Re: TORCS 1.3.2 xml buffer overflow - CVE-2012-1189
From: Andres Gomez <agomez () fluidsignal com>
Date: Mon, 5 Mar 2012 14:05:14 -0500
Speed Dreams (http://www.speed-dreams.org/) is also vulnerable, since it is a
TORCS fork and they both share most of the code.
Should I ask for a new CVE number, or can I use CVE-2012-1189 for this?
By the way, how can I get the CVE-2012-1189 details disclosed on the MITRE web
page, since the TORCS and Speed Dreams people have already fixed the bugs?
2012/2/18 Andres Gomez <agomez () fluidsignal com>:
I have found another exploitable buffer overflow in TORCS; this time it
is not related to plib.
The problem is in:
torcs/src/modules/graphic/ssgraph/grsound.cpp, line 103:

 96    char filename;
       FILE *file = NULL;
       // ENGINE PARAMS
       param = GfParmGetStr(handle, "Sound", "engine sample",
       rpm_scale = GfParmGetNum(handle, "Sound", "rpm scale", NULL, 1.0);
103    sprintf (filename, "cars/%s/%s", car->_carName, param);
       file = fopen(filename, "r");
107    sprintf (filename, "data/sound/%s", param);
This section reads a sound configuration option from [any-car].xml, for
example:

<attstr name="engine sample" val="renault-v10.wav"/>
<attnum name="rpm scale" val="0.35"/>

If the audio file name in "engine sample" is long enough, it can overwrite
the "filename" buffer (line 96), because there is no size validation in
line 103 (nor in line 107).
I have already notified vendor.
Please use CVE-2012-1189 for this issue.
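The bug described in the quoted 2012/2/18 report is an unbounded sprintf() into a fixed-size stack buffer from an attacker-controlled XML attribute. The following is an added example, not TORCS or Speed Dreams code, showing the defensive shape of a fix: a hypothetical build_sound_path() that formats the same two paths as lines 103 and 107 with snprintf() and rejects values that do not fit instead of writing past the buffer. The buffer size used here is constructed for the demonstration; the real size is not shown on the page.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical hardened replacement for the two sprintf() calls at
 * lines 103 and 107 of grsound.cpp: builds "cars/<car>/<sample>" when
 * car_name is given, otherwise "data/sound/<sample>", into a caller
 * supplied buffer. Returns 0 on success and -1 (with out emptied) when
 * the value would not fit, which is exactly the case the original
 * sprintf() turned into a stack overflow. */
int build_sound_path(char *out, size_t outlen,
                     const char *car_name, const char *sample)
{
    int n;
    if (out == NULL || outlen == 0 || sample == NULL)
        return -1;
    if (car_name != NULL)
        n = snprintf(out, outlen, "cars/%s/%s", car_name, sample);
    else
        n = snprintf(out, outlen, "data/sound/%s", sample);
    /* snprintf() returns the length the full string would have had;
     * n >= outlen means it was truncated, i.e. the untrusted "engine
     * sample" value is too long for the buffer and must be rejected. */
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char filename[64];   /* constructed: small buffer to exercise the check */
    char longname[200];  /* constructed: oversized "engine sample" value */
    memset(longname, 'A', sizeof longname - 5);
    memcpy(longname + sizeof longname - 5, ".wav", 5);

    if (build_sound_path(filename, sizeof filename, "renault",
                         "renault-v10.wav") == 0)
        printf("ok: %s\n", filename);
    if (build_sound_path(filename, sizeof filename, "renault", longname) != 0)
        printf("rejected: engine sample value too long for the buffer\n");
    return 0;
}
```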