oss-sec mailing list archives

TORCS 1.3.2 xml buffer overflow - CVE-2012-1189
From: Andres Gomez <agomez () fluidsignal com>
Date: Sat, 18 Feb 2012 13:35:31 -0500



I have found another exploitable buffer overflow in torcs; this time it
doesn't have any relation to plib.
The problem is in:

torcs/src/modules/graphic/ssgraph/grsound.cpp, line 103:

96     char filename[512];
        FILE *file = NULL;

        // ENGINE PARAMS
        tdble rpm_scale;
        param = GfParmGetStr(handle, "Sound", "engine sample",
        rpm_scale = GfParmGetNum(handle, "Sound", "rpm scale", NULL, 1.0);
103   sprintf (filename, "cars/%s/%s", car->_carName, param);
        file = fopen(filename, "r");
        if (!file)
107             sprintf (filename, "data/sound/%s", param);

This section reads a configuration sound option from [any-car].xml, for example:

<section name="Sound">
        <attstr name="engine sample" val="renault-v10.wav"/>
        <attnum name="rpm scale" val="0.35"/>
</section>

If the audio file name in "engine sample" is long enough, it can overflow the
"filename" buffer (line 96), because there is no size validation at line 103
(nor at line 107).

I have already notified vendor.

Please use CVE-2012-1189 for this issue.


Andrés Gómez
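The following is an added illustration of the pattern the post describes, not code from the advisory or from the TORCS project: the unbounded `sprintf` into a 512-byte stack buffer beside a bounded replacement. It keeps the same `cars/%s/%s` and `data/sound/%s` formats, measures how far the original line-103 write would run past the buffer for an over-long "engine sample" value (computed, not executed, so nothing is corrupted), and shows a `snprintf`-based builder that rejects such a value instead of truncating it. The car name `car1-trb1`, the 600-byte sample name and the helper names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Same buffer size as grsound.cpp line 96. */
#define FILENAME_LEN 512

/* Constructed inputs (not from the advisory): the normal value quoted in the
 * post and a hypothetical car directory name. */
static const char *const NORMAL_SAMPLE = "renault-v10.wav";
static const char *const CAR_NAME = "car1-trb1";

/* Bytes the unbounded sprintf at line 103 would write, NUL included, for a
 * given car name and sample. Computed rather than executed, so the overrun is
 * measured without actually smashing the stack. */
static size_t unchecked_write_len(const char *carname, const char *sample)
{
    return strlen("cars/") + strlen(carname) + 1 + strlen(sample) + 1;
}

/* Bounded replacement for the sprintf calls at lines 103 and 107.
 * carname == NULL selects the "data/sound/%s" fallback of line 107.
 * snprintf never writes past outlen bytes, and its return value (the length
 * the full string would have had) is checked so an over-long "engine sample"
 * value is rejected rather than silently truncated into a different path.
 * Returns 0 on success, -1 if the formatted path would not fit. */
static int build_sound_path(char *out, size_t outlen,
                            const char *carname, const char *sample)
{
    int n;
    if (carname != NULL)
        n = snprintf(out, outlen, "cars/%s/%s", carname, sample);
    else
        n = snprintf(out, outlen, "data/sound/%s", sample);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Fill buf with a run of 'A' characters, as a hostile car .xml could carry
 * in its "engine sample" attribute. */
static void make_long_sample(char *buf, size_t len)
{
    memset(buf, 'A', len - 1);
    buf[len - 1] = '\0';
}

/* Overrun in bytes of the original line-103 sprintf for a 600-byte sample. */
static long demo_overrun_bytes(void)
{
    char sample[601];
    make_long_sample(sample, sizeof sample);
    return (long)unchecked_write_len(CAR_NAME, sample) - FILENAME_LEN;
}

/* 1 if the hardened builder accepts the normal value and produces the
 * expected per-car path, 0 otherwise. */
static int demo_normal_ok(void)
{
    char filename[FILENAME_LEN];
    if (build_sound_path(filename, sizeof filename, CAR_NAME, NORMAL_SAMPLE) != 0)
        return 0;
    return strcmp(filename, "cars/car1-trb1/renault-v10.wav") == 0;
}

/* 1 if the line-107 style fallback path is built correctly. */
static int demo_fallback_ok(void)
{
    char filename[FILENAME_LEN];
    if (build_sound_path(filename, sizeof filename, NULL, NORMAL_SAMPLE) != 0)
        return 0;
    return strcmp(filename, "data/sound/renault-v10.wav") == 0;
}

/* Return value of the hardened builder for the 600-byte sample (-1 expected). */
static int demo_long_rejected(void)
{
    char filename[FILENAME_LEN];
    char sample[601];
    make_long_sample(sample, sizeof sample);
    return build_sound_path(filename, sizeof filename, CAR_NAME, sample);
}

int main(void)
{
    printf("unbounded sprintf would overrun the buffer by %ld bytes\n",
           demo_overrun_bytes());
    printf("normal sample accepted: %d, fallback ok: %d, long sample rc: %d\n",
           demo_normal_ok(), demo_fallback_ok(), demo_long_rejected());
    return 0;
}
```

Checking the `snprintf` return value is the part that matters: with truncation alone a long name would quietly become a different, possibly existing, path, whereas returning -1 lets the caller refuse to load the sample. The `fopen` step of the original is omitted since the example only builds the path.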
