BugTraq
xine-lib NES Sound Format Demuxer Buffer Overflow Apr 23 2008 07:05PM
laurent gaffie gmail com (1 replies)
Re: xine-lib NES Sound Format Demuxer Buffer Overflow Apr 23 2008 10:21PM
Guido Landi (lists keamera org)
that buffer can't be overflowed, "header" is 128 bytes long:

#define NSF_HEADER_SIZE 0x80
[..]
  if (this->input->read(this->input, header, NSF_HEADER_SIZE) !=
      NSF_HEADER_SIZE)
    return 0;

and copyright can't be more than 50 bytes:

this->copyright = strdup(&header[0x4E]);

laurent.gaffie (at) gmail (dot) com wrote:
> Hi there
>
> Original advisory:
> http://milw0rm.com/exploits/5458
>
>
> There's another stack-based buffer overflow in demux_nsf.c
>
> line 111:
> this->copyright = strdup(&header[0x4E]);
> line 189:
> char copyright[100];
> line 208:
> sprintf(copyright, "(C) %s", this->copyright);
>
> Regards Laurent Gaffié
>
>
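
The size arithmetic from the reply above (a 0x80-byte header, the field starting at 0x4E, a 100-byte destination), as an added example that is not part of the thread or of xine-lib. copy_field and format_copyright are hypothetical helpers and the all-'A' header is constructed input; the copy enforces the 50-byte bound itself instead of relying on a terminator being present in the file.

```c
#include <stdio.h>
#include <string.h>

#define NSF_HEADER_SIZE  0x80  /* from the code quoted in the thread */
#define COPYRIGHT_OFFSET 0x4E  /* from the code quoted in the thread */
#define FIELD_MAX (NSF_HEADER_SIZE - COPYRIGHT_OFFSET)  /* 50 bytes to end of header */

/* Hypothetical helper: copy the field with an explicit bound, so the result
 * is at most FIELD_MAX characters even if no NUL follows offset 0x4E.
 * Returns the number of characters copied, or -1 if dst is too small. */
static int copy_field(char *dst, size_t dst_size, const unsigned char *header)
{
    size_t n = 0;
    if (dst_size < FIELD_MAX + 1)
        return -1;
    while (n < FIELD_MAX && header[COPYRIGHT_OFFSET + n] != '\0') {
        dst[n] = (char)header[COPYRIGHT_OFFSET + n];
        n++;
    }
    dst[n] = '\0';
    return (int)n;
}

/* Hypothetical helper: format "(C) <field>" into out with snprintf.
 * Returns the bytes used including the NUL, or -1 if it would not fit. */
static int format_copyright(char *out, size_t out_size, const unsigned char *header)
{
    char field[FIELD_MAX + 1];
    int n;
    if (copy_field(field, sizeof field, header) < 0)
        return -1;
    n = snprintf(out, out_size, "(C) %s", field);
    if (n < 0 || (size_t)n >= out_size)
        return -1;
    return n + 1;
}

/* Constructed worst case: a header with no NUL byte anywhere in it. */
static int worst_case_bytes(void)
{
    unsigned char header[NSF_HEADER_SIZE];
    char copyright[100];  /* same size as the buffer quoted in the thread */
    memset(header, 'A', sizeof header);
    return format_copyright(copyright, sizeof copyright, header);
}

int main(void)
{
    printf("worst case uses %d of 100 bytes\n", worst_case_bytes());
    return 0;
}
```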

Copyright 2010, SecurityFocus