Integer overflow and null pointer dereference in CMap::Load() in engine/shared/map.cpp

[0n3m4ns4rmy]

Hello Teeworlds dev team,

There is an integer overflow in CMap::Load() which can lead to a buffer overflow.

CTile *pTiles = static_cast<CTile *>(mem_alloc(pTilemap->m_Width * pTilemap->m_Height * sizeof(CTile), 1));

// extract original tile data
int i = 0;
CTile *pSavedTiles = static_cast<CTile *>(m_DataFile.GetData(pTilemap->m_Data));
while(i < pTilemap->m_Width * pTilemap->m_Height)
{
	for(unsigned Counter = 0; Counter <= pSavedTiles->m_Skip && i < pTilemap->m_Width * pTilemap->m_Height; Counter++)
	{
		pTiles[i] = *pSavedTiles;
		pTiles[i++].m_Skip = 0;
	}

	pSavedTiles++;
}

pTilemap->m_Width and pTilemap->m_Height can be arbitrary integers and there is no check for an integer overflow when multiplying these integers with each other and with sizeof(CTile).

Also there is no check if mem_alloc returns NULL which can lead to a null pointer dereference.

Regards,

Mans van Someren

http://whatthebug.net/

[Dune-jr]

The code is located here:

teeworlds/src/engine/shared/map.cpp

Lines 58 to 73 in 6dc6fe3

	CTile *pTiles = static_cast<CTile *>(mem_alloc(pTilemap->m_Width * pTilemap->m_Height * sizeof(CTile), 1));
	// extract original tile data
	int i = 0;
	CTile *pSavedTiles = static_cast<CTile *>(m_DataFile.GetData(pTilemap->m_Data));
	while(i < pTilemap->m_Width * pTilemap->m_Height)
	{
	for(unsigned Counter = 0; Counter <= pSavedTiles->m_Skip && i < pTilemap->m_Width * pTilemap->m_Height; Counter++)
	{
	pTiles[i] = *pSavedTiles;
	pTiles[i++].m_Skip = 0;
	}
	pSavedTiles++;
	}

I agree this is a security issue. Should we simply clamp pTilemap->m_Width and pTilemap->m_Height?

[0n3m4ns4rmy]

You could limit pTilemap->m_Width and pTilemap->m_Height so that the integer overflow cant occur or add a check after the multiplications. I suggest reading the accepted answer on this stack overflow post: https://stackoverflow.com/questions/1815367/catch-and-compute-overflow-during-multiplication-of-two-large-integers