[VulnWatch] Windows Multimedia mmioRead Denial of Service Vulnerability



It is possible to create specialy malformed audio file that will cause DoS
in application,
that uses winmm.dll library to access media files. According to MSDN:


The mmioRead function reads a specified number of bytes from a file opened
by using the mmioOpen function. LONG mmioRead(
HMMIO hmmio,
HPSTR pch,
LONG cch
);


Parameters

hmmio

File handle of the file to be read.

pch

Pointer to a buffer to contain the data read from the file.

cch

Number of bytes to read from the file.

Return Values

Returns the number of bytes actually read. If the end of the file has been
reached and no more bytes can be read, the return value is 0. If there is an
error reading from the file, the return value is - 1.

As we can see when we pass to big in cch parameter the function should
return -1. This is not what happens. When pussing very large value for
instance 0xFFFFFFFF the function mmioRead enters endless loop. A Proof of
Concept WAVE file has been created and it's available at:
http://sectroyer.110mb.com/mmio_die.wav. When this file is opened by
application SndRec32 it will cause 100% CPU consumption.
Michael Majchrowicz.