[REVS] DUMB It_read_envelope Heap Overflow

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.

- - - - - - - - -

DUMB It_read_envelope Heap Overflow


<http://dumb.sourceforge.net> DUMB - Dynamic Universal Music
Bibliotheque. DUMB is an open source player library for the IT, XM, S3M
and MOD file formats.

DUMB is vulnerable to a heap overflow in read_envelope.


Vulnerable Systems:
* DUMB version 0.9.3 and CVS head from 16/08/2006

it_read_envelope is the function called by it_read_instrument for reading
the envelope values for volume, pan and pitch of each instrument in the IT
(Impulse Tracker) file if it's major or equal than version 0x200.

The function reads an 8 bit value (envelope->n_nodes) which describes the
number of nodes in the envelope and then starts to read them using 8 bit
for node_y and 16 for node_t.

The problem is that both node_y and moreover node_t have a fixed size of
25 elements allocated when the number of instruments in the IT file is
read initially.

The memory allocated is that of the IT_INSTRUMENT structure which already
contains the three IT_ENVELOPE structures used for volume, pan and pitch.

The amount of data needed to overflow the allocated memory is about 371
bytes, from the end of pitch_envelope to the end of map_sample, which
means we need to specify at least about 213 n_nodes for causing the heap

Proof of concept:
<http://aluigi.org/poc/dumbit.zip> http://aluigi.org/poc/dumbit.zip

The bug will be fixed in the next version.


The information has been provided by <mailto:aluigi@xxxxxxxxxxxxx> Luigi
The original article can be found at: <aluigi.org> aluigi.org


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.