#######################################################################

                             Luigi Auriemma

Application:  Cheese Tracker
              http://reduz.com.ar/cheesetracker/
              http://sourceforge.net/projects/cheesetronic
Versions:     <= 0.9.9 and current CVS
Platforms:    *nix and others
Bug:          buffer-overflow in Loader_XM::load_instrument_internal
Exploitation: local
Date:         23 Jul 2006
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Cheese Tracker is a well-known music tracker that handles the CT, IT, XM and S3M formats.

#######################################################################

======
2) Bug
======

The XM format loader used by Cheese Tracker is vulnerable to a buffer-overflow that occurs when the program tries to store the excess data of the file in the junkbuster buffer, which is only 500 bytes long.

From cheesetracker/loaders/loader_xm.cpp:

Loader::Error Loader_XM::load_instrument_internal(Instrument *p_instr,bool p_xi,int p_cpos, int p_hsize, int p_sampnum) {
	...
	if (!p_xi) {
		if ((reader.get_file_pos()-p_cpos)