Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Failed bounds check in CDataFileReader::ReplaceData() and CDataFileReader::GetData() and related functions in engine/shared/datafile.cpp leading to arbitrary free and OOB pointer write. #2073

Closed
0n3m4ns4rmy opened this issue Mar 22, 2019 · 2 comments · Fixed by ddnet/ddnet#1592

Comments

@0n3m4ns4rmy
Copy link

Hello Teeworlds dev team,

There is a failed bounds check in CDataFileReader::GetData() and CDataFileReader::ReplaceData() and related functions which can lead to an arbitrary free and OOB pointer write and possibly leading to RCE.

void *CDataFileReader::GetData(int Index)
{
	return GetDataImpl(Index, 0);
}

void CDataFileReader::ReplaceData(int Index, char *pData)
{
	// make sure the data has been loaded
	GetDataImpl(Index, 0);

	UnloadData(Index);
	m_pDataFile->m_ppDataPtrs[Index] = pData;
}

These functions get called with the integer Index being an arbitrary value thus leading to an arbitrary write of a pointer at the line m_pDataFile->m_ppDataPtrs[Index] = pData; and an arbirary free at the line UnloadData(Index); (which should probably also have a stricter bounds check).

void CDataFileReader::UnloadData(int Index)
{
	if(Index < 0)
		return;

	//
	mem_free(m_pDataFile->m_ppDataPtrs[Index]);
	m_pDataFile->m_ppDataPtrs[Index] = 0x0;
}

Regards,

Mans van Someren
http://whatthebug.net/

@Dune-jr
Copy link
Member

Dune-jr commented Mar 22, 2019

Again, this is because we need to sanitize CMapItemLayerTilemap (the only call to ReplaceData is in

m_DataFile.ReplaceData(pTilemap->m_Data, reinterpret_cast<char *>(pTiles));
).

@0n3m4ns4rmy
Copy link
Author

I would recommend adding the checks in the "deepest" function to prevent the same bug from happening when new calls to these functions get added or the existing code gets modified.

Dune-jr added a commit to Dune-jr/teeworlds that referenced this issue Mar 25, 2019
Dune-jr added a commit to Dune-jr/teeworlds that referenced this issue Mar 25, 2019
Dune-jr added a commit to Dune-jr/teeworlds that referenced this issue Mar 25, 2019
@oy oy closed this as completed in e086f4b Mar 28, 2019
bors bot added a commit to ddnet/ddnet that referenced this issue Apr 7, 2019
1592: Add bound check in datafile.cpp anywhere m_ppDataPtrs is accessed as … r=def- a=ChillerDragon

…an array. Should fix teeworlds/teeworlds#2073

(cherry picked from commit e086f4b)

Co-authored-by: Jordy Ruiz <jordy.ruiz@univ-lille.fr>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants