[MU4 Issue] Stack buffer overflow vulnerability while parse MIDI file #16346
Comments
How about this then: Or (I like that one better, it is done that way in various different places, PR in the works)

Pretty good!

Another possible fix would be: I.e. in the loop read

And what about that comment at the top of the function? // Note: if MS is updated to use Qt 5.10, this can be implemented with QIODevice::skip(), which should be more efficient // as bytes do not need to be moved around.

Good question... Updated the PR

Further simplified it, eliminating that function entirely

CVE-2023-26923 assigned

You may want to mention that it is fixed in 4.0.2 and later and also in my 3.7 from https://github.com/Jojo-Schmitz/MuseScore/tree/3.x
Describe the bug
It only affects the Windows version.
In src/importexport/midi/internal/midishared/midifile.cpp
It is copying the length of len, not tmp_size. If len is bigger than 256, it will overwrite stack.
This leads to a buffer overflow and overwrite the stack cookies. If an attacker knows the stack cookie value, it can lead to code execution. Check PoC.midi in PoC.zip.
This vulnerability works from version 3.0 to 4.0.1 (latest)
PoC.zip
If you have any problems, contact me via kunshim@naver.com
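The report above describes the bug class (a copy bounded by the attacker-controlled `len` instead of the 256-byte scratch buffer's size) and the comments sketch the fix (read in a loop, never more than the buffer per iteration, or use `QIODevice::skip()` on Qt 5.10+). The following is an added illustration, not MuseScore's code: the original `midifile.cpp` is not quoted on the page, so the function shape, the names `skipBytesBounded` and `demo`, and the use of `std::istream` in place of `QIODevice` are assumptions; only the 256-byte buffer size comes from the report. It shows the hardened skip loop and exercises it with a constructed in-memory stream whose declared length far exceeds the buffer, the condition the report says overwrites the stack.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <iostream>
#include <istream>
#include <sstream>
#include <string>

// Added example, not MuseScore's code. Models the skip-bytes pattern the issue
// describes: a fixed 256-byte stack buffer used as scratch space while
// discarding 'len' bytes read from the file. The reported defect is the
// equivalent of in.read(tmp, len) with len taken from the file and never
// compared to sizeof(tmp). The hardened form below bounds every read by the
// buffer size and loops, so no value of 'len' can reach past the buffer.
constexpr std::size_t kScratchSize = 256;   // buffer size stated in the report

// Returns the number of bytes actually skipped; this is smaller than 'len'
// when the stream ends early (a truncated file), which is reported to the
// caller instead of being treated as success.
std::size_t skipBytesBounded(std::istream& in, std::size_t len) {
    char tmp[kScratchSize];
    std::size_t skipped = 0;
    while (skipped < len) {
        // Never request more than the scratch buffer can hold.
        const std::size_t chunk = std::min(len - skipped, sizeof(tmp));
        in.read(tmp, static_cast<std::streamsize>(chunk));
        const std::size_t got = static_cast<std::size_t>(in.gcount());
        if (got == 0) {
            break;  // EOF or read error: stop rather than spin forever
        }
        skipped += got;
    }
    return skipped;
}

// Outcome of one constructed run: how much was skipped and which byte the
// parser would see next (EOF if the stream was exhausted).
struct SkipResult {
    std::size_t skipped;
    int nextByte;
};

// Constructed input (assumed, not from the page): 'payloadLen' filler bytes
// followed by a 'Z' marker, then a skip of 'declaredLen' bytes as if that
// length had been read from an untrusted chunk header.
SkipResult demo(std::size_t declaredLen, std::size_t payloadLen) {
    std::string data(payloadLen, 'A');
    data += 'Z';
    std::istringstream in(data);
    const std::size_t n = skipBytesBounded(in, declaredLen);
    return SkipResult{n, in.get()};
}

int main() {
    // A declared length that exactly covers the filler leaves the marker readable.
    SkipResult ok = demo(700, 700);
    std::cout << "skipped " << ok.skipped << ", next byte '"
              << static_cast<char>(ok.nextByte) << "'\n";

    // A declared length far larger than the buffer (and the file) is harmless:
    // the loop stops at EOF with no write outside 'tmp'.
    SkipResult huge = demo(0xFFFFFF, 700);
    std::cout << "skipped " << huge.skipped << ", at EOF: "
              << (huge.nextByte == EOF ? "yes" : "no") << "\n";
    return 0;
}
```

The property worth checking in review is the one the loop enforces: the argument to `read` is `min(remaining, sizeof(tmp))`, so the buffer size, not the file's length field, is the upper bound on every copy. A declared length that exceeds the remaining input is reported through the return value instead of being silently swallowed, which lets the caller reject a truncated or malformed file.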