
Bug#924947: marked as done (abcmidi: Integer overflow leading to heap buffer overflow in midi2abc)



Your message dated Wed, 16 Dec 2020 22:09:16 +0100
with message-id <A8958899-1B8B-448B-92BD-977A5D3EC828@kabelmail.de>
and subject line Re: abcmidi: Integer overflow leading to heap buffer overflow in midi2abc
has caused the Debian Bug report #924947,
regarding abcmidi: Integer overflow leading to heap buffer overflow in midi2abc
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
924947: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=924947
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: abcmidi
Version: 3.21
Severity: important

Dear Maintainer,

As a part of an academic project, we have discovered an integer overflow
in the midi2abc binary which is a part of the abcmidi package.
The bug occurs in addstring @ midi2abc.c:293 where the function
checkmalloc is called with the return value of the function strlen + 1.
The checkmalloc function accepts a 32 bit integer as argument which it
uses directly to call the function malloc.

The addstring function is called from the function
process_command_line_arguments and therefore, the string being passed to
the function strlen can be controlled. 
An attacker could create a very large string which would overflow the
integer addition at midi2abc.c:293. If the return value of strlen is
UINT_MAX, the checkmalloc function would be called with an argument 0.
When malloc is called with 0 as its argument, it returns a chunk of size
16 in a 64 bit process. This chunk would then be used to copy UINT_MAX
bytes of data which results in a heap overflow.

We understand that creating a string of size UINT_MAX is very difficult,
but we feel that this is an issue that must be fixed.

Please investigate this issue


-- System Information:
Debian Release: stretch/sid
  APT prefers xenial-updates
  APT policy: (500, 'xenial-updates'), (500, 'xenial-security'), (500, 'xenial'), (100, 'xenial-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.4.0-142-generic (SMP w/4 CPU cores)
Locale: LANG=en_IN, LC_CTYPE=en_IN (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---
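The narrowing described in the report above, shown as an added example that is not taken from the abcmidi source or from either message: the function names are hypothetical, and it assumes a 32-bit `int` with a 64-bit `size_t`. It computes what an `int` size parameter receives for `strlen + 1`, next to a variant that rejects lengths that do not fit.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Value a 32-bit int parameter receives when handed strlen(s) + 1.
 * The addition is done in size_t; only the low 32 bits survive the call. */
static int narrowed_request(size_t len)
{
    return (int)(unsigned int)(len + 1);
}

/* Hypothetical check: refuse any length whose +1 does not fit the
 * allocator's int parameter instead of letting it wrap. */
static int checked_request(size_t len, int *out)
{
    if (len >= (size_t)INT_MAX)
        return -1;
    *out = (int)(len + 1);
    return 0;
}

/* Hypothetical hardened copy: the allocation size and the copy length
 * are the same validated value, so the copy cannot exceed the chunk. */
static char *dup_string(const char *s)
{
    int n;
    char *p;

    if (checked_request(strlen(s), &n) != 0)
        return NULL;
    p = malloc((size_t)n);
    if (p != NULL)
        memcpy(p, s, (size_t)n);   /* includes the terminating NUL */
    return p;
}

int main(void)
{
    char *p = dup_string("tune.mid");   /* constructed sample argument */

    printf("len=UINT_MAX -> int request %d\n",
           narrowed_request((size_t)UINT_MAX));
    printf("copy: %s\n", p ? p : "(rejected)");
    free(p);
    return 0;
}
```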
--- Begin Message ---
Package: abcmidi
Version: 20200122-1

It is fixed since the debian version 20200122-1
--- End Message ---
