
Malformed .WAV triggers an Access Violation on GoldSRC (hl.exe)

Medium
Valve

Team Summary

Official summary from Valve

A malformed .WAV triggers an Access Violation on GoldSRC engine games (Half-Life) upon invocation, which could lead to remote code execution on a client.

Crash Information
------------------

Event Type: Exception
Exception Faulting Address: 0x2469a000
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:
0950bd62 mov dl,byte ptr [eax+ecx]

Basic Block:
0950bd62 mov dl,byte ptr [eax+ecx]
    Tainted Input Operands: eax, ecx
0950bd65 add dl,80h
    Tainted Input Operands: dl
0950bd68 mov byte ptr [esi+eax+14h],dl
    Tainted Input Operands: dl, eax
0950bd6c inc eax
    Tainted Input Operands: eax
0950bd6d cmp eax,edi
    Tainted Input Operands: eax
0950bd6f jl hw!createinterface+0x2eb22 (0950bd62)
    Tainted Input Operands: SignFlag, OverflowFlag

Stack Trace:
hw!CreateInterface+0x2eb22
hw!CreateInterface+0x2ef27
hw!CreateInterface+0x31d2c
hw!CreateInterface+0x2db58
hw!CreateInterface+0x2e97b
hw+0x27df6
hw+0x26f94
hw+0x56308
hw+0x564b3
hw!F+0x164e
hw!F+0xa70
hw!F+0xbea
hl!CreateInterface+0x66b
hl!CreateInterface+0x3fc2
KERNEL32!BaseThreadInitThunk+0x24
ntdll_77960000!__RtlUserThreadStart+0x2f
ntdll_77960000!_RtlUserThreadStart+0x1b

Instruction Address: 0x000000000950bd62

Steps for Reproducing the Crash
--------------------------------

1. Place the attached .WAV in the game's audio folder (Steam\steamapps\common\Half-Life\valve\sound\misc).
2. Load the attached .WAV by invoking "spk misc/x.wav" from the console.
3. The game will crash with an access violation while parsing the .WAV.

Impact
-------

An attacker hosting a malicious server could compromise a remote client by having them download a custom map, triggering remote code execution on the victim's computer.

Reported by chippy
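
The faulting loop above reads a file-controlled number of bytes and writes each one, plus 0x80, into a buffer. As an added example (not GoldSRC or Valve code), the following bounds-checked RIFF chunk walk shows how a client-side loader can reject such a file before the conversion loop runs; the two sample files are constructed, and treating add 0x80 as the 8-bit PCM sign conversion is an assumption.

```c
/* Added example, not GoldSrc/Valve code: walk the RIFF chunks of an in-memory
 * .WAV and reject any chunk whose declared size overruns the bytes actually
 * loaded, before the 8-bit conversion loop runs (add 0x80 is assumed to be that). */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }

/* Locate the "data" chunk. Returns its payload length and sets *off to the
 * payload start, or -1 if the header or any chunk does not fit inside len. */
long wav_find_data(const uint8_t *buf, size_t len, size_t *off) {
    if (len < 12 || memcmp(buf, "RIFF", 4) || memcmp(buf + 8, "WAVE", 4)) return -1;
    size_t pos = 12;
    while (pos + 8 <= len) {
        uint32_t sz = rd32(buf + pos + 4);
        if (sz > len - (pos + 8)) return -1;        /* declared size exceeds the file */
        if (!memcmp(buf + pos, "data", 4)) { *off = pos + 8; return (long)sz; }
        pos += 8 + sz + (sz & 1);                   /* RIFF chunks are word-aligned */
    }
    return -1;
}

/* Convert unsigned 8-bit PCM to signed over a validated length only.
 * Returns the number of samples written, or -1 if the file is malformed. */
int wav_convert_u8(const uint8_t *buf, size_t len, uint8_t *out, size_t outcap) {
    size_t off;
    long n = wav_find_data(buf, len, &off);
    if (n < 0 || (size_t)n > outcap) return -1;
    for (long i = 0; i < n; i++) out[i] = (uint8_t)(buf[off + i] + 0x80); /* as add dl,80h */
    return (int)n;
}
/* Constructed inputs: a minimal valid 8-bit mono file, and the same file whose
 * data chunk claims 0x7fffffff bytes although only 4 follow. */
const uint8_t GOOD_WAV[] = {
    'R','I','F','F', 40,0,0,0, 'W','A','V','E',
    'f','m','t',' ', 16,0,0,0, 1,0, 1,0, 0x44,0xAC,0,0, 0x44,0xAC,0,0, 1,0, 8,0,
    'd','a','t','a', 4,0,0,0, 0x00,0x7f,0x80,0xff };
const uint8_t BAD_WAV[] = {
    'R','I','F','F', 40,0,0,0, 'W','A','V','E',
    'f','m','t',' ', 16,0,0,0, 1,0, 1,0, 0x44,0xAC,0,0, 0x44,0xAC,0,0, 1,0, 8,0,
    'd','a','t','a', 0xff,0xff,0xff,0x7f, 0x00,0x7f,0x80,0xff };

int main(void) {                                    /* stand-alone demo */
    uint8_t out[16];
    printf("good: %d  bad: %d\n", wav_convert_u8(GOOD_WAV, sizeof GOOD_WAV, out, sizeof out),
           wav_convert_u8(BAD_WAV, sizeof BAD_WAV, out, sizeof out));
    return 0;
}
```

The valid file yields 4 converted samples; the oversized data chunk and a truncated copy of the valid file are both refused before any byte is read past the buffer.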

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Weakness

Memory Corruption - Generic