| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 23 Jul 2006 21:53:33 +0200
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com, bugs@...uritytracker.com,
news@...uriteam.com, full-disclosure@...ts.grok.org.uk,
vuln@...unia.com
Subject: Buffer-overflow in the XM loader of Cheese Tracker 0.9.9
#######################################################################
Luigi Auriemma
Application: Cheese Tracker
http://reduz.com.ar/cheesetracker/
http://sourceforge.net/projects/cheesetronic
Versions: <= 0.9.9 and current CVS
Platforms: *nix and others
Bug: buffer-overflow in Loader_XM::load_instrument_internal
Exploitation: local
Date: 23 Jul 2006
Author: Luigi Auriemma
e-mail: aluigi@...istici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Cheese Tracker is a well known music tracker for the CT, IT, XM and S3M
file formats.
#######################################################################
======
2) Bug
======
The XM loader used by Cheese Tracker is affected by a buffer-overflow
vulnerability which happens when it tries to store the exceeding data
available in the input file in the junkbuster buffer of only 500 bytes.
>From cheesetracker/loaders/loader_xm.cpp:
Loader::Error Loader_XM::load_instrument_internal(Instrument *p_instr,bool p_xi,int p_cpos, int p_hsize, int p_sampnum) {
...
if (!p_xi) {
if ((reader.get_file_pos()-p_cpos)<p_hsize) {
Uint8 junkbuster[500];
//printf("extra junk XM instrument in header! hsize is %i, extra junk: %i\n",p_hsize,(reader.get_file_pos()-p_cpos));
reader.get_byte_array((Uint8*)junkbuster,p_hsize-(reader.get_file_pos()-p_cpos));
}
...
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/cheesebof.zip
#######################################################################
======
4) Fix
======
No fix.
No reply from the developers.
#######################################################################
---
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org
Powered by blists - more mailing lists