CVE-2019-18795
Out-of-Bounds Read in BASS.dll
Software affected
BASS.DLL <= 2.4.14.1
Description
Due to improper input validation of the cbSize field in the header of a wav file, it is possible to trigger an out-of-bounds read when the wav file is parsed by the BASS.dll library.
Details
Explanation
When a wave format is unknown to bass.dll, it tries to convert it with acmStreamOpen. For the conversion it takes the WAVEFORMATEX structure directly from the wave file without proper input validation.
Assembly
The out-of-bounds read happens at:
MSACM32.dll!ValidateReadPointer + 0x15
Instructions at MSACM32.dll!ValidateReadPointer + 0x15:
and dword ptr [ebp-4],0
mov al,byte ptr [ecx]
mov byte ptr [ebp-19h],al
mov al,byte ptr [ecx+edx-1] <-- Out-of-bounds read
Registers: the cbSize field from the file controls the halfword value in the edx register.
eax = 0xD5D449
ebx = 0xD5D57C
ecx = 0xD5D5D0
edx = 0x494B
esi = 0xD5D5C0
edi = 0x1
esp = 0xD5D440
ebp = 0xD5D46C
The callstack:
MSACM32.dll!ValidateReadPointer + 0x15
MSACM32.dll!ValidateReadWaveFormat + 0x45
MSACM32.dll!acmStreamOpen + 0x9E
bass.dll + 0x2117C
bass.dll + 0x21798
_BASS_StreamCreateFile
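The bound the Explanation and Registers sections describe as missing (cbSize must not reach past the fmt chunk that carries the WAVEFORMATEX), as an added example in C; this is hypothetical validator code written for this page, not BASS.dll's or MSACM32's own, and the two 38-byte RIFF headers it checks are constructed samples, not real files.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical validator (added example, not BASS.dll code). It walks an
 * in-memory RIFF/WAVE buffer to the "fmt " chunk and refuses to hand the
 * embedded WAVEFORMATEX to a converter unless cbSize fits inside the chunk. */
#define WAVEFORMATEX_SIZE 18u  /* packed WAVEFORMATEX without the extra bytes */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 1 if cbSize is consistent with the fmt chunk length, 0 if it would
 * make a reader run past the chunk (the CVE-2019-18795 condition), and -1 if
 * the buffer is not a well-formed RIFF/WAVE with a fmt chunk. */
int validate_wave_fmt(const uint8_t *buf, size_t len)
{
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "WAVE", 4) != 0)
        return -1;
    size_t off = 12;
    while (off + 8 <= len) {
        uint32_t chunk_len = rd32(buf + off + 4);
        if (chunk_len > len - off - 8)            /* chunk claims more than the file holds */
            return -1;
        if (memcmp(buf + off, "fmt ", 4) == 0) {
            const uint8_t *fmt = buf + off + 8;
            if (chunk_len < WAVEFORMATEX_SIZE)    /* too short to even contain cbSize */
                return -1;
            uint16_t cb_size = rd16(fmt + 16);    /* cbSize sits at offset 16 */
            /* the bound BASS.dll did not enforce: extra bytes must lie inside the chunk */
            return (uint32_t)cb_size <= chunk_len - WAVEFORMATEX_SIZE ? 1 : 0;
        }
        off += 8 + chunk_len + (chunk_len & 1);   /* RIFF chunks are word-aligned */
    }
    return -1;
}

/* Constructed 38-byte headers (not real files): a non-PCM fmt chunk with
 * cbSize = 0, and the same chunk with cbSize = 0x494B, the edx value above. */
static const uint8_t sample_ok[] = {
    'R','I','F','F', 0x1E,0,0,0, 'W','A','V','E', 'f','m','t',' ', 18,0,0,0,
    0xFF,0xFF, 1,0, 0x44,0xAC,0,0, 0x88,0x58,0x01,0, 2,0, 16,0, 0x00,0x00 };
static const uint8_t sample_bad[] = {
    'R','I','F','F', 0x1E,0,0,0, 'W','A','V','E', 'f','m','t',' ', 18,0,0,0,
    0xFF,0xFF, 1,0, 0x44,0xAC,0,0, 0x88,0x58,0x01,0, 2,0, 16,0, 0x4B,0x49 };
int example_ok(void)  { return validate_wave_fmt(sample_ok, sizeof sample_ok); }
int example_bad(void) { return validate_wave_fmt(sample_bad, sizeof sample_bad); }
```

A loader that performs this check before calling acmStreamOpen rejects the second header instead of letting the ACM validator read cbSize bytes beyond the structure.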