xorl %eax, %eax

CVE-2009-1513: libmodplug Stack Buffer Overflow


This issue was disclosed on 21 April 2009 and affects libmodplug prior to 0.8.7, which is installed by default on Ubuntu 6.06, 8.04, 8.10 and 9.04 as well as on Pardus Linux 2008.0. The library is used by music players and was originally developed as an XMMS plugin. The bug was reported by Stanislav Brabec and patched by Manfred Tremmel. Here is this simple vulnerability:

17  Module: LOAD_PAT
18
19   PAT sample loader.
20         by Peter Grootswagers (2006)
21         <email:pgrootswagers@planet.nl>
     ...
1117 #ifdef NEWMIKMOD
1118 static void PATinst(UNIMOD *of, INSTRUMENT *d, int smp, int gm)
1119 #else
1120 static void PATinst(INSTRUMENTHEADER *d, int smp, int gm)
1121 #endif
1122 {
1123         WaveHeader hw;
1124         char s[32];
1125         memset(s,0,32);
1126         if( pat_readpat_attr(gm-1, &hw, 0) ) {
1127                 pat_setpat_inst(&hw, d, smp);
1128         }
1129         else {
1130                 hw.modes = PAT_16BIT|PAT_ENVELOPE|PAT_SUSTAIN|PAT_LOOP;
     ...
1147                 strncpy(hw.reserved, midipat[gm-1], 36);
1148                 pat_setpat_inst(&hw, d, smp);
1149         }
     ...
1165 }

This code is part of src/load_pat.cpp, which is a PAT loader as the comments state. The overflow is kind of obvious. The strncpy() at line 1147 writes 36 bytes into hw.reserved (strncpy() pads a shorter source with NUL bytes up to the given length, so the full 36 bytes are written no matter how long the instrument name is), but hw.reserved, a member of the WaveHeader structure that lives on the stack as the local variable hw, is just 32 bytes long, as we can see here:

99 typedef struct {
100         char wave_name[7];
     ...
122         char reserved[32];
123 } WaveHeader;
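To make the 36-versus-32 mismatch concrete, here is an added example (my own code, not libmodplug's) that models the reserved field plus the bytes that follow it on the stack and counts how many of those neighbouring bytes a strncpy() with the hard-coded bound 36 clobbers, compared with a copy bounded by the field's own size. The instrument name is a constructed sample value.

```c
#include <stdio.h>
#include <string.h>
/* Constructed model of the affected stack layout (not libmodplug's code):
 * the 32-byte hw.reserved field followed by 8 marker bytes standing in for
 * whatever sits after it on the stack, so the overflow is observable safely. */
typedef struct {
    char reserved[32];          /* mirrors WaveHeader.reserved[32] */
    unsigned char adjacent[8];  /* bytes that follow hw on the stack */
} frame_model;

/* Copies `name` into the reserved field with bound n, as the strncpy() in
 * load_pat.cpp does, and returns how many adjacent marker bytes were
 * clobbered.  strncpy() always writes exactly n bytes (a shorter source is
 * NUL-padded), so n > 32 corrupts the neighbour for every instrument name.
 * The struct is written as one object, so n <= sizeof *f is well defined. */
static int copy_into_reserved(frame_model *f, const char *name, size_t n)
{
    int clobbered = 0;
    if (n > sizeof *f)
        return -1;              /* outside what the model represents */
    memset(f->reserved, 0, sizeof f->reserved);
    memset(f->adjacent, 0xAA, sizeof f->adjacent);
    strncpy((char *)f, name, n);
    for (size_t i = 0; i < sizeof f->adjacent; i++)
        if (f->adjacent[i] != 0xAA)
            clobbered++;
    return clobbered;
}

/* Pre-0.8.7 call site: a hard-coded bound of 36 for a 32-byte field. */
static int vulnerable_copy(const char *name)
{
    frame_model f;
    return copy_into_reserved(&f, name, 36);
}

/* The fix: bound the copy by the size of the destination field. */
static int fixed_copy(const char *name)
{
    frame_model f;
    return copy_into_reserved(&f, name, sizeof f.reserved);
}

int main(void)
{
    const char *name = "Acoustic Grand Piano";   /* constructed sample */
    printf("bound 36:     %d adjacent bytes clobbered\n", vulnerable_copy(name));
    printf("bound sizeof: %d adjacent bytes clobbered\n", fixed_copy(name));
    return 0;
}
```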

This was patched like this:

                hw.envelope_offset[5] = 0;
-               strncpy(hw.reserved, midipat[gm-1], 36);
+               strncpy(hw.reserved, midipat[gm-1], sizeof(hw.reserved));
                pat_setpat_inst(&hw, d, smp);
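Review bot: the new bound sizeof(hw.reserved) keeps the write inside the 32-byte field (reserved is declared as char[32], so sizeof yields 32 rather than a pointer size), but strncpy() still leaves hw.reserved without a terminating NUL whenever the source is 32 bytes or longer; if hw.reserved is ever read as a C string, add `hw.reserved[sizeof(hw.reserved) - 1] = 0;` after the copy or bound it by sizeof(hw.reserved) - 1. A short comment next to the call explaining that the bound must track the field size would help prevent the constant from creeping back in.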

Written by xorl

May 11, 2009 at 12:42

Posted in bugs
