Bugtraq mailing list archives
Re: xine-lib NES Sound Format Demuxer Buffer Overflow
From: Guido Landi <lists () keamera org>
Date: Thu, 24 Apr 2008 00:21:17 +0200
that buffer can't be overflowed, "header" is 128 bytes long:

    #define NSF_HEADER_SIZE 0x80
    [..]
    if (this->input->read(this->input, header, NSF_HEADER_SIZE) != NSF_HEADER_SIZE)
      return 0;

and copyright can't be more than 50 bytes:

    this->copyright = strdup(&header[0x4E]);

laurent.gaffie () gmail com wrote:

Hi there

Original advisory: http://milw0rm.com/exploits/5458

There's another stack-based buffer overflow in demux_nfs.c

    line 111: this->copyright = strdup(&header[0x4E]);
    line 189: char copyright[100];
    line 208: sprintf(copyright, "(C) %s", this->copyright);

Regards
Laurent Gaffié
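The bounds discussed in this thread, worked through as an added example (not code from xine-lib or from either poster): it copies the copyright field out of a 128-byte header at offset 0x4E with an explicit length limit, so it does not depend on a NUL terminator being present inside the header, then formats it into the 100-byte buffer with snprintf. The helper names and the constructed all-'A' header are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NSF_HEADER_SIZE   0x80  /* from the thread: header is 128 bytes */
#define NSF_COPYRIGHT_OFF 0x4E  /* from the thread: copyright starts here */
#define COPYRIGHT_BUF     100   /* from the thread: char copyright[100] */

/* Hypothetical helper: copy the copyright field out of a raw header without
 * assuming a NUL byte exists inside the 128 bytes. Returns the number of
 * bytes copied, at most NSF_HEADER_SIZE - NSF_COPYRIGHT_OFF = 50. */
static size_t nsf_copy_copyright(const unsigned char *header, char *out, size_t outsz)
{
    size_t max = NSF_HEADER_SIZE - NSF_COPYRIGHT_OFF;
    size_t n = 0;
    if (outsz == 0)
        return 0;
    while (n < max && n < outsz - 1 && header[NSF_COPYRIGHT_OFF + n] != '\0')
        n++;
    memcpy(out, header + NSF_COPYRIGHT_OFF, n);
    out[n] = '\0';
    return n;
}

/* Hypothetical helper: bounded form of sprintf(copyright, "(C) %s", ...).
 * Returns 0 on success, -1 if the text would not fit in dst. */
static int nsf_format_copyright(char *dst, size_t dstsz, const char *src)
{
    int n = snprintf(dst, dstsz, "(C) %s", src);
    return (n < 0 || (size_t)n >= dstsz) ? -1 : 0;
}

/* Constructed worst case: every header byte from 0x4E to the end is non-NUL.
 * Returns the length of the formatted string, or -1 if it did not fit. */
static int nsf_worst_case_len(void)
{
    unsigned char header[NSF_HEADER_SIZE];
    char field[NSF_HEADER_SIZE - NSF_COPYRIGHT_OFF + 1];
    char copyright[COPYRIGHT_BUF];
    memset(header, 'A', sizeof header);
    nsf_copy_copyright(header, field, sizeof field);
    if (nsf_format_copyright(copyright, sizeof copyright, field) != 0)
        return -1;
    return (int)strlen(copyright);
}

int main(void) { printf("%d\n", nsf_worst_case_len()); return 0; }
```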
Current thread:
- xine-lib NES Sound Format Demuxer Buffer Overflow laurent . gaffie (Apr 23)
- Re: xine-lib NES Sound Format Demuxer Buffer Overflow Guido Landi (Apr 24)