In modules/codec/adpcm.c, VLC can be made to perform an out-of-bounds
write with user-controlled input.

The function DecodeAdpcmImaQT at adpcm.c:595 allocates a buffer which
is filled with bytes from the input stream. However, it does not check
that the number of channels in the input stream is less than or equal
to the size of the buffer, resulting in an out-of-bounds write. The
number of channels is clamped at <= 5.

adpcm_ima_wav_channel_t channel[2];
...
for( i_ch = 0; i_ch < p_dec->fmt_in.audio.i_channels; i_ch++ )
{
    channel[i_ch].i_predictor = (int16_t)((( ( p_buffer[0] << 1 )|( p_buffer[1] >> 7 ) ))<<7);
    channel[i_ch].i_step_index = p_buffer[1]&0x7f;
    ...

The mangling of the input p_buffer above and in
AdpcmImaWavExpandNibble() makes this difficult to exploit, but there
is a potential for remote code execution via a malicious media file.

POC:

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41025.mov
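
A bounds-checked form of the header loop quoted above, as an added example (not VLC's code and not its actual patch). MAX_CHANNELS, BLOCK_BYTES, channel_state_t, parse_channel_headers, SAMPLE and g_ch are hypothetical names; the 34-byte per-channel block size is an assumption about the IMA QT layout, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_CHANNELS 2   /* size of the fixed array, as in channel[2] above */
#define BLOCK_BYTES  34  /* assumption: 2 header + 32 data bytes per channel */

typedef struct {         /* hypothetical stand-in for adpcm_ima_wav_channel_t */
    int i_predictor;
    int i_step_index;
} channel_state_t;

/* Constructed input: two channel blocks, only the header bytes are set. */
static const uint8_t SAMPLE[2 * BLOCK_BYTES] = {
    [0] = 0x12, [1] = 0x85, [BLOCK_BYTES] = 0xFF, [BLOCK_BYTES + 1] = 0x7F
};
static channel_state_t g_ch[MAX_CHANNELS];

/* Returns the number of headers parsed, or -1 if the input is rejected. */
int parse_channel_headers(const uint8_t *p_buffer, size_t i_len,
                          unsigned i_channels,
                          channel_state_t channel[MAX_CHANNELS])
{
    /* The channel count comes from the file: bound it by the array size
     * before it is ever used as an index into channel[]. */
    if (i_channels == 0 || i_channels > MAX_CHANNELS)
        return -1;
    /* Every block about to be read must lie inside the input buffer. */
    if (i_len / BLOCK_BYTES < i_channels)
        return -1;

    for (unsigned i_ch = 0; i_ch < i_channels; i_ch++) {
        const uint8_t *p = p_buffer + (size_t)i_ch * BLOCK_BYTES;
        /* Same bit layout as the excerpt: 9-bit predictor, 7-bit step index. */
        uint16_t raw = (uint16_t)(((p[0] << 1) | (p[1] >> 7)) << 7);
        channel[i_ch].i_predictor  = (int16_t)raw;
        channel[i_ch].i_step_index = p[1] & 0x7f;
    }
    return (int)i_channels;
}

int main(void)
{
    /* A 2-channel stream parses; a 5-channel claim (the clamp limit) is rejected. */
    printf("2 channels -> %d\n", parse_channel_headers(SAMPLE, sizeof SAMPLE, 2, g_ch));
    printf("5 channels -> %d\n", parse_channel_headers(SAMPLE, sizeof SAMPLE, 5, g_ch));
    return 0;
}
```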