Hi Michael,
Thank you for your bug report. I think you are correctly spotting a problem.
In fact, similar bugs were found in the past. Thank you very much for your
patch too, and for the hint to reproduce the bug. We will review it all in
detail
for a future release fixing the problem.
Regards,
Antonio Ceballos
On Mon, Apr 5, 2021 at 5:54 AM Michael Vaughan (RIT Student) <
mav8...@rit.edu> wrote:
> Hello,
>
> I wanted to report a potentially exploitable issue within the
> cmd_pgnload() and cmd_pgnreplay() functions in cmd.cc. In the loop between
> lines 482-485 in the former function, a specially crafted epdline could
> overrun the data buffer located here:
>
> char data[MAXSTR]="";
> char epdline[MAXSTR]="";
>
> /* snip */
>
> int i=0;
>
>
> *while ( epdline[i] != '\n' ) { data[i+9] = epdline[i]; ++i;*
> *}*
>
> Since this loop only ends when there is a newline within epdline, the end
> of the data buffer is not checked and the program will continue to copy
> bytes into and past the buffer, eventually overwriting the return address
> on the stack. A PGN file that exploits this bug is potentially possible,
> but it is easier to reproduce this in gdb by setting a breakpoint on the
> load_pgn_as_epd() function. Then load any compliant file with the pgnload
> command as follows:
>
> pgnload *<filename>*
>
> If you step after the SaveEPD() call but before the temporary file
> ".tmp.epd" is opened with fopen(), you can write to (or replace) the
> temporary file with a buffer overflow payload, like two hundred of "A".
> Continuing the program will cause it to open and copy this into the 128
> byte data buffer, overflowing it and overwriting the return address, as
> well as any stack cookie or other data in the way. This code is mirrored in
> the cmd_pgnreplay() function also, and can be mitigated in the same way. It
> should be reproducible there using the same steps.
>
> I have attached a patch to this email with a potential fix to this issue.
> I hope this finds you well.
>
> Regards,
>
> Michael Vaughan
>
