[Full-disclosure] Buffer-overflow in CoolPlayer 217


#######################################################################

Luigi Auriemma

Application: CoolPlayer
http://coolplayer.sourceforge.net
Versions: <= 217
Platforms: Windows
Bug: buffer-overflow in CPLI_ReadTag_OGG
Exploitation: local
Date: 28 Dec 2007
Author: Luigi Auriemma
e-mail: aluigi@xxxxxxxxxxxxx
web: aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


CoolPlayer is a tiny open source media player for Windows.


#######################################################################

======
2) Bug
======


The tags in the OGG Vorbis files are handled by the CPLI_ReadTag_OGG
function which uses sscanf for storing the tag's name and its value in
two stack buffers but the lack of size limiters in the format argument
results in a buffer-overflow.

From CPI_PlaylistItem.c:

void CPLI_ReadTag_OGG(CPs_PlaylistItem* pItem)
...
char cTag[128];
char cValue[2048];

if(sscanf(pComment->user_comments[iCommentIDX], " %[^= ] = %[^=]", cTag, cValue) == 2)
...


#######################################################################

===========
3) The Code
===========


vorbiscomment -t cTag=AAA_2500_A's_AAA -a input.ogg output.ogg


#######################################################################

======
4) Fix
======


The problem has been reported to the developers which have said that
will work on this and on any other old public bug.


#######################################################################


---
Luigi Auriemma
http://aluigi.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Relevant Pages
Loading