xFFFFFFFF = 0x1006096af in rax). The length must be checked to be non-zero before the trailing-byte test.
./wildmidi wildmidi_0.4.2_invalid_memory_read_1.mid -o out.wav
or ./wildmidi wildmidi_0.4.2_invalid_memory_read_1.mid
debug info:
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7bc1cee in _WM_SetupMidiEvent (mdi=0x7ffff7f87010,
event_data=0x6091bc "\202\035)", running_event=144 '\220')
at /home/a/Downloads/wildmidi-master/src/internal_midi.c:2318
2318 if (sysex_store[sysex_store_len - 1] == 0xF7) {
(gdb) bt
#0 0x00007ffff7bc1cee in _WM_SetupMidiEvent (mdi=0x7ffff7f87010,
event_data=0x6091bc "\202\035)", running_event=144 '\220')
at /home/a/Downloads/wildmidi-master/src/internal_midi.c:2318
#1 0x00007ffff7bc5738 in _WM_ParseNewMidi (midi_data=0x609423 "", midi_size=0)
at /home/a/Downloads/wildmidi-master/src/f_midi.c:246
#2 0x00007ffff7bb685b in WildMidi_Open (
midifile=0x7fffffffe325 "/home/a/Documents/file")
at /home/a/Downloads/wildmidi-master/src/wildmidi_lib.c:1667
#3 0x000000000040373c in main (argc=4, argv=0x7fffffffdf88)
at /home/a/Downloads/wildmidi-master/src/wildmidi.c:1804
(gdb) disassemble 0x00007ffff7bc1cee,0x00007ffff7bc1cef
Dump of assembler code from 0x7ffff7bc1cee to 0x7ffff7bc1cef:
=> 0x00007ffff7bc1cee <_WM_SetupMidiEvent+3490>: movzbl (%rax),%eax
End of assembler dump.
(gdb) disassemble 0x00007ffff7bc1cee,0x00007ffff7bc1cff
Dump of assembler code from 0x7ffff7bc1cee to 0x7ffff7bc1cff:
=> 0x00007ffff7bc1cee <_WM_SetupMidiEvent+3490>: movzbl (%rax),%eax
0x00007ffff7bc1cf1 <_WM_SetupMidiEvent+3493>: cmp $0xf7,%al
0x00007ffff7bc1cf3 <_WM_SetupMidiEvent+3495>: jne 0x7ffff7bc1ed7 <_WM_SetupMidiEvent+3979>
0x00007ffff7bc1cf9 <_WM_SetupMidiEvent+3501>: movb $0x41,-0x40(%rbp)
0x00007ffff7bc1cfd <_WM_SetupMidiEvent+3505>: movb $0x10,-0x3f(%rbp)
End of assembler dump.
(gdb) i r
rax 0x1006096af 4301297327
rbx 0x0 0
rcx 0x0 0
rdx 0xffffffff 4294967295
rsi 0x6091bc 6328764
rdi 0x6096b0 6330032
rbp 0x7fffffffdbd0 0x7fffffffdbd0
rsp 0x7fffffffdb40 0x7fffffffdb40
r8 0x0 0
r9 0x7ffff78b97b8 140737346508728
r10 0x7ffff78b8760 140737346504544
r11 0xffffff01 4294967041
r12 0x401ea0 4202144
r13 0x7fffffffdf80 140737488347008
r14 0x0 0
r15 0x0 0
rip 0x7ffff7bc1cee 0x7ffff7bc1cee <_WM_SetupMidiEvent+3490>
eflags 0x10206 [ PF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
---Type to continue, or q to quit---
gs 0x0 0
(gdb) x/20x 0x1006096af
0x1006096af: Cannot access memory at address 0x1006096af
(gdb)
------------------line:2318
// sysex_len == 0 and sysex_store_len == 0, so sysex_store_len - 1 wraps to 0xFFFFFFFF; sysex_store (0x6096b0) + 0xFFFFFFFF = 0x1006096af, the faulting address in rax
sysex_store = realloc(sysex_store,sizeof(uint8_t) * (sysex_store_len + sysex_len));
memcpy(&sysex_store[sysex_store_len], event_data, sysex_len);
sysex_store_len += sysex_len;
if (sysex_store[sysex_store_len - 1] == 0xF7) {
uint8_t rolandsysexid[] = { 0x41, 0x10, 0x42, 0x12 };
This vulnerability has been assigned CVE-2017-11661.
The _WM_ParseNewMidi function in f_midi.c in WildMIDI 0.4.2 can cause a denial of service (invalid memory read and application crash) via a crafted MIDI file. The crash is at f_midi.c:274, `if (*tracks[i] > 0x7f)`: the per-track read pointer tracks[i] (0x7093a2 in the register dump) has advanced past the end of the loaded file data (midi_data = 0x609423), so the dereference touches unmapped memory. The track pointer is not bounded against the end of the input before it is read.
./wildmidi wildmidi_0.4.2_invalid_memory_read_2.mid -o out.wav
or ./wildmidi wildmidi_0.4.2_invalid_memory_read_2.mid
debug info:
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7bc59d9 in _WM_ParseNewMidi (midi_data=0x609423 "", midi_size=0)
at /home/a/Downloads/wildmidi-master/src/f_midi.c:274
274 if (*tracks[i] > 0x7f) {
(gdb) bt
#0 0x00007ffff7bc59d9 in _WM_ParseNewMidi (midi_data=0x609423 "", midi_size=0)
at /home/a/Downloads/wildmidi-master/src/f_midi.c:274
#1 0x00007ffff7bb685b in WildMidi_Open (
midifile=0x7fffffffe325 "/home/a/Documents/file")
at /home/a/Downloads/wildmidi-master/src/wildmidi_lib.c:1667
#2 0x000000000040373c in main (argc=4, argv=0x7fffffffdf88)
at /home/a/Downloads/wildmidi-master/src/wildmidi.c:1804
(gdb) disassemble 0x00007ffff7bc59d9,0x00007ffff7bc59ff
Dump of assembler code from 0x7ffff7bc59d9 to 0x7ffff7bc59ff:
=> 0x00007ffff7bc59d9 <_WM_ParseNewMidi+2974>: movzbl (%rax),%eax
0x00007ffff7bc59dc <_WM_ParseNewMidi+2977>: test %al,%al
0x00007ffff7bc59de <_WM_ParseNewMidi+2979>: jns 0x7ffff7bc5a6d <_WM_ParseNewMidi+3122>
0x00007ffff7bc59e4 <_WM_ParseNewMidi+2985>: mov -0x68(%rbp),%eax
0x00007ffff7bc59e7 <_WM_ParseNewMidi+2988>: lea 0x0(,%rax,4),%rdx
0x00007ffff7bc59ef <_WM_ParseNewMidi+2996>: mov -0x18(%rbp),%rax
0x00007ffff7bc59f3 <_WM_ParseNewMidi+3000>: add %rax,%rdx
0x00007ffff7bc59f6 <_WM_ParseNewMidi+3003>: mov -0x68(%rbp),%eax
0x00007ffff7bc59f9 <_WM_ParseNewMidi+3006>: lea 0x0(,%rax,4),%rcx
End of assembler dump.
(gdb) i r
rax 0x7093a2 7377826
rbx 0x0 0
rcx 0x60909d 6328477
rdx 0x8 8
rsi 0x60909d 6328477
rdi 0x7ffff7f87010 140737353642000
rbp 0x7fffffffdc60 0x7fffffffdc60
rsp 0x7fffffffdbe0 0x7fffffffdbe0
r8 0x0 0
r9 0x7ffff78b97b8 140737346508728
r10 0x7fffffffd900 140737488345344
r11 0x7ffff7592fd0 140737343205328
r12 0x401ea0 4202144
r13 0x7fffffffdf80 140737488347008
r14 0x0 0
r15 0x0 0
rip 0x7ffff7bc59d9 0x7ffff7bc59d9 <_WM_ParseNewMidi+2974>
eflags 0x10206 [ PF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
---Type to continue, or q to quit---
gs 0x0 0
(gdb) x/20x 0x7093a2
0x7093a2: Cannot access memory at address 0x7093a2
(gdb)
This vulnerability has been assigned CVE-2017-11662.
The _WM_SetupMidiEvent function in internal_midi.c:2315 in WildMIDI 0.4.2 can cause a denial of service (invalid memory read and application crash) via a crafted MIDI file. The memcpy at line 2315 copies sysex_len bytes from event_data into sysex_store, and sysex_len is taken from the file (rdx = 0x3e494d4, about 65 MB, in the register dump) without being checked against the number of bytes remaining in the input buffer, so the copy reads past the end of the loaded data.
./wildmidi wildmidi_0.4.2_invalid_memory_read_3.mid -o out.wav
or ./wildmidi wildmidi_0.4.2_invalid_memory_read_3.mid
debug info:
Breakpoint 2, 0x00007ffff7bc1cd4 in _WM_SetupMidiEvent (mdi=0x7ffff7f87010,
event_data=0x62bbd7 "", running_event=145 '\221')
at /home/a/Downloads/wildmidi-master/src/internal_midi.c:2315
2315 memcpy(&sysex_store[sysex_store_len], event_data, sysex_len);
(gdb) bt
#0 __memcpy_sse2_unaligned ()
at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:36
#1 0x00007ffff7bc1cd9 in _WM_SetupMidiEvent (mdi=0x7ffff7f87010,
event_data=0x62bbd7 "", running_event=145 '\221')
at /home/a/Downloads/wildmidi-master/src/internal_midi.c:2315
#2 0x00007ffff7bc5738 in _WM_ParseNewMidi (midi_data=0x62bca3 "", midi_size=0)
at /home/a/Downloads/wildmidi-master/src/f_midi.c:246
#3 0x00007ffff7bb685b in WildMidi_Open (
midifile=0x7fffffffe349 "/home/a/Documents/file")
at /home/a/Downloads/wildmidi-master/src/wildmidi_lib.c:1667
#4 0x000000000040373c in main (argc=2, argv=0x7fffffffdfb8)
at /home/a/Downloads/wildmidi-master/src/wildmidi.c:1804
(gdb) disassemble 0x00007ffff7bc1cb9,0x00007ffff7bc1cd9
Dump of assembler code from 0x7ffff7bc1cb9 to 0x7ffff7bc1cd9:
0x00007ffff7bc1cb9 <_WM_SetupMidiEvent+3437>: mov %rax,-0x48(%rbp)
0x00007ffff7bc1cbd <_WM_SetupMidiEvent+3441>: mov -0x5c(%rbp),%edx
0x00007ffff7bc1cc0 <_WM_SetupMidiEvent+3444>: mov -0x54(%rbp),%ecx
0x00007ffff7bc1cc3 <_WM_SetupMidiEvent+3447>: mov -0x48(%rbp),%rax
0x00007ffff7bc1cc7 <_WM_SetupMidiEvent+3451>: add %rax,%rcx
0x00007ffff7bc1cca <_WM_SetupMidiEvent+3454>: mov -0x80(%rbp),%rax
0x00007ffff7bc1cce <_WM_SetupMidiEvent+3458>: mov %rax,%rsi
0x00007ffff7bc1cd1 <_WM_SetupMidiEvent+3461>: mov %rcx,%rdi
0x00007ffff7bc1cd4 <_WM_SetupMidiEvent+3464>: callq 0x7ffff7bb1600 memcpy@plt
End of assembler dump.
(gdb) i r
rax 0x62bbd7 6470615
rbx 0x0 0
rcx 0x7fffe41b6010 140737020387344
rdx 0x3e494d4 65311956
rsi 0x62bbd7 6470615
rdi 0x7fffe41b6010 140737020387344
rbp 0x7fffffffdc00 0x7fffffffdc00
rsp 0x7fffffffdb70 0x7fffffffdb70
r8 0xffffffff 4294967295
r9 0x0 0
r10 0x22 34
r11 0xf78b9701 4153120513
r12 0x401ea0 4202144
r13 0x7fffffffdfb0 140737488347056
r14 0x0 0
r15 0x0 0
rip 0x7ffff7bc1cd4 0x7ffff7bc1cd4 <_WM_SetupMidiEvent+3464>
eflags 0x202 [ IF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
---Type to continue, or q to quit---
gs 0x0 0
(gdb) x/20x 0x44750AB
0x44750ab: Cannot access memory at address 0x44750ab
(gdb) ni
Program received signal SIGSEGV, Segmentation fault.
__memcpy_sse2_unaligned ()
at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:36
36 ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S: No such file or directory.
(gdb)
------------------ line:2315
// point: sysex_len (taken from the file) is larger than the number of bytes left in event_data, so memcpy reads past the end of the input buffer
sysex_store = realloc(sysex_store,sizeof(uint8_t) * (sysex_store_len + sysex_len));
memcpy(&sysex_store[sysex_store_len], event_data, sysex_len);
sysex_store_len += sysex_len;
This vulnerability has been assigned CVE-2017-11663.
The _WM_SetupMidiEvent function in internal_midi.c:2122 in WildMIDI 0.4.2 can cause a denial of service (invalid memory read and application crash) via a crafted MIDI file. The memcpy at line 2122 copies tmp_length bytes of track-name text from event_data, and tmp_length (rdx = 0x42073 in the register dump) is taken from the file without being bounded by the bytes remaining in the input, so the copy runs off the end of the loaded data.
./wildmidi wildmidi_0.4.2_invalid_memory_read_4.mid -o out.wav
or ./wildmidi wildmidi_0.4.2_invalid_memory_read_4.mid
debug info:
Program received signal SIGSEGV, Segmentation fault.
__memcpy_sse2_unaligned ()
at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:36
36 ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S: No such file or directory.
(gdb) bt
#0 __memcpy_sse2_unaligned ()
at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:36
#1 0x00007ffff7bc15d0 in _WM_SetupMidiEvent (mdi=0x7ffff7f87010,
event_data=0x62b927 "", running_event=0 '\000')
at /home/a/Downloads/wildmidi-master/src/internal_midi.c:2122
#2 0x00007ffff7bc5738 in _WM_ParseNewMidi (midi_data=0x62bca3 "", midi_size=0)
at /home/a/Downloads/wildmidi-master/src/f_midi.c:246
#3 0x00007ffff7bb685b in WildMidi_Open (
midifile=0x7fffffffe349 "/home/a/Documents/file")
at /home/a/Downloads/wildmidi-master/src/wildmidi_lib.c:1667
#4 0x000000000040373c in main (argc=2, argv=0x7fffffffdfb8)
at /home/a/Downloads/wildmidi-master/src/wildmidi.c:1804
(gdb) disassemble 0x00007ffff7bc15b6,0x00007ffff7bc15d0
Dump of assembler code from 0x7ffff7bc15b6 to 0x7ffff7bc15d0:
0x00007ffff7bc15b6 <_WM_SetupMidiEvent+1642>: mov %rax,-0x50(%rbp)
0x00007ffff7bc15ba <_WM_SetupMidiEvent+1646>: mov -0x60(%rbp),%edx
0x00007ffff7bc15bd <_WM_SetupMidiEvent+1649>: mov -0x80(%rbp),%rcx
0x00007ffff7bc15c1 <_WM_SetupMidiEvent+1653>: mov -0x50(%rbp),%rax
0x00007ffff7bc15c5 <_WM_SetupMidiEvent+1657>: mov %rcx,%rsi
0x00007ffff7bc15c8 <_WM_SetupMidiEvent+1660>: mov %rax,%rdi
0x00007ffff7bc15cb <_WM_SetupMidiEvent+1663>: callq 0x7ffff7bb1600 memcpy@plt
End of assembler dump.
(gdb) i r
rax 0xffff8000086e68a4 -140737346901852
rbx 0x0 0
rcx 0x840e6 540902
rdx 0x42073 270451
rsi 0x62b927 6469927
rdi 0x7ffff7f03010 140737353101328
rbp 0x7fffffffdc00 0x7fffffffdc00
rsp 0x7fffffffdb68 0x7fffffffdb68
r8 0xffffffff 4294967295
r9 0x0 0
r10 0x22 34
r11 0xf7592f01 4149817089
r12 0x401ea0 4202144
r13 0x7fffffffdfb0 140737488347056
r14 0x0 0
r15 0x0 0
rip 0x7ffff7592ffe 0x7ffff7592ffe <__memcpy_sse2_unaligned+46>
eflags 0x10206 [ PF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
---Type to continue, or q to quit---
gs 0x0 0
(gdb) x/20x 0x66D99A
0x66d99a: Cannot access memory at address 0x66d99a
(gdb)
----------------line:2122--------------
// tmp_length (taken from the file) is larger than the number of bytes left in event_data, so memcpy reads past the end of the input buffer
text = malloc(tmp_length + 1);
memcpy(text, event_data, tmp_length);
text[tmp_length] = '\0';
midi_setup_trackname(mdi, text);
This vulnerability has been assigned CVE-2017-11664.