Summary
An out-of-bounds array access can occur in track_set_index.
Details
The function track_set_index does not check that i >= 0:
void track_set_index(Track *track, int i, long ind)
{
if (i > MAXINDEX) {
fprintf(stderr, "too many indexes\n");
return;
}
track->index[i] = ind;
}If i is negative, then this code can write to an address outside the bounds of the array.
The value of i is parsed using atoi in cue_scanner.l:
[[:digit:]]+ { yylval.ival = atoi(yytext); return NUMBER; }atoi does not check for integer overflow, so it is easy to get it produce a negative number.
PoC
This is an example CUE file which triggers the bug:
FILE pwned.mp3 MP3
TRACK 000 AUDIO
INDEX 4294567296 0
The index 4294567296 is converted to -400000 by atoi.
Impact
This issue may lead to code execution when libcue is used to parse a malicious file.
kevinbackhouse Reporter
Summary
An out-of-bounds array access can occur in
track_set_index.Details
The function
track_set_indexdoes not check thati >= 0:If
iis negative, then this code can write to an address outside the bounds of the array.The value of
iis parsed usingatoiincue_scanner.l:atoidoes not check for integer overflow, so it is easy to get it produce a negative number.PoC
This is an example CUE file which triggers the bug:
The index
4294567296is converted to-400000byatoi.Impact
This issue may lead to code execution when libcue is used to parse a malicious file.