CVE-2018-16797
Description
A heap-based buffer overflow in PotPlayer 1.7.8556 allows remote code execution via a crafted .wav file with large BytesPerSec and SamplesPerSec values and a small Data_Chunk_Size.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A heap-based buffer overflow vulnerability exists in PotPlayerMini.exe in PotPlayer version 1.7.8556 (32-bit). The flaw is triggered when parsing a specially crafted .wav file. When BytesPerSec and SamplesPerSec are set to large values, PotPlayer allocates oversized source and destination heap buffers. A small Data_Chunk_Size value then causes a heap overflow during audio processing in PotPlayer.dll. The affected version is 1.7.8556, as tested on Windows 7 (Pro and Home K) [1].
Exploitation
An attacker must convince a user to open a malicious .wav file in PotPlayer; no other privileges or network position are required. The exploit involves crafting the .wav header with a large BytesPerSec (e.g. 0x11111111) and SamplesPerSec, and a small Data_Chunk_Size. The destination heap buffer size is computed from SamplesPerSec (imul SamplesPerSec, 0x08), while the source heap buffer is sized by BytesPerSec. The overflow overwrites adjacent heap memory, including the function table of ffcodec in PotPlayer.dll. On Windows 7, because the low fragmentation heap (LFH) chunk depth is 0x10 for the requested size, a preceding LFH chunk of the same size can be placed so that the overflow hits the function table, leading to control of EIP via a call eax instruction when EDI holds the destination heap start address [1].
Impact
Successful exploitation allows remote code execution (RCE) in the context of the PotPlayer process. The attacker gains full control over the affected system, including arbitrary code execution, data exfiltration, and further compromise. The CVSS v3 score is 7.8 (HIGH) [1].
Mitigation
As of the publication date (2018-09-10), no official patch or fixed version has been released for PotPlayer 1.7.8556. Users should avoid opening untrusted .wav files with the affected version. No workaround is documented. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog. Users are advised to monitor for updates from the vendor [1].
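A pre-open triage check for the header pattern described above, as an added example that is not from the referenced write-up or the vendor: it walks the RIFF chunks and flags an implausible SamplesPerSec, a PCM BytesPerSec that disagrees with SamplesPerSec * BlockAlign, and a data chunk smaller than one sample frame or larger than the file. The MAX_RATE threshold, the function names and the in-memory sample builder are assumptions of this example.

```python
import struct

MAX_RATE = 384_000  # assumed ceiling for real-world sample rates; tune for your media

def parse_wav(data):
    """Return the fmt fields and declared data size from a RIFF/WAVE byte string."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    hdr, pos = {}, 12
    while pos + 8 <= len(data):
        cid, size = struct.unpack_from("<4sI", data, pos)
        body = pos + 8
        if cid == b"fmt " and size >= 16 and body + 16 <= len(data):
            keys = ("format", "channels", "samples_per_sec",
                    "bytes_per_sec", "block_align", "bits")
            hdr.update(zip(keys, struct.unpack_from("<HHIIHH", data, body)))
        elif cid == b"data":
            hdr["data_size"] = size
            hdr["data_present"] = len(data) - body
            break
        pos = body + size + (size & 1)  # chunks are padded to an even length
    return hdr

def triage(data):
    """List the reasons a WAV header looks inconsistent; empty list means none found."""
    try:
        h = parse_wav(data)
    except ValueError as exc:
        return [str(exc)]
    if "format" not in h or "data_size" not in h:
        return ["fmt or data chunk missing"]
    out = []
    if h["samples_per_sec"] > MAX_RATE:
        out.append("implausible SamplesPerSec 0x%08x" % h["samples_per_sec"])
    # For PCM (format tag 1) the byte rate is fully determined by rate and frame size.
    if h["format"] == 1 and h["bytes_per_sec"] != h["samples_per_sec"] * h["block_align"]:
        out.append("BytesPerSec does not equal SamplesPerSec * BlockAlign")
    if h["data_size"] < h["block_align"] or h["data_size"] > h["data_present"]:
        out.append("data chunk size %d inconsistent with frame size or file length"
                   % h["data_size"])
    return out

def build_wav(rate, byte_rate, payload, channels=2, bits=16):
    """Construct a sample PCM WAV in memory (constructed input, not taken from the page)."""
    align = channels * bits // 8
    fmt = struct.pack("<HHIIHH", 1, channels, rate, byte_rate, align, bits)
    body = b"WAVE" + b"fmt " + struct.pack("<I", 16) + fmt
    body += b"data" + struct.pack("<I", len(payload)) + payload
    return b"RIFF" + struct.pack("<I", len(body)) + body
```

An empty result from `triage` only means these three heuristics did not fire; it is a filter for mail or download gateways, not a substitute for a fixed player version.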
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
[1] nightohl.tistory.com/entry/PotPlayer-Audiowav-File-Vulnerabilitiy (mitre, x_refsource_MISC)