There is an integer overflow bug in CDataFileReader::Open() which can lead to a buffer overflow and possibly RCE. The integer overflows occur when calculating Size and AllocSize:
```cpp
unsigned Size = 0;
Size += Header.m_NumItemTypes*sizeof(CDatafileItemType);
Size += (Header.m_NumItems+Header.m_NumRawData)*sizeof(int);
if(Header.m_Version == 4)
	Size += Header.m_NumRawData*sizeof(int); // v4 has uncompressed data sizes as well
Size += Header.m_ItemSize;

unsigned AllocSize = Size;
AllocSize += sizeof(CDatafile); // add space for info structure
AllocSize += Header.m_NumRawData*sizeof(void*); // add space for data pointers
```
As you can see, there is no check for whether Size or AllocSize overflows. An overflow of AllocSize can leave it smaller than Size. AllocSize is then used to allocate memory for the CDatafile object, while Size is used to read data into that object, leading to a buffer overflow.
Regards,
Mans van Someren
http://whatthebug.net/
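The following is an added example, not Teeworlds code and not part of the report above. It reproduces the reported arithmetic in explicit 32-bit unsigned form and puts a checked version next to it that refuses any header whose Size or AllocSize would wrap. The struct layouts (CDatafileItemType, CDatafile, CDatafileHeader) are assumed stand-ins chosen only for their sizes, and the overflow checks use the GCC/Clang `__builtin_*_overflow` builtins; the header values in `main` are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Assumed stand-ins for the Teeworlds types; only their sizes matter here.
struct CDatafileItemType { int m_Type, m_Start, m_Num; };
struct CDatafile { unsigned char m_Placeholder[64]; };

// Header fields named as in the report; a reader fills them from untrusted file data.
struct CDatafileHeader {
	int m_Version;
	int m_NumItemTypes;
	int m_NumItems;
	int m_NumRawData;
	int m_ItemSize;
};

// Mirrors the computation in the report: 32-bit unsigned accumulators, no checks.
// Each `+=` truncates to 32 bits, so large counts wrap and AllocSize can end up below Size.
// (The int sum m_NumItems + m_NumRawData can itself overflow; the checked version avoids it.)
static void ComputeSizesUnchecked(const CDatafileHeader &Header, uint32_t *pSize, uint32_t *pAllocSize)
{
	uint32_t Size = 0;
	Size += Header.m_NumItemTypes * sizeof(CDatafileItemType);
	Size += (Header.m_NumItems + Header.m_NumRawData) * sizeof(int);
	if(Header.m_Version == 4)
		Size += Header.m_NumRawData * sizeof(int);
	Size += Header.m_ItemSize;

	uint32_t AllocSize = Size;
	AllocSize += sizeof(CDatafile);
	AllocSize += Header.m_NumRawData * sizeof(void*);

	*pSize = Size;
	*pAllocSize = AllocSize;
}

// Accumulate Count * ElemSize into *pAcc in 32-bit unsigned arithmetic,
// rejecting negative counts and any wrap-around in the product or the sum.
static bool AddCounted(uint32_t *pAcc, int Count, size_t ElemSize)
{
	if(Count < 0)
		return false;
	uint32_t Product;
	if(__builtin_mul_overflow((uint32_t)Count, ElemSize, &Product))
		return false;
	return !__builtin_add_overflow(*pAcc, Product, pAcc);
}

// Hardened version: same totals as above when nothing overflows, false otherwise.
// The (m_NumItems + m_NumRawData) * sizeof(int) term is split into two checked terms.
static bool ComputeSizesChecked(const CDatafileHeader &Header, uint32_t *pSize, uint32_t *pAllocSize)
{
	uint32_t Size = 0;
	if(!AddCounted(&Size, Header.m_NumItemTypes, sizeof(CDatafileItemType)))
		return false;
	if(!AddCounted(&Size, Header.m_NumItems, sizeof(int)))
		return false;
	if(!AddCounted(&Size, Header.m_NumRawData, sizeof(int)))
		return false;
	if(Header.m_Version == 4 && !AddCounted(&Size, Header.m_NumRawData, sizeof(int)))
		return false;
	if(!AddCounted(&Size, Header.m_ItemSize, 1))
		return false;

	uint32_t AllocSize = Size;
	if(__builtin_add_overflow(AllocSize, (uint32_t)sizeof(CDatafile), &AllocSize))
		return false;
	if(!AddCounted(&AllocSize, Header.m_NumRawData, sizeof(void*)))
		return false;

	*pSize = Size;
	*pAllocSize = AllocSize;
	return true;
}

int main()
{
	// Constructed header: m_NumRawData is large enough that AllocSize wraps in 32 bits
	// while Size does not, which is the AllocSize < Size condition the report describes.
	CDatafileHeader Header = {4, 2, 10, 0x18000000, 100};
	uint32_t Size = 0, AllocSize = 0;
	ComputeSizesUnchecked(Header, &Size, &AllocSize);
	printf("unchecked: Size=0x%08x AllocSize=0x%08x%s\n", Size, AllocSize,
		AllocSize < Size ? " (AllocSize < Size)" : "");
	printf("checked:   %s\n", ComputeSizesChecked(Header, &Size, &AllocSize) ? "accepted" : "rejected");
	return 0;
}
```

The checked computation is the shape of fix a reader would want in Open(): every count is validated as non-negative and every multiply-add is tested for wrap before the result is used for allocation or for the subsequent read.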