Severity: Medium
Clementine Music Player v. <= 1.3.1, in the libgstreamer-1.0-0.dll (F1CC318CA54B8BC35179A48DAEBB94DF741D9E3B) module, is affected by a Read Access Violation on Block Data Move (potential Stack Overflow), affecting the MP3 file parsing functionality at memcpy+0x265.
The vulnerability is triggered when the user opens a crafted MP3 file or loads a remote stream URL that is mishandled by Clementine.
Attackers could exploit this issue to cause a crash (DoS) of the clementine.exe process or achieve arbitrary code execution in the context of the current logged-in Windows user.
eax=00000000 ebx=00000000 ecx=029be272 edx=00000000 esi=0edd2ffe edi=194cba44
eip=76888f55 esp=0edcfb38 ebp=0edcfb40 iopl=0 nv dn ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010616
msvcrt!memcpy+0x265:
76888f55 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]

FAILURE_BUCKET_ID: INVALID_POINTER_READ_c0000005_msvcrt.dll!memcpy

Basic Block:
    777c8f55 rep movs dword ptr es:[edi],dword ptr [esi]
       Tainted Input operands: 'ecx','esi'
    777c8f57 cld
    777c8f58 jmp dword ptr msvcrt!memcpy+0x310 (777c9000)[edx*4]

Exception Hash (Major/Minor): 0xb323a61f.0x1e633652

 Hash Usage : Stack Trace:
Major+Minor : msvcrt!memcpy+0x265
Major+Minor : libgstreamer_1_0_0!gst_buffer_fill+0x190
Major+Minor : libgsttag_1_0_0!gst_tag_mux_get_type+0x20df
Major+Minor : libgsttag_1_0_0!gst_tag_list_from_id3v2_tag+0x9ab
Major+Minor : libglib_2_0_0!g_rec_mutex_unlock+0x14
Minor       : libgstreamer_1_0_0!gst_buffer_unmap+0x56
Minor       : libgstreamer_1_0_0!gst_memory_resize+0x22
Minor       : libgstid3demux+0x17fc
Minor       : libgstreamer_1_0_0!gst_buffer_set_size+0x2f
Minor       : libgsttag_1_0_0!gst_tag_demux_get_type+0x1011
Minor       : libgstreamer_1_0_0!gst_element_get_type+0x114
Minor       : libgsttag_1_0_0!gst_tag_demux_get_type+0x1c49
Minor       : libglib_2_0_0!g_mutex_unlock+0x12
Minor       : libgstreamer_1_0_0!gst_tag_setter_get_tag_merge_mode+0x186
Minor       : KERNEL32!timeGetTime+0x37
Minor       : libglib_2_0_0!g_thread_pool_new+0x2f6
Instruction Address: 0x0000000076888f55

Description: Read Access Violation on Block Data Move
Short Description: ReadAVonBlockMove
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Read Access Violation on Block Data Move starting at msvcrt!memcpy+0x0000000000000265 (Hash=0xb323a61f.0x1e633652)
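For triage, the report above can be parsed to find the first frame outside the C runtime and to build an offset-free key for de-duplicating crashes. This is an added example, not part of the original advisory: the function names, the runtime-module list and the 0x1000 "nearest export" threshold are assumptions, and the embedded lines are copied from the report with the stack trimmed to seven frames.

```python
import re

# Lines taken from the crash report in this advisory (stack trimmed to seven frames).
REPORT = """\
Tainted Input operands: 'ecx','esi'
Exception Hash (Major/Minor): 0xb323a61f.0x1e633652
Major+Minor : msvcrt!memcpy+0x265
Major+Minor : libgstreamer_1_0_0!gst_buffer_fill+0x190
Major+Minor : libgsttag_1_0_0!gst_tag_mux_get_type+0x20df
Major+Minor : libgsttag_1_0_0!gst_tag_list_from_id3v2_tag+0x9ab
Major+Minor : libglib_2_0_0!g_rec_mutex_unlock+0x14
Minor : libgstreamer_1_0_0!gst_buffer_unmap+0x56
Minor : libgstid3demux+0x17fc
Exploitability Classification: PROBABLY_EXPLOITABLE
"""

FRAME = re.compile(r"^(Major\+Minor|Minor)\s*:\s*([^!+\s]+)(?:!([^+\s]+))?(?:\+0x([0-9a-fA-F]+))?$")
# Assumption: modules treated as shared runtime, never blamed for the bug.
RUNTIME = {"msvcrt", "ntdll", "kernel32", "kernelbase"}
# Assumption: an offset this large means the name is only the nearest export.
FAR_OFFSET = 0x1000

def parse_report(text):
    """Return (frames, fields) from !exploitable-style text."""
    frames, fields = [], {}
    for line in map(str.strip, text.splitlines()):
        m = FRAME.match(line)
        if m:
            kind, module, symbol, off = m.groups()
            offset = int(off, 16) if off else 0
            frames.append({"major": kind == "Major+Minor", "module": module,
                           "symbol": symbol, "offset": offset,
                           "approximate": symbol is None or offset >= FAR_OFFSET})
        elif line.startswith("Tainted Input operands:"):
            fields["tainted"] = re.findall(r"'(\w+)'", line)
        elif line.startswith("Exception Hash"):
            fields["hash"] = line.rsplit(":", 1)[1].strip()
        elif line.startswith("Exploitability Classification:"):
            fields["classification"] = line.split(":", 1)[1].strip()
    return frames, fields

def blame_frame(frames):
    """First frame outside the shared runtime: where triage should start."""
    return next((f for f in frames if f["module"].lower() not in RUNTIME), None)

def bucket_key(frames, depth=3):
    """Offset-free key from the first `depth` non-runtime frames."""
    named = [f for f in frames if f["module"].lower() not in RUNTIME][:depth]
    return "|".join(f["module"] + "!" + (f["symbol"] or "?") for f in named)
```

Frames flagged `approximate` (no symbol, or a large offset from the named export) should be resolved against real debug symbols before the name is trusted.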