The Biosig Project Libbiosig Stack-Based Buffer Overflow Vulnerability in MFER Parsing

A stack-based buffer overflow vulnerability has been identified in The Biosig Project's libbiosig version 3.9.0 and the Master Branch (35a819fa). This vulnerability arises in the MFER (Medical waveform Format Encoding Rules) parsing functionality, where a specially crafted MFER file can lead to arbitrary code execution. The issue occurs on line 8850 of biosig.c in the current master branch, specifically when the Tag is 13. The vulnerability is triggered by the 'ifread' function, which reads data from the input file into a stack-allocated buffer without proper length validation, allowing for the overflow and potential execution of malicious code.

Impact

Exploitation of this vulnerability causes a stack-based buffer overflow, which can overwrite the stack and potentially lead to arbitrary code execution.

Reproduction

The vulnerability can be reproduced by using a maliciously crafted MFER file that exploits the unvalidated length handling in the libbiosig library. The file should be designed to include a Tag 13 frame with a length that exceeds the buffer capacity, such as 89 bytes, which libbiosig incorrectly interprets as a much larger value. This can be achieved by encoding the length in a way that libbiosig's parsing logic fails to validate correctly, such as using multiple octets to specify a length that exceeds the safe limit.

Remediation

Users are advised to update to the patched version of libbiosig, which is available on the project's official website.