Message-ID: <20637.88.149.150.1.1165988873.squirrel@webmail.zone-h.fr>
Date: Wed, 13 Dec 2006 06:47:53 +0100 (CET)
From: "Siegfried" <admin@...e-h.fr>
To: full-disclosure@...ts.grok.org.uk
Subject: Coolplayer buffer overflow vulnerabilities
Affected software: Coolplayer (coolplayer.sourceforge.net)
Versions: <= 215
Discovered by: Mehdi Oudad and Kevin Fernandez, zone-h.fr
The Coolplayer authors were mailed through contact _\at/_
daansystems. com on November 15 2005, but we never got any reply. On
November 30 2006 they published a new version that somewhat patches the
flaws.
1) A boundary error exists in the CPL_AddPrefixedFile() function of
CPI_Playlist.c:
char cFullPath[MAX_PATH];
memcpy(cFullPath, pcPlaylistFile, iPlaylist_VolumeBytes);
strcpy(cFullPath + iPlaylist_VolumeBytes, pcFilename + 1);
CPL_AddSingleFile(hPlaylist, cFullPath, pcTitle);
The code copies an input string of up to 512 bytes into cFullPath, a
260-byte buffer (MAX_PATH is 260 on Windows), without checking the length of
either the volume prefix or the file name. This can be exploited via a
malicious playlist file containing overly long song file names.
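Added example, not coolplayer's code: a length-checked version of the memcpy()+strcpy() join above. MAX_PATH is defined as 260 (its Windows value) so the example builds on any platform; the playlist path, the 9-byte volume prefix and the leading backslash on the entry are constructed inputs chosen for illustration, not values taken from coolplayer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not coolplayer's code. MAX_PATH is 260 on Windows; it is
 * defined here so the example builds on any platform. */
#define MAX_PATH 260

/* Bounded replacement for the memcpy()+strcpy() sequence in CPL_AddPrefixedFile():
 * copy prefix_len bytes of playlist_path (the volume/directory part), then the
 * entry name minus its first character, as the original does with pcFilename + 1.
 * Returns 1 and fills out on success, 0 if the result would not fit in out_size
 * bytes (including the terminating NUL). Nothing is written to out on failure. */
int build_prefixed_path(char *out, size_t out_size,
                        const char *playlist_path, size_t prefix_len,
                        const char *filename)
{
    size_t name_len;

    if (out == NULL || out_size == 0 || playlist_path == NULL || filename == NULL)
        return 0;
    if (prefix_len > strlen(playlist_path))       /* prefix must lie inside the path */
        return 0;
    if (filename[0] == '\0')                       /* nothing to skip over */
        return 0;
    name_len = strlen(filename + 1);

    /* The original writes prefix_len + name_len + 1 bytes unconditionally; this
     * is the check it lacks. Rejecting beats silent truncation, which would
     * quietly open a different file than the one named in the playlist. */
    if (prefix_len > out_size - 1 || name_len > out_size - 1 - prefix_len)
        return 0;

    memcpy(out, playlist_path, prefix_len);
    memcpy(out + prefix_len, filename + 1, name_len + 1);   /* +1 copies the NUL */
    return 1;
}

/* Helper so the result can be checked without a caller-owned buffer. */
const char *prefixed_path_or_null(const char *playlist_path, size_t prefix_len,
                                  const char *filename)
{
    static char out[MAX_PATH];
    return build_prefixed_path(out, sizeof out, playlist_path, prefix_len, filename)
               ? out : NULL;
}

/* Build a constructed entry "\AAAA..." with name_chars characters after the
 * skipped first byte and report whether it fits behind a 9-byte prefix. */
int entry_of_length_fits(size_t name_chars)
{
    char out[MAX_PATH];
    char *name = malloc(name_chars + 2);           /* lead byte + name + NUL */
    int ok;

    if (name == NULL)
        return 0;
    name[0] = '\\';
    memset(name + 1, 'A', name_chars);
    name[name_chars + 1] = '\0';
    ok = build_prefixed_path(out, sizeof out, "C:\\music\\list.m3u", 9, name);
    free(name);
    return ok;
}

int main(void)
{
    /* Constructed input: playlist C:\music\list.m3u, entry "\song.mp3" on its volume. */
    const char *p = prefixed_path_or_null("C:\\music\\list.m3u", 9, "\\song.mp3");
    printf("joined: %s\n", p ? p : "(rejected)");
    printf("250-char name fits: %d\n", entry_of_length_fits(250));   /* 1 */
    printf("251-char name fits: %d\n", entry_of_length_fits(251));   /* 0 */
    printf("511-char name fits: %d\n", entry_of_length_fits(511));   /* 0 */
    return 0;
}
```

The cut-off sits at 250 name bytes because 9 prefix bytes plus 250 plus the NUL is exactly MAX_PATH; the 512-byte playlist line the advisory describes is rejected before any byte is written to the stack buffer.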
2) A boundary error exists in the main_skin_check_ini_value() function of
skin.c:
sscanf(textposition, "%s %d %d %d %d %d %d %d %d %d %[^\0]", name, &x,
&y, &w, &h, &maxw, &x2, &y2, &w2, &h2, tooltip);
The %s conversion has no field width, so sscanf() copies a token of any
length into name. It can be exploited with a skin file containing overly long
button names.
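Added example, not coolplayer's code: a bounded replacement for the sscanf() call above. The buffer sizes are assumptions (the advisory does not give coolplayer's), and the field width in each %s and %[ conversion is generated from the matching buffer size so the two cannot drift apart. One further caveat on the original format string: a \0 escape inside a C string literal terminates the literal, so the format sscanf() actually receives ends at "%[^", an incomplete conversion; the unbounded %s into name is the overflow that matters.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not coolplayer's code. Buffer sizes are assumptions; the
 * advisory does not give the real ones. The field width in each conversion is
 * derived from the buffer size so the two cannot drift apart. */
#define NAME_MAX    63
#define TOOLTIP_MAX 127
#define STR2(x) #x
#define STR(x)  STR2(x)

struct skin_item {
    char name[NAME_MAX + 1];
    int  x, y, w, h, maxw, x2, y2, w2, h2;
    char tooltip[TOOLTIP_MAX + 1];
};

/* Hardened counterpart of the sscanf() call in main_skin_check_ini_value():
 * "%63s" stops after NAME_MAX bytes where the original's "%s" never stops.
 * Returns 1 on a well-formed line (tooltip optional), 0 otherwise. */
int parse_skin_value(const char *line, struct skin_item *it)
{
    int consumed = -1;
    int n = sscanf(line,
                   "%" STR(NAME_MAX) "s %d %d %d %d %d %d %d %d %d "
                   "%" STR(TOOLTIP_MAX) "[^\n]%n",
                   it->name, &it->x, &it->y, &it->w, &it->h, &it->maxw,
                   &it->x2, &it->y2, &it->w2, &it->h2, it->tooltip, &consumed);

    /* An over-long name is cut at NAME_MAX bytes and the leftover letters
     * then fail the first %d, so the whole line is rejected. */
    if (n < 10)
        return 0;
    if (n == 10) {                      /* no tooltip on this line */
        it->tooltip[0] = '\0';
        return 1;
    }
    /* A tooltip longer than TOOLTIP_MAX leaves unread bytes behind: reject
     * rather than hand the caller a silently truncated string. */
    return consumed >= 0 && (line[consumed] == '\0' || line[consumed] == '\n');
}

/* Parse line and compare the interesting fields; 1 if it parsed and matches. */
int skin_value_matches(const char *line, const char *name, int h2, const char *tooltip)
{
    struct skin_item it;
    if (!parse_skin_value(line, &it))
        return 0;
    return strcmp(it.name, name) == 0 && it.h2 == h2 && strcmp(it.tooltip, tooltip) == 0;
}

/* Constructed skin line whose button name is name_chars 'A's; 1 if it parses. */
int skin_line_with_name_length_parses(size_t name_chars)
{
    const char *rest = " 1 2 3 4 5 6 7 8 9 Play";
    char *line = malloc(name_chars + strlen(rest) + 1);
    struct skin_item it;
    int ok;

    if (line == NULL)
        return 0;
    memset(line, 'A', name_chars);
    strcpy(line + name_chars, rest);
    ok = parse_skin_value(line, &it);
    free(line);
    return ok;
}

int main(void)
{
    /* Constructed lines: one benign, one with a 512-byte button name. */
    printf("benign line parses: %d\n",
           skin_value_matches("play 10 20 30 40 50 60 70 80 90 Play the file",
                              "play", 90, "Play the file"));              /* 1 */
    printf("63-char name parses: %d\n", skin_line_with_name_length_parses(63));   /* 1 */
    printf("512-char name parses: %d\n", skin_line_with_name_length_parses(512)); /* 0 */
    return 0;
}
```

The width makes the copy safe; the trailing %n check is what turns silent truncation of the last field into a parse error, which is the behaviour you want from a file format that an attacker can ship inside a skin.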
3) A boundary error in main_skin_open() of skin.c can likewise be exploited
with a skin file containing overly long bitmap filenames.
Additionally, coolplayer was using an obsolete version of the zlib library,
and the changelog of the new version does not say that it has been updated.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/