Buffer-overflow in the XM loader of Cheese Tracker 0.9.9

2006-07-24T00:00:00
ID SECURITYVULNS:DOC:13608
Type securityvulns
Reporter Securityvulns
Modified 2006-07-24T00:00:00

Description

                         Luigi Auriemma

Application:  Cheese Tracker
              http://reduz.com.ar/cheesetracker/
              http://sourceforge.net/projects/cheesetronic
Versions:     <= 0.9.9 and current CVS
Platforms:    *nix and others
Bug:          buffer-overflow in Loader_XM::load_instrument_internal
Exploitation: local
Date:         23 Jul 2006
Author:       Luigi Auriemma
e-mail:       aluigi@autistici.org
web:          aluigi.org

1) Introduction
2) Bug
3) The Code
4) Fix

===============
1) Introduction
===============

Cheese Tracker is a well known music tracker for the CT, IT, XM and S3M file formats.

======
2) Bug
======

The XM loader used by Cheese Tracker is affected by a buffer-overflow vulnerability: when an instrument header in the input file is larger than the data already parsed, the loader copies the whole excess into the stack buffer junkbuster, which is only 500 bytes, without checking the length against the buffer size.

From cheesetracker/loaders/loader_xm.cpp:

Loader::Error Loader_XM::load_instrument_internal(Instrument *p_instr,bool p_xi,int p_cpos, int p_hsize, int p_sampnum) {

    ...
    if (!p_xi) {

        if ((reader.get_file_pos()-p_cpos)<p_hsize) {

            Uint8 junkbuster[500];

            //printf("extra junk XM instrument in header! hsize is %i, extra junk: %i\n",p_hsize,(reader.get_file_pos()-p_cpos));

            // the length passed here is taken from the file (p_hsize) and is
            // never compared against sizeof(junkbuster)
            reader.get_byte_array((Uint8*)junkbuster,p_hsize-(reader.get_file_pos()-p_cpos));
        }
        ...
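A hardened form of the junk-skipping branch above, added here as an illustration and not taken from Cheese Tracker's source; the Reader type is a constructed stand-in that only mimics the two calls the snippet uses (get_file_pos() and get_byte_array()), and the excess header size is drained through the fixed buffer in bounded chunks instead of in one unchecked copy.

```cpp
#include <cstdint>
#include <cstddef>
#include <algorithm>
#include <vector>

// Minimal stand-in for the tracker's file reader (constructed for this
// example; not Cheese Tracker's own class). It exposes the two calls the
// advisory's snippet uses: get_file_pos() and get_byte_array().
struct Reader {
    std::vector<uint8_t> data;   // whole file held in memory
    size_t pos = 0;
    size_t get_file_pos() const { return pos; }
    // Copies up to 'len' bytes into 'dst'; stops at end of file.
    size_t get_byte_array(uint8_t *dst, size_t len) {
        size_t n = std::min(len, data.size() - pos);
        std::copy(data.begin() + pos, data.begin() + pos + n, dst);
        pos += n;
        return n;
    }
    bool eof() const { return pos >= data.size(); }
};

// Hardened replacement for the junk-skipping branch. The original copies
// (p_hsize - bytes_read) bytes into a fixed 500-byte stack buffer in one
// call, so a header size larger than bytes_read + 500 overflows it. Here
// the same excess is drained through the fixed buffer in chunks of at most
// sizeof(junkbuster) bytes, a non-positive header size is ignored, and a
// truncated file simply stops at EOF. Returns the number of bytes skipped.
size_t skip_extra_header(Reader &reader, size_t p_cpos, int p_hsize) {
    if (p_hsize <= 0) return 0;
    size_t consumed = reader.get_file_pos() - p_cpos;
    if (static_cast<size_t>(p_hsize) <= consumed) return 0; // nothing extra
    size_t remaining = static_cast<size_t>(p_hsize) - consumed;
    uint8_t junkbuster[500];
    size_t skipped = 0;
    while (remaining > 0 && !reader.eof()) {
        size_t chunk = std::min(remaining, sizeof(junkbuster));
        size_t got = reader.get_byte_array(junkbuster, chunk);
        if (got == 0) break;
        remaining -= got;
        skipped += got;
    }
    return skipped;
}
```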

===========
3) The Code
===========

http://aluigi.org/poc/cheesebof.zip

======
4) Fix
======

No fix. No reply from the developers.


Luigi Auriemma http://aluigi.org http://mirror.aluigi.org