CVE-2019-19513
Out-of-bounds write
Software affected
BASS_MIDI.DLL <= 2.4.12.1 (used in AIMP, MusicBee, etc.)
Description
Out-of-bounds write while parsing the delta-time of a MIDI track chunk. The file only has to be parsed by bass_midi.dll, so both streaming the file and opening it locally should trigger the out-of-bounds write. I think that if you groom the heap right it may be possible to get code execution.
Details
Assembly
The out-of-bounds write happens at
bass_midi+0xab4c
Instructions at bass_midi.dll + 0xab4c:
movzx eax,bl
shr ebx,8
xor edx,edx
mov byte ptr [eax+esi+6DCh],bl <-- out-of-bounds write
The buffer actually ends at esi+0x6dc+0x87. Because eax is loaded from a single attacker-controlled byte (0x00 to 0xFF), the write can land about 0x76 bytes past the end of the buffer.
Registers:
eax = 0xE4 <-- offset
ebx = 0x0 <-- char to write
ecx = 0xF
edx = 0x0
esi = 0x766E89C
edi = 0x761ECB0
esp = 0x6FF798
ebp = 0x6FF7A8
The call stack:
bassmidi.dll + 0xAB4C
bassmidi.dll + 0xC333
bassmidi.dll + 0xC6F1
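The advisory does not say what the delta-time byte in eax indexes inside bass_midi.dll, so the general lesson is the one a parser author can act on: every value read from the file must be validated against the structure it drives before it is used. The following is an added example, not bass_midi's code and not the midi_bass_poc.py script referenced below. It is a defensive Standard MIDI File walker that decodes every delta-time as a variable-length quantity bounded by its chunk and reports overlong or truncated delta-times, and events that run past the chunk's declared length, instead of using them. The MIDI bytes in it are constructed sample input.

```python
"""Defensive Standard MIDI File (SMF) walker (added example, not bass_midi code).

Each delta-time is decoded as a variable-length quantity (VLQ) bounded by
the chunk it lives in; anything that breaks the format becomes a finding.
"""
import struct

MAX_VLQ_BYTES = 4  # the SMF spec limits a VLQ to 4 bytes (values below 0x10000000)


def read_vlq(data, pos, end):
    """Decode a VLQ at data[pos] without reading at or past `end`.
    Returns (value, next_pos); raises ValueError if overlong or cut off."""
    value = 0
    for _ in range(MAX_VLQ_BYTES):
        if pos >= end:
            raise ValueError("delta-time truncated by chunk boundary")
        byte = data[pos]
        pos += 1
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # continuation bit clear: last byte of the VLQ
            return value, pos
    raise ValueError("delta-time VLQ longer than 4 bytes")


def parse_track(data, pos, end):
    """Walk one MTrk body (data[pos:end]) and return the number of events.
    Raises ValueError on the first malformed delta-time or event."""
    count = 0
    running_status = None  # kept across meta/sysex events (common reader behaviour)
    while pos < end:
        _delta, pos = read_vlq(data, pos, end)
        if pos >= end:
            raise ValueError("delta-time not followed by an event")
        status = data[pos]
        if status & 0x80:
            pos += 1
        elif running_status is None:
            raise ValueError("data byte without a running status")
        else:
            status = running_status
        if status == 0xFF:  # meta event: type byte, VLQ length, payload
            if pos >= end:
                raise ValueError("meta event missing its type byte")
            pos += 1
            length, pos = read_vlq(data, pos, end)
            pos += length
        elif status in (0xF0, 0xF7):  # sysex: VLQ length, payload
            length, pos = read_vlq(data, pos, end)
            pos += length
        elif 0x80 <= status <= 0xEF:  # channel voice message
            # program change (0xC0) and channel pressure (0xD0) carry one data byte
            pos += 1 if (status & 0xF0) in (0xC0, 0xD0) else 2
            running_status = status
        else:
            raise ValueError(f"unexpected status byte 0x{status:02x}")
        if pos > end:
            raise ValueError("event payload runs past chunk boundary")
        count += 1
    return count


def scan_midi(data):
    """Return a list of findings; an empty list means every chunk parsed cleanly."""
    if len(data) < 14 or data[:4] != b"MThd":
        return ["not a Standard MIDI File (missing MThd header)"]
    findings, pos = [], 0
    while pos + 8 <= len(data):
        tag = data[pos:pos + 4]
        (length,) = struct.unpack(">I", data[pos + 4:pos + 8])
        body, end = pos + 8, pos + 8 + length
        if end > len(data):
            findings.append(f"{tag.decode('latin-1')} chunk length 0x{length:x} runs past end of file")
            break
        if tag == b"MTrk":
            try:
                parse_track(data, body, end)
            except ValueError as exc:
                findings.append(f"MTrk at offset 0x{pos:x}: {exc}")
        pos = end
    return findings


# --- constructed sample input (not taken from the advisory) ---------------
def _chunk(tag, body):
    return tag + struct.pack(">I", len(body)) + body


HEADER = _chunk(b"MThd", struct.pack(">HHH", 0, 1, 96))  # format 0, one track, 96 ticks/quarter
GOOD_TRACK = _chunk(b"MTrk",
                    b"\x00\x90\x3c\x40"        # delta 0: note on C4, velocity 64
                    b"\x81\x00\x80\x3c\x40"    # delta 128 (two-byte VLQ): note off
                    b"\x00\xff\x2f\x00")       # delta 0: end-of-track meta event
GOOD_FILE = HEADER + GOOD_TRACK
# delta-time whose continuation bit never clears (five 0xFF bytes in a row)
OVERLONG_FILE = HEADER + _chunk(b"MTrk", b"\xff\xff\xff\xff\xff\x90\x3c\x40\x00\xff\x2f\x00")
# delta-time cut off by the chunk length: 0x81 has its continuation bit set but is the last byte
TRUNCATED_FILE = HEADER + _chunk(b"MTrk", b"\x00\x90\x3c\x40\x81")

if __name__ == "__main__":
    for name, blob in (("good", GOOD_FILE), ("overlong", OVERLONG_FILE), ("truncated", TRUNCATED_FILE)):
        print(name, scan_midi(blob) or "clean")
```

The walker never indexes anything with a raw file byte and never advances past the chunk's declared end; a finding is the signal to reject the file before any table lookup or copy is driven by its contents.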
PoC
Use midi_bass_poc.py to generate a PoC MIDI file.