Date: Wed, 07 Aug 2013 19:29:48 +0200 From: Florian <floriangaultier@...il.com> To: kseifried@...hat.com CC: oss-security@...ts.openwall.com Subject: Re: CVE Request - LibModPlug <=0.8.8.4 multiple heap overflow On 07/08/2013 19:17, Kurt Seifried wrote: > On 08/07/2013 10:24 AM, Florian wrote: >> Hi, > >> Just a CVE Request for this >> http://blog.scrt.ch/2013/07/24/vlc-abc-parsing-seems-to-be-a-ctf-challenge/ > >> Thx > > > I need a better request. You want one CVE? multiple CVEs? A quick read > of the web page indicates multiple different problems. Can you list > them here and provide links to the source code? thanks. > Okay, so the first bug is an integer overflow in j variable, it occurs here : https://github.com/gardaud/libmodplug/blob/master/src/load_abc.cpp#L1852 The second bug is a heap overflow and can be triggered in two functions abc_MIDI_drum : https://github.com/gardaud/libmodplug/blob/master/src/load_abc.cpp#L3211 and abc_MIDI_gchord : https://github.com/gardaud/libmodplug/blob/master/src/load_abc.cpp#L3258 h->gchord and h->drum are static buffers and are filled until the copied byte is in the charset (respectively 'fbcz0123456789ghijGHIJ' and 'dz0123456789') It's up to you to open one or multiple CVE. Don't hesitate if you want more information. Thx
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.