Bug#528250: [hex-a-hop] stack-based buffer overflow via crafted save-game

Nico Golde nion at debian.org
Mon May 11 17:42:24 UTC 2009


Package: hex-a-hop
Severity: normal
Tags: security

We got a report that there is a stack-based buffer overflow
in savestate.h which can be triggered if a victim opens a
crafted save game. This attack scenario is very constructed
and rather obscure so the severity is only normal.

The affected code is (savestate.h, lines 219-233):

    if (v=='1')
    {
        while(!feof(f))
        {
            char temp[1000];
            short len;
            fread(&len, sizeof(len), 1, f);
            if (feof(f)) break;
            fread(temp, len, 1, f);
            temp[len] = 0;
            first = new X(temp, first);

            first->LoadSave(f,save);
        }
    }

This code is just completely broken and I have to admit that I had no motivation
to write a patch.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
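A hardened form of the quoted loop, added here as an illustration and not hex-a-hop's own fix: the short length prefix is validated against the buffer size before it is used as a read size or an index, and every fread() result is checked so a truncated or oversized record aborts the load instead of writing past temp. The function and helper names (read_name, count_records, append_record, make_save) are assumptions, and the per-record LoadSave() call from the original is left out.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not hex-a-hop's code: a bounds-checked version of the
 * record loop quoted from savestate.h.  Each record is a short length
 * prefix followed by that many bytes of name. */

enum load_status { LOAD_OK, LOAD_EOF, LOAD_BAD_LEN, LOAD_TRUNCATED };

/* The original did fread(temp, len, 1, f); temp[len] = 0; with len taken
 * straight from the file: a negative short becomes a huge size_t, and any
 * len >= 1000 writes past temp.  Here len is checked before either use. */
enum load_status read_name(FILE *f, char *temp, size_t cap)
{
    short len;
    if (fread(&len, sizeof len, 1, f) != 1)
        return LOAD_EOF;                      /* end of stream or read error */
    if (len < 0 || (size_t)len >= cap)
        return LOAD_BAD_LEN;                  /* would overflow temp */
    if (len > 0 && fread(temp, (size_t)len, 1, f) != 1)
        return LOAD_TRUNCATED;                /* prefix promised more bytes than present */
    temp[len] = '\0';
    return LOAD_OK;
}

/* Count well-formed records and report why the walk stopped. */
int count_records(FILE *f, enum load_status *why)
{
    char temp[1000];
    int n = 0;
    while ((*why = read_name(f, temp, sizeof temp)) == LOAD_OK)
        n++;
    return n;
}

/* Constructed-input helpers: append one record in host byte order ... */
size_t append_record(unsigned char *buf, size_t pos, short len, const char *data, size_t n)
{
    memcpy(buf + pos, &len, sizeof len);
    memcpy(buf + pos + sizeof len, data, n);
    return pos + sizeof len + n;
}

/* ... and turn the bytes into a FILE* (tmpfile() is standard C). */
FILE *make_save(const unsigned char *bytes, size_t n)
{
    FILE *f = tmpfile();
    if (f) { fwrite(bytes, 1, n, f); rewind(f); }
    return f;
}
```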