Re: Buffer overflow in WinAMP 2.x

[biafra () X-STREAM CO UK (Jello Biafra)]

Date sent:              Wed, 12 May 1999 13:02:43 +0200
Send reply to:          Wojtek Kaniewski <wojtekka () BYDNET COM PL>
From:                   Wojtek Kaniewski <wojtekka () BYDNET COM PL>
Subject:                Buffer overflow in WinAMP 2.x
To:                     BUGTRAQ () netspace org

> Introduction
> ------------
> WinAMP is a popular Windows sound player with support for many file
> formats (MP3, wave files, modules). It also supports MP3 streaming
> (let's call it sh0utcast).
>
> Description of the problem
> --------------------------
> If we tell WinAMP to open file location (Ctrl+L) which is over 256
> bytes long, it'll produce nice GPF. The bug also appears when loading
> playlists (.m3u and .pls)
>
> What can we do with this bug?
> -----------------------------
> Many sh0utcast radios place .pls files on their websites, which contain
> URL for radio's sh0utcast server.
>
> If we'll make b00m.pls file like this...
>
>   [playlist]
>   NumberOfEntries=1
>   File1=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA... (about 256 A's)
>
> and put such link...
>
>   <A HREF="b00m.pls">Techno explosion -- The Coolest MP3 Radio</A>
>
> on our website, we can make couple of WinAMPs crash. I suppose, that
> there's a possibility to put our own code in the filename (see cDc-351
> for details).
>
> Nullsoft (producer of WinAMP) has been noticed about the bug two
> versions ago.
>
> --
> wojtekka () irc pl :: http://wojtekka.stone.pl/ :: ^wojtekka@ircnet

On NT Server 4 with no Service Packs installed, this causes an
application error. Platform is a Cyrix MMX 233.

Access Violation (0xc0000005), Address : 0x62626262