TUCoPS :: HP Unsorted X :: b06-3809.htm

Xm loader of cheese tracker 0.9.9 buffer overflow
Buffer-overflow in the XM loader of Cheese Tracker 0.9.9
Buffer-overflow in the XM loader of Cheese Tracker 0.9.9



#######################################################################

                             Luigi Auriemma

Application:  Cheese Tracker
http://reduz.com.ar/cheesetracker/ 
http://sourceforge.net/projects/cheesetronic 
Versions:     <= 0.9.9 and current CVS
Platforms:    *nix and others
Bug:          buffer-overflow in Loader_XM::load_instrument_internal
Exploitation: local
Date:         23 Jul 2006
Author:       Luigi Auriemma
e-mail: aluigi@autistici.org 
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

==============1) Introduction
==============

Cheese Tracker is a well known music tracker for the CT, IT, XM and S3M
file formats.


#######################################################################

=====2) Bug
=====

The XM loader used by Cheese Tracker is affected by a buffer-overflow
vulnerability which happens when it tries to store the exceeding data
available in the input file in the junkbuster buffer of only 500 bytes.

>From cheesetracker/loaders/loader_xm.cpp:

Loader::Error Loader_XM::load_instrument_internal(Instrument *p_instr,bool p_xi,int p_cpos, int p_hsize, int p_sampnum) {
        ...
        if (!p_xi) {

            if ((reader.get_file_pos()-p_cpos)http://aluigi.org/poc/cheesebof.zip 


#######################################################################

=====4) Fix
=====

No fix.
No reply from the developers.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org 
http://mirror.aluigi.org

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2025 AOH