Unrestricted resource consumption in wildmidi 0.4.3
Loginsoft-2018-1008
September 13, 2018
CWE
CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')
Product Details
WildMIDI is a simple software MIDI player with a core softsynth library that can be used by other applications.
URL: https://sourceforge.net/projects/wildmidi/
Vulnerable Versions
wildmidi 0.4.3
Vulnerability Details
A denial of service (hang) was discovered in wildmidi version 0.4.3.
SYNOPSIS
A commonly found issue in various converter tools is producing an output of unrestricted size, causing memory consumption. The function wmidi_write() in wildmidi.c
```
fprintf(stderr,
        "%s [%s] [%3i] [%2um %2us Processed] [%2u%%] %c \r",
        display_lyrics, modes, (int)master_volume, pro_mins,
        pro_secs, perc_play, spinner[spinpoint++ % 4]);
if (send_output(output_buffer, res) < 0) {
    /* driver prints an error message already. */
    printf("\r");
```
The inline function wmidi_write(), called by write_wav_output() via send_output() [1] in wildmidi.c, was being called repeatedly inside a while loop. This generated a WAV file of unrestricted size and caused the system to hang. Initially this looked like the result of a broken input file, but the behavior turned out to be expected: the issue is that there was no limit on the size of the output file produced.
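One way to bound the output, shown as an added example that is not WildMIDI's code or the project's fix: a write wrapper that fails once a byte budget is exhausted, plus a size projection a caller can check before writing. The names `out_budget`, `pcm_bytes` and `capped_write` and the 40000-byte limit are assumptions made for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

/* Added example, not WildMIDI code; all names here are assumptions. */
struct out_budget { uint64_t limit, written; };

/* PCM bytes needed for `seconds` of audio; lets the caller reject a
 * projected output before writing anything. */
uint64_t pcm_bytes(uint32_t rate, uint32_t channels,
                   uint32_t bytes_per_sample, uint64_t seconds)
{
    return (uint64_t)rate * channels * bytes_per_sample * seconds;
}

/* Replacement for a bare write(): fails with EFBIG rather than growing
 * the file past b->limit. Retries short writes and EINTR. */
ssize_t capped_write(struct out_budget *b, int fd, const void *buf, size_t size)
{
    const char *p = buf;
    size_t left = size;

    if (size > b->limit - b->written) { /* invariant: written <= limit */
        errno = EFBIG;
        return -1;
    }
    while (left > 0) {
        ssize_t n = write(fd, p, left);
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) return -1;          /* real error, or no progress */
        p += n;
        left -= (size_t)n;
        b->written += (uint64_t)n;
    }
    return (ssize_t)size;
}

int main(void)
{
    static char chunk[16384];            /* same chunk size as the gdb trace */
    struct out_budget b = { 40000, 0 };  /* constructed, tiny limit for the demo */
    int fd = open("/dev/null", O_WRONLY);
    while (fd >= 0 && capped_write(&b, fd, chunk, sizeof chunk) >= 0) { }
    printf("stopped after %llu bytes\n", (unsigned long long)b.written);
    return 0;
}
```

With an assumed 44100 Hz, 16-bit stereo format, the "Approx 1092m 48s Total" reported in the trace below projects to about 11.5 GB of PCM data, which `pcm_bytes()` lets a caller reject before the first write.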
Analysis
```
(gdb)
2063 if (send_output(output_buffer, res) < 0) { [ 0%] -
(gdb) s
write_wav_output (output_data=0x629000005200 "", output_size=16384) at /home/woot/Desktop/wildmidi-master/src/wildmidi.c:495
495 if (wmidi_write(audio_fd, output_data, output_size) < 0) {
(gdb) s
wmidi_write (fd=3, buf=0x629000005200, size=16384) at /home/woot/Desktop/wildmidi-master/src/wildmidi.c:380
380 return write(fd, buf, size);
(gdb) n 100
Initializing Sound System
Initializing libWildMidi 0.4.3
+ Volume up e Better resampling n Next Midi
- Volume down l Log volume q Quit
, 1sec Seek Back r Reverb . 1sec Seek Forward
m save as midi p Pause On/Off
Playing $POC
[Approx 1092m 48s Total]
2063 if (send_output(output_buffer, res) < 0) { [ 0%] /
(gdb) n 100
2063 if (send_output(output_buffer, res) < 0) { [ 0%] /
(gdb) n 1000
2063 if (send_output(output_buffer, res) < 0) { [ 0%] /
(gdb) n 5000
2063 if (send_output(output_buffer, res) < 0) { [ 0%] /
(gdb) n 50000
= [ ] [100] [ 3m 9s Processed] [ 0%] - %] \ [ 0%] - WAV file size keeps increasing
2054 perc_play = (wm_info->current_sample * 100)[ 0%] \
```
Backtrace
```
(gdb) bt
#0 wmidi_write (fd=3, buf=0x629000005200, size=16384) at /home/woot/Desktop/wildmidi-master/src/wildmidi.c:380
#1 0x000000000040253a in write_wav_output (output_data=0x629000005200 "", output_size=16384) at /home/woot/Desktop/wildmidi-master/src/wildmidi.c:495
#2 0x00000000004054f3 in main (argc=4, argv=0x7fffffffde38) at /home/woot/Desktop/wildmidi-master/src/wildmidi.c:2063
```
Proof of concept
```
wildmidi -o /home/aceteam/wildmidi/some.WAV $POC
```
Timeline
Vendor Disclosure: 2018-09-12
Public Disclosure: 2018-09-13
Credit
Discovered by ACE Team - Loginsoft