Stack overflow in LibXMP
A stack-based buffer overflow vulnerability exists in the depack_pha() function of libxmp, a library for module music playback. The vulnerability is triggered when parsing malformed Pha Packer (PHA) module files.
Improper bounds checking on a local stack buffer allows an attacker to write data outside the bounds of the array, potentially leading to denial-of-service (DoS), and in certain conditions, remote code execution (RCE).
Build:
gcc -g -O0 -I./libxmp/include poc.c poc_data.h ./libxmp/lib/libxmp.a -lm -lz -o poc_crasher
Stack Buffer Overflow
libxmp project GitHub: https://github.com/libxmp/libxmp Issue: libxmp/libxmp#847
src/loaders/prowizard/pha.c Function: depack_pha()
Denial of Service (DoS) Potential Remote Code Execution (RCE) under specific build or runtime conditions
An attacker can craft a malicious .mod or .pha file in Pha Packer format and feed it to any application linked with libxmp. The malformed file causes a stack buffer overflow during pattern parsing in depack_pha().
This issue is in the process of being reported to the libxmp maintainers via GitHub Issues.
Gareth C - https://www.anchorsec.co.uk