CVE-2019-18795

Out-of-Bounds Read in BASS.dll

Software affected

BASS.DLL <= 2.4.14.1

Description

Due to improper input validation of the cbSize field in the header of a WAV file, it is possible to trigger an out-of-bounds read when the WAV file is parsed by the BASS.dll library.

Details

Explanation

When a wave format is unknown to bass.dll, it tries to convert it with acmStreamOpen. For the conversion it takes the WAVEFORMATEX structure directly from the wave file without proper input validation.
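The check that is missing before the header reaches acmStreamOpen, as an added example in C (not BASS.dll or MSACM32 code): it reads the 'fmt ' chunk from a constructed buffer and rejects a cbSize whose claimed extension runs past the chunk or the file. Function and sample names (validate_fmt_chunk, check_*_sample) are assumptions for this example.

```c
#include <stdint.h>
#include <stddef.h>

/* WAVEFORMATEX is 18 bytes on disk: wFormatTag, nChannels, nSamplesPerSec,
   nAvgBytesPerSec, nBlockAlign, wBitsPerSample, cbSize (all little-endian). */
#define WAVEFORMATEX_SIZE 18
#define WAVE_FORMAT_PCM 1

enum { FMT_OK = 0, FMT_TOO_SHORT = 1, FMT_CBSIZE_OOB = 2, FMT_CHUNK_OOB = 3 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* fmt points at the chunk-size field that follows the 'fmt ' id; avail is the
   number of bytes left in the file buffer from that point. Returns FMT_OK only
   when the WAVEFORMATEX plus its cbSize extension bytes lie inside both the
   chunk and the buffer, so a reader of byte [18 + cbSize - 1] stays in bounds. */
int validate_fmt_chunk(const uint8_t *fmt, size_t avail)
{
    if (avail < 4) return FMT_CHUNK_OOB;
    uint32_t chunk_size = rd32(fmt);
    const uint8_t *wfx = fmt + 4;
    if (chunk_size > avail - 4) return FMT_CHUNK_OOB;   /* chunk claims more than the file holds */
    if (chunk_size < WAVEFORMATEX_SIZE) {
        /* a 16-byte header without cbSize is only acceptable for plain PCM */
        if (chunk_size >= 16 && rd16(wfx) == WAVE_FORMAT_PCM) return FMT_OK;
        return FMT_TOO_SHORT;
    }
    uint16_t cb_size = rd16(wfx + 16);
    /* untrusted cbSize must fit inside the chunk: this is the check BASS.dll lacked */
    if ((size_t)WAVEFORMATEX_SIZE + cb_size > chunk_size) return FMT_CBSIZE_OOB;
    return FMT_OK;
}

/* Constructed sample: 18-byte fmt chunk, non-PCM tag 0xFFFE, cbSize = 0x494B
   (the edx value from the crash dump) although no extension bytes follow. */
int check_bad_sample(void)
{
    uint8_t buf[22] = {18,0,0,0, 0xFE,0xFF, 2,0, 0x44,0xAC,0,0, 0x10,0xB1,2,0, 4,0, 16,0, 0x4B,0x49};
    return validate_fmt_chunk(buf, sizeof buf);
}
/* Constructed sample: same header with cbSize = 0, consistent with the chunk size. */
int check_good_sample(void)
{
    uint8_t buf[22] = {18,0,0,0, 0xFE,0xFF, 2,0, 0x44,0xAC,0,0, 0x10,0xB1,2,0, 4,0, 16,0, 0,0};
    return validate_fmt_chunk(buf, sizeof buf);
}
/* Constructed sample: chunk size says 18 bytes but the file ends after 10. */
int check_truncated_sample(void)
{
    uint8_t buf[14] = {18,0,0,0, 0xFE,0xFF, 2,0, 0x44,0xAC,0,0, 0x10,0xB1};
    return validate_fmt_chunk(buf, sizeof buf);
}
```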

Assembly

The out-of-bounds read happens at:

MSACM32.dll!ValidateReadPointer + 0x15

Instructions at MSACM32.dll!ValidateReadPointer + 0x15:

and dword ptr [ebp-4],0
mov al,byte ptr [ecx]
mov byte ptr [ebp-19h],al
mov al,byte ptr [ecx+edx-1] <-- Out-of-bounds read

Registers: through cbSize you control the 16-bit (halfword) value in the edx register, which is added to ecx as the read offset.

eax   =   0xD5D449
ebx   =   0xD5D57C
ecx   =   0xD5D5D0
edx   =     0x494B
esi   =   0xD5D5C0
edi   =        0x1
esp   =   0xD5D440
ebp   =   0xD5D46C

The callstack:

MSACM32.dll!ValidateReadPointer + 0x15 
MSACM32.dll!ValidateReadWaveFormat + 0x45
MSACM32.dll!acmStreamOpen + 0x9E
bass.dll + 0x2117C 
bass.dll + 0x21798 
_BASS_StreamCreateFile