Festalon Heap Corruption
vulners.com (SECURITYVULNS:DOC:13762), 2006-08-07

#######################################################################

                         Luigi Auriemma

Application: Festalon
http://projects.raphnet.net/#festalon
Versions: <= 0.5.5 and >= 0.5.0
Platforms: Windows, *nix, *BSD, Winamp and XMMS plugin
Bug: heap corruption in FESTAHES_Load
Exploitation: local
Date: 06 Aug 2006
Author: Luigi Auriemma
e-mail: [email protected]
web: aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction

Festalon is a player (stand-alone and plugin) for the Nintendo .nsf
music files.

#######################################################################

======
2) Bug

HES is a file format for ripped TG16/PC Engine music; support for it was
added in version 0.5.0.
FESTALON_HES is a structure of 1501888 bytes used to hold the file in
memory.
The program uses an anti-overflow check to reject input data larger
than the rom size of 0x100000 bytes.
However, the check is made on the sum of LoadAddr (used as an offset into
the destination rom buffer) and LoadSize (the amount of data to copy), so
an attacker can use a negative LoadAddr value (a uint32 so large that the
sum wraps around) to overwrite the memory preceding the allocated buffer.
The exploitation (I'm not sure if code execution is really possible,
although the effects seem similar to a heap overflow) occurs when the
program terminates and free() is called.

From pce/hes.c:

FESTALON_HES *FESTAHES_Load(FESTALON *fe, uint8 *buf, uint32 size)
{
    FESTALON_HES *hes;
    uint32 LoadAddr,LoadSize;
    uint16 InitAddr;
    uint8 *tmp;
    int x;

    fe->TotalChannels = 6;
    fe->OutChannels = 2;

    hes = FESTA_malloc(16, sizeof(FESTALON_HES));
    hes->h6280 = malloc(sizeof(h6280_Regs));

    InitAddr = De16(&buf[0x6]);

    tmp = &buf[0x10];

    while(tmp < (buf + size - 0x10))
    {
        LoadSize = De32(&tmp[0x4]);
        LoadAddr = De32(&tmp[0x8]);
        //printf("%08x:%08x\n",LoadSize,LoadAddr);
        tmp += 0x10;
        if(tmp >= (buf + size + LoadSize)) break;

        /* both values come from the file as uint32: the sum can wrap */
        if((LoadAddr + LoadSize) > 0x100000) break;
        /* with a "negative" LoadAddr the destination lies before hes->rom */
        memcpy(hes->rom + LoadAddr,tmp,LoadSize);
        tmp += LoadSize;
    }
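To make the wrap concrete, here is an added example (not Festalon's code) that puts the advisory's check beside a hardened form and walks constructed chunk headers the way the loop above does, counting what each check would let through instead of copying. de32() is an assumed stand-in for the player's De32(), and the end-of-file test is a conservative one of my own rather than the original's.

```c
#include <stdint.h>

#define HES_ROM_SIZE 0x100000u   /* size of the rom buffer the check guards */

/* The check as it appears in FESTAHES_Load: both operands are uint32, so a
 * LoadAddr near 0xFFFFFFFF ("negative" read as int32) makes the sum wrap back
 * below 0x100000 and the chunk is accepted. Returns 1 when accepted. */
int hes_check_original(uint32_t load_addr, uint32_t load_size)
{
    return (load_addr + load_size) <= HES_ROM_SIZE;
}

/* Hardened form: bound each operand on its own before combining them, so the
 * arithmetic cannot wrap. Returns 1 only when the chunk fits in the buffer. */
int hes_check_fixed(uint32_t load_addr, uint32_t load_size)
{
    if (load_addr > HES_ROM_SIZE)
        return 0;
    return load_size <= HES_ROM_SIZE - load_addr;
}

/* Little-endian 32-bit read; an assumed stand-in for the player's De32(). */
static uint32_t de32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk the 16-byte chunk headers from offset 0x10 (LoadSize at +4, LoadAddr
 * at +8, as in the original loop) and count the chunks the given check would
 * pass to memcpy. Nothing is copied; the end-of-file test is conservative. */
int hes_count_accepted(const uint8_t *buf, uint32_t size,
                       int (*check)(uint32_t, uint32_t))
{
    const uint8_t *tmp, *end = buf + size;
    int accepted = 0;
    if (size < 0x10)
        return 0;
    for (tmp = buf + 0x10; (uint32_t)(end - tmp) >= 0x10; ) {
        uint32_t load_size = de32(tmp + 0x4);
        uint32_t load_addr = de32(tmp + 0x8);
        tmp += 0x10;
        if (!check(load_addr, load_size))
            break;                      /* same 'break' as the original */
        accepted++;
        if (load_size > (uint32_t)(end - tmp))
            break;                      /* chunk data runs past the file */
        tmp += load_size;
    }
    return accepted;
}
```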

#######################################################################

===========
3) The Code

http://aluigi.org/poc/festahc.zip

#######################################################################

======
4) Fix

At the moment the project no longer has a real homepage, so I don't know
if it's still 100% supported.
Anyway, I consider this bug more a "curiosity" than a real
vulnerability.

#######################################################################