Bug#528250: [hex-a-hop] stack-based buffer overflow via crafted save-game
Nico Golde
nion at debian.org
Mon May 11 17:42:24 UTC 2009
Package: hex-a-hop
Severity: normal
Tags: security
We got a report that there is a stack-based buffer overflow
in savestate.h which can be triggered if a victim opens a
crafted save game. This attack scenario is very constructed
and rather obscure so the severity is only normal.
The affected code is:
    /* savestate.h, lines 219-233 */
    if (v=='1')
    {
        while(!feof(f))
        {
            char temp[1000];
            short len;
            fread(&len, sizeof(len), 1, f);
            if (feof(f)) break;
            fread(temp, len, 1, f);
            temp[len] = 0;
            first = new X(temp, first);

            first->LoadSave(f,save);
        }
    }
This code is just completely broken and I have to admit that I had no motivation
to write a patch.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
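
Added example, not part of the original mail and not a patch from the hex-a-hop project: a bounded reader for the length-prefixed record quoted in the report, which rejects a negative or oversized `len` and checks every `fread` result before writing the terminator. The names `read_name` and `try_record` are hypothetical, and the sample records are constructed in a temporary file.

```c
#include <stdio.h>

/* Read one length-prefixed name (native short, then len bytes) into buf.
 * Returns 1 on success, 0 on clean end of file, -1 on a malformed record.
 * Hypothetical helper; not hex-a-hop code. */
int read_name(FILE *f, char *buf, size_t bufsize)
{
    short len;
    size_t got = fread(&len, 1, sizeof(len), f);

    if (got == 0)
        return feof(f) ? 0 : -1;      /* nothing left, or a read error */
    if (got != sizeof(len))
        return -1;                    /* file ends inside the length field */

    /* len is a signed value taken from the file: refuse negative lengths
     * and any length that leaves no room for the terminating NUL. */
    if (len < 0 || (size_t)len >= bufsize)
        return -1;
    if (len > 0 && fread(buf, 1, (size_t)len, f) != (size_t)len)
        return -1;                    /* payload shorter than declared */

    buf[len] = '\0';
    return 1;
}

/* Constructed input: write one record to a temp file and parse it with a
 * buffer of the same size as temp[] in the quoted code. */
int try_record(short len, const char *payload, size_t payload_len)
{
    char name[1000];
    FILE *f = tmpfile();
    int rc;

    if (!f)
        return -2;
    fwrite(&len, sizeof(len), 1, f);
    if (payload_len)
        fwrite(payload, 1, payload_len, f);
    rewind(f);
    rc = read_name(f, name, sizeof(name));
    fclose(f);
    return rc;
}
```

A caller that loops on `read_name(...) == 1` and treats `-1` as a corrupt save game covers the three cases the quoted loop lets through: a length above 999, a negative length, and a file that ends mid-record.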