Hey schismtracker team,
I would like to report a security vulnerability in the Amiga Oktalyzer parser (fmt/okt.c).
There is a heap overflow in the way the parser handles the song's orderlist in the Amiga Oktalyzer file format.
The fmt_okt_load_song function takes the 2-byte length (plen) of the song orderlist directly from the file.
At the end of the function, it tries to memset the structure; however, the size of the memset is calculated by subtracting plen from MAX_ORDERS ([2]). As a consequence, if a file is created with a plen bigger than MAX_ORDERS (256), it will underflow and become a big unsigned integer that will make memset overflow beyond its boundaries.
```c
int fmt_okt_load_song(song_t *song, slurp_t *fp, unsigned int lflags)
{
    int plen = 0; // how many positions in the orderlist are valid
    while (!slurp_eof(fp)) {
        uint32_t blklen; // length of this block
        size_t nextpos; // ... and start of next one
        slurp_read(fp, tag, 4);
        slurp_read(fp, &blklen, 4);
        blklen = bswapBE32(blklen);
        nextpos = slurp_tell(fp) + blklen;
        [...]
        switch (OKT_BLOCK(tag[0], tag[1], tag[2], tag[3])) {
        [...]
        case OKT_BLK_PLEN:
            if (!(readflags & OKT_HAS_PLEN)) {
                readflags |= OKT_HAS_PLEN;
                slurp_read(fp, &w, 2); [1]
                plen = bswapBE16(w);
            }
        [...]
    song->pan_separation = 64;
    memset(song->orderlist + plen, ORDER_LAST, MAX_ORDERS - plen); [2]
```
Please let me know when you have fixed the vulnerability so that I can coordinate my disclosure with yours. For reference, here is a link to Semmle's vulnerability disclosure policy: https://lgtm.com/security#disclosure_policy
Thank you,
Nico Waisman
Semmle Security Research Team
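The following is an added, self-contained C example illustrating the report above; it is not code from the issue, from Semmle, or from the schismtracker source. It mirrors the loader's block walk (4-byte tag, 4-byte big-endian length, payload) over a constructed PLEN block, shows the length the original memset receives once MAX_ORDERS - plen is converted to size_t, and places a hardened variant that bounds-checks plen beside it. The song_t stand-in, the ORDER_LAST value and all function names are assumptions for the demonstration, not schismtracker's own definitions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ORDERS 256
/* Assumed sentinel; the real ORDER_LAST value is defined in schismtracker's headers. */
#define ORDER_LAST 255

/* Hypothetical stand-in for song_t: only the field the bug touches. */
typedef struct {
    uint8_t orderlist[MAX_ORDERS];
} song_t;

/* Big-endian readers standing in for bswapBE32/bswapBE16 after a raw read. */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Walk "TAG" + 4-byte BE block length + payload records the way the loader's
 * loop does and return the 16-bit value of the first PLEN block.
 * Returns 0 on success, -1 if no PLEN block is present or the input is truncated. */
static int okt_find_plen(const uint8_t *buf, size_t len, int *plen)
{
    size_t pos = 0;
    while (pos + 8 <= len) {
        const uint8_t *tag = buf + pos;
        uint32_t blklen = be32(buf + pos + 4);
        if (blklen > len - pos - 8)          /* block claims more bytes than remain */
            return -1;
        if (memcmp(tag, "PLEN", 4) == 0 && blklen >= 2) {
            *plen = be16(buf + pos + 8);     /* plen = bswapBE16(w) */
            return 0;
        }
        pos += 8 + blklen;                   /* nextpos = start of this block + blklen */
    }
    return -1;
}

/* The length the original memset receives: MAX_ORDERS - plen is computed as an
 * int and converted to size_t at the call. For plen > MAX_ORDERS it wraps to a
 * huge value, which is the underflow the report describes. */
static size_t okt_vulnerable_memset_len(int plen)
{
    return (size_t)(MAX_ORDERS - plen);
}

/* Hardened variant: validate plen before it is used in pointer arithmetic and as
 * a memset length. A 16-bit plen is never negative, so only the upper bound is
 * needed. Returns the accepted plen, or -1 if the file is rejected. */
static int okt_load_orderlist_safe(song_t *song, const uint8_t *buf, size_t len)
{
    int plen;
    if (okt_find_plen(buf, len, &plen) != 0)
        return -1;
    if (plen > MAX_ORDERS)
        return -1;                           /* would underflow; reject the file */
    memset(song->orderlist + plen, ORDER_LAST, (size_t)(MAX_ORDERS - plen));
    return plen;
}

/* Constructed inputs (not real Oktalyzer files): a lone PLEN block each. */
static const uint8_t okt_plen_300[] = { 'P','L','E','N', 0,0,0,2, 0x01,0x2C }; /* plen = 300 */
static const uint8_t okt_plen_16[]  = { 'P','L','E','N', 0,0,0,2, 0x00,0x10 }; /* plen = 16  */

int main(void)
{
    song_t song;
    int plen = 0;

    okt_find_plen(okt_plen_300, sizeof okt_plen_300, &plen);
    printf("plen=%d, memset length as the original code computes it: %zu\n",
           plen, okt_vulnerable_memset_len(plen));

    memset(&song, 0xAA, sizeof song);
    printf("hardened loader, plen=300: %d\n",
           okt_load_orderlist_safe(&song, okt_plen_300, sizeof okt_plen_300));
    printf("hardened loader, plen=16: %d\n",
           okt_load_orderlist_safe(&song, okt_plen_16, sizeof okt_plen_16));
    return 0;
}
```

The example never performs the oversized memset itself; it only computes the length the vulnerable call would be handed, which for plen = 300 is (size_t)(-44), far beyond the 256-byte orderlist. Rejecting plen > MAX_ORDERS before the subtraction is the minimal fix; clamping plen to MAX_ORDERS would also be safe but silently accepts a malformed file.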
Actually, that commit message is wrong – the MTM loader memset can't underflow, but a couple of callocs could have been passed negative nmemb args, which to my limited knowledge seems like invoking undefined behavior. Which is never good.