Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Failed bounds check in CDataFileReader::ReplaceData() and CDataFileReader::GetData() and related functions in engine/shared/datafile.cpp leading to arbitrary free and OOB pointer write. #2073

Closed
0n3m4ns4rmy opened this issue Mar 22, 2019 · 2 comments

Comments

@0n3m4ns4rmy
Copy link

commented Mar 22, 2019

Hello Teeworlds dev team,

There is a failed bounds check in CDataFileReader::GetData() and CDataFileReader::ReplaceData() and related functions which can lead to an arbitrary free and OOB pointer write and possibly leading to RCE.

void *CDataFileReader::GetData(int Index)
{
	return GetDataImpl(Index, 0);
}

void CDataFileReader::ReplaceData(int Index, char *pData)
{
	// make sure the data has been loaded
	GetDataImpl(Index, 0);

	UnloadData(Index);
	m_pDataFile->m_ppDataPtrs[Index] = pData;
}

These functions get called with the integer Index being an arbitrary value thus leading to an arbitrary write of a pointer at the line m_pDataFile->m_ppDataPtrs[Index] = pData; and an arbirary free at the line UnloadData(Index); (which should probably also have a stricter bounds check).

void CDataFileReader::UnloadData(int Index)
{
	if(Index < 0)
		return;

	//
	mem_free(m_pDataFile->m_ppDataPtrs[Index]);
	m_pDataFile->m_ppDataPtrs[Index] = 0x0;
}

Regards,

Mans van Someren
http://whatthebug.net/

@Dune-jr

This comment has been minimized.

Copy link
Member

commented Mar 22, 2019

Again, this is because we need to sanitize CMapItemLayerTilemap (the only call to ReplaceData is in

m_DataFile.ReplaceData(pTilemap->m_Data, reinterpret_cast<char *>(pTiles));
).

@0n3m4ns4rmy

This comment has been minimized.

Copy link
Author

commented Mar 22, 2019

I would recommend adding the checks in the "deepest" function to prevent the same bug from happening when new calls to these functions get added or the existing code gets modified.

Dune-jr added a commit to Dune-jr/teeworlds that referenced this issue Mar 25, 2019

Dune-jr added a commit to Dune-jr/teeworlds that referenced this issue Mar 25, 2019

Dune-jr added a commit to Dune-jr/teeworlds that referenced this issue Mar 25, 2019

@oy oy closed this in e086f4b Mar 28, 2019

bors bot added a commit to ddnet/ddnet that referenced this issue Apr 7, 2019

Merge #1592
1592: Add bound check in datafile.cpp anywhere m_ppDataPtrs is accessed as … r=def- a=ChillerDragon

…an array. Should fix teeworlds/teeworlds#2073

(cherry picked from commit e086f4b35b1adf7edc35b4ad332dc7ed1edc5988)

Co-authored-by: Jordy Ruiz <jordy.ruiz@univ-lille.fr>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
2 participants
You can’t perform that action at this time.