DivFix++ denial of service vulnerability
========================================

Author: qflb.wu

Introduction:
=============
DivFix++ is a free AVI video fix & preview program.

Affected version:
=================
v0.34

Vulnerability Description:
==========================
The DivFixppCore::avi_header_fix function in src/DivFix++Core.cpp in DivFix++ v0.34 can be made to crash (invalid memory write, application crash, denial of service) via a crafted AVI file.

The faulting instruction is a 4-byte memcpy inside avi_header_fix. The disassembly below loads a pointer from offset 0x38 of the core object (-0x138(%rbp)) and adds 0x10 to it to form the destination; at the crash rdi is 0x10, so that pointer is NULL for the crafted input and the write lands at address 0x10. No NULL or bounds check precedes the write, and the input file controls whether the pointer gets populated, so an attacker only needs to supply a file that leaves it unset.

./DivFix++ -i DivFix++_v0.34_invalid_memory_write.avi -o out.avi

----debug info:----
Program received signal SIGSEGV, Segmentation fault.
__memcpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:167
167	../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S: No such file or directory.
(gdb) bt
#0  __memcpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:167
#1  0x00000000004239d8 in DivFixppCore::avi_header_fix() ()
#2  0x000000000042c0c0 in DivFixppCore::Fix(wxString, wxString, bool, bool, bool, bool) ()
#3  0x000000000041404a in DivFixppApp::OnCmdLineParsed(wxCmdLineParser&) ()
#4  0x0000000000414f6e in DivFixppApp::OnInit() ()
#5  0x0000000000416f4f in wxAppConsoleBase::CallOnInit() ()
#6  0x00007ffff6c6903c in wxEntry(int&, wchar_t**) () from /usr/lib/x86_64-linux-gnu/libwx_baseu-3.0.so.0
#7  0x0000000000411e70 in main ()
(gdb)
-------------------
(gdb) disassemble 0x00000000004239b0,0x00000000004239df
Dump of assembler code from 0x4239b0 to 0x4239df:
   0x00000000004239b0 <_ZN12DivFixppCore14avi_header_fixEv+3504>:	add    %al,(%rax)
   0x00000000004239b2 <_ZN12DivFixppCore14avi_header_fixEv+3506>:	mov    %eax,%edi
   0x00000000004239b4 <_ZN12DivFixppCore14avi_header_fixEv+3508>:	callq  0x434eaf <_Z17make_littleendianIiERT_S0_>
   0x00000000004239b9 <_ZN12DivFixppCore14avi_header_fixEv+3513>:	mov    -0x138(%rbp),%rdx
   0x00000000004239c0 <_ZN12DivFixppCore14avi_header_fixEv+3520>:	mov    0x38(%rdx),%rdx
   0x00000000004239c4 <_ZN12DivFixppCore14avi_header_fixEv+3524>:	lea    0x10(%rdx),%rcx
   0x00000000004239c8 <_ZN12DivFixppCore14avi_header_fixEv+3528>:	mov    $0x4,%edx
   0x00000000004239cd <_ZN12DivFixppCore14avi_header_fixEv+3533>:	mov    %rax,%rsi
   0x00000000004239d0 <_ZN12DivFixppCore14avi_header_fixEv+3536>:	mov    %rcx,%rdi
=> 0x00000000004239d3 <_ZN12DivFixppCore14avi_header_fixEv+3539>:	callq  0x40fcc0
   0x00000000004239d8 <_ZN12DivFixppCore14avi_header_fixEv+3544>:	mov    -0x138(%rbp),%rax
End of assembler dump.
(gdb) i r
rax            0x661528	6690088
rbx            0x0	0
rcx            0x10	16
rdx            0x4	4
rsi            0x661528	6690088
rdi            0x10	16
rbp            0x7fffffffcf10	0x7fffffffcf10
rsp            0x7fffffffcdd0	0x7fffffffcdd0
r8             0x804930	8407344
r9             0x7ffff7fc1a40	140737353882176
r10            0x640000006e	429496729710
r11            0x0	0
r12            0x1	1
r13            0x1	1
r14            0x0	0
r15            0x0	0
rip            0x4239d3	0x4239d3
eflags         0x246	[ PF ZF IF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
(gdb)

(rdi is the memcpy destination, rsi the 4-byte little-endian value just produced by make_littleendian, rdx the length 4.)

POC:
====
DivFix++_v0.34_invalid_memory_write.avi

CVE:
====
CVE-2017-11330

Proof of Concept:
=================
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42396.zip
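The bug class behind this crash, shown as an added illustrative example that is not DivFix++ source and is not taken from the advisory: a header fix-up routine writes a fixed-up field through a pointer obtained from parsing the input, and a crafted file leaves that pointer NULL. The advisory only shows that the destination is a pointer from the core object plus 0x10 and that it was NULL; the example assumes, for illustration, that the pointer is the payload of the 'avih' chunk and that the +0x10 field is dwTotalFrames (which is byte 16 of the real MainAVIHeader). The sample AVI buffers, the chunk walker and all function names (avi_find_chunk, fix_total_frames_unchecked, fix_total_frames_checked, build_sample) are constructed here. The unchecked variant reproduces the fault pattern from the trace (memcpy to address 0x10) when run on the crafted buffer; the checked variant refuses the write.

```c
/* Added example, not DivFix++ code. Assumed: the fix-up targets dwTotalFrames
 * (offset 0x10) inside the 'avih' chunk payload; sample buffers are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define AVIH_TOTALFRAMES_OFF 0x10u   /* dwTotalFrames offset inside 'avih' payload */

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32le(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Bounds-checked RIFF walk over [p, p+n): returns the payload of the first chunk
 * named id (descending into LIST chunks), or NULL if it is absent or truncated. */
static uint8_t *walk_chunks(uint8_t *p, size_t n, const char *id, uint32_t *len_out) {
    while (n >= 8) {
        uint32_t len = rd32le(p + 4);
        if (len > n - 8) return NULL;                     /* chunk claims more than is present */
        if (memcmp(p, id, 4) == 0) { *len_out = len; return p + 8; }
        if (memcmp(p, "LIST", 4) == 0 && len >= 4) {      /* LIST payload = 4-byte type + chunks */
            uint8_t *hit = walk_chunks(p + 12, len - 4, id, len_out);
            if (hit) return hit;
        }
        size_t adv = 8 + (size_t)len + (len & 1);         /* chunks are padded to even length */
        if (adv > n) return NULL;
        p += adv; n -= adv;
    }
    return NULL;
}

static uint8_t *avi_find_chunk(uint8_t *buf, size_t size, const char *id, uint32_t *len_out) {
    if (size < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "AVI ", 4) != 0) return NULL;
    return walk_chunks(buf + 12, size - 12, id, len_out);
}

/* Vulnerable pattern: trusts the lookup result. With no 'avih' chunk in the file the
 * destination is NULL + 0x10, and memcpy faults writing to address 0x10 (rdi = 0x10). */
static void fix_total_frames_unchecked(uint8_t *buf, size_t size, uint32_t frames) {
    uint32_t len;
    uint8_t *avih = avi_find_chunk(buf, size, "avih", &len);
    uint8_t le[4];
    wr32le(le, frames);
    memcpy(avih + AVIH_TOTALFRAMES_OFF, le, 4);           /* SIGSEGV when avih == NULL */
}

/* Hardened form: refuse to patch a header that is missing or too short. */
static int fix_total_frames_checked(uint8_t *buf, size_t size, uint32_t frames) {
    uint32_t len;
    uint8_t *avih = avi_find_chunk(buf, size, "avih", &len);
    if (avih == NULL || len < AVIH_TOTALFRAMES_OFF + 4) return -1;
    wr32le(avih + AVIH_TOTALFRAMES_OFF, frames);
    return 0;
}

/* Reads dwTotalFrames back, or 0xFFFFFFFF if the header cannot be located. */
static uint32_t read_total_frames(uint8_t *buf, size_t size) {
    uint32_t len;
    uint8_t *avih = avi_find_chunk(buf, size, "avih", &len);
    return (avih && len >= AVIH_TOTALFRAMES_OFF + 4) ? rd32le(avih + AVIH_TOTALFRAMES_OFF) : 0xFFFFFFFFu;
}

/* Constructed sample (88 bytes): RIFF/AVI with a 'hdrl' LIST that holds either a
 * 56-byte 'avih' chunk (well-formed) or a same-sized 'JUNK' chunk instead (crafted). */
static size_t build_sample(uint8_t *out, int with_avih) {
    size_t n = 0;
    memcpy(out + n, "RIFF\0\0\0\0AVI ", 12); n += 12;     /* RIFF size patched below */
    memcpy(out + n, "LIST\0\0\0\0hdrl", 12); n += 12;     /* LIST size patched below */
    memcpy(out + n, with_avih ? "avih" : "JUNK", 4); n += 4;
    wr32le(out + n, 56); n += 4;
    memset(out + n, 0, 56); n += 56;                       /* MainAVIHeader-sized payload */
    wr32le(out + 16, (uint32_t)(n - 20));                  /* LIST size = bytes after its size field */
    wr32le(out + 4, (uint32_t)(n - 8));                    /* RIFF size */
    return n;
}

int main(void) {
    uint8_t good[128], bad[128];
    size_t ng = build_sample(good, 1), nb = build_sample(bad, 0);
    int rc = fix_total_frames_checked(good, ng, 1234);
    printf("well-formed: checked fix -> %d, frames = %u\n", rc, read_total_frames(good, ng));
    rc = fix_total_frames_checked(bad, nb, 1234);
    printf("crafted:     checked fix -> %d (no 'avih', nothing written)\n", rc);
    fix_total_frames_unchecked(good, ng, 42);
    printf("well-formed: unchecked fix ok, frames = %u\n", read_total_frames(good, ng));
    /* fix_total_frames_unchecked(bad, nb, 42); crashes in memcpy with rdi = 0x10 */
    return 0;
}
```

The checked variant also rejects a chunk whose declared length runs past the end of the buffer (the `len > n - 8` test in the walker), which is the other way a crafted AVI typically drives a header fixer into an out-of-bounds write. When triaging a crash like the one above, comparing rdi against small constants such as 0x10 is the quickest way to distinguish a NULL-plus-offset write from a heap or stack overflow.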