The Biosig Project Libbiosig Stack-Based Buffer Overflow Vulnerability in MFER Parsing

A stack-based buffer overflow vulnerability has been identified in The Biosig Project's libbiosig version 3.9.0 and the Master Branch (35a819fa). This vulnerability arises in the MFER (Medical waveform Format Encoding Rules) parsing functionality, where a specially crafted MFER file can lead to arbitrary code execution. The issue occurs on line 8842 of biosig.c in the current master branch, when the Tag is 12. In this code path, values of 'len' greater than 130 trigger a buffer overflow, as well as values smaller than 2, which cause an integer underflow when calculating 'len-2'.

Impact

Exploitation of this vulnerability allows for a stack-based buffer overflow, where an attacker can write arbitrary data past the end of a stack-allocated buffer. This condition can corrupt the stack and potentially lead to arbitrary code execution.

Reproduction

The vulnerability can be reproduced by using the 'sopen_extended' function to parse a maliciously crafted MFER file. The file should be designed to exploit the vulnerability by encoding a length value that triggers the buffer overflow, such as a value greater than 130 or one smaller than 2. When the file is processed, the 'ifread' function will read the specified number of bytes into a stack buffer, causing the overflow.

Remediation

Users are advised to update to the patched version of libbiosig, which is available on the project's official website.