[REVS] DUMB It_read_envelope Heap Overflow



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



DUMB It_read_envelope Heap Overflow
------------------------------------------------------------------------


SUMMARY

DUMB - Dynamic Universal Music Bibliotheque (http://dumb.sourceforge.net) is
an open source player library for the IT, XM, S3M and MOD file formats.

DUMB is vulnerable to a heap overflow in it_read_envelope.

DETAILS

Vulnerable Systems:
* DUMB version 0.9.3 and CVS head as of 16 August 2006

it_read_envelope is the function called by it_read_instrument to read the
volume, pan and pitch envelopes of each instrument in an IT (Impulse
Tracker) file whose format version is 0x200 or higher.

The function reads an 8-bit value (envelope->n_nodes) giving the number of
nodes in the envelope and then reads that many nodes from the file, 8 bits
for each node_y and 16 bits for each node_t.

The problem is that node_y and, more importantly, node_t are fixed-size
arrays of 25 elements each, allocated when the number of instruments in the
IT file is read initially, and n_nodes is never checked against that limit
before it is used as the loop bound.

The memory allocated is that of the IT_INSTRUMENT structure, which already
contains the three IT_ENVELOPE structures used for volume, pan and pitch,
so the out-of-bounds writes land first in the rest of the instrument
structure and then beyond the allocation.

Overflowing the allocation takes about 371 bytes, the distance from the end
of pitch_envelope to the end of map_sample (the last field of
IT_INSTRUMENT). Each node past the 25th writes two more bytes of node_t
beyond the array, so at least about 213 n_nodes are needed to cause the heap
overflow.
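The following C program is an added example for this page, not DUMB's own source: it models the envelope structure and the read loop the advisory describes, places the flawed reader beside a hardened one that checks n_nodes against the 25-element arrays (and treats truncated input as an error), and computes how far the node_t writes run past the array for a given count. The structure layout, the field names, the on-disk record layout (6 header bytes followed by n_nodes pairs of node_y and little-endian node_t) and the sample envelope bytes are all assumptions constructed for the example.

```c
#include <stdio.h>
#include <stddef.h>

/* Model of the envelope structure the advisory describes: node_y is 8-bit,
   node_t is 16-bit, both fixed at 25 entries. Example code for this page,
   not DUMB's source; field names are assumed. */
#define IT_ENVELOPE_MAX_NODES 25

typedef struct {
    unsigned char  flags;
    unsigned char  n_nodes;
    unsigned char  loop_start, loop_end;
    unsigned char  sus_loop_start, sus_loop_end;
    signed char    node_y[IT_ENVELOPE_MAX_NODES];
    unsigned short node_t[IT_ENVELOPE_MAX_NODES];
} IT_ENVELOPE;

/* Minimal in-memory stream standing in for the IT file being parsed. */
typedef struct { const unsigned char *data; size_t len, pos; } stream_t;

static int get_byte(stream_t *s)                 /* -1 on truncated input */
{
    return s->pos < s->len ? s->data[s->pos++] : -1;
}

static int get_word(stream_t *s)                 /* little-endian 16-bit, -1 on truncation */
{
    int lo = get_byte(s), hi = get_byte(s);
    return (lo < 0 || hi < 0) ? -1 : (lo | (hi << 8));
}

static int read_u8(stream_t *s, unsigned char *out)
{
    int v = get_byte(s);
    if (v < 0) return -1;
    *out = (unsigned char)v;
    return 0;
}

/* The flaw as the advisory describes it: n_nodes comes straight from the
   file and drives the loop. With n_nodes > 25, node_y[n] writes into node_t
   and node_t[n] writes past the end of the structure (the heap overflow).
   Kept for comparison only; never call it on untrusted input. */
static int read_envelope_unchecked(IT_ENVELOPE *env, stream_t *s)
{
    int n;
    env->flags          = (unsigned char)get_byte(s);
    env->n_nodes        = (unsigned char)get_byte(s);   /* attacker-controlled bound */
    env->loop_start     = (unsigned char)get_byte(s);
    env->loop_end       = (unsigned char)get_byte(s);
    env->sus_loop_start = (unsigned char)get_byte(s);
    env->sus_loop_end   = (unsigned char)get_byte(s);
    for (n = 0; n < env->n_nodes; n++) {
        env->node_y[n] = (signed char)get_byte(s);      /* n >= 25: spills into node_t */
        env->node_t[n] = (unsigned short)get_word(s);   /* n >= 25: spills past the struct */
    }
    return 0;
}

/* Hardened reader: the node count is validated against the array size
   before it is used as a loop bound, and a short read is an error. */
static int read_envelope_checked(IT_ENVELOPE *env, stream_t *s)
{
    int n;
    if (read_u8(s, &env->flags) || read_u8(s, &env->n_nodes)) return -1;
    if (env->n_nodes > IT_ENVELOPE_MAX_NODES) return -1;   /* the missing check */
    if (read_u8(s, &env->loop_start) || read_u8(s, &env->loop_end) ||
        read_u8(s, &env->sus_loop_start) || read_u8(s, &env->sus_loop_end))
        return -1;
    for (n = 0; n < env->n_nodes; n++) {
        int y = get_byte(s), t = get_word(s);
        if (y < 0 || t < 0) return -1;                     /* truncated node list */
        env->node_y[n] = (signed char)y;
        env->node_t[n] = (unsigned short)t;
    }
    return 0;
}

/* Bytes the unchecked loop would write past the end of node_t for a given
   count: every node beyond the 25th stores one more 16-bit node_t. */
static size_t node_t_overrun_bytes(unsigned n_nodes)
{
    return n_nodes > IT_ENVELOPE_MAX_NODES
        ? (size_t)(n_nodes - IT_ENVELOPE_MAX_NODES) * sizeof(unsigned short)
        : 0;
}

/* Builds a constructed envelope record (assumed layout): 6 header bytes,
   then n_nodes pairs of node_y (i*2) and little-endian node_t (i*10).
   Returns the record length, or 0 if the buffer is too small. */
static size_t build_envelope(unsigned char *out, size_t cap, unsigned n_nodes)
{
    size_t need = 6 + (size_t)n_nodes * 3, i;
    if (need > cap) return 0;
    out[0] = 1;                                /* flags: envelope enabled */
    out[1] = (unsigned char)n_nodes;
    out[2] = out[3] = out[4] = out[5] = 0;     /* loop / sustain loop points */
    for (i = 0; i < n_nodes; i++) {
        out[6 + i * 3]     = (unsigned char)(i * 2);
        out[6 + i * 3 + 1] = (unsigned char)((i * 10) & 0xff);
        out[6 + i * 3 + 2] = (unsigned char)((i * 10) >> 8);
    }
    return need;
}

int main(void)
{
    unsigned char buf[1024];
    IT_ENVELOPE env;
    stream_t s = { buf, 0, 0 };

    s.len = build_envelope(buf, sizeof buf, 3);
    printf("3 nodes  : %s\n", read_envelope_checked(&env, &s) == 0 ? "parsed" : "rejected");

    s.len = build_envelope(buf, sizeof buf, 213);
    s.pos = 0;
    printf("213 nodes: %s (unchecked loop would overrun node_t by %zu bytes)\n",
           read_envelope_checked(&env, &s) == 0 ? "parsed" : "rejected",
           node_t_overrun_bytes(213));
    return 0;
}
```

node_t_overrun_bytes(213) gives 376 bytes past node_t, the same order as the 371-byte distance the advisory measures from pitch_envelope to the end of IT_INSTRUMENT; the hardened reader rejects such a record before the loop runs, and also fails cleanly when the node list is shorter than n_nodes claims.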

Proof of concept:
http://aluigi.org/poc/dumbit.zip

Fix:
The bug will be fixed in the next version.


ADDITIONAL INFORMATION

The information has been provided by Luigi Auriemma (aluigi@xxxxxxxxxxxxx).
The original article can be found at: aluigi.org



