dr_libs Heap Buffer Overflow Vulnerability in WAV File Processing

Vulnerability

A heap buffer overflow vulnerability has been identified in dr_libs versions through 0.14.4, within the drwav__read_smpl_to_metadata_obj() function of dr_wav.h. It allows memory corruption via specially crafted WAV files. The issue arises from a mismatch between the two metadata parsing passes: sampleLoopCount is validated in the first pass, while the second pass processes 'smpl' chunks unconditionally. The flaw can be exploited to overflow heap allocations with 36 bytes of attacker-controlled data through any drwav_init_*_with_metadata() call that handles untrusted input.

Impact

Exploitation of this vulnerability leads to a heap-based buffer overflow, allowing for memory corruption.

Reproduction

The vulnerability can be reproduced by creating a WAV file with a malformed 'smpl' chunk. This can be done by constructing a file that includes a 'smpl' chunk whose sampleLoopCount field does not match the expected count based on the chunk's size. When this file is processed using the drwav_init_file_with_metadata function, the mismatch causes the parser to skip the chunk in the first pass but still process it in the second pass, leading to a heap buffer overflow. The issue can be confirmed using a compiler that supports AddressSanitizer, which will report the heap-buffer-overflow error when the crafted WAV file is processed.

Remediation

Users are advised to update to dr_libs version 0.14.5 or later, where this vulnerability has been fixed.
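A pre-parse consistency check for 'smpl' chunks, as an added example (not code from dr_libs or from this advisory) that flags the kind of file described under Reproduction before it reaches a drwav_init_*_with_metadata() call. It assumes the standard 'smpl' layout (36-byte header with the loop count at offset 28 and the sampler data size at offset 32, followed by 24-byte loop records) and applies a strict equality rule chosen here, which is not necessarily the check dr_wav performs; wav_smpl_consistent and check_constructed are hypothetical names.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SMPL_HEADER_BYTES 36u /* nine 32-bit fields precede the loop records */
#define SMPL_LOOP_BYTES   24u /* six 32-bit fields per loop record */

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns 1 if every 'smpl' chunk's declared counts match its chunk size,
   0 if one does not, -1 if the buffer is not a well-formed RIFF/WAVE chunk list. */
int wav_smpl_consistent(const uint8_t *d, size_t n) {
    size_t off = 12;
    if (n < 12 || memcmp(d, "RIFF", 4) != 0 || memcmp(d + 8, "WAVE", 4) != 0) return -1;
    while (off < n) {
        if (n - off < 8) return -1;               /* truncated chunk header */
        uint32_t size = rd_le32(d + off + 4);
        if (size > n - off - 8) return -1;        /* chunk body runs past the buffer */
        if (memcmp(d + off, "smpl", 4) == 0) {
            const uint8_t *body = d + off + 8;
            if (size < SMPL_HEADER_BYTES) return 0;
            uint64_t loops = rd_le32(body + 28);  /* sampleLoopCount */
            uint64_t extra = rd_le32(body + 32);  /* sampler-specific data size */
            if (SMPL_HEADER_BYTES + loops * SMPL_LOOP_BYTES + extra != size) return 0;
        }
        off += 8 + (size_t)size + (size & 1u);    /* RIFF chunks are word-aligned */
    }
    return 1;
}

/* Constructed fixture (not a real recording): RIFF/WAVE header plus a single
   36-byte 'smpl' chunk with no loop records, declaring `loops` loops. */
int check_constructed(uint32_t loops) {
    uint8_t b[56] = {0};
    memcpy(b, "RIFF", 4); b[4] = 48; memcpy(b + 8, "WAVE", 4);
    memcpy(b + 12, "smpl", 4); b[16] = 36;
    b[20 + 28] = (uint8_t)loops;
    return wav_smpl_consistent(b, sizeof b);
}

int main(void) {
    printf("declared 0 loops: %d\n", check_constructed(0));
    printf("declared 1 loop:  %d\n", check_constructed(1));
    return 0;
}
```

A gate like this complements the update to 0.14.5 or later and does not replace it.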

Added: Mar 3, 2026, 8:21 PM
Updated: Mar 3, 2026, 10:05 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.9
exploitability: 7.5
remediation: 0.0
relevance: 3.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.