New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Heap-based buffer overflow in CxadbmfPlayer::__bmf_convert_stream() #85
Labels
Comments
|
This issue has been assigned CVE-2019-14690. |
miller-alex
added a commit
to miller-alex/adplug
that referenced
this issue
Apr 3, 2020
While fuzzing AdPlug with American Fuzzy Lop, Frederic Cambus found several memory issues and reported them on github. Hook up the reproducers he provided as test cases in stresstest.cpp. This includes tests for the following github issues: * Issue adplug#85 ("Heap-based buffer overflow in CxadbmfPlayer::__bmf_convert_stream()") * Issue adplug#86 ("Heap-based buffer overflow in CdtmLoader::load()") * Issue adplug#87 ("Heap-based buffer overflow in CmkjPlayer::load()") * Issue adplug#88 ("Multiple heap-based buffer overflows in Ca2mLoader::load()") * Issue adplug#89 ("Multiple heap-based buffer overflows in CradLoader::load()") * Issue adplug#90 ("Multiple heap-based buffer overflows in CmtkLoader::load()") * Issue adplug#91 ("Double free in Cu6mPlayer::~Cu6mPlayer()") Co-authored-by: Frederic Cambus <fred@statdns.com> Bug: adplug#85 Bug: adplug#86 Bug: adplug#87 Bug: adplug#88 Bug: adplug#89 Bug: adplug#90 Bug: adplug#91
miller-alex
added a commit
to miller-alex/adplug
that referenced
this issue
Apr 3, 2020
There are no checks validating the integrity of .bmf files in the methods CxadbmfPlayer::xadplayer_load() and CxadbmfPlayer::__bmf_convert_stream() used to load them. A broken or malicious .bmf file can easily cause invalid memory accesses. This commit addresses the following issues: * Add checks whether the input buffer has enough data available before accessing it in many places. Abort loading otherwise. * Replace unlimited strcpy for instrument names with code that doesn't overflow the destination buffer. * Check index when loading instrument data in BMF0_9B files. * Fail loading if number of streams encoded in version BMF0_9B files exceeds the maximum. * Don't overflow buffer if stream is too long. This fixes CVE-2019-14690. Fixes: adplug#85 Fixes: adplug#93
This was referenced Apr 3, 2020
Closed
Malvineous
pushed a commit
that referenced
this issue
May 11, 2020
While fuzzing AdPlug with American Fuzzy Lop, Frederic Cambus found several memory issues and reported them on github. Hook up the reproducers he provided as test cases in stresstest.cpp. This includes tests for the following github issues: * Issue #85 ("Heap-based buffer overflow in CxadbmfPlayer::__bmf_convert_stream()") * Issue #86 ("Heap-based buffer overflow in CdtmLoader::load()") * Issue #87 ("Heap-based buffer overflow in CmkjPlayer::load()") * Issue #88 ("Multiple heap-based buffer overflows in Ca2mLoader::load()") * Issue #89 ("Multiple heap-based buffer overflows in CradLoader::load()") * Issue #90 ("Multiple heap-based buffer overflows in CmtkLoader::load()") * Issue #91 ("Double free in Cu6mPlayer::~Cu6mPlayer()") Co-authored-by: Frederic Cambus <fred@statdns.com> Bug: #85 Bug: #86 Bug: #87 Bug: #88 Bug: #89 Bug: #90 Bug: #91
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi,
While fuzzing AdPlug with American Fuzzy Lop, I found a heap-based buffer overflow in CxadbmfPlayer::__bmf_convert_stream(), in src/bmf.cpp L430.
Attaching a reproducer (gzipped so GitHub accepts it): test01.bmf.gz
The text was updated successfully, but these errors were encountered: