Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: xine-lib NES Sound Format Demuxer Buffer Overflow
From: Guido Landi <lists () keamera org>
Date: Thu, 24 Apr 2008 00:21:17 +0200

that buffer can't be overflowed,  "header" is 128 byte long:

#define NSF_HEADER_SIZE 0x80
[..]
if (this->input->read(this->input, header, NSF_HEADER_SIZE) !=
 NSF_HEADER_SIZE)
 return 0;

and copyright can't be more than 50byte:

this->copyright = strdup(&header[0x4E]);



laurent.gaffie () gmail com wrote:
Hi there

Original advisory:
http://milw0rm.com/exploits/5458


There's another stack-based buffer overflow in demux_nfs.c

line 111:
this->copyright = strdup(&header[0x4E]);
line 189:
char copyright[100];
line 208:
sprintf(copyright, "(C) %s", this->copyright);

Regards Laurent Gaffi´┐Ż



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]