Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <5202840C.6020501@gmail.com>
Date: Wed, 07 Aug 2013 19:29:48 +0200
From: Florian <floriangaultier@...il.com>
To: kseifried@...hat.com
CC: oss-security@...ts.openwall.com
Subject: Re: CVE Request - LibModPlug <=0.8.8.4 multiple heap
 overflow

On 07/08/2013 19:17, Kurt Seifried wrote:
> On 08/07/2013 10:24 AM, Florian wrote:
>> Hi,
> 
>> Just a CVE Request for this 
>> http://blog.scrt.ch/2013/07/24/vlc-abc-parsing-seems-to-be-a-ctf-challenge/
> 
>>  Thx
> 
> 
> I need a better request. You want one CVE? multiple CVEs? A quick read
> of the web page indicates multiple different problems. Can you list
> them here and provide links to the source code? thanks.
> 

Okay, so the first bug is an integer overflow in j variable, it occurs
here :
https://github.com/gardaud/libmodplug/blob/master/src/load_abc.cpp#L1852

The second bug is a heap overflow and can be triggered in two functions
abc_MIDI_drum :
https://github.com/gardaud/libmodplug/blob/master/src/load_abc.cpp#L3211
and
abc_MIDI_gchord :
https://github.com/gardaud/libmodplug/blob/master/src/load_abc.cpp#L3258

h->gchord and h->drum are static buffers and are filled until the copied
byte is in the charset (respectively 'fbcz0123456789ghijGHIJ' and
'dz0123456789')

It's up to you to open one or multiple CVE.

Don't hesitate if you want more information.

Thx

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.