Package: abcmidi
Version: 3.21
Severity: important

Dear Maintainer,

As a part of an academic project, we have discovered an integer overflow in the midi2abc binary which is a part of the abcmidi package. The bug occurs in addstring @ midi2abc.c:293 where the function checkmalloc is called with the return value of the function strlen + 1. The checkmalloc function accepts a 32-bit integer as argument which it uses directly to call the function malloc. The addstring function is called from the function process_command_line_arguments and therefore, the string being passed to the function strlen can be controlled. An attacker could create a very large string which would overflow the integer addition at midi2abc.c:293. If the return value of strlen is UINT_MAX, the checkmalloc function would be called with an argument 0. When malloc is called with 0 as its argument, it returns a chunk of size 16 in a 64-bit process. This chunk would then be used to copy UINT_MAX bytes of data which results in a heap overflow.

We understand that creating a string of size UINT_MAX is very difficult, but we feel that this is an issue that must be fixed.

Please investigate this issue.

-- System Information:
Debian Release: stretch/sid
  APT prefers xenial-updates
  APT policy: (500, 'xenial-updates'), (500, 'xenial-security'), (500, 'xenial'), (100, 'xenial-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.4.0-142-generic (SMP w/4 CPU cores)
Locale: LANG=en_IN, LC_CTYPE=en_IN (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
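The truncation the report describes, shown on a size_t value rather than a real multi-gigabyte string, together with a length check that an allocator wrapper taking an int should perform. This is an added illustration, not abcmidi's code; narrowed_length, checked_length and safe_addstring are hypothetical names.

```c
#include <limits.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Models the reported pattern: strlen()+1 computed in size_t, then handed
 * to an allocator wrapper that takes a 32-bit int. The narrowing cast is the
 * point where a length of UINT_MAX becomes 0 on a 64-bit build. */
int narrowed_length(size_t len)
{
    return (int)(len + 1); /* implementation-defined narrowing; gcc truncates */
}

/* Hardened form: refuse any length whose len + 1 does not fit the int the
 * allocator accepts. Returns 0 on success, -1 if the length is rejected. */
int checked_length(size_t len, int *out)
{
    if (len >= (size_t)INT_MAX) /* len + 1 would exceed INT_MAX */
        return -1;
    *out = (int)(len + 1);
    return 0;
}

/* Duplicate a string using the checked length, so the buffer can never be
 * smaller than the copy that follows. Returns NULL on rejection or OOM. */
char *safe_addstring(const char *s)
{
    int n;
    if (checked_length(strlen(s), &n) != 0)
        return NULL;
    char *p = malloc((size_t)n);
    if (p == NULL)
        return NULL;
    memcpy(p, s, (size_t)n); /* n includes the terminating NUL */
    return p;
}
```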