COMMAND

Blade encoder overflow in wave file parsing

SYSTEMS AFFECTED

Blade encoder 0.94.2 and previous versions

PROBLEM

Thanks to Auriemma Luigi [aluigi@pivx.com], Security Researcher, PivX Solutions, LLC:
http://www.pivx.com/luigi/

--snip--

The bug is caused by the use of a signed integer value for seeking in the wave file after the program has read the size of the "fmt " wave chunk. Precisely, the problem is located in the use of the integer variable "offset" in the myFseek function at the end of the samplein.c file.

===========
3) The Code
===========

I have written a very simple wave file that shows a message in the console when the program is launched (bladeenc blade586-942.wav).

The exploit has been coded to run ONLY on the precompiled version of the program for Windows on i586:
http://www2.arnes.si/~mmilut/BEnc-0942-Win-i586.zip

The proof-of-concept has been written for Windows98 ONLY.
http://www.pivx.com/luigi/poc/blade586-942.wav

SOLUTION

Patch
=====

As I have said in the Introduction, this good program is no longer supported; however, the patch is very, very simple and is easy to apply to all versions of Bladeenc, simply because the function to patch is the last one in the samplein.c file.

bladeenc/samplein.c
-------------------

...
    char dummy[256];
    //PATCH
    offset = abs(offset);
    //PATCH

    while (offset >= 256)
...
-------------------
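As an added example (not code from the advisory or from BladeEnc), the following C program shows the defender's view of the same "fmt " chunk handling: it reads the chunk size as the unsigned 32-bit field it is, flags sizes that would have gone negative once copied into a signed int, and skips the chunk with a bounded loop in place of the original seek-by-reading function. The function names and the MAX_FMT_CHUNK bound are assumptions.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <limits.h>

/* Little-endian 32-bit field as stored in a RIFF/WAVE chunk header. */
static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse a 12-byte RIFF/WAVE header followed by the "fmt " chunk header and
 * return the raw chunk size. 0 on success, -1 if the layout does not match. */
int read_fmt_size(const unsigned char *buf, size_t len, uint32_t *fmt_size)
{
    if (len < 20 || memcmp(buf, "RIFF", 4) || memcmp(buf + 8, "WAVE", 4) ||
        memcmp(buf + 12, "fmt ", 4))
        return -1;
    *fmt_size = le32(buf + 16);
    return 0;
}

/* The original code copied this size into a signed int: any value above
 * INT_MAX turns negative there, the 256-byte skip loop is bypassed, and the
 * final read gets a length that size_t reinterprets as enormous. */
int fmt_size_is_unsafe(uint32_t fmt_size)
{
    return fmt_size > (uint32_t)INT_MAX;
}

/* Hardened replacement for the seek-by-reading loop: unsigned length, an
 * upper bound (assumed here; choose one that fits real fmt chunks), and no
 * single read ever larger than the scratch buffer. */
#define MAX_FMT_CHUNK 4096u
int skip_chunk_safely(FILE *fp, uint32_t chunk_size)
{
    unsigned char dummy[256];
    if (chunk_size > MAX_FMT_CHUNK)
        return -1;                          /* absurd or sign-bit size */
    while (chunk_size > 0) {
        size_t want = chunk_size < sizeof dummy ? chunk_size : sizeof dummy;
        if (fread(dummy, 1, want, fp) != want)
            return -1;                      /* truncated input */
        chunk_size -= (uint32_t)want;
    }
    return 0;
}
```

Unlike the one-line abs() patch, which keeps a huge size as a huge (now positive) skip and is undefined for INT_MIN, this version rejects such sizes outright and also reports a file that ends inside the chunk.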