Buffer overflow in WinAMP 2.x

[wojtekka () BYDNET COM PL (Wojtek Kaniewski)]

Introduction
------------
WinAMP is a popular Windows sound player with support for many file
formats (MP3, wave files, modules). It also supports MP3 streaming
(let's call it sh0utcast).

Description of the problem
--------------------------
If we tell WinAMP to open file location (Ctrl+L) which is over 256
bytes long, it'll produce nice GPF. The bug also appears when loading
playlists (.m3u and .pls)

What can we do with this bug?
-----------------------------
Many sh0utcast radios place .pls files on their websites, which contain
URL for radio's sh0utcast server.

If we'll make b00m.pls file like this...

  [playlist]
  NumberOfEntries=1
  File1=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA... (about 256 A's)

and put such link...

  <A HREF="b00m.pls">Techno explosion -- The Coolest MP3 Radio</A>

on our website, we can make couple of WinAMPs crash. I suppose, that
there's a possibility to put our own code in the filename (see cDc-351
for details).

Nullsoft (producer of WinAMP) has been noticed about the bug two
versions ago.

--
wojtekka () irc pl:: http://wojtekka.stone.pl/ :: ^wojtekka@ircnet