In modules/codec/adpcm.c, VLC can be made to perform an out-of-bounds
write with user-controlled input.
The function DecodeAdpcmImaQT at adpcm.c:595 allocates a buffer which
is filled with bytes from the input stream. However, it does not check
that the number of channels in the input stream is less than or equal
to the size of the buffer, resulting in an out-of-bounds write. The
number of channels is clamped at <= 5.
adpcm_ima_wav_channel_t channel[2];
...
for( i_ch = 0; i_ch < p_dec->fmt_in.audio.i_channels; i_ch++ )
{
channel[i_ch].i_predictor = (int16_t)((( ( p_buffer[0] << 1 )|(
p_buffer[1] >> 7 ) ))<<7);
channel[i_ch].i_step_index = p_buffer[1]&0x7f;
...
The mangling of the input p_buffer above and in
AdpcmImaWavExpandNibble() makes this difficult to exploit, but there
is a potential for remote code execution via a malicious media file.
POC:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41025.mov
