Nullsoft Winamp CAF Buffer Overflow

March 6, 2009

Nullsoft Winamp is a widely used multimedia player application that is capable of playing numerous media file formats. In addition to playing CD tracks, MPEG, and the popular MP3 format, Winamp also plays Apple's Core Audio Format (CAF) files.

The CAF file is meant to store and manipulate digital audio data. The format of this specification consists of a simple header followed by data chunks. The first chunk of a CAF file is called the Audio Description chunk, and is required to immediately follow the header. This chunk describes the format of the data.
A breakdown of the Audio Description chunk is shown below:

 offset  size     description
 ------- -------- ------------------------------------------------
 0x0000  4        chunk type ('desc')
 0x0004  8        chunk size (sizeof(data))
 0x000c  var      data

The structure of the data field can be broken down as follows:

 offset  size     description
 ------- -------- ------------------------------------------------
 0x0000  8        sample rate
 0x0008  4        format ID
 0x000c  4        format flags
 0x0010  4        bytes per packet
 0x0014  4        frames per packet
 0x0018  4        channels per frame
 0x001c  4        bits per channel

An integer overflow vulnerability exists in Winamp's processing of CAF files. Specifically, the flaw is due to a lack of validation of a field value in the Audio Description chunk. Under specific circumstances, the code uses a value taken directly from that chunk in the calculation of a heap buffer size. The affected value can be manipulated to cause an integer overflow, which results in the allocation of a buffer of insufficient size.
Remote attackers may exploit this vulnerability by enticing the target user to open a malicious CAF file with a vulnerable version of Winamp. Successful exploitation may cause a heap buffer overflow that results in diversion of the process control flow.
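As an added illustration (not code from the advisory or from Winamp), the following Python parser decodes the CAF header and the 'desc' chunk laid out above and flags field values that cannot safely feed 32-bit buffer-size arithmetic. The file header fields and big-endian byte order come from Apple's CAF specification; the particular products it checks are an assumption, since the advisory does not name the field or the expression Winamp computes.

```python
import struct

# Layouts follow the advisory's tables; CAF stores everything big-endian.
# Header details (magic 'caff', version 1, flags) come from the CAF spec.
CAF_HEADER = struct.Struct(">4sHH")
CHUNK_HEADER = struct.Struct(">4sq")
DESC_DATA = struct.Struct(">dIIIIII")
DESC_FIELDS = ("sample_rate", "format_id", "format_flags", "bytes_per_packet",
               "frames_per_packet", "channels_per_frame", "bits_per_channel")
UINT32_MAX = 0xFFFFFFFF

def build_caf(**desc):
    """Constructed sample file: header plus one 'desc' chunk, no audio data."""
    data = DESC_DATA.pack(*(desc[name] for name in DESC_FIELDS))
    return (CAF_HEADER.pack(b"caff", 1, 0)
            + CHUNK_HEADER.pack(b"desc", len(data)) + data)

def parse_desc(blob):
    """Parse the CAF header and the mandatory first 'desc' chunk into a dict."""
    magic, version, _flags = CAF_HEADER.unpack_from(blob, 0)
    if magic != b"caff" or version != 1:
        raise ValueError("not a CAF version 1 file")
    ctype, csize = CHUNK_HEADER.unpack_from(blob, CAF_HEADER.size)
    if ctype != b"desc" or csize != DESC_DATA.size:
        raise ValueError("first chunk is not a well-formed 'desc' chunk")
    off = CAF_HEADER.size + CHUNK_HEADER.size
    return dict(zip(DESC_FIELDS, DESC_DATA.unpack_from(blob, off)))

def check_desc(d):
    """Return reasons the 'desc' fields are unsafe for 32-bit buffer-size math.
    The products checked are typical decoder sizing terms (an assumption: the
    advisory does not state which expression Winamp evaluates)."""
    problems = []
    if d["channels_per_frame"] == 0 or d["bits_per_channel"] == 0:
        problems.append("zero channels or bits per channel")
    if d["bits_per_channel"] % 8 or d["bits_per_channel"] > 64:
        problems.append("implausible bits per channel")
    # Python ints never wrap, so the exact product is compared to the 32-bit limit
    frame_bytes = d["channels_per_frame"] * (d["bits_per_channel"] // 8)
    if frame_bytes > UINT32_MAX:
        problems.append("channels * bytes per sample overflows 32 bits")
    if d["frames_per_packet"] * frame_bytes > UINT32_MAX:
        problems.append("frames * frame bytes overflows 32 bits")
    if d["bytes_per_packet"] and d["bytes_per_packet"] < frame_bytes:
        problems.append("bytes per packet smaller than one frame")
    return problems
```

Feeding `check_desc(parse_desc(blob))` a file built with sane values (2 channels, 16 bits, 4 bytes per packet) returns an empty list, while oversized channel or bit counts are reported before any buffer is sized from them.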

SonicWALL has released an IPS signature to detect and block specific exploits targeting this vulnerability. The following signature addresses this issue:

  • 5417 - Nullsoft Winamp CAF File Processing Integer Overflow PoC