Windows: wdmaud.drv/Microsoft GS Wavetable Synth Memory Corruption/OOB Read

Reported by forshaw@google.com, Jun 18 2015
Platform: Tested on Windows 8.1 Update and Windows 10 Build 10130
Class: Memory Corruption

Summary:
A crafted MIDI file can cause the Microsoft GS Wavetable Synth to crash with at least an OOB buffer read and sometimes heap corruption. This is exposed via Windows Media Player (ActiveX control or desktop), which might result in RCE.

Description:
When playing back a crafted MIDI file in a player which uses the Microsoft GS Wavetable Synth (the default on modern versions of Windows), the sample position gets calculated incorrectly when performing channel mixing. In the easiest case to demonstrate, this causes an OOB read to occur within the wdmaud.drv DLL loaded into the process. This happens in CDigitalAudio::Mix16X for 32 bit or CDigitalAudio::Mix16 for 64 bit, but they are essentially the same function. For example this crash shows the OOB read:

0:014> r
rax=0000002c82cf7c50 rbx=000000000000002a rcx=00000000fffffffc
rdx=00000000ffffffe3 rsi=00000000fffd1d5d rdi=00000000fffd5d4b
rip=00007ffb707cb9b7 rsp=0000002c8295f6a0 rbp=00000000fd5d4b4e
 r8=0000000000000012  r9=0000002c82bb55ac r10=0000000000000004
r11=0000000000000011 r12=0000000000000002 r13=0000000000000412
r14=0000000000001176 r15=0000000000002a6a
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010204
wdmaud!CDigitalAudio::Mix16+0xd7:
00007ffb`707cb9b7 410fbf1449      movsx   edx,word ptr [r9+rcx*2] ds:0000002e`82bb55a4=????

0:014> k
Child-SP          RetAddr           Call Site
0000002c`8295f6a0 00007ffb`707c69b4 wdmaud!CDigitalAudio::Mix16+0xd7
0000002c`8295f700 00007ffb`707c704f wdmaud!CDigitalAudio::Mix+0x484
0000002c`8295f850 00007ffb`707beac1 wdmaud!CVoice::Mix+0x45f
0000002c`8295fb80 00007ffb`707bd9e7 wdmaud!CSynth::Mix+0x141
0000002c`8295fbe0 00007ffb`707be09c wdmaud!CUserModeSynth::Render+0xc7
0000002c`8295fc60 00007ffb`707be15c wdmaud!CDSLink::SynthProc+0x99
0000002c`8295fcc0 00007ffb`89270b13 wdmaud!CDSLink::SynthThread+0x1d
0000002c`8295fcf0 00007ffb`89270bcd msvcrt!_callthreadstartex+0x2b
0000002c`8295fd20 00007ffb`898413d2 msvcrt!_threadstartex+0x7c
0000002c`8295fd50 00007ffb`8a285444 KERNEL32!BaseThreadInitThunk+0x22
0000002c`8295fd80 00000000`00000000 ntdll!RtlUserThreadStart+0x34

Heap corruption has been observed on rare occasions, but it's unclear what is causing the underlying problem and whether it's controllable, so it is provided as is.

Proof of Concept:
Provided is a PoC MIDI file which should be loaded into Windows Media Player.

1) Copy the PoC to a location on a local hard disk; ensure there's a sound card, otherwise it might not work.
2) Open the file in Windows Media Player; the x64 version seems to be the most reliable for a crash.
3) If no crash is observed, set the file on repeat; it might take a few tries depending on heap layout.

Expected Result:
The MIDI file should play to completion.

Observed Result:
Media Player crashes.

Note if this issue is to be fixed please credit James Ingram.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
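Added example, not from the report or from wdmaud.drv: the address arithmetic of the faulting instruction, using the r9 and rcx values from the register dump above, beside a hypothetical 16-bit mixer in its unchecked and bounds-checked forms. The mixer's layout (a signed 32-bit sample position indexing a 16-bit sample buffer) is an assumption; only the register values come from the page.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Faulting instruction from the dump: movsx edx, word ptr [r9+rcx*2] with
 * r9 = 0000002c`82bb55ac, rcx = 00000000`fffffffc: a 32-bit index that went
 * negative (-4) and was zero-extended, so the read lands ~8 GiB past the buffer. */
uint64_t faulting_address(uint64_t sample_base, uint32_t index32)
{
    return sample_base + (uint64_t)index32 * sizeof(int16_t);
}

/* Hypothetical 16-bit mixer (an assumption, not wdmaud's code): the voice's
 * sample position is a signed 32-bit index into the source buffer.  Unchecked
 * form: the (uint32_t) cast turns a negative position into a huge index. */
void mix16_unchecked(int32_t *dst, size_t count, const int16_t *src, int32_t pos)
{
    for (size_t i = 0; i < count; i++)
        dst[i] += src[(uint32_t)pos + i];     /* OOB read when pos is bad */
}

/* Hardened form: check the whole [pos, pos + count) range against the source
 * length once, before the loop.  Returns samples mixed, 0 if rejected. */
size_t mix16_checked(int32_t *dst, size_t count,
                     const int16_t *src, size_t src_len, int32_t pos)
{
    if (pos < 0 || (size_t)pos > src_len || count > src_len - (size_t)pos)
        return 0;
    for (size_t i = 0; i < count; i++)
        dst[i] += src[(size_t)pos + i];
    return count;
}

/* Self-check on a constructed 4-sample buffer: underflowed and overrunning
 * ranges must be rejected, the in-range one mixed. */
bool mixer_selftest(void)
{
    static const int16_t src[4] = { 10, 20, 30, 40 };   /* constructed samples */
    int32_t dst[2] = { 0, 0 };
    if (mix16_checked(dst, 2, src, 4, -4) != 0) return false;   /* pos < 0 */
    if (mix16_checked(dst, 2, src, 4, 3) != 0) return false;    /* past end */
    if (mix16_checked(dst, 2, src, 4, 2) != 2) return false;    /* in range */
    return dst[0] == 30 && dst[1] == 40;
}
int main(void)
{
    printf("faulting address %#llx\n", (unsigned long long)faulting_address(0x0000002c82bb55acULL, 0xfffffffcU));
    return mixer_selftest() ? 0 : 1;
}
```

The computed address matches the ds: operand in the dump, which is how the zero-extended negative index can be read off the crash without the source.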
Comment 1 by forshaw@google.com, Jun 18 2015

Jun 18 2015: Assigned MSRC case 30466

Jul 18 2015

Sep 3 2015

Sep 16 2015: No response has been received from MSRC since providing the initial report and PoC and receiving the MSRC case number. The attack vector through Chrome's Web Midi APIs has been mitigated against, but it isn't clear whether the bug was exploitable anyway.

Sep 17 2015: Microsoft have responded indicating they believe this is only a DoS, so it might be fixed in a future stability release. We agree with that assessment. Removing view restriction.