oss-sec mailing list archives
Re: CVE Request - LibModPlug <=0.8.8.4 multiple heap overflow
From: Florian <floriangaultier () gmail com>
Date: Wed, 07 Aug 2013 19:29:48 +0200
On 07/08/2013 19:17, Kurt Seifried wrote:
> On 08/07/2013 10:24 AM, Florian wrote:
>> Hi,
>> Just a CVE Request for this
>> http://blog.scrt.ch/2013/07/24/vlc-abc-parsing-seems-to-be-a-ctf-challenge/
>> Thx
>
> I need a better request. You want one CVE? multiple CVEs? A quick read of the web page indicates multiple different problems. Can you list them here and provide links to the source code? thanks.
Okay, so the first bug is an integer overflow in the j variable; it occurs here:
https://github.com/gardaud/libmodplug/blob/master/src/load_abc.cpp#L1852

The second bug is a heap overflow and can be triggered in two functions:
abc_MIDI_drum: https://github.com/gardaud/libmodplug/blob/master/src/load_abc.cpp#L3211
and abc_MIDI_gchord: https://github.com/gardaud/libmodplug/blob/master/src/load_abc.cpp#L3258

h->gchord and h->drum are static buffers and are filled until the copied byte is in the charset (respectively 'fbcz0123456789ghijGHIJ' and 'dz0123456789').

It's up to you to open one or multiple CVEs.
Don't hesitate if you want more information.
Thx
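
The fixed-size buffer filled by a charset-driven copy, as the message above describes for h->drum (the same pattern applies to h->gchord), next to a bounded form. This is an added example, not part of the original post and not libmodplug's code; DRUM_CAP, both function names and the sample inputs are assumptions made up for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed capacity for illustration; the real sizes of h->drum and
 * h->gchord are not stated in the post. */
#define DRUM_CAP 16
static const char DRUM_CHARSET[] = "dz0123456789"; /* charset quoted in the post */

/* Bytes a copy with no length check would store: the leading run of
 * charset bytes plus the terminator. Computed without writing anything. */
size_t unbounded_write_len(const char *src, const char *charset)
{
    return strspn(src, charset) + 1;
}

/* Bounded form: copy the leading run of charset bytes, at most cap - 1 of
 * them, and always NUL-terminate. Returns 0 on success, -1 when the input
 * did not fit (the caller should reject the directive, not use the stub). */
int copy_charset_bounded(char *dst, size_t cap, const char *src, const char *charset)
{
    size_t run, n;
    if (cap == 0)
        return -1;
    run = strspn(src, charset);
    n = run < cap - 1 ? run : cap - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return run > n ? -1 : 0;
}

int main(void)
{
    /* Constructed sample inputs, not taken from a real ABC file. */
    const char *ok = "dzd2z2 35 38";
    const char *too_long = "dddddddddddddddddddddddddddddddd 35";
    char drum[DRUM_CAP];
    int rc;

    rc = copy_charset_bounded(drum, sizeof drum, ok, DRUM_CHARSET);
    printf("ok: rc=%d stored=\"%s\"\n", rc, drum);

    printf("unchecked copy would write %zu bytes into %d\n",
           unbounded_write_len(too_long, DRUM_CHARSET), DRUM_CAP);
    rc = copy_charset_bounded(drum, sizeof drum, too_long, DRUM_CHARSET);
    printf("bounded: rc=%d stored=\"%s\"\n", rc, drum);
    return 0;
}
```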