List: oss-security
Subject: [oss-security] TORCS 1.3.2 xml buffer overflow - CVE-2012-1189
From: Andres Gomez <agomez () fluidsignal ! com>
Date: 2012-02-18 18:35:31
Message-ID: CAB9ZNAzBgtqWdjDmsTmzHi+uVCUCqtfO6Goo4fneacfJ5cSBtw () mail ! gmail ! com
http://www.exploit-db.com/exploits/18471/
http://www.torcs.org
Hi,
I have found another exploitable buffer overflow in torcs, this time it
doesn't have any relation to plib.
The problem is in:
torcs/src/modules/graphic/ssgraph/grsound.cpp, line 103:
 96     char filename[512];
        FILE *file = NULL;
        // ENGINE PARAMS
        tdble rpm_scale;
        param = GfParmGetStr(handle, "Sound", "engine sample", "engine-1.wav");
        rpm_scale = GfParmGetNum(handle, "Sound", "rpm scale", NULL, 1.0);
103     sprintf (filename, "cars/%s/%s", car->_carName, param);
        file = fopen(filename, "r");
        if (!file)
        {
107         sprintf (filename, "data/sound/%s", param);
        }
        else
        {
            fclose(file);
        }
This section reads a configuration sound option from [any-car].xml, for
example:
    <section name="Sound">
        <attstr name="engine sample" val="renault-v10.wav"/>
        <attnum name="rpm scale" val="0.35"/>
    </section>
If the audio file name in "engine sample" is long enough it could overwrite
the "filename" buffer (line 96), because there is no size validation in
line 103 (also in line 107).
I have already notified vendor.
Please use CVE-2012-1189 for this issue.
Regards.
Andrés Gómez
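The defect reported above is an unbounded sprintf into a fixed 512-byte array. The following is an added example, not code from the report or from the TORCS project: a hypothetical helper (build_sound_path) that builds the same "cars/<car>/<sample>" path with snprintf, checks the returned length for truncation, and refuses to continue when the attacker-controlled sample name would not fit. The car name "example-car" and the oversized sample string are constructed inputs; the 512-byte buffer size mirrors the advisory's "filename" array.

```c
#include <stdio.h>
#include <string.h>

/* Buffer size mirrors the 512-byte "filename" array in the advisory. */
#define FILENAME_LEN 512

/* Hypothetical helper (not TORCS code): build "cars/<car>/<sample>" into a
 * fixed-size buffer. Returns 1 on success and 0 when the formatted path
 * would not fit (or on bad input); on failure the buffer is left as an
 * empty string so a caller cannot accidentally open a truncated path. */
int build_sound_path(char *out, size_t out_len,
                     const char *car_name, const char *sample)
{
    if (out == NULL || out_len == 0 || car_name == NULL || sample == NULL)
        return 0;

    /* snprintf writes at most out_len bytes and always NUL-terminates when
     * out_len > 0. Its return value is the length the full string would
     * have had, so a value >= out_len means the output was truncated. */
    int needed = snprintf(out, out_len, "cars/%s/%s", car_name, sample);
    if (needed < 0 || (size_t)needed >= out_len) {
        out[0] = '\0';
        return 0;
    }
    return 1;
}

/* Demonstration with constructed inputs: the sample name from the
 * advisory's XML example, and an oversized name of the kind a hostile
 * car definition could carry. Returns 1 if the helper accepted the
 * first and rejected the second. */
int demo(void)
{
    char filename[FILENAME_LEN];
    char oversized[FILENAME_LEN + 100];

    /* Constructed: a sample name longer than the whole destination buffer. */
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    int ok_short = build_sound_path(filename, sizeof filename,
                                    "example-car", "renault-v10.wav");
    int ok_long  = build_sound_path(filename, sizeof filename,
                                    "example-car", oversized);
    return ok_short && !ok_long;
}

int main(void)
{
    printf("demo: %s\n", demo() ? "ok" : "FAIL");
    return 0;
}
```

The same pattern applies to the second sprintf on line 107 ("data/sound/%s"): any format string that copies a value read from a data file into a fixed buffer needs the length check, not just the first one.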