3rd Feb 2003 [SBWID-5964]
Blade encoder overflow in wave file parsing
Blade encoder 0.94.2 and previous versions
Thanks to Auriemma Luigi [[email protected]], Security Researcher, PivX Solutions, LLC:
The bug is caused by the use of a signed integer value for seeking in the wave file after the program has read the size of the "fmt " wave chunk.
More precisely, the problem is located in the use of the integer variable "offset" in the myFseek function at the end of the samplein.c file.
3) The Code
I have written a very simple wave file that shows a message in the console when the program is launched (bladeenc blade586-942.wav). The exploit has been coded to run ONLY on the precompiled version of the program for Windows on i586.
The proof-of-concept has been written for Windows98 ONLY.
As I said in the Introduction, this good program is no longer supported; however, the patch is very, very simple and is easy to apply to all versions of Bladeenc, simply because the function to patch is the last one in the samplein.c file.
    /* Non-contiguous excerpt from myFseek() in samplein.c; abs() is declared in <stdlib.h> */
    char dummy;
    offset = abs(offset);       /* the signed seek distance is made non-negative */
    while (offset >= 256)
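As an added example (not from the advisory or the Bladeenc sources), the following C parser shows the defensive alternative to merely making the offset non-negative: every RIFF chunk size stays unsigned and is checked against the bytes actually remaining before it is used to move through the file, so a "fmt " size that a signed int would read as negative is rejected outright. The 48-byte WAV image is constructed inline, and the function names are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Little-endian helpers: chunk sizes stay uint32_t, never a signed int. */
static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Walk the RIFF chunks of an in-memory WAV image and return the offset of
 * the "data" payload, or -1 if the header is malformed or any declared
 * chunk size would move past the end of the buffer. */
long find_data_chunk(const uint8_t *buf, size_t len) {
    if (len < 12 || memcmp(buf, "RIFF", 4) || memcmp(buf + 8, "WAVE", 4))
        return -1;
    size_t pos = 12;
    while (pos + 8 <= len) {
        uint32_t size = rd_le32(buf + pos + 4);
        size_t payload = pos + 8;
        /* Validate the unsigned size against the bytes actually left before
         * seeking with it; a size such as 0xFFFFFFF0, which a signed "offset"
         * would treat as a small negative seek, is rejected here. */
        if (size > len - payload)
            return -1;
        if (memcmp(buf + pos, "data", 4) == 0)
            return (long)payload;
        pos = payload + size + (size & 1);   /* RIFF chunks are word-aligned */
    }
    return -1;
}

/* Constructed 48-byte WAV image (not a real recording): RIFF header, a
 * "fmt " chunk with 16 payload bytes but a declared size of fmt_size,
 * then a 4-byte "data" chunk. Returns what the parser says about it. */
long check_fmt_size(uint32_t fmt_size) {
    uint8_t w[48] = {0};
    memcpy(w, "RIFF", 4);      wr_le32(w + 4, 40);  memcpy(w + 8, "WAVE", 4);
    memcpy(w + 12, "fmt ", 4); wr_le32(w + 16, fmt_size);
    memcpy(w + 36, "data", 4); wr_le32(w + 40, 4);
    return find_data_chunk(w, sizeof w);
}
```

A well-formed header yields the data offset 44, while a size that would wrap to a negative int, or one merely larger than the remaining bytes, is refused before any seek happens.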