Dec 15, 2006
[Full-disclosure] Coolplayer buffer overflow vulnerabilities

Affected software: Coolplayer (coolplayer.sourceforge.net)
Versions: <= 215
Discovered by: Mehdi Oudad and Kevin Fernandez, zone-h.fr

The Coolplayer authors were mailed through contact \at/ daansystems.com on
November 15, 2005, but we never received a reply. On November 30, 2006 they
published a new version that only partially patches the flaws.

1) A boundary error exists in the CPL_AddPrefixedFile() function of
CPI_Playlist.c:

    char cFullPath[MAX_PATH];
    memcpy(cFullPath, pcPlaylistFile, iPlaylist_VolumeBytes);
    strcpy(cFullPath + iPlaylist_VolumeBytes, pcFilename + 1);
    CPL_AddSingleFile(hPlaylist, cFullPath, pcTitle);

The program copies an input string of up to 512 bytes into a 260-byte
(MAX_PATH) buffer: memcpy() places the playlist's volume prefix at the start
of cFullPath, and strcpy() then appends the entry's filename without checking
that the combined length fits. This can be exploited via a malicious playlist
file containing overly long song names.
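The following is an added example, not code from Coolplayer or from the advisory authors, showing the bounds check that the quoted memcpy()/strcpy() sequence lacks. The function names (build_full_path, add_prefixed_file), the playlist path and the 512-byte song name are constructed for illustration; MAX_PATH is assumed to be the Windows value of 260, matching the 260-byte buffer described above.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifndef MAX_PATH
#define MAX_PATH 260   /* assumed Windows value; the advisory's 260-byte cFullPath */
#endif

/* Hardened replacement for the memcpy()+strcpy() pair quoted above.
 * Builds out = prefix[0..prefix_len) + suffix and refuses (returns -1) whenever
 * the result plus its terminating NUL would not fit in out_len bytes.
 * Returns the resulting string length on success. */
int build_full_path(const char *prefix, size_t prefix_len,
                    const char *suffix, char *out, size_t out_len)
{
    size_t suffix_len = strlen(suffix);
    if (prefix_len >= out_len || suffix_len >= out_len - prefix_len)
        return -1;                                   /* would overflow: reject */
    memcpy(out, prefix, prefix_len);
    memcpy(out + prefix_len, suffix, suffix_len + 1); /* copies the NUL too */
    return (int)(prefix_len + suffix_len);
}

/* Mirrors CPL_AddPrefixedFile()'s path construction for one playlist entry
 * (hypothetical name): the volume prefix is taken from the playlist's own path
 * and the entry's filename, minus its leading character as in the original,
 * is appended into a MAX_PATH buffer. Returns 0 if accepted, -1 if rejected. */
int add_prefixed_file(const char *playlist_path, size_t volume_bytes,
                      const char *filename, char *full_path_out)
{
    if (volume_bytes > strlen(playlist_path) || filename[0] == '\0')
        return -1;
    return build_full_path(playlist_path, volume_bytes, filename + 1,
                           full_path_out, MAX_PATH) < 0 ? -1 : 0;
}

/* Constructed sample: playlist C:\Music\list.m3u (volume prefix "C:\Music\",
 * 9 bytes) and a malicious entry whose filename is 512 bytes long. */
int demo_long_name_rejected(void)
{
    char full[MAX_PATH];
    char evil[514];
    memset(evil, 'A', 513);
    evil[0] = '\\';          /* leading separator skipped by filename + 1 */
    evil[513] = '\0';
    return add_prefixed_file("C:\\Music\\list.m3u", 9, evil, full); /* -1 */
}

/* Constructed sample: a well-formed entry that fits comfortably. */
int demo_short_name_ok(void)
{
    char full[MAX_PATH];
    if (add_prefixed_file("C:\\Music\\list.m3u", 9, "\\song.mp3", full) != 0)
        return 0;
    return strcmp(full, "C:\\Music\\song.mp3") == 0;
}

int main(void)
{
    printf("512-byte song name: %s\n",
           demo_long_name_rejected() == -1 ? "rejected" : "accepted");
    printf("short song name builds correct path: %d\n", demo_short_name_ok());
    return 0;
}
```

The check is done on lengths before any byte is written, and the second memcpy() copies the terminator explicitly, so the caller never sees a truncated or unterminated path; a rejected entry should simply be skipped rather than added to the playlist.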

2) A boundary error exists in the main_skin_check_ini_value() function of
skin.c:

    sscanf(textposition, "%s %d %d %d %d %d %d %d %d %d %[^\0]", name, &x,
    &y, &w, &h, &maxw, &x2, &y2, &w2, &h2, tooltip);

The "%s" conversion carries no maximum field width, so the button name is
copied into the fixed-size name buffer regardless of its length. It can be
exploited with a skin file containing overly long button names.
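As an added example (not Coolplayer's code), here is the same sscanf() call with field widths bound to the destination buffers, which is the standard fix for this class of bug. The struct, buffer sizes and the skin line contents are assumptions made for illustration; the tooltip is read with a bounded "%[^\n]" since the format only needs to consume the rest of the line.

```c
#include <stdio.h>
#include <string.h>

/* Buffer sizes are assumed; the widths in the format string must stay equal
 * to sizeof(field) - 1 so the terminating NUL always fits. */
struct skin_button {
    char name[64];
    int  x, y, w, h, maxw, x2, y2, w2, h2;
    char tooltip[128];
};

/* Hardened version of the sscanf() from main_skin_check_ini_value(): every
 * string conversion has a maximum width, so an overlong button name is cut
 * off at 63 bytes instead of overrunning name[]. Returns 1 when all 11 fields
 * parsed, 0 otherwise. A truncated name leaves its tail in the input where an
 * integer is expected, so the overlong case also fails the field count and the
 * caller can reject the whole line. */
int parse_button_line(const char *line, struct skin_button *b)
{
    memset(b, 0, sizeof *b);
    int n = sscanf(line, "%63s %d %d %d %d %d %d %d %d %d %127[^\n]",
                   b->name, &b->x, &b->y, &b->w, &b->h, &b->maxw,
                   &b->x2, &b->y2, &b->w2, &b->h2, b->tooltip);
    return n == 11;
}

/* Constructed sample line (not from any real skin file). */
static const char GOOD_LINE[] =
    "play 10 20 30 40 50 60 70 80 90 Play the current track";

int demo_good_line(void)
{
    struct skin_button b;
    if (!parse_button_line(GOOD_LINE, &b))
        return 0;
    return strcmp(b.name, "play") == 0 && b.x == 10 && b.h2 == 90
        && strcmp(b.tooltip, "Play the current track") == 0;
}

/* A 300-byte button name: with the unbounded "%s" this would write 300 bytes
 * into a 64-byte name[]; with "%63s" the parse stops early and is rejected. */
int demo_overlong_name_rejected(void)
{
    struct skin_button b;
    char line[400];
    memset(line, 'A', 300);
    line[300] = '\0';
    strcat(line, " 1 2 3 4 5 6 7 8 9 tip");
    int ok = parse_button_line(line, &b);
    return !ok && strlen(b.name) == 63;
}

int main(void)
{
    printf("well-formed line parsed: %d\n", demo_good_line());
    printf("300-byte name rejected: %d\n", demo_overlong_name_rejected());
    return 0;
}
```

Checking the return value of sscanf() against the expected field count is as important as the widths: without it, a truncated name would be silently accepted with the remaining fields left at zero.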

3) An error in main_skin_open() of skin.c can be exploited with a skin
file containing overly long bitmap filenames.

Additionally, Coolplayer was using an obsolete version of the zlib library;
the changelog does not say it has been updated.


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/