Coordinated Disclosure Timeline

Summary

libcue is a library for parsing CUE sheet files. A malicious file can trigger an out-of-bounds array access in the track_set_index function.

Project

libcue

Tested Version

2.2.1

Details

Out of bounds array access in track_set_index (GHSL-2023-197)

The function track_set_index does not check that i >= 0:

void track_set_index(Track *track, int i, long ind)
{
	/* Only the upper bound is checked; a negative i passes through. */
	if (i > MAXINDEX) {
		fprintf(stderr, "too many indexes\n");
		return;
	}

	track->index[i] = ind;
}

If i is negative, then this code can write to an address outside the bounds of the array.

The value of i is parsed using atoi in cue_scanner.l:

[[:digit:]]+	{ yylval.ival = atoi(yytext); return NUMBER; }

atoi does not check for integer overflow, so it is easy to get it to produce a negative number.

This is an example CUE file which triggers the bug:

FILE pwned.mp3 MP3
TRACK 000 AUDIO
INDEX 4294567296 0

The index 4294567296 is converted to -400000 by atoi.
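As an added illustration (not libcue's own code), the following shows the two checks that close this bug: replacing the scanner's atoi() with an overflow-aware parse of the NUMBER token, and rejecting negative indexes in track_set_index. The value of MAXINDEX and the Track layout are assumptions.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumption: libcue's cd.h defines MAXINDEX; 99 is used here as a stand-in. */
#define MAXINDEX 99

/* Minimal stand-in for libcue's Track (the real struct has more fields). */
typedef struct {
	long index[MAXINDEX + 1];
} Track;

/* Hardened replacement for the scanner's atoi() call. Returns the value for a
 * token that is a non-negative decimal number fitting in an int, else -1.
 * atoi("4294567296") silently wraps to -400000; strtol reports ERANGE. */
long parse_index_number(const char *text)
{
	char *end;
	errno = 0;
	long v = strtol(text, &end, 10);
	if (errno == ERANGE || end == text || *end != '\0')
		return -1;	/* overflow, empty token, or trailing junk */
	if (v < 0 || v > INT_MAX)
		return -1;	/* would not survive the int conversion intact */
	return v;
}

/* track_set_index with the missing lower-bound check added.
 * Returns 0 on success, -1 if the index is rejected. */
int track_set_index_checked(Track *track, int i, long ind)
{
	if (i < 0 || i > MAXINDEX) {
		fprintf(stderr, "index %d out of range [0, %d]\n", i, MAXINDEX);
		return -1;
	}
	track->index[i] = ind;
	return 0;
}

/* Runs a NUMBER token from an INDEX line through both checks. */
int set_index_from_token(Track *track, const char *token, long ind)
{
	long i = parse_index_number(token);
	if (i < 0)
		return -1;
	return track_set_index_checked(track, (int)i, ind);
}
```

With these checks the sample file's INDEX line is rejected at the parse step instead of reaching the array write.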

Impact

This issue may lead to code execution when libcue is used to parse a malicious file.

Credit

This issue was discovered and reported by GHSL team member @kevinbackhouse (Kevin Backhouse).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2023-197 in any communication regarding this issue.