Nytro Posted January 16, 2017 Report Posted January 16, 2017 In modules/codec/adpcm.c, VLC can be made to perform an out-of-bounds write with user-controlled input. The function DecodeAdpcmImaQT at adpcm.c:595 allocates a buffer which is filled with bytes from the input stream. However, it does not check that the number of channels in the input stream is less than or equal to the size of the buffer, resulting in an out-of-bounds write. The number of channels is clamped at <= 5. adpcm_ima_wav_channel_t channel[2]; ... for( i_ch = 0; i_ch < p_dec->fmt_in.audio.i_channels; i_ch++ ) { channel[i_ch].i_predictor = (int16_t)((( ( p_buffer[0] << 1 )|( p_buffer[1] >> 7 ) ))<<7); channel[i_ch].i_step_index = p_buffer[1]&0x7f; ... The mangling of the input p_buffer above and in AdpcmImaWavExpandNibble() makes this difficult to exploit, but there is a potential for remote code execution via a malicious media file. POC: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41025.mov Sursa: https://www.exploit-db.com/exploits/41025/ Quote
