BugTraq
xine-lib NES Sound Format Demuxer Buffer Overflow
Apr 23 2008 07:05PM
laurent gaffie gmail com
(1 replies)
Re: xine-lib NES Sound Format Demuxer Buffer Overflow
Apr 23 2008 10:21PM
Guido Landi (lists keamera org)
that buffer can't be overflowed, "header" is 128 bytes long:

#define NSF_HEADER_SIZE 0x80
[..]
if (this->input->read(this->input, header, NSF_HEADER_SIZE) !=
    NSF_HEADER_SIZE)
  return 0;

and copyright can't be more than 50 bytes:

this->copyright = strdup(&header[0x4E]);

laurent.gaffie (at) gmail (dot) com wrote:
> Hi there
>
> Original advisory:
> http://milw0rm.com/exploits/5458
>
>
> There's another stack-based buffer overflow in demux_nfs.c
>
> line 111:
> this->copyright = strdup(&header[0x4E]);
> line 189:
> char copyright[100];
> line 208:
> sprintf(copyright, "(C) %s", this->copyright);
>
> Regards Laurent Gaffié
>
>
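
The size argument in the thread above, written out as an added example (not code from xine-lib or from either poster): the 0x80 header size, the 0x4E offset and the 100-byte buffer are the values quoted in the messages, while format_copyright and worst_case_length are hypothetical names. It bounds the field copy explicitly and checks at compile time that the prefix plus the longest possible field fits.

```c
#include <stdio.h>
#include <string.h>

#define NSF_HEADER_SIZE   0x80  /* from the thread */
#define NSF_COPYRIGHT_OFF 0x4E  /* from the thread */
#define NSF_COPYRIGHT_MAX (NSF_HEADER_SIZE - NSF_COPYRIGHT_OFF)  /* 50 */
#define TITLE_BUF_SIZE    100   /* char copyright[100] in the thread */

/* Build fails if "(C) " + longest possible field + NUL stops fitting. */
_Static_assert(sizeof("(C) ") - 1 + NSF_COPYRIGHT_MAX + 1 <= TITLE_BUF_SIZE,
               "copyright title buffer too small");

/* Hypothetical helper: returns the formatted length, or -1 if it would
 * not fit in out. The field is copied with an explicit length, so the
 * bound does not depend on a NUL terminator being present in the file. */
static int format_copyright(const unsigned char *header,
                            char *out, size_t out_size)
{
    char field[NSF_COPYRIGHT_MAX + 1];
    int n;

    memcpy(field, header + NSF_COPYRIGHT_OFF, NSF_COPYRIGHT_MAX);
    field[NSF_COPYRIGHT_MAX] = '\0';
    n = snprintf(out, out_size, "(C) %s", field);
    return (n < 0 || (size_t)n >= out_size) ? -1 : n;
}

/* Constructed worst case: a header with no NUL byte anywhere, formatted
 * into a destination of out_size bytes (at most TITLE_BUF_SIZE). */
static int worst_case_length(size_t out_size)
{
    unsigned char header[NSF_HEADER_SIZE];
    char title[TITLE_BUF_SIZE];

    if (out_size > sizeof(title))
        return -1;
    memset(header, 'A', sizeof(header));
    return format_copyright(header, title, out_size);
}

int main(void)
{
    printf("worst case: %d characters plus NUL in a %d-byte buffer\n",
           worst_case_length(TITLE_BUF_SIZE), TITLE_BUF_SIZE);
    return 0;
}
```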
Copyright 2009, SecurityFocus