FluidSynth
cpe:2.3:a:fluidsynth:fluidsynth:*:*:*:*:*:*:*
- >= 2.5.0, < 2.5.2
A heap use-after-free has been identified in FluidSynth versions 2.5.0 up to, but not including, 2.5.2. It is caused by a race condition while a DLS file is being unloaded: memory backing the bank is freed while it is still referenced. The race is reachable in two situations: the synthesizer is destroyed while a DLS file is still being unloaded, or samples from the DLS file are still in use by active voices (that is, are being rendered) when the unload happens. Applications that unload their DLS files explicitly before destroying the synthesizer, and do so only once no active voice is using the bank's samples, do not hit the bug. Builds of FluidSynth compiled without native DLS support are not affected.
Exploitation results in memory corruption through use of freed heap memory. In the worst case this could be turned into arbitrary code execution in the context of the application that embeds FluidSynth, although that would require an attacker to win the race and control the contents of the freed allocation; the outcome most readily observed is a crash of the application, that is, a denial of service.
The issue can be reproduced as follows. Loading a DLS file and playing a MIDI file through it works without problems. Unloading the DLS bank while its samples are still in use, with audio rendering running concurrently, crashes the application. To confirm that the behaviour is specific to DLS, first load an SF2 bank and unload and reload it under the same conditions, which succeeds; then repeat the sequence with a DLS bank, which crashes.
Update to FluidSynth 2.5.2 or later. Where updating is not immediately possible, the issue can be avoided by ordering teardown carefully: stop all voices first (for example with fluid_synth_all_sounds_off), unload the DLS file explicitly with fluid_synth_sfunload only while no active voice is using its samples and no rendering call is in flight, and destroy the synthesizer with delete_fluid_synth only after the unload has completed.
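The following script is an added example, not part of this advisory or of the FluidSynth project. It turns the affected range above (>= 2.5.0, < 2.5.2) into a check a practitioner can run on a host: it reads the installed version from pkg-config or from the text that `fluidsynth --version` prints, compares it component by component against the range, and reports the result. The sample version output embedded in the script is constructed for the demo; the only assumption about the real tool's output is that it contains a line of the form "... version X.Y.Z". Note that the script cannot tell whether a build was compiled without native DLS support, which the advisory lists as unaffected; a version inside the range is reported as affected regardless.

```sh
#!/bin/sh
# Added example (not the advisory's or FluidSynth's own code): decide whether
# an installed FluidSynth falls in the affected range >= 2.5.0, < 2.5.2.

# Compare two dotted versions numerically on their first three components.
# Prints -1, 0 or 1 for a<b, a==b, a>b. Missing components count as 0 and a
# trailing non-numeric suffix (e.g. "2-rc1") is ignored by awk's "+ 0".
vercmp() {
    a=$1; b=$2; i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s\n' "$a" | awk -F. -v n="$i" '{ print $n + 0 }')
        y=$(printf '%s\n' "$b" | awk -F. -v n="$i" '{ print $n + 0 }')
        if [ "$x" -lt "$y" ]; then printf '%s\n' "-1"; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' "1"; return; fi
        i=$((i + 1))
    done
    printf '%s\n' "0"
}

# Returns 0 (true) when VERSION lies in [2.5.0, 2.5.2), 1 otherwise.
fluidsynth_affected() {
    if [ "$(vercmp "$1" 2.5.0)" -ge 0 ] && [ "$(vercmp "$1" 2.5.2)" -lt 0 ]; then
        return 0
    fi
    return 1
}

# Pull "X.Y.Z" out of text such as the output of `fluidsynth --version`
# (assumed to contain a line like "FluidSynth runtime version X.Y.Z").
# Prints the first version found, or nothing.
parse_fluidsynth_version() {
    printf '%s\n' "$1" | sed -n 's/.*[Vv]ersion \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Find the installed version: pkg-config first, then the CLI. Returns 1 if
# neither is available.
installed_fluidsynth_version() {
    if command -v pkg-config >/dev/null 2>&1 && pkg-config --exists fluidsynth 2>/dev/null; then
        pkg-config --modversion fluidsynth
        return 0
    fi
    if command -v fluidsynth >/dev/null 2>&1; then
        v=$(parse_fluidsynth_version "$(fluidsynth --version 2>&1)")
        [ -n "$v" ] && printf '%s\n' "$v" && return 0
    fi
    return 1
}

# Print a one-line verdict for VERSION labelled with SOURCE.
report() {
    if fluidsynth_affected "$1"; then
        printf '%s: FluidSynth %s is in the affected range (>= 2.5.0, < 2.5.2); update to 2.5.2 or later\n' "$2" "$1"
    else
        printf '%s: FluidSynth %s is outside the affected range\n' "$2" "$1"
    fi
}

# Constructed sample of --version output, used so the demo runs offline.
SAMPLE_VERSION_OUTPUT='FluidSynth runtime version 2.5.1
Distributed under the LGPL license.'

# Stand-alone demo: the constructed sample, then the real install if present.
report "$(parse_fluidsynth_version "$SAMPLE_VERSION_OUTPUT")" "constructed sample"
if v=$(installed_fluidsynth_version); then
    report "$v" "installed"
fi
```

`fluidsynth_affected` is deliberately range-based rather than a string match so that versions such as 2.5.10 are correctly classed as fixed, which a lexical comparison against "2.5.2" would get wrong.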