oss-sec mailing list archives
TORCS 1.3.2 xml buffer overflow - CVE-2012-1189
From: Andres Gomez <agomez () fluidsignal com>
Date: Sat, 18 Feb 2012 13:35:31 -0500
http://www.exploit-db.com/exploits/18471/
http://www.torcs.org

Hi,

I have found another exploitable buffer overflow in torcs, this time it doesn't have any relation with plib.

The problem is in torcs/src/modules/graphic/ssgraph/grsound.cpp, line 103:

     96     char filename[512];
            FILE *file = NULL;

            // ENGINE PARAMS
            tdble rpm_scale;

            param = GfParmGetStr(handle, "Sound", "engine sample", "engine-1.wav");
            rpm_scale = GfParmGetNum(handle, "Sound", "rpm scale", NULL, 1.0);

    103     sprintf (filename, "cars/%s/%s", car->_carName, param);
            file = fopen(filename, "r");
            if (!file) {
    107         sprintf (filename, "data/sound/%s", param);
            } else {
                fclose(file);
            }

This section reads a configuration sound option from [any-car].xml, for example:

    <section name="Sound">
        <attstr name="engine sample" val="renault-v10.wav"/>
        <attnum name="rpm scale" val="0.35"/>
    </section>

If the audio file name in "engine sample" is long enough, it could overwrite the "filename" buffer (line 96), because there is no size validation in line 103 (also in line 107).

I have already notified the vendor.

Please use CVE-2012-1189 for this issue.

Regards.

Andrés Gómez
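As an added example (not code from the post or from TORCS), here is a hardened version of the path-building step: snprintf() into the 512-byte buffer with its return value checked, so an over-long "engine sample" value is rejected instead of written past the end of `filename`. The function names, the car name "car1-trb1" and the repeated-'A' sample names are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical hardened replacement for the sprintf() calls at lines 103
 * and 107 of grsound.cpp (added example, not TORCS code). The path is built
 * with snprintf() into a caller-supplied buffer; an "engine sample" value
 * that would not fit is rejected rather than truncated or overflowed.
 * Returns 1 on success, 0 on rejection (out is then an empty string). */
static int build_sound_path(char *out, size_t outsz,
                            const char *car_name, const char *sample)
{
    int n;

    if (out == NULL || outsz == 0)
        return 0;
    out[0] = '\0';                      /* empty string on any rejection */
    if (car_name == NULL || sample == NULL)
        return 0;
    n = snprintf(out, outsz, "cars/%s/%s", car_name, sample);
    /* snprintf() returns the length it wanted to write; outsz or more
     * means the path was truncated, which we reject rather than use. */
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return 0;
    }
    return 1;
}

/* Boundary check against the fixed 512-byte buffer of line 96: returns
 * whether a constructed sample name of `len` characters ('A' repeated)
 * fits next to the given car name. */
static int sample_of_length_fits(const char *car_name, size_t len)
{
    char filename[512];
    char sample[2048];

    if (len >= sizeof sample)
        return 0;
    memset(sample, 'A', len);
    sample[len] = '\0';
    return build_sound_path(filename, sizeof filename, car_name, sample);
}

int main(void)
{
    char filename[512];
    if (build_sound_path(filename, sizeof filename, "car1-trb1", "renault-v10.wav"))
        printf("%s\n", filename);       /* cars/car1-trb1/renault-v10.wav */
    printf("600-char sample fits: %d\n", sample_of_length_fits("car1-trb1", 600));
    return 0;
}
```

With "cars/car1-trb1/" taking 15 bytes, a 496-character sample name is the longest that still fits the 512-byte buffer including the terminator; one character more is rejected.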