Failed bounds check in CDataFileReader::ReplaceData() and CDataFileReader::GetData() and related functions in engine/shared/datafile.cpp leading to arbitrary free and OOB pointer write. #2073
Comments
Again, this is because we need to sanitize teeworlds/src/engine/shared/map.cpp Line 74 in 6dc6fe3
I would recommend adding the checks in the "deepest" function to prevent the same bug from happening when new calls to these functions get added or the existing code gets modified.
Dune-jr added a commit to Dune-jr/teeworlds that referenced this issue on Mar 25, 2019: …an array. Should fix teeworlds#2073
bors bot added a commit to ddnet/ddnet that referenced this issue on Apr 7, 2019: 1592: Add bound check in datafile.cpp anywhere m_ppDataPtrs is accessed as … r=def- a=ChillerDragon …an array. Should fix teeworlds/teeworlds#2073 (cherry picked from commit e086f4b) Co-authored-by: Jordy Ruiz <jordy.ruiz@univ-lille.fr>
Hello Teeworlds dev team,
There is a failed bounds check in CDataFileReader::GetData() and CDataFileReader::ReplaceData() and related functions which can lead to an arbitrary free and OOB pointer write, possibly leading to RCE.
These functions get called with the integer `Index` being an arbitrary value, thus leading to an arbitrary write of a pointer at the line `m_pDataFile->m_ppDataPtrs[Index] = pData;` and an arbitrary free at the line `UnloadData(Index);` (which should probably also have a stricter bounds check).
Regards,
Mans van Someren
http://whatthebug.net/
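The following is an added illustration, not code from teeworlds or from the fix commits referenced above. It uses a hypothetical stand-in class (`CDataFileReaderDemo`, an `IsValidIndex` helper and a constructed 16-byte payload) that mirrors the member and method names quoted in the report (`m_ppDataPtrs`, `GetData`, `ReplaceData`, `UnloadData`) to show the shape of the fix the reply recommends: every public entry point funnels its index through one check in the deepest function, so neither the pointer write nor the free can be reached with an out-of-range `Index`. The check also covers negative values, which a plain `Index < Count` comparison on a signed index would miss.

```cpp
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <vector>

// Hypothetical simplification of the per-item data-pointer table that the report
// describes as m_ppDataPtrs. The real reader loads data from a map file; here the
// payload is a constructed placeholder so the example runs offline.
class CDataFileReaderDemo
{
    int m_NumItems;                    // number of data items (assumed to come from the file header)
    std::vector<void *> m_ppDataPtrs;  // one lazily-filled pointer per data item

    // The single guard every public method goes through. Rejecting the index here,
    // rather than in each caller, is the "deepest function" approach from the thread.
    bool IsValidIndex(int Index) const
    {
        return Index >= 0 && Index < m_NumItems;
    }

public:
    explicit CDataFileReaderDemo(int NumItems)
        : m_NumItems(NumItems), m_ppDataPtrs(NumItems, nullptr) {}

    ~CDataFileReaderDemo()
    {
        for(int i = 0; i < m_NumItems; i++)
            free(m_ppDataPtrs[i]);  // free(nullptr) is a no-op
    }

    int NumData() const { return m_NumItems; }

    // Returns the cached data for Index, or nullptr when Index is out of range.
    void *GetData(int Index)
    {
        if(!IsValidIndex(Index))
            return nullptr;
        if(!m_ppDataPtrs[Index])
        {
            // constructed placeholder payload: 16 bytes filled with the index value
            m_ppDataPtrs[Index] = malloc(16);
            memset(m_ppDataPtrs[Index], Index, 16);
        }
        return m_ppDataPtrs[Index];
    }

    // Frees the cached data for Index. An invalid index is ignored instead of
    // reaching free() with whatever lies beyond the table.
    void UnloadData(int Index)
    {
        if(!IsValidIndex(Index))
            return;
        free(m_ppDataPtrs[Index]);
        m_ppDataPtrs[Index] = nullptr;
    }

    // Replaces the cached data for Index; returns false, without touching memory,
    // when Index is out of range. Ownership of pData passes to the reader on success.
    bool ReplaceData(int Index, void *pData)
    {
        if(!IsValidIndex(Index))
            return false;
        UnloadData(Index);
        m_ppDataPtrs[Index] = pData;
        return true;
    }
};

// Feeds a constructed set of indices, including negative and far-too-large ones, through
// both accessors and returns how many calls the guard rejected. Callers that own the
// replacement buffer must free it themselves when ReplaceData() refuses it.
int DemoRejectedAccesses()
{
    CDataFileReaderDemo Reader(4);  // table with 4 valid slots: 0..3
    const int aProbe[] = {-1, 0, 3, 4, 100000};  // constructed sample indices
    int Rejected = 0;
    for(int Index : aProbe)
    {
        if(Reader.GetData(Index) == nullptr)
            Rejected++;
        void *pNew = malloc(8);
        if(!Reader.ReplaceData(Index, pNew))
        {
            free(pNew);
            Rejected++;
        }
    }
    return Rejected;
}

int main()
{
    printf("rejected out-of-range accesses: %d\n", DemoRejectedAccesses());
    return 0;
}
```

With four slots, the three invalid probes (-1, 4, 100000) are refused by both `GetData()` and `ReplaceData()`, so the demo reports six rejections, while indices 0 and 3 are served normally.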