Package: hex-a-hop
Severity: normal
Tags: security

We got a report that there is a stack-based buffer overflow in savestate.h which can be triggered if a victim opens a crafted save game. This attack scenario is very constructed and rather obscure so the severity is only normal.
The affected code is:
    if (v=='1')
    {
        while(!feof(f))
        {
            char temp[1000];
            short len;
            fread(&len, sizeof(len), 1, f);
            if (feof(f)) break;
            fread(temp, len, 1, f);
            temp[len] = 0;
            first = new X(temp, first);

            first->LoadSave(f,save);
        }
    }
This code is just completely broken and I have to admit that I had no motivation
to write a patch.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - [email protected] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
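
Added example, not part of the report and not hex-a-hop code: a bounds-checked version of the length-prefixed read from the quoted loop, written in C. The names read_name, parse_constructed and the status codes are assumptions, and the save records are constructed test input.

```c
#include <stdio.h>
#include <string.h>

#define NAME_CAP 1000   /* same size as temp[] in the quoted code */

enum read_status { READ_OK = 0, READ_EOF = 1, READ_BAD_LEN = -1, READ_TRUNCATED = -2 };

/* Read one length-prefixed name; reject any length that does not fit out[]. */
static enum read_status read_name(FILE *f, char out[NAME_CAP])
{
    short len;

    if (fread(&len, sizeof len, 1, f) != 1)
        return READ_EOF;                  /* no further record */
    if (len < 0 || len >= NAME_CAP)       /* negative, or no room for the NUL */
        return READ_BAD_LEN;
    if (len > 0 && fread(out, (size_t)len, 1, f) != 1)
        return READ_TRUNCATED;            /* file ends inside the name */
    out[len] = '\0';
    return READ_OK;
}

/* Constructed input: write one record claiming `claimed` bytes but carrying
   `actual` bytes of payload into a temporary file, then parse it. */
static enum read_status parse_constructed(short claimed, size_t actual)
{
    char payload[2048], out[NAME_CAP];
    enum read_status st;
    FILE *f = tmpfile();

    if (!f || actual > sizeof payload)
        return READ_EOF;
    memset(payload, 'A', sizeof payload);
    fwrite(&claimed, sizeof claimed, 1, f);
    fwrite(payload, 1, actual, f);
    rewind(f);
    st = read_name(f, out);
    if (st == READ_OK && strlen(out) != (size_t)claimed)
        st = READ_TRUNCATED;              /* sanity check on the parsed name */
    fclose(f);
    return st;
}

int main(void)
{
    printf("len 5: %d\n", parse_constructed(5, 5));
    printf("len 2000: %d\n", parse_constructed(2000, 2000));
    printf("len -1: %d\n", parse_constructed(-1, 10));
    return 0;
}
```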

