oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CVE Request - LibModPlug <=0.8.8.4 multiple heap overflow

From: Florian <floriangaultier () gmail com>
Date: Wed, 07 Aug 2013 19:29:48 +0200
On 07/08/2013 19:17, Kurt Seifried wrote:

On 08/07/2013 10:24 AM, Florian wrote:

Hi,



Just a CVE Request for this 
http://blog.scrt.ch/2013/07/24/vlc-abc-parsing-seems-to-be-a-ctf-challenge/



 Thx



I need a better request. You want one CVE? multiple CVEs? A quick read
of the web page indicates multiple different problems. Can you list
them here and provide links to the source code? thanks.



Okay, so the first bug is an integer overflow in j variable, it occurs
here :
https://github.com/gardaud/libmodplug/blob/master/src/load_abc.cpp#L1852

The second bug is a heap overflow and can be triggered in two functions
abc_MIDI_drum :
https://github.com/gardaud/libmodplug/blob/master/src/load_abc.cpp#L3211
and
abc_MIDI_gchord :
https://github.com/gardaud/libmodplug/blob/master/src/load_abc.cpp#L3258

h->gchord and h->drum are static buffers and are filled until the copied
byte is in the charset (respectively 'fbcz0123456789ghijGHIJ' and
'dz0123456789')

It's up to you to open one or multiple CVE.

Don't hesitate if you want more information.

Thx
Previous By Date Next
Previous By Thread Next

Current thread: