CVE-2023-26923: [MU4 Issue] Stack buffer overflow vulnerability while parse MIDI file · Issue #16346 · musescore/MuseScore
MuseScore 3.0 to 4.0.1 has a stack buffer overflow vulnerability that occurs when reading a malformed MIDI file. If the attacker has additional information, they can execute arbitrary code.
Describe the bug
It only affects the Windows version.
In `src/importexport/midi/internal/midishared/midifile.cpp`:

```cpp
void MidiFile::skip(qint64 len)
{
    // Note: if MS is updated to use Qt 5.10, this can be implemented with QIODevice::skip(), which should be more efficient
    // as bytes do not need to be moved around.
    if (len <= 0) {
        return;
    }
#if (!defined (_MSCVER) && !defined (_MSC_VER))
    char tmp[len];
    read(tmp, len);
#else
    const int tmp_size = 256;   // Size of fixed-length temporary buffer. MSVC does not support VLA.
    char tmp[tmp_size];
    while (len > tmp_size) {
        read(tmp, len);         // vulnerability
        len -= tmp_size;
    }
    // Now len is <= tmp_size, last read fits in the buffer.
    read(tmp, tmp_size);
#endif
}
```
Inside the loop, `read()` is asked for `len` bytes, not `tmp_size`. Whenever `len` is larger than 256, the read writes past the end of `tmp` and overwrites the stack.
This buffer overflow also overwrites the stack cookie. If an attacker knows the stack cookie value, it can lead to code execution. Check PoC.midi in PoC.zip.
This vulnerability affects versions 3.0 to 4.0.1 (latest).
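The following is an added illustration, not MuseScore's code: it models the MSVC branch of `skip()` shown above against a constructed in-memory stream whose `read()` is told the destination's capacity and refuses any request that would exceed it. The names `CheckedStream`, `skip_vulnerable`, `skip_fixed`, `skip_is_safe` and `skip_consumed` are hypothetical. The vulnerable variant keeps the loop from the report (each iteration requests `len` bytes into a 256-byte buffer); the hardened variant reads at most 256 bytes per iteration and only the remainder at the end, so the skip consumes exactly `len` bytes and never writes past the buffer.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed stand-in for the QIODevice-backed reader that MidiFile::read()
// wraps. Unlike a raw read into a stack array, every call is given the
// destination capacity and rejects a request larger than it. (Hypothetical.)
class CheckedStream {
public:
    explicit CheckedStream(size_t size) : data_(size, 0x2A), pos_(0) {}

    // Copies up to n bytes into dst. Returns false (and records the event)
    // if n exceeds dst_cap, i.e. the call would have written past dst.
    bool read(char* dst, size_t n, size_t dst_cap) {
        if (n > dst_cap) {
            overflow_ = true;
            return false;
        }
        size_t avail = data_.size() - pos_;
        size_t take = std::min(n, avail);
        std::copy_n(data_.begin() + static_cast<std::ptrdiff_t>(pos_), take, dst);
        pos_ += take;
        return true;
    }

    size_t consumed() const { return pos_; }
    bool overflowed() const { return overflow_; }

private:
    std::vector<char> data_;
    size_t pos_;
    bool overflow_ = false;
};

constexpr size_t kTmpSize = 256;  // same fixed buffer size as the MSVC branch

// Mirrors the loop from the report: each iteration requests `len` bytes
// although tmp holds only kTmpSize, and the final read requests kTmpSize.
void skip_vulnerable(CheckedStream& in, int64_t len) {
    if (len <= 0) return;
    char tmp[kTmpSize];
    while (len > static_cast<int64_t>(kTmpSize)) {
        in.read(tmp, static_cast<size_t>(len), sizeof tmp);  // over-long request
        len -= static_cast<int64_t>(kTmpSize);
    }
    in.read(tmp, kTmpSize, sizeof tmp);
}

// Hardened form: never request more than the buffer holds, and read only the
// remainder on the last iteration so exactly `len` bytes are skipped.
void skip_fixed(CheckedStream& in, int64_t len) {
    if (len <= 0) return;
    char tmp[kTmpSize];
    while (len > 0) {
        size_t chunk = static_cast<size_t>(std::min<int64_t>(len, static_cast<int64_t>(kTmpSize)));
        in.read(tmp, chunk, sizeof tmp);
        len -= static_cast<int64_t>(chunk);
    }
}

// Runs one variant against a fresh 4096-byte constructed stream.
static CheckedStream run_skip(bool fixed, int64_t len) {
    CheckedStream in(4096);
    if (fixed) skip_fixed(in, len); else skip_vulnerable(in, len);
    return in;
}

// True only if no read exceeded the temporary buffer's capacity.
bool skip_is_safe(bool fixed, int64_t len) { return !run_skip(fixed, len).overflowed(); }

// Number of bytes the variant actually consumed from the stream.
size_t skip_consumed(bool fixed, int64_t len) { return run_skip(fixed, len).consumed(); }

int main() {
    for (int64_t len : {100, 1000}) {
        std::printf("len=%lld vulnerable: safe=%d consumed=%zu | fixed: safe=%d consumed=%zu\n",
                    static_cast<long long>(len),
                    skip_is_safe(false, len), skip_consumed(false, len),
                    skip_is_safe(true, len), skip_consumed(true, len));
    }
    return 0;
}
```

With a 1000-byte skip, the vulnerable loop issues three requests (1000, 744 and 488 bytes) that each exceed the 256-byte buffer; the hardened loop issues 256, 256, 256 and 232. The model also surfaces a second quirk of the snippet shown above: for a skip of 100 bytes the vulnerable variant's final `read(tmp, tmp_size)` consumes 256 bytes rather than 100, which is not an overflow but does desynchronise the parser from the file.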
PoC.zip
If you have any problems, contact me via [email protected]