#######################################################################

                             Luigi Auriemma

Application:  DUMB - Dynamic Universal Music Bibliotheque
              http://dumb.sourceforge.net
Versions:     <= 0.9.3 and current CVS
Platforms:    Windows, *nix, *BSD and more
Bug:          heap overflow in it_read_envelope
Exploitation: local
Date:         16 Jul 2006
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


DUMB is an open source player library for the IT, XM, S3M and MOD file
formats.


#######################################################################

======
2) Bug
======


it_read_envelope is the function called by it_read_instrument to read
the envelope values for volume, pan and pitch of each instrument in an
IT (Impulse Tracker) file whose version is greater than or equal to
0x200.

The function reads an 8 bit value (envelope->n_nodes) that gives the
number of nodes in the envelope and then reads the nodes themselves,
using 8 bits for each node_y and 16 bits for each node_t.

The problem is that node_y and, more importantly, node_t are fixed
arrays of 25 elements, allocated when the number of instruments in the
IT file is read initially. The memory allocated is that of the
IT_INSTRUMENT structure, which already contains the three IT_ENVELOPE
structures used for volume, pan and pitch. Since n_nodes is never
checked against those 25 elements, a larger value makes the node loop
write past the arrays.

The amount of data needed to overflow the allocated memory is about
371 bytes, from the end of pitch_envelope to the end of map_sample,
which means at least about 213 n_nodes must be specified to cause the
heap overflow.
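The root cause above is a length field read from the file and trusted without comparison to the fixed capacity of the destination arrays. The following is an added example, not DUMB's code, showing how a defensive reader of the node list described in the advisory (one byte n_nodes, then n_nodes pairs of 8 bit node_y and 16 bit little-endian node_t) rejects both an oversized node count and a truncated input before touching the arrays. The envelope_t structure, the ENVELOPE_MAX_NODES constant (set to the 25 entries the advisory cites) and the simplified record layout are assumptions for illustration; the real IT envelope carries further fields that are omitted here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Capacity of the node arrays. The advisory states DUMB keeps 25 entries for
   node_y and node_t; this struct is a hypothetical stand-in, not DUMB's own. */
#define ENVELOPE_MAX_NODES 25

typedef struct {
    uint8_t n_nodes;
    uint8_t node_y[ENVELOPE_MAX_NODES];
    int16_t node_t[ENVELOPE_MAX_NODES];
} envelope_t;

/* Bounded view of the remaining input, so every read is checked against len. */
typedef struct {
    const uint8_t *p;
    size_t len;
} reader_t;

/* Parse one envelope record. Returns 0 on success, -1 when the declared node
   count exceeds the array capacity (the check missing in the vulnerable
   version), -2 when the input is too short for the declared nodes. Nothing is
   written to env until both checks have passed. */
int read_envelope_checked(reader_t *r, envelope_t *env)
{
    if (r->len < 1) return -2;
    uint8_t n = r->p[0];
    /* An 8 bit n_nodes can reach 255, but there is room for 25. */
    if (n > ENVELOPE_MAX_NODES) return -1;
    size_t need = 1 + (size_t)n * 3;          /* 1 byte node_y + 2 bytes node_t per node */
    if (r->len < need) return -2;
    env->n_nodes = n;
    const uint8_t *q = r->p + 1;
    for (unsigned i = 0; i < n; i++) {
        env->node_y[i] = q[0];
        env->node_t[i] = (int16_t)(q[1] | (q[2] << 8));   /* little-endian */
        q += 3;
    }
    r->p += need;
    r->len -= need;
    return 0;
}

/* Build a constructed record with n nodes (node_y = i, node_t = 10*i). */
static size_t build_record(uint8_t *out, size_t cap, unsigned n)
{
    size_t need = 1 + (size_t)n * 3;
    if (cap < need) return 0;
    out[0] = (uint8_t)n;
    for (unsigned i = 0; i < n; i++) {
        int16_t t = (int16_t)(10 * i);
        out[1 + i * 3] = (uint8_t)i;
        out[2 + i * 3] = (uint8_t)(t & 0xff);
        out[3 + i * 3] = (uint8_t)((t >> 8) & 0xff);
    }
    return need;
}

/* Exactly 25 nodes: accepted, and the last node decodes correctly. */
int demo_valid(void)
{
    uint8_t buf[1 + 3 * 255];
    envelope_t env;
    memset(&env, 0, sizeof env);
    size_t len = build_record(buf, sizeof buf, 25);
    reader_t r = { buf, len };
    int rc = read_envelope_checked(&r, &env);
    if (rc != 0) return rc;
    if (env.n_nodes != 25 || env.node_y[24] != 24 || env.node_t[24] != 240) return 99;
    return 0;
}

/* The node count the advisory cites as sufficient to overflow: rejected up front. */
int demo_oversized(void)
{
    uint8_t buf[1 + 3 * 255];
    envelope_t env;
    size_t len = build_record(buf, sizeof buf, 213);
    reader_t r = { buf, len };
    return read_envelope_checked(&r, &env);   /* -1 */
}

/* Declares 5 nodes but the input ends after 4 bytes: rejected as truncated. */
int demo_truncated(void)
{
    uint8_t buf[8] = { 5, 0, 0, 0 };
    envelope_t env;
    reader_t r = { buf, 4 };
    return read_envelope_checked(&r, &env);   /* -2 */
}

int main(void)
{
    printf("valid=%d oversized=%d truncated=%d\n",
           demo_valid(), demo_oversized(), demo_truncated());
    return 0;
}
```

The two checks are independent: the capacity check protects the destination arrays (the heap overflow in the advisory), while the length check protects the source buffer from an over-read on a short file. A fix that only clamps n_nodes to 25 still needs the second check.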
#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/dumbit.zip


#######################################################################

======
4) Fix
======


The bug will be fixed in the next version.


#######################################################################